Skip to main content
Connect Okta to authenticate end users with your Char agent. Create an OIDC application in Okta and configure Char to validate tokens.

Prerequisites

  • An Okta organization (production or preview)
  • Admin access to create applications in Okta
  • Access to the Char dashboard

Okta Admin Console

Sign in to manage your Okta organization

OAuth 2.0 & OIDC Overview

OAuth 2.0 and OpenID Connect concepts

OIDC API Reference

OpenID Connect API documentation

Build SSO Integration

Single Sign-On integration guide

SDK References

@okta/okta-auth-js

Okta Auth JavaScript SDK

@okta/okta-react

Okta React SDK

Configuration Steps

1

Create an OIDC Application in Okta

  1. Sign in to your Okta Admin Console
  2. Navigate to ApplicationsApplications
  3. Click Create App Integration
  4. Select OIDC - OpenID Connect as the sign-in method
  5. Select Single-Page Application as the application type
  6. Click Next
2

Configure Application Settings

Configure your new application:
SettingValue
App integration nameChar Agent (or your preferred name)
Grant typeAuthorization Code (with PKCE)
Sign-in redirect URIsYour application’s callback URL
Sign-out redirect URIsYour application’s logout URL
Controlled accessAssign to appropriate groups or allow everyone
Click Save to create the application.
3

Note Your Client ID and Domain

After creating the application:
  1. Copy the Client ID from the application’s General tab
  2. Note your Okta domain (e.g., acme.okta.com or acme.oktapreview.com)
4

Configure Char

In the Char Dashboard:
  1. Navigate to SettingsIntegration
  2. Under SSO Configuration, select Okta as the provider
  3. Add your Client ID to the Allowed Client IDs list
  4. Enter your Okta domain (e.g., acme.okta.com)
  5. Click Test Connection to verify
  6. Click Save Changes

Configuration Reference

Char FieldOkta ValueExample
Provider TypeOktaokta
Client IDApplication Client ID0oa1b2c3d4e5f6g7h8i9
DomainYour Okta domainacme.okta.com
Okta preview environments use *.oktapreview.com domains. Both production and preview domains are supported.

Token Requirements

Char validates Okta tokens with these requirements:
ClaimRequirement
issMust match https://{your-domain}
audMust include your configured Client ID
subRequired - used as the user identifier
expMust not be expired

Example: Obtaining and Passing the Token

Once your Okta application is configured, obtain the ID token after authentication and pass it to the Char agent. 
import OktaAuth from '@okta/okta-auth-js';
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement } from "@mcp-b/char/web-component";

// Your Okta Client ID (must be in your Char allowed_audiences list)
const CLIENT_ID = '0oa1b2c3d4e5f6g7h8i9';

const oktaAuth = new OktaAuth({
  issuer: 'https://acme.okta.com',
  clientId: CLIENT_ID,
  redirectUri: window.location.origin + '/callback',
});

// After authentication
const tokens = await oktaAuth.tokenManager.getTokens();

const idToken = tokens.idToken?.idToken;
if (idToken) {
  const agent = document.querySelector("char-agent") as WebMCPAgentElement
    ?? document.createElement("char-agent") as WebMCPAgentElement;

  if (!agent.isConnected) {
    document.body.appendChild(agent);
  }

  // Use connect() - keeps token out of DOM
  agent.connect({ idToken, clientId: CLIENT_ID });
}
SPA vs SSR: Use connect({ idToken, clientId }) for SPAs to keep the JWT out of the DOM. Use connect({ ticketAuth }) for SSR apps where the Okta session lives on your server.

Troubleshooting

Verify your Okta domain is correctly configured:
  • Domain should not include https:// prefix
  • Domain should match exactly (e.g., acme.okta.com)
  • For preview environments, use *.oktapreview.com
The token’s aud claim doesn’t match your configured Client ID:
  • Ensure the Client ID in Char matches your Okta application exactly
  • Verify you’re using the ID token, not the access token
  • Check that your Okta application is configured as a Single-Page Application
Char couldn’t reach Okta’s JWKS endpoint:
  • Verify your Okta domain is correct
  • Check that Okta is accessible (not blocked by firewall)
  • Use Test Connection in the dashboard to verify connectivity
If tokens expire quickly:
  • Check your Okta application’s token lifetime settings
  • Consider refreshing tokens before they expire
  • Verify your server and Okta have synchronized clocks

Security Best Practices

Always configure allowed_audiences. Without audience validation, tokens from other applications in your Okta organization could be used to access your agent.
  • Use connect() for authentication - The connect({ idToken, clientId }) method keeps tokens out of the DOM
  • Use ticket exchange for SSR - Exchange your Okta JWT for a short-lived ticket server-side instead of passing the JWT to the client
  • Use HTTPS for all redirect URIs
  • Restrict application access to only the users/groups who need it
  • Regularly rotate tokens by implementing proper session management
  • Monitor Okta system logs for suspicious authentication attempts