Skip to main content


Create an "Application," by browsing to "Applications" and clicking "Add Application" button.

For a website, the choice is "Web".

Okta Developer - New App Choice

Provided your application is running on localhost port 8443, provide the following information:

Base URI entries:

  • https://myapp.localdomain.local:8443/
  • https://localhost:8443/

Login redirect URIs:

  • https://myapp.localdomain.local:8443/auth/oauth2/okta/authorization-code-callback
  • https://localhost:8443/auth/oauth2/okta/authorization-code-callback

Logout redirect URIs:

  • https://myapp.localdomain.local:8443/auth/logout
  • https://localhost:8443/auth/logout

Group Assignments:

  • Everyone
  • Viewer
  • Editor
  • Administrator

Grant type allowed:

  • Client acting on behalf of itself
    • Client Credentials: No
  • Client acting on behalf of a user
    • Authorization Code: Yes
    • Refresh Token: No
    • Implicit (Hybrid): No

Okta Developer - New App Setup

Review the newly created application.

Okta Developer - Settings - General

Store the credentials securely.

Okta Developer - Settings - Client Credentials

Review default Sign On Policy.

Okta Developer - Settings - Sign On

By default, the default Authorization Server has no groups scope.

Therefore, browse to "API", "Authorization Servers" and select "default".

Okta Developer - API

Okta Developer - API

Next, browse to "Scopes" and click "Add Scope".

Fill out the "Add Scope" form:

  • Name: groups
  • Description: This allows the app to view your group memberships.
  • Check "Set as a default scope"
  • Check "Include in public metadata"

Okta Developer - Add Scope

Next, browse to "Claims" and click "Add Claim".

Fill out the "Add Claim" form:

  • Name: groups
  • Include in token type: "ID Token", "Always"
  • Value type: Groups
  • Filter: Matches .* regex
  • Include in: The "groups" scope

Okta Developer - Add Scope

Next, review Okta OpenID Connect and OAuth 2.0 API - Get Started.

The following Caddyfile allows Okta-based authentication.

Provided the Okta domain is, the authorization server is default, and Client ID is 0oa121qw81PJW0Tj34x7, check OpenID configuration:

curl -X GET "" | jq

By default, the plugin logs public keys from keys endpoint.