Configuring EnvSync's okta-cli-client for SPA app with PKCE flow for migration from a dev account

We are attempting to capture a snapshot of our current Okta Developer Edition for migration using EnvSync.

This was recommended in “Use our migration tool for one-off organization backup” section of the blog post “Changes Are Coming to the Okta Developer Edition Organizations”.

We are using the sample okta-cli-client OAuth 2.0 YAML configuration and EnvSync is failing in okta-cli-client with an “invalid private key” message. We believe this is because the sample configuration is for authorizationMode: “PrivateKey” and our application is a Single Page Application (SPA) which uses a PKCE flow.

Is this possible to configure okta-cli-client for an SPA/PKCE app and does anyone have a sample configuration we can see?

As you’ve observed, EnvSync inherits all the configuration from GitHub - okta/okta-cli-client.

The okta-cli-client README is assuming that you’re using a dedicated app integration in your organization if you’re doing OAuth. When you set up the app for the CLI client, you should be able to choose the appropriate authorizationMode. Please don’t give the CLI client the key for some other app integration.

When working with non-production data in developer accounts, the security tradeoffs of just using token auth can be worthwhile for the setup convenience.

I’ll work with the okta-cli-client team to get the README updated with clearer setup instructions.

Thank you for the timely response. It is really appreciated.

Unfortunately, we are still blocked.

Can you say anything about the availability of those clearer setup instructions in the context of Okta’s July 18 deadline?

In the mean time, are there any details you can provide as to what we can do to configure our SPA/PKCE app? Specifically, suggestions for any values and fields that might be needed.

Thanks again.