How to integrate OKTA to an application which is not having UI

How to integrate OKTA to an application like CLI or Web API which is not having any UI.
Scenario could be PLC using CLI.

It depends but the alternative could be using RADIUS (Getting started with Okta RADIUS Integrations | Okta)

Hi, perhaps start on, scroll down until the “API services” section. Pick your relevant language sdk and try a tutorial.

Are you trying to allow the users to log in, or do you just need your application to have permissions to perform operations to your tenant?

It’s no different from typical OIDC / OAUTH2 implementations:

  • CLIs, you generally open a browser, redirect to the IdP (Okta in this case)
  • Services / Daemons - Client Credential Flow

I’ve also seen folks leveraging a YubiKey to authenticate a user with factor sequencing for very limited UI devices.

Following up on @brh55 comments, the following Python CLI project is a great example to check out @pkumar and borrow the approach :wink:

GitHub - flypenguin/okta-cli: A command line interface to Okta.

1 Like

It depends on the application. I’m assuming you are talking about an application where there is some sort of end-user (typical CLI app). For these types of applications, you have two OAuth options (which are commonly used):

1.) If you are sure you can open a browser on the user’s desktop, you can use an OAuth authorization code flow (redirect the user to sign in). You start a small HTTP server on localhost to handle the authentication. You open a browser with an authorization URL to the IdP (Okta). Then you handle the callback in your small HTTP server.

2.) Use the same technique you use to log in to apps on your TV, a Device Authorization Grant. The TL;DR for this one is you display a code to the user, the user navigates to your website and enters the code. In the background your CLI app polls to check to see when this completes.
A neat part about this one is if you can open a browser on the desktop, you can often give the user a URL with a code, so it’s one less step for them (similar to what the AWS CLI does when you configure SSO). If you cannot open a browser, then the flow works just like a TV (or any other input-constrained device).

Okta doesn’t yet directly support this second option though we will soon :wink:

We also have this blog post that covers this flow in more detail.

For Web Apps:

If you are building a service that runs as a daemon, as mentioned already above the Client Credentials Flow is probably your best bet!

1 Like