Okta Integration
Connect Okta Identity Cloud to authenticate end users interacting with your Char AI widget. This guide walks you through creating an OIDC application in Okta and configuring Char AI to validate tokens.
Prerequisites
- An Okta organization (production or preview)
- Admin access to create applications in Okta
- Access to the Char AI dashboard
Quick Links
- Okta Admin Console: Sign in to manage your Okta organization
- Okta Developer Docs: OIDC implementation guide
Configuration Steps
1. Create an OIDC Application in Okta
- Sign in to your Okta Admin Console
- Navigate to Applications → Applications
- Click Create App Integration
- Select OIDC - OpenID Connect as the sign-in method
- Select Single-Page Application as the application type
- Click Next
2. Configure Application Settings
Configure your new application:
| Setting | Value |
|---|---|
| App integration name | Char AI Widget (or your preferred name) |
| Grant type | Authorization Code (with PKCE) |
| Sign-in redirect URIs | Your application’s callback URL |
| Sign-out redirect URIs | Your application’s logout URL |
| Controlled access | Assign to appropriate groups or allow everyone |
Click Save to create the application.
3. Note Your Client ID and Domain
After creating the application:
- Copy the Client ID from the application’s General tab
- Note your Okta domain (e.g., acme.okta.com or acme.oktapreview.com)
[Screenshot: Find your Client ID in the Okta application settings]
4. Configure Char AI
In the Char AI Dashboard:
- Navigate to Settings → Integration
- Under SSO Configuration, select Okta as the provider
- Enter your Client ID from Step 3
- Enter your Okta domain (e.g., acme.okta.com)
- Click Test Connection to verify
- Click Save Changes
Configuration Reference
| Char AI Field | Okta Value | Example |
|---|---|---|
| Provider Type | Okta | okta |
| Client ID | Application Client ID | 0oa1b2c3d4e5f6g7h8i9 |
| Domain | Your Okta domain | acme.okta.com |
Okta preview environments use *.oktapreview.com domains. Both production and preview domains are supported.
Token Requirements
Char AI validates Okta tokens with these requirements:
| Claim | Requirement |
|---|---|
| iss | Must match https://{your-domain} |
| aud | Must include your configured Client ID |
| sub | Required - used as the user identifier |
| exp | Must not be expired |
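To make the table above concrete, here is an added example (not Char AI's or Okta's own code) that applies the four claim requirements to a decoded ID token and reports the error names the Troubleshooting section uses. It checks claims only; signature verification against Okta's JWKS endpoint is deliberately out of scope. The sample token, the `MISSING_SUBJECT` and `TOKEN_EXPIRED` names, and the `domainProblems` helper (which accepts only the `*.okta.com` and `*.oktapreview.com` hosts shown on this page, not Okta custom domains) are constructed for this example.

```javascript
// Added example, not part of the Char AI documentation: claim checks for an
// Okta ID token (iss, aud, sub, exp). No signature verification is performed.

// base64url-encode a JSON object (used only to build the constructed sample token).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode the payload segment of a compact JWT. Reads claims only; does not
// verify the signature, so never trust the result without JWKS verification.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("MALFORMED_TOKEN"); // constructed error name
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Mirror the INVALID_ISSUER checklist for the Domain setting: no scheme, no
// trailing slash, and a production or preview Okta host as shown on this page.
// Returns a list of problems; an empty list means the value looks right.
function domainProblems(domain) {
  const problems = [];
  if (/^https?:\/\//i.test(domain)) problems.push("remove the https:// prefix");
  if (/\/$/.test(domain)) problems.push("remove the trailing slash");
  const host = domain.replace(/^https?:\/\//i, "").replace(/\/$/, "");
  if (!/^[a-z0-9-]+\.(okta|oktapreview)\.com$/i.test(host)) {
    problems.push("expected a host like acme.okta.com or acme.oktapreview.com");
  }
  return problems;
}

// Apply the claims table. Returns the first failing error name, or null when
// every requirement is met. INVALID_ISSUER and INVALID_AUDIENCE are the names
// from the Troubleshooting section; MISSING_SUBJECT and TOKEN_EXPIRED are
// constructed for this example.
function checkClaims(payload, config, nowSeconds = Math.floor(Date.now() / 1000)) {
  // iss must be exactly https://{your-domain}; a scheme-less or mistyped
  // Domain setting shows up here as INVALID_ISSUER.
  if (payload.iss !== `https://${config.domain}`) return "INVALID_ISSUER";
  // aud may be a string or an array; the configured Client ID must be included.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(config.clientId)) return "INVALID_AUDIENCE";
  // sub is the user identifier and must be present and non-empty.
  if (typeof payload.sub !== "string" || payload.sub.length === 0) return "MISSING_SUBJECT";
  // exp is seconds since the epoch; compare against the caller's clock.
  if (!Number.isInteger(payload.exp) || payload.exp <= nowSeconds) return "TOKEN_EXPIRED";
  return null;
}

function validateIdToken(token, config, nowSeconds) {
  return checkClaims(decodeJwtPayload(token), config, nowSeconds);
}

// Constructed sample: the domain and Client ID from the Configuration Reference
// table, a fixed clock, and an unsigned token with a placeholder signature.
const SAMPLE_CONFIG = { domain: "acme.okta.com", clientId: "0oa1b2c3d4e5f6g7h8i9" };
const SAMPLE_NOW = 1700000000;
function sampleToken(overrides = {}) {
  const payload = {
    iss: "https://acme.okta.com",
    aud: "0oa1b2c3d4e5f6g7h8i9",
    sub: "00u-constructed-user-id",
    iat: SAMPLE_NOW,
    exp: SAMPLE_NOW + 3600,
    ...overrides,
  };
  return `${b64url({ alg: "RS256", kid: "constructed-kid" })}.${b64url(payload)}.placeholder-signature`;
}
```

Running `validateIdToken(sampleToken(), SAMPLE_CONFIG, SAMPLE_NOW)` returns `null`; swapping the `iss` for the preview domain returns `INVALID_ISSUER`, and an `aud` such as `api://default` (what an access token from Okta's default authorization server would carry) returns `INVALID_AUDIENCE`, which is the "using the access token, not the ID token" mistake from the Troubleshooting section.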
Example: Obtaining and Passing the Token
Once your Okta application is configured, obtain the ID token after authentication and pass it to the Char widget:
- Okta Auth JS
- React (Okta React SDK)
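As an added example of the Okta Auth JS flow (this is not the page's own sample or Char AI's code), the function below completes the PKCE redirect with `@okta/okta-auth-js`, reads the stored ID token, and hands the raw token string to the widget. The `OktaAuth` instance is passed in rather than constructed inside the function so it can be exercised without a browser; the `redirectUri` value and the `onIdToken` hook are placeholders for your own callback URL and for however your embedding code passes the token to the widget.

```javascript
// Added example, not part of the Char AI documentation. Uses the
// @okta/okta-auth-js API: isLoginRedirect(), token.parseFromUrl(),
// tokenManager.setTokens(), tokenManager.get(), signInWithRedirect().

// Settings from Step 3 of the guide; the Client ID is the page's example value
// and the redirect URI is a constructed placeholder that must appear in the
// application's Sign-in redirect URIs.
const OKTA_SETTINGS = {
  issuer: "https://acme.okta.com",   // org authorization server: iss matches https://{your-domain}
  clientId: "0oa1b2c3d4e5f6g7h8i9",
  redirectUri: "https://app.example.com/login/callback",
  pkce: true,
};

// In the browser:
//   import { OktaAuth } from "@okta/okta-auth-js";
//   const oktaAuth = new OktaAuth(OKTA_SETTINGS);

// Returns the raw ID token string, or null after starting the sign-in redirect
// (the page navigates to Okta and this code runs again on the callback URL).
async function getIdTokenAfterLogin(oktaAuth) {
  if (oktaAuth.isLoginRedirect()) {
    // We are on the callback URL: exchange the authorization code (PKCE) for
    // tokens and store them so later calls can read them.
    const { tokens } = await oktaAuth.token.parseFromUrl();
    oktaAuth.tokenManager.setTokens(tokens);
  }
  const stored = await oktaAuth.tokenManager.get("idToken");
  if (!stored) {
    await oktaAuth.signInWithRedirect();
    return null;
  }
  return stored.idToken; // the raw JWT string, not the access token
}

// Hand the ID token to the widget. `onIdToken` is a placeholder for the
// widget's real hook; it receives the token string only once one is available.
async function initWidgetWithOkta(oktaAuth, onIdToken) {
  const idToken = await getIdTokenAfterLogin(oktaAuth);
  if (idToken) onIdToken(idToken);
  return idToken;
}
```

One caveat: `issuer` here is the org authorization server (`https://acme.okta.com`), which produces the `iss` value the Token Requirements table expects. If you point `issuer` at a custom authorization server (`https://acme.okta.com/oauth2/...`), the ID token's `iss` will carry that path and fail the `INVALID_ISSUER` check.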
Troubleshooting
INVALID_ISSUER error
Verify your Okta domain is correctly configured:
- Domain should not include the https:// prefix
- Domain should match exactly (e.g., acme.okta.com)
- For preview environments, use *.oktapreview.com
INVALID_AUDIENCE error
The token’s aud claim doesn’t match your configured Client ID:
- Ensure the Client ID in Char matches your Okta application exactly
- Verify you’re using the ID token, not the access token
- Check that your Okta application is configured as a Single-Page Application
JWKS_FETCH_FAILED error
Char AI couldn’t reach Okta’s JWKS endpoint:
- Verify your Okta domain is correct
- Check that Okta is accessible (not blocked by firewall)
- Use Test Connection in the dashboard to verify connectivity
Token expired immediately
If tokens expire quickly:
- Check your Okta application’s token lifetime settings
- Consider refreshing tokens before they expire
- Verify your server and Okta have synchronized clocks
Security Best Practices
- Use HTTPS for all redirect URIs
- Restrict application access to only the users/groups who need it
- Regularly rotate tokens by implementing proper session management
- Monitor Okta system logs for suspicious authentication attempts