Okta Connector Setup Guide
This guide walks you through creating an OAuth App in your Okta Admin Console so you can connect Okta to Treasure Studio.
Prerequisites
- Okta admin privileges (Super Admin or Org Admin)
- "OAuth 2.0 for Okta" enabled in your org (enabled by default on most Okta orgs)
Step 1: Create the OAuth App
- Log in to your Okta Admin Console (e.g., https://your-org.okta.com/admin)
- Navigate to Applications → Applications
- Click Create App Integration
- Select:
  - Sign-in method: OIDC - OpenID Connect
  - Application type: Web Application
- Click Next
Step 2: Configure the App
Fill in the following settings:
| Setting | Value |
|---|---|
| App integration name | TDX Studio (or any name you prefer) |
| Grant type | Check Authorization Code and Refresh Token |
| Sign-in redirect URIs | http://localhost:6276/callback |
| Sign-out redirect URIs | (leave empty) |
| Controlled access | Choose based on your org's needs (e.g., "Allow everyone in your organization") |
Click Save.
Step 3: Copy Your Credentials
After saving, you'll see the app's settings page:
- Copy the Client ID (displayed on the General tab)
- Copy the Client Secret (click the copy icon)
- Note your Okta Domain (e.g., https://your-org.okta.com)
You'll enter these three values in Treasure Studio's connector setup dialog.
Step 4: Grant Admin API Scopes
- On the app page, click the Okta API Scopes tab
- Grant the following scopes by clicking Grant next to each one:
| Scope | Description |
|---|---|
| okta.users.read | Read user profiles |
| okta.groups.read | Read groups and group membership |
| okta.apps.read | Read application assignments |
| okta.logs.read | Read system log / audit events |
| okta.factors.read | Read MFA factor enrollments |
| okta.policies.read | Read authentication policies |
Note: Only read scopes are required. Write scopes (*.manage) are not needed for the current set of tools.
Step 5: Connect in Treasure Studio
- Open Treasure Studio
- Go to Settings (gear icon) → Connectors
- Find and click the Okta card
- Enter:
  - Okta Domain: https://your-org.okta.com
  - Client ID: (from Step 3)
  - Client Secret: (from Step 3)
- Click Connect
- Your browser will open the Okta login page — sign in and authorize the app
- Studio will show "Connected" with your Okta email
Troubleshooting
"redirect_uri" error
Make sure the Sign-in redirect URI is exactly http://localhost:6276/callback (no trailing slash, no HTTPS).
"insufficient_scope" error
Go back to the Okta API Scopes tab and ensure all required scopes are granted.
"OAuth 2.0 for Okta" not available
This feature may need to be enabled by your Okta Super Admin. Go to Security → API and verify the org authorization server exists.
Connection timeout
Ensure no firewall or VPN is blocking localhost:6276. The OAuth callback uses a local HTTP server on this port.
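As an added example (not Treasure Studio's own code, and not Okta's), the block below walks through the OAuth 2.0 authorization-code flow that the connector runs against the Okta org authorization server once Steps 1 to 5 are done: it builds the authorize request with the six read scopes from Step 4, listens for the callback on the local port from Step 2, checks the `state` parameter so a callback the client did not initiate is discarded, and diagnoses the redirect-URI mismatches the "redirect_uri" troubleshooting entry describes. The `/oauth2/v1/authorize` and `/oauth2/v1/token` paths are Okta's standard org authorization server endpoints; the client ID, client secret and domain strings are placeholders, and `exchange_code` is only called after a real callback has arrived.

```python
"""Added example: Okta org-authorization-server code flow for a localhost:6276 callback."""
import json
import secrets
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Must be byte-for-byte identical to the Sign-in redirect URI registered in Step 2.
REDIRECT_URI = "http://localhost:6276/callback"
# The read-only scopes granted in Step 4; no *.manage scope is requested.
REQUIRED_SCOPES = (
    "okta.users.read", "okta.groups.read", "okta.apps.read",
    "okta.logs.read", "okta.factors.read", "okta.policies.read",
)


def build_authorize_url(okta_domain, client_id, state, scopes=REQUIRED_SCOPES):
    """Authorization request to the org authorization server (/oauth2/v1/authorize)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": state,  # unguessable per-attempt value, checked again in parse_callback
    }
    return f"{okta_domain.rstrip('/')}/oauth2/v1/authorize?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Validate the browser's redirect to /callback and return the authorization code.

    Raises ValueError for an Okta error response, a wrong path, a missing code,
    or a state mismatch (a callback this client never started; it must be dropped).
    """
    parsed = urllib.parse.urlsplit(path)
    if parsed.path != urllib.parse.urlsplit(REDIRECT_URI).path:
        raise ValueError(f"unexpected callback path {parsed.path!r}")
    q = urllib.parse.parse_qs(parsed.query)
    if "error" in q:
        raise ValueError(f"okta returned {q['error'][0]}: {q.get('error_description', [''])[0]}")
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: discarding callback")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def diagnose_redirect_uri(registered):
    """Okta compares redirect URIs exactly; return None if `registered` matches, else why not."""
    if registered == REDIRECT_URI:
        return None
    want, got = urllib.parse.urlsplit(REDIRECT_URI), urllib.parse.urlsplit(registered)
    if got.scheme != want.scheme:
        return f"scheme is {got.scheme!r}, must be {want.scheme!r} (the local callback server is plain HTTP)"
    if got.netloc != want.netloc:
        return f"host:port is {got.netloc!r}, must be {want.netloc!r}"
    if got.path != want.path:
        return f"path is {got.path!r}, must be {want.path!r} (no trailing slash)"
    return "URI differs from the registered value"


def token_request(okta_domain, client_id, client_secret, code):
    """Endpoint and form body for the code-to-token exchange (/oauth2/v1/token)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # repeated here and must match the authorize request
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return f"{okta_domain.rstrip('/')}/oauth2/v1/token", body


def exchange_code(okta_domain, client_id, client_secret, code):
    """POST the exchange and return the parsed token response (network call)."""
    url, body = token_request(okta_domain, client_id, client_secret, code)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_callback(expected_state, timeout=120):
    """Serve exactly one request on localhost:6276; a blocked port surfaces as a timeout."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
                status, body = 200, b"Signed in. You can close this tab."
            except ValueError as exc:
                result["error"] = str(exc)
                status, body = 400, str(exc).encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep authorization codes out of the console log
            pass

    srv = HTTPServer(("localhost", 6276), Handler)
    srv.timeout = timeout
    srv.handle_request()
    srv.server_close()
    if "code" not in result:
        raise TimeoutError(result.get("error", "no callback received on localhost:6276"))
    return result["code"]


if __name__ == "__main__":  # placeholders: replace with the values copied in Step 3
    state = secrets.token_urlsafe(32)
    print("Open in a browser:", build_authorize_url("https://your-org.okta.com", "CLIENT_ID_PLACEHOLDER", state))
    code = wait_for_callback(state)
    tokens = exchange_code("https://your-org.okta.com", "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER", code)
    print("granted scopes:", tokens.get("scope"))
```

The `state` check is what keeps a stray or attacker-supplied callback from being accepted, and `diagnose_redirect_uri` reproduces the exact comparison Okta applies, so a trailing slash or an `https://` prefix shows up as the specific reason rather than a bare "redirect_uri" error.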
Available Tools
Once connected, the following read-only tools are available in chat:
- Users: Search, get, and list Okta users
- Groups: List groups, view members, check user memberships
- Applications: List apps, view assigned users
- MFA: View enrolled factors and supported factor types
- Audit Logs: Search system logs, view user login history
- Policies: List and inspect authentication policies and rules