Okta: Backend/type changes for Okta Integration enrolment improvements

lib/web/apiserver.go

@@ -1055,7 +1055,7 @@ func (h *Handler) bindDefaultEndpoints() {
 	h.GET("/webapi/scripts/integrations/configure/gcp-workforce-saml.sh", h.WithLimiter(h.gcpWorkforceConfigScript))
 
 	// Okta integration endpoints.
-	h.GET("/.well-known/jwks-okta", h.WithLimiter(h.jwksOkta))
+	h.GET(OktaJWKSWellknownURI, h.WithLimiter(h.jwksOkta))
 
 	// Azure OIDC integration endpoints
 	h.GET("/webapi/scripts/integrations/configure/azureoidc.sh", h.WithLimiter(h.azureOIDCConfigure))

lib/web/oidcidp.go

@@ -32,6 +32,8 @@ import (
 const (
 	// OIDCJWKWURI is the relative path where the OIDC IdP JWKS is located
 	OIDCJWKWURI = "/.well-known/jwks-oidc"
+	// OktaJWKSWellknownURI is the relative path where the Okta JWKS is located
+	OktaJWKSWellknownURI = "/.well-known/jwks-okta"
 )
 
 // openidConfiguration returns the openid-configuration for setting up the AWS OIDC Integration

web/packages/teleport/src/Notifications/Notification.tsx

@@ -98,7 +98,7 @@ export function Notification({
   if (view === 'Unread' && notification.clicked) {
     // If this is a text content notification, the dialog should still be renderable. This is to prevent the text content dialog immediately disappearing
     // when trying to open an unread text notification, since clicking on the notification instantly marks it as read.
-    if (content.kind == 'text') {
+    if (content.kind === 'text') {
       return (
         <Dialog open={showTextContentDialog} className={IGNORE_CLICK_CLASSNAME}>
           <DialogHeader>

web/packages/teleport/src/config.ts

@@ -203,8 +203,8 @@ const cfg = {
     kubernetes: '/web/cluster/:clusterId/kubernetes',
     headlessSso: `/web/headless/:requestId`,
     integrations: '/web/integrations',
-    integrationStatus: '/web/integrations/status/:type/:name',
-    integrationEnroll: '/web/integrations/new/:type?',
+    integrationStatus: '/web/integrations/status/:type/:name/:page?',
+    integrationEnroll: '/web/integrations/new/:type?/:page?',
     locks: '/web/locks',
     newLock: '/web/locks/new',
     requests: '/web/requests/:requestId?',
@@ -571,12 +571,16 @@ const cfg = {
     return generatePath(cfg.routes.audit, { clusterId });
   },
 
-  getIntegrationEnrollRoute(type?: string) {
-    return generatePath(cfg.routes.integrationEnroll, { type });
+  getIntegrationEnrollRoute(type?: string, page?: string) {
+    return generatePath(cfg.routes.integrationEnroll, { type, page });
   },
 
-  getIntegrationStatusRoute(type: PluginKind | IntegrationKind, name: string) {
-    return generatePath(cfg.routes.integrationStatus, { type, name });
+  getIntegrationStatusRoute(
+    type: PluginKind | IntegrationKind,
+    name: string,
+    page?: string
+  ) {
+    return generatePath(cfg.routes.integrationStatus, { type, name, page });
   },
 
   getMsTeamsAppZipRoute(clusterId: string, plugin: string) {

web/packages/teleport/src/services/integrations/types.ts

@@ -16,6 +16,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+import { PluginStatusOkta } from 'teleport/services/integrations/oktaStatusTypes';
 import { Label } from 'teleport/types';
 
 import { ResourceLabel } from '../agents';
@@ -224,14 +225,27 @@ export type PluginStatus<D = any> = {
   details?: D;
 };
 
-export type PluginSpec =
-  | PluginOktaSpec
-  | PluginSlackSpec
-  | PluginMattermostSpec
-  | PluginOpsgenieSpec
-  | PluginDatadogSpec
-  | PluginEmailSpec
-  | PluginMsTeamsSpec;
+/**
+ * PluginNameToSpec defines a mapping of plugin names to their respective
+ * spec types.
+ */
+export type PluginNameToSpec = {
+  okta: PluginOktaSpec;
+  slack: PluginSlackSpec;
+  mattermost: PluginMattermostSpec;
+  opsgenie: PluginOpsgenieSpec;
+  datadog: PluginDatadogSpec;
+  email: PluginEmailSpec;
+  msteams: PluginMsTeamsSpec;
+};
+
+/**
+ * PluginNameToDetails defines a mapping of plugin names to their respective
+ * status details types.
+ */
+export type PluginNameToDetails = {
+  okta: PluginStatusOkta;
+};
 
 // PluginKind represents the type of the plugin
 // and should be the same value as defined in the backend (check master branch for the latest):
@@ -254,31 +268,46 @@ export type PluginKind =
   | 'aws-identity-center';
 
 export type PluginOktaSpec = {
-  // scimBearerToken is the plain text of the bearer token that Okta will use
-  // to authenticate SCIM requests
+  // The plaintext of the bearer token that Okta will use
+  // to authenticate SCIM requests.
   scimBearerToken: string;
-  // oktaAppID is the Okta ID of the SAML App created during the Okta plugin
+  // The Okta ID of the SAML App created during the Okta plugin
   // installation
   oktaAppId: string;
-  // oktaAppName is the human readable name of the Okta SAML app created
+  // the human-readable name of the Okta SAML app created
   // during the Okta plugin installation
   oktaAppName: string;
   // teleportSSOConnector is the name of the Teleport SAML SSO connector
   // created by the plugin during installation
   teleportSsoConnector: string;
-  // error contains a description of any failures during plugin installation
+  // Contains a description of any failures during plugin installation
   // that were deemed not serious enough to fail the plugin installation, but
-  // may effect the operation of advanced features like User Sync or SCIM.
+  // may affect the operation of advanced features like User Sync or SCIM.
   error: string;
-  /**
-   * is the set of usernames that the integration assigns as
-   * owners to any Access Lists that it creates
-   */
+  // The set of usernames that the integration assigns as
+  // owners to any Access Lists that it creates
   defaultOwners: string[];
-  /**
-   * the Okta org's base URL
-   */
+  // The Okta organization's base URL
   orgUrl: string;
+  // Whether User Sync is enabled
+  enableUserSync?: boolean;
+  // Whether Access List Sync is enabled. Should match App/Group sync.
+  enableAccessListSync?: boolean;
+  // Whether App/Group Sync is enabled. Should match Access List sync.
+  enableAppGroupSync?: boolean;
+  // Information about currently configured credentials for the plugin
+  credentialsInfo?: CredentialsInfo;
+};
+
+/**
+ * CredentialsInfo contains information about currently-configured
+ * credentials for a plugin. Can be all true, or all omitted.
+ * Omitted fields should be assumed as false.
+ */
+export type CredentialsInfo = {
+  hasSSMSToken?: boolean;
+  hasConfiguredOauthCredentials?: boolean;
+  hasSCIMToken?: boolean;
 };
 
 export type PluginSlackSpec = {