Okta Auth
БесплатноНе проверенMCP server for Okta authentication, enabling AI agents to log in, check sessions, list, delete, and get cookies using saved Okta sessions.
Описание
MCP server for Okta authentication, enabling AI agents to log in, check sessions, list, delete, and get cookies using saved Okta sessions.
README
Alpha: this project is under active development. APIs, tool signatures, and session formats may change between releases.
okta-auth is an Okta login toolkit with two entry points:
okta: interactive CLI for humansokta-auth: MCP server for AI agents that reuse saved sessions
Sessions are stored under ~/.okta-auth/sessions/. Existing sessions under
~/.okta-auth-mcp/sessions/ are migrated automatically.
Install
uv tool
uv tool install okta-auth-cli
pipx
pipx install okta-auth-cli
pip
pip install okta-auth-cli
Browser setup
The project uses Playwright for browser automation. It automatically prefers a local Chrome or Edge install when available.
If no supported system browser is found, install Playwright Chromium:
playwright install chromium
Upgrade
uv tool:uv tool upgrade okta-auth-clipipx:pipx upgrade okta-auth-clipip:pip install -U okta-auth-cli
Quick Start
1. Configure credentials
Run the built-in wizard:
okta config
If the wizard asks for a TOTP secret and you are not sure where to find it, see TOTP Secret.
The wizard supports two providers:
keyring: store credentials in the OS credential managerop: generate~/.okta-auth/op.envwithop://...references forop run
Only non-secret settings such as the default URL and provider metadata are stored
in ~/.okta-auth/config.json.
2. Log in
okta
Or pass a target URL directly:
okta https://portal.company.com
The login flow is headless by default. Use --headed to show the browser.
3. Reuse the session from MCP
Once configured, AI agents can authenticate with the saved session or with the credential provider you configured.
TOTP Secret
The TOTP secret is the Base32 key behind your authenticator app. You typically must capture it during initial MFA enrollment.
During Okta MFA setup
- Go to Settings -> Security Methods in Okta.
- Choose Google Authenticator or another TOTP-compatible factor.
- On the QR screen, click Can't scan?
- Copy the displayed Base32 secret.
- Complete enrollment by entering the generated code.
This project does not currently support portals that rely only on the Okta Verify push app for MFA.
If you already enrolled and lost the secret
You usually need to remove and re-enroll the authenticator factor to get a new secret.
Credential Setup
Credential resolution order is:
- Explicit CLI or MCP arguments
- Environment variables
- Stored keyring credentials when the selected provider is
keyring
Recommended: OS keyring
This is the default and recommended local setup:
okta config --provider keyring
What gets stored:
username,password,totp_secret: OS keyring onlydefault_url:~/.okta-auth/config.json
Typical keyring backends:
- macOS: Keychain Access
- Windows: Credential Manager / Credential Locker
- Linux: Secret Service or KWallet
If no secure backend is available, the wizard refuses to fall back to plaintext.
1Password CLI
If you already manage secrets in 1Password:
okta config --provider op
What gets stored:
vault,item, field names,default_url:~/.okta-auth/config.jsonOKTA_USERNAME,OKTA_PASSWORD, optionalOKTA_TOTP_SECRETreferences:~/.okta-auth/op.env
The generated env file contains op://... references, not plaintext values.
Launch the CLI or MCP server through op run:
op run --env-file=$HOME/.okta-auth/op.env -- okta
op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-auth
1Password vault, item, and field names must be compatible with secret reference
paths. If a name contains unsupported separators such as /, use the object's
unique ID instead.
Environment variables
Environment variables are still supported for CI, ephemeral shells, or external
secret managers. They override okta config values.
export OKTA_USERNAME="[email protected]"
export OKTA_PASSWORD="your-okta-password"
export OKTA_TOTP_SECRET="JBSWY3DPEHPK3PXP"
Manual 1Password setup
If you do not want to use the wizard, you can set up op run manually.
- Create a login item:
op item create --category login --title "Okta MCP" \
username="[email protected]" \
password="your-okta-password" \
totp_secret="JBSWY3DPEHPK3PXP"
- Create
~/.okta-auth/op.env:
OKTA_USERNAME=op://Personal/Okta MCP/username
OKTA_PASSWORD=op://Personal/Okta MCP/password
OKTA_TOTP_SECRET=op://Personal/Okta MCP/totp_secret
- Launch through
op run:
op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-auth
CLI
Common commands
okta [url]: log in and save a sessionokta config: open the credential wizardokta config --provider keyring: force keyring configurationokta config --provider op: force 1Password configurationokta config --show: show current config statusokta config --reset: remove saved config and credentialsokta check <url>: verify a stored sessionokta list: list stored sessionsokta delete <url>: delete a stored sessionokta cookies <url>: inspect stored cookies
Example
okta https://portal.company.com --username [email protected] --headed
MCP Server
MCP tools
| Tool | Description |
|---|---|
okta_login |
Authenticate to a target URL and store session state |
okta_check_session |
Verify whether a stored session is still valid |
okta_list_sessions |
List saved sessions and metadata |
okta_delete_session |
Remove a stored session |
okta_get_cookies |
Retrieve cookies from a stored session |
Claude Code
claude mcp add okta-auth -- uvx --from okta-auth-cli okta-auth
If you use 1Password:
claude mcp add okta-auth -- op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-auth
Claude Desktop / Cursor / Windsurf
Default:
{
"mcpServers": {
"okta-auth": {
"command": "uvx",
"args": ["--from", "okta-auth-cli", "okta-auth"]
}
}
}
With 1Password:
{
"mcpServers": {
"okta-auth": {
"command": "op",
"args": ["run", "--env-file=/Users/yourname/.okta-auth/op.env", "--", "uvx", "--from", "okta-auth-cli", "okta-auth"]
}
}
}
Use okta for the interactive CLI. Use okta-auth only when wiring the package
into an MCP client.
Security
- This project is intended for local trusted execution.
- Session files and cookies are sensitive credentials.
- Prefer
okta configover passing credentials directly on the command line. - Prefer
keyringorop runover plaintext shell files. - Never post cookie values, passwords, or TOTP secrets in issues or logs.
Development
uv venv && source .venv/bin/activate
uv pip install -e '.[dev]'
playwright install chromium
Run checks locally:
ruff format --check .
ruff check .
pytest
Установка Okta Auth
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/bunizao/okta-authFAQ
Okta Auth MCP бесплатный?
Да, Okta Auth MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Okta Auth?
Нет, Okta Auth работает без API-ключей и переменных окружения.
Okta Auth — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Okta Auth в Claude Desktop, Claude Code или Cursor?
Открой Okta Auth на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare Okta Auth with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
