MCP Authorization

MCP Okta OAuth Policy

MCP Gateway Policy

This policy is for use with the MCP Gateway. See the MCP Gateway documentation to learn how to proxy and secure MCP servers with Zuplo.

Authenticate MCP gateway requests using a gateway-issued OAuth access token, with browser login delegated to Okta.

This is an Okta-friendly wrapper around McpOAuthInboundPolicy. Provide an Okta domain, optional authorization server id, clientId, and clientSecret; the Okta OIDC issuer, JWKS URL, and browser login endpoints are derived automatically.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.


config/policies.json
{
  "name": "my-mcp-okta-oauth-inbound-policy",
  "policyType": "mcp-okta-oauth-inbound",
  "handler": {
    "export": "McpOktaOAuthInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "authorizationServerId": "default",
      "browserLoginOverrides": {
        "remoteTimeoutMs": 10000,
        "sessionTtlSeconds": 28800,
        "stateTtlSeconds": 900
      },
      "clientId": "$env(OKTA_CLIENT_ID)",
      "clientSecret": "$env(OKTA_CLIENT_SECRET)",
      "gateway": {
        "accessTokenTtlSeconds": 900,
        "cimdEnabled": true,
        "refreshTokenTtlSeconds": 2592000
      },
      "oktaDomain": "acme.okta.com",
      "scope": "openid profile email"
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.
policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be mcp-okta-oauth-inbound.
handler.export <string> - The name of the exported type. Value should be McpOktaOAuthInboundPolicy.
handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

oktaDomain (required) <string> - The Okta org domain, without https://, a trailing slash, or a path.
authorizationServerId <string> - Optional Okta custom authorization server id. Omit this to use the org authorization server.
clientId (required) <string> - The Okta OIDC application client_id registered for the gateway's browser login flow.
clientSecret (required) <string> - The Okta OIDC application client_secret. Use $env(...) to source from a secret environment variable.
scope <string> - OIDC scopes requested during browser login. Defaults to "openid profile email".
gateway <object> - Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
- accessTokenTtlSeconds <integer> - Lifetime of access tokens issued by /oauth/token. Defaults to 900.
- refreshTokenTtlSeconds <integer> - Lifetime of refresh tokens issued by /oauth/token. Defaults to 2592000.
- cimdEnabled <boolean> - Whether to advertise client_id_metadata_document_supported in AS metadata. Defaults to true.
browserLoginOverrides <object> - Optional overrides for the derived browser-login settings.
- remoteTimeoutMs <integer> - No description available. Defaults to 10000.
- stateTtlSeconds <integer> - No description available. Defaults to 900.
- sessionTtlSeconds <integer> - No description available. Defaults to 28800.

Using the Policy

MCP Okta OAuth Inbound

Authenticate MCP gateway requests using a gateway-issued OAuth access token, with browser login delegated to Okta.

This is a thin Okta-friendly wrapper around the generic McpOAuthInboundPolicy. Use it when you want to configure browser login with Okta-specific fields instead of the full set of OIDC URLs.

Derived configuration

For the Okta org authorization server, the wrapper derives:

Generic field	Derived value
`oidc.issuer`	`https://{oktaDomain}`
`oidc.jwksUrl`	`https://{oktaDomain}/oauth2/v1/keys`
`browserLogin.url`	`https://{oktaDomain}/oauth2/v1/authorize`
`browserLogin.tokenUrl`	`https://{oktaDomain}/oauth2/v1/token`

When authorizationServerId is set, the wrapper derives custom authorization server URLs:

Generic field	Derived value
`oidc.issuer`	`https://{oktaDomain}/oauth2/{authorizationServerId}`
`oidc.jwksUrl`	`https://{oktaDomain}/oauth2/{authorizationServerId}/v1/keys`
`browserLogin.url`	`https://{oktaDomain}/oauth2/{authorizationServerId}/v1/authorize`
`browserLogin.tokenUrl`	`https://{oktaDomain}/oauth2/{authorizationServerId}/v1/token`

These endpoint shapes follow Okta's org and custom authorization server metadata conventions.

Configuration


Code
{
  "name": "okta-managed-oauth",
  "policyType": "mcp-okta-oauth-inbound",
  "handler": {
    "module": "$import(@zuplo/runtime)",
    "export": "McpOktaOAuthInboundPolicy",
    "options": {
      "oktaDomain": "acme.okta.com",
      "authorizationServerId": "default",
      "clientId": "$env(OKTA_CLIENT_ID)",
      "clientSecret": "$env(OKTA_CLIENT_SECRET)"
    }
  }
}

oktaDomain must be an Okta org domain like acme.okta.com or acme.oktapreview.com. Do not include https://, a trailing slash, or an authorization server path.

Pairing

Pair this policy with McpTokenExchangeInboundPolicy and McpProxyHandler, the same as McpOAuthInboundPolicy. Only one MCP OAuth policy is allowed per project; attach the same policy by name to every MCP route.

MCP Okta OAuth Policy

MCP Gateway Policy

This policy is for use with the MCP Gateway. See the MCP Gateway documentation to learn how to proxy and secure MCP servers with Zuplo.

Authenticate MCP gateway requests using a gateway-issued OAuth access token, with browser login delegated to Okta.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.


config/policies.json
{
  "name": "my-mcp-okta-oauth-inbound-policy",
  "policyType": "mcp-okta-oauth-inbound",
  "handler": {
    "export": "McpOktaOAuthInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "authorizationServerId": "default",
      "browserLoginOverrides": {
        "remoteTimeoutMs": 10000,
        "sessionTtlSeconds": 28800,
        "stateTtlSeconds": 900
      },
      "clientId": "$env(OKTA_CLIENT_ID)",
      "clientSecret": "$env(OKTA_CLIENT_SECRET)",
      "gateway": {
        "accessTokenTtlSeconds": 900,
        "cimdEnabled": true,
        "refreshTokenTtlSeconds": 2592000
      },
      "oktaDomain": "acme.okta.com",
      "scope": "openid profile email"
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.
policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be mcp-okta-oauth-inbound.
handler.export <string> - The name of the exported type. Value should be McpOktaOAuthInboundPolicy.
handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

oktaDomain (required) <string> - The Okta org domain, without https://, a trailing slash, or a path.
authorizationServerId <string> - Optional Okta custom authorization server id. Omit this to use the org authorization server.
clientId (required) <string> - The Okta OIDC application client_id registered for the gateway's browser login flow.
clientSecret (required) <string> - The Okta OIDC application client_secret. Use $env(...) to source from a secret environment variable.
scope <string> - OIDC scopes requested during browser login. Defaults to "openid profile email".
gateway <object> - Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
- accessTokenTtlSeconds <integer> - Lifetime of access tokens issued by /oauth/token. Defaults to 900.
- refreshTokenTtlSeconds <integer> - Lifetime of refresh tokens issued by /oauth/token. Defaults to 2592000.
- cimdEnabled <boolean> - Whether to advertise client_id_metadata_document_supported in AS metadata. Defaults to true.
browserLoginOverrides <object> - Optional overrides for the derived browser-login settings.
- remoteTimeoutMs <integer> - No description available. Defaults to 10000.
- stateTtlSeconds <integer> - No description available. Defaults to 900.
- sessionTtlSeconds <integer> - No description available. Defaults to 28800.

Using the Policy

MCP Okta OAuth Inbound

Authenticate MCP gateway requests using a gateway-issued OAuth access token, with browser login delegated to Okta.

This is a thin Okta-friendly wrapper around the generic McpOAuthInboundPolicy. Use it when you want to configure browser login with Okta-specific fields instead of the full set of OIDC URLs.

Derived configuration

For the Okta org authorization server, the wrapper derives:

Generic field	Derived value
`oidc.issuer`	`https://{oktaDomain}`
`oidc.jwksUrl`	`https://{oktaDomain}/oauth2/v1/keys`
`browserLogin.url`	`https://{oktaDomain}/oauth2/v1/authorize`
`browserLogin.tokenUrl`	`https://{oktaDomain}/oauth2/v1/token`

When authorizationServerId is set, the wrapper derives custom authorization server URLs:

Generic field	Derived value
`oidc.issuer`	`https://{oktaDomain}/oauth2/{authorizationServerId}`
`oidc.jwksUrl`	`https://{oktaDomain}/oauth2/{authorizationServerId}/v1/keys`
`browserLogin.url`	`https://{oktaDomain}/oauth2/{authorizationServerId}/v1/authorize`
`browserLogin.tokenUrl`	`https://{oktaDomain}/oauth2/{authorizationServerId}/v1/token`

These endpoint shapes follow Okta's org and custom authorization server metadata conventions.

Configuration


Code
{
  "name": "okta-managed-oauth",
  "policyType": "mcp-okta-oauth-inbound",
  "handler": {
    "module": "$import(@zuplo/runtime)",
    "export": "McpOktaOAuthInboundPolicy",
    "options": {
      "oktaDomain": "acme.okta.com",
      "authorizationServerId": "default",
      "clientId": "$env(OKTA_CLIENT_ID)",
      "clientSecret": "$env(OKTA_CLIENT_SECRET)"
    }
  }
}

oktaDomain must be an Okta org domain like acme.okta.com or acme.oktapreview.com. Do not include https://, a trailing slash, or an authorization server path.