Manual Chapter : Configuring an Okta OAuth provider with discovery

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

Configuring an Okta OAuth provider with discovery

Configure the Okta OAuth (authorization) server first and make a note of its OpenID URI; this is the issuer URI that APM uses for discovery. For an Okta custom authorization server the issuer has the form https://{yourOktaDomain}/oauth2/{authorizationServerId} (for example, .../oauth2/default), and the discovery document is served beneath it at /.well-known/openid-configuration.

OAuth discovery resolves the provider's host name with the global system DNS servers (not with BIG-IP DNS resolver objects), so you must configure a DNS lookup server under System > Configuration > Device > DNS before discovery will work.

You can configure an Okta OAuth provider to obtain opaque tokens or JSON web tokens (JWTs) from an OAuth authorization server that supports them. When the provider publishes its metadata at a well-known discovery endpoint, APM can discover the JWT settings (issuer, endpoints) and the JSON web key (JWK) set used to verify token signatures directly from the provider.

Without discovery, you can still create token and key configurations in Access > Federation > JSON Web Token.

Note: APM includes preconfigured providers named AzureAD (Azure Active Directory from Microsoft), F5 (APM), Facebook, Google, Okta, and Ping (PingFederate from Ping Identity).

  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > Provider.

    The Provider screen opens.

  2. Click Create.

  3. Type the Name for the provider.

  4. From the Type field, select Okta.

  5. Select the Trusted Certificate Authorities, the CA bundle APM uses to verify the Okta server's TLS certificate when it contacts the server for discovery and for token requests.

  6. Select Use Auto JWT, so that APM retrieves the provider's JWT and JWK configuration through discovery instead of relying on a manually created configuration in Access > Federation > JSON Web Token.

  7. In the OpenID URI field, specify the OpenID URI of the server.

  8. Click Discover to fill in the remaining fields.

    Note: This only works if you have configured a system DNS server in System > Configuration > Device > DNS.

  9. Click Save.

    The new Okta OAuth provider displays on the Provider screen.
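The following script shows what the Discover step retrieves from the OpenID URI and the checks an OAuth client or resource server should apply to the result before trusting the keys it finds. It is an added example, not F5 or Okta code, and makes no claim about how APM implements the Discover button. The Okta domain example.okta.com, the authorization server path /oauth2/default, and the JWKS entry with kid "k1" are constructed placeholders; the discovery document and key set embedded inline are constructed samples shaped like Okta's so the script runs without network access.

```python
"""Resolve an OpenID Connect discovery document and its JWKS.

Added example (not F5 or Okta code). The domain, authorization server id
and key material below are constructed placeholders.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Only asymmetric algorithms make sense for a JWKS-based trust decision:
# never accept "none" or an HMAC alg that a remote party could have minted.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256"}


def discovery_url(openid_uri: str) -> str:
    """Build the well-known URL from the issuer-style OpenID URI."""
    parts = urlsplit(openid_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"OpenID URI must be https://host[/path]: {openid_uri!r}")
    if parts.query or parts.fragment:
        raise ValueError("OpenID URI must not carry a query or fragment")
    if openid_uri.endswith(WELL_KNOWN):
        return openid_uri  # caller already supplied the full discovery URL
    return openid_uri.rstrip("/") + WELL_KNOWN


def fetch_json(url: str) -> dict:
    """Fetch over TLS with certificate verification against the system CA bundle."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def discover(openid_uri: str, fetch=fetch_json) -> dict:
    """Return the endpoints and signing keys a client needs, after sanity checks."""
    doc = fetch(discovery_url(openid_uri))
    expected = openid_uri[:-len(WELL_KNOWN)] if openid_uri.endswith(WELL_KNOWN) else openid_uri.rstrip("/")
    issuer = str(doc.get("issuer", "")).rstrip("/")
    # OIDC Discovery 4.3 / RFC 8414 3.3: the issuer inside the document must
    # equal the location it was fetched from; otherwise a look-alike server
    # could hand out its own keys for someone else's tokens.
    if issuer != expected:
        raise ValueError(f"issuer mismatch: document says {issuer!r}, expected {expected!r}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field)
        if not isinstance(value, str) or not value.startswith("https://"):
            raise ValueError(f"discovery document lacks an https {field}")
    jwks = fetch(doc["jwks_uri"])
    keys = {}
    for jwk in jwks.get("keys", []):
        kid = jwk.get("kid")
        if kid and jwk.get("use", "sig") == "sig":  # ignore encryption-only keys
            keys[kid] = jwk
    if not keys:
        raise ValueError("JWKS contains no usable signing keys")
    return {
        "issuer": issuer,
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "userinfo_endpoint": doc.get("userinfo_endpoint"),
        "jwks_uri": doc["jwks_uri"],
        "keys": keys,
    }


def pick_signing_key(config: dict, jwt_header: dict) -> dict:
    """Choose the JWK for a token header; reject weak or unknown algs and kids."""
    alg = jwt_header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"refusing alg {alg!r}")
    kid = jwt_header.get("kid")
    key = config["keys"].get(kid)
    if key is None:
        raise KeyError(f"no key with kid {kid!r}; re-run discovery if the provider rotated keys")
    if key.get("alg", alg) != alg:
        raise ValueError("token alg does not match the key's declared alg")
    return key


# Constructed sample data (placeholder tenant, placeholder key) for offline use.
ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_DOCS = {
    ISSUER + WELL_KNOWN: {
        "issuer": ISSUER,
        "authorization_endpoint": ISSUER + "/v1/authorize",
        "token_endpoint": ISSUER + "/v1/token",
        "userinfo_endpoint": ISSUER + "/v1/userinfo",
        "jwks_uri": ISSUER + "/v1/keys",
    },
    ISSUER + "/v1/keys": {"keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "k1", "n": "placeholder", "e": "AQAB"},
        {"kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "kid": "k2", "n": "placeholder", "e": "AQAB"},
    ]},
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for fetch_json that serves the constructed documents."""
    return SAMPLE_DOCS[url]


if __name__ == "__main__":
    cfg = discover(ISSUER, fetch=sample_fetch)
    print(json.dumps({k: v for k, v in cfg.items() if k != "keys"}, indent=2))
    print("signing kids:", sorted(cfg["keys"]))
```

To run it against a real tenant, replace sample_fetch with the default fetch_json by calling discover("https://{yourOktaDomain}/oauth2/default"); the host name is then resolved with the system resolver, which is the same dependency the DNS note above describes for APM.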