remove api token and addition access key

[DrJfrost]

Ticket ENG-1916
https://ethyca.atlassian.net/browse/ENG-1916

Description Of Changes

Analyzed existing OAuth2 client-credentials patterns to guide the Okta worker migration and removed the remaining Okta API-token legacy usage so the connector now expects OAuth2-only secrets. Adjusted schemas, fixtures, configs, and tests to align with the new access-token fields while warning if a legacy token is still supplied.

Code Changes

• reviewed existing OAuth2 client-credentials strategy implementations and documented reusable patterns (analysis only; no code changes required)

• removed api_token handling from OktaConnector and introduced _get_oauth_access_token() erroring when OAuth2 secrets are missing

• updated OktaSchema to deprecate/ignore api_token, surface access_token, and adjusted connection model defaults

• refreshed SaaS YAML fixtures, integration tests, and Okta connection fixtures to rely on access_token

• ensured Nox/test helpers reference OAuth2 environment variables instead of legacy API-token settings

Steps to Confirm

1. python -m pytest tests/ops/service/connectors/saas/test_zipfile_response_management.py
2. python -m pytest tests/ops/integration_tests/test_connection_configuration_integration.py -k okta

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
fides-plus-nightly	Ready	Preview	Comment	Nov 14, 2025 11:02pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
fides-privacy-center	Ignored			Nov 14, 2025 11:02pm

[greptile-apps]

Greptile Overview

Greptile Summary

This PR migrates the Okta connector from legacy API token authentication to OAuth2 access token authentication. The changes deprecate the api_token field while introducing access_token, updating all related tests, fixtures, and configuration files to use the new field name.

Key changes:

• Deprecated api_token in OktaSchema with a warning when detected
• Added access_token field for OAuth2 authentication
• Updated OktaConnector to validate and use access_token with improved error handling
• Added backward-compatible model_dump() logic in OktaConfig to map access_token to token for the Okta client
• Updated all test fixtures, YAML configs, and environment variable references from OKTA_API_TOKEN to OKTA_ACCESS_TOKEN

Issues identified:

• The error message in _get_oauth_access_token() misleadingly suggests implementing an OAuth2 Client Credentials module, but this PR only adds static token support without automatic refresh
• The access_token field should be in _required_components to provide early validation when creating connections, rather than failing at runtime

Confidence Score: 3/5

• This PR has moderate risk due to validation gaps and misleading error messages that could confuse users
• Score reflects two logical issues: (1) misleading error message suggesting OAuth2 auto-refresh when only static tokens are supported, and (2) missing schema validation for access_token which allows invalid connections to be created. The migration is otherwise thorough and includes proper backward compatibility, but these issues could lead to poor user experience and runtime errors.
• Pay close attention to src/fides/api/schemas/connection_configuration/connection_secrets_okta.py (needs validation) and src/fides/api/service/connectors/okta_connector.py (misleading error message)

Important Files Changed

File Analysis

Filename	Score	Overview
src/fides/api/service/connectors/okta_connector.py	4/5	Migrated from API token to OAuth2 access token with deprecation warning; added validation logic
src/fides/api/schemas/connection_configuration/connection_secrets_okta.py	3/5	Deprecated api_token field, added access_token field; removed api_token from required components but validation may be insufficient
src/fides/connectors/models.py	4/5	Added access_token field and model_dump override to map access_token to token for OktaClient compatibility

[greptile-apps]

_{14 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

style: protocol change from http to https appears unrelated to OAuth2 migration. Check that this doesn't break existing test expectations for the mock server.

[stephenkiers]

Does this pass tests in CI, of so, keep

[codecov]

Codecov Report

❌ Patch coverage is 39.28571% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.06%. Comparing base (ce27594) to head (8250806).
⚠️ Report is 19 commits behind head on main.

Files with missing lines	Patch %	Lines
src/fides/api/service/connectors/okta_connector.py	14.28%	12 Missing ⚠️
src/fides/connectors/models.py	50.00%	5 Missing ⚠️

❌ Your project check has failed because the head coverage (82.06%) is below the target coverage (85.00%). You can increase the head coverage or adjust the target coverage.

❗ There is a different number of reports uploaded between BASE (ce27594) and HEAD (8250806). Click for more details.

HEAD has 19 uploads less than BASE

Flag	BASE (ce27594)	HEAD (8250806)
	32	13

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6960      +/-   ##
==========================================
- Coverage   87.32%   82.06%   -5.26%     
==========================================
  Files         525      525              
  Lines       34418    34477      +59     
  Branches     3960     3970      +10     
==========================================
- Hits        30055    28295    -1760     
- Misses       3500     5361    +1861     
+ Partials      863      821      -42     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[stephenkiers]

This will be removed in fast follow, correct?

[DrJfrost]

The idea behind keeping this field is to ensure that existing integrations relying on it elsewhere don't inadvertently affect other parts of the functionality. For now, I've only left it referenced; I'd probably go ahead and remove this field only once I'm confident that the Okta access tokens are properly integrated and nothing breaks as a result.

[stephenkiers]

Where is this secret set? Does this actually exist? ... this is just for bridge support right now, correct? Will be removed for GA?

[stephenkiers]

Also, all other api_token references need to be cleaned up in follow up PR

https://github.com/ethyca/fides/search?q=api_token
https://github.com/ethyca/fides/search?q=OKTA_API_TOKEN

[stephenkiers]

this is just for okta? just want to confirm

[stephenkiers]

perhaps rename or confirm

[stephenkiers]

same here, is this ONLY idp/okta?

[stephenkiers]

Left comments. Also want you to confirm the changes to the tests are ONLY for okta oauth, they seem generic and overreaching

[galvana]

Just a drive by comment since Github auto-tagged me. I agree with @stephenkiers on this:

Also want you to confirm the changes to the tests are ONLY for okta oauth, they seem generic and overreaching

Too many SaaS-related files got caught up in this change. We should roll these back so we don't give the impression later that SaaS functionality changed in this PR.