ENG-1952 Add OAuth2 HTTP client with DPoP support

[stephenkiers]

Ticket ENG-1952

Description Of Changes

This work introduces a minimal Okta HTTP client with full support for OAuth2 private_key_jwt authentication and DPoP — functionality not provided by the Okta SDK. It also adds a comprehensive suite of unit tests. This client is the foundation for the OAuth2 migration required to properly secure the Okta Identity Provider Monitor.

Code Changes

• Added OktaHttpClient implementing OAuth2 private_key_jwt + DPoP authentication.
• Implemented key parsing, algorithm selection, and structured error handling for missing dependencies or invalid keys.
• Added pagination helpers (list_applications, list_all_applications) with cursor extraction from response headers.
• Introduced test_okta_http_client.py with full mock-based coverage for initialization, authentication, pagination, helper methods, and error paths.
• Tests validate handling of invalid JWKs, algorithm resolution, missing deps, and API error conditions.

Steps to Confirm

1. Run unit tests: nox -s unit.
2. Validate the client can fetch paginated Okta applications using mocked responses.
3. Confirm error handling behavior by running tests covering invalid keys, missing dependencies, and API failures.

Pre-Merge Checklist

• All CI Pipelines Succeeded
• New features have been verified on Demo Environment using nox -s demo -- dev
• Documentation:
  • documentation complete, [PR opened in fides

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
fides-plus-nightly	Ignored	Preview		Nov 26, 2025 9:58am
fides-privacy-center	Ignored			Nov 26, 2025 9:58am

[greptile-apps]

Greptile Overview

Greptile Summary

This PR introduces a minimal Okta HTTP client with OAuth2 private_key_jwt authentication and DPoP (Demonstrating Proof-of-Possession) support, filling a gap left by the Okta SDK.

Key Changes:

• Added new OktaHttpClient class with comprehensive OAuth2 authentication flow
• Implemented JWK parsing, algorithm detection (RSA/EC curves), and DPoP key generation
• Added pagination helpers for listing Okta applications with cursor-based navigation
• Comprehensive test suite with 100% mock-based coverage

Issues Found:

• Imports placed inside functions (__init__ and _get_token) instead of at module top, violating code standards
• Typo in docstring: "iplementation" should be "implementation"

Confidence Score: 4/5

• Safe to merge after fixing typo and moving imports to module top
• Well-structured implementation with comprehensive test coverage and proper error handling. Minor style violations (imports inside functions) and a typo need fixing, but no logical errors or security issues found
• Pay attention to src/fides/api/service/connectors/okta_http_client.py for the import placement and typo fixes

Important Files Changed

File Analysis

Filename	Score	Overview
requirements.txt	5/5	Added requests-oauth2client>=1.5.0 dependency for OAuth2 with DPoP support
src/fides/api/service/connectors/okta_http_client.py	3/5	New OAuth2 HTTP client with DPoP support; has imports inside functions violating code standards and a typo in docstring
tests/ops/service/connectors/test_okta_http_client.py	5/5	Comprehensive test coverage with proper mocking and no issues found

[greptile-apps]

_{3 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

syntax: "iplementation" is misspelled

Suggested change

	we will extract it from this iplementation with a clear product decision and 2-3 use
	we will extract it from this implementation with a clear product decision and 2-3 use

[codecov]

Codecov Report

❌ Patch coverage is 96.72131% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.07%. Comparing base (0b67f6e) to head (cc2965c).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...c/fides/api/service/connectors/okta_http_client.py	96.72%	2 Missing and 2 partials ⚠️

❌ Your patch check has failed because the patch coverage (96.72%) is below the target coverage (100.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7038      +/-   ##
==========================================
+ Coverage   87.03%   87.07%   +0.03%     
==========================================
  Files         528      529       +1     
  Lines       34666    34788     +122     
  Branches     4005     4021      +16     
==========================================
+ Hits        30172    30290     +118     
- Misses       3620     3622       +2     
- Partials      874      876       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.