@cody-eding
Contributor

Closes #5423

📑 Description

This pull request enhances the Okta SSO implementation and documentation to more closely match other OAuth providers such as OneLogin. The okta_authverifier.py file has been improved by taking many pieces of the OneLogin implementation.

Improvements include:

  • Removing invalid role names and class variables
  • Correcting invalid default Okta JWKS URL
  • Support for customized Okta group to Keep role mapping using the groups claim
  • Role mapping and auto-provisioning logic similar to OneLogin
  • Additional logging
  • Updated and fixed missing documentation

✅ Checks

  • My pull request adheres to the code style of this project
  • My code requires changes to the documentation
  • I have updated the documentation as required
  • All the tests have passed

@greptile-apps
Contributor

greptile-apps bot commented Oct 29, 2025

Skipped: This PR does not target one of your configured branches: (refactor/2512-nextjs-15)

@vercel

vercel bot commented Oct 29, 2025

@cody-eding is attempting to deploy a commit to the KeepHQ Team on Vercel.

A member of the Team first needs to authorize it.

@dosubot bot added labels Oct 29, 2025: size:L (This PR changes 100-499 lines, ignoring generated files), Documentation (Improvements or additions to documentation), Provider (Providers related issues)
Comment on lines -35 to +50
self.jwks_url = f"{self.okta_issuer}/.well-known/jwks.json"
self.jwks_url = f"{self.okta_issuer}/v1/keys"
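
Review bot: The new default on the second line builds the JWKS URL by plain concatenation onto self.okta_issuer, so an issuer configured with a trailing slash produces ".../oauth2/default//v1/keys"; strip the trailing slash before appending /v1/keys. The hard-coded path could also be replaced by reading jwks_uri from the issuer's /.well-known/openid-configuration document, and the documentation should state whether OKTA_JWKS_URL still overrides this default, since existing deployments rely on that override.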

Member

how did it work until now?

Contributor Author

I was unable to get the original implementation working unless I overrode the pre-configured default by setting the OKTA_JWKS_URL environment variable.

The Okta documentation suggests that /keys is the appropriate endpoint.

I checked the three Okta tenants I have access to, and they all seem to use /keys for the jwks_url.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what have you set to make it work, I am struggling with that actually

Contributor Author

With my test integration tenant, I set the following in the compose file for both the API and UI with the currently released code:

OKTA_JWKS_URL=https://integrator-XXXXXXX.okta.com/oauth2/default/v1/keys

This assumes your Okta OIDC issuer is something like: https://integrator-XXXXXXX.okta.com/oauth2/default
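
An added example (not code from this PR or from Keep) of resolving and sanity-checking the JWKS URL discussed in this thread: an `OKTA_JWKS_URL` override wins, otherwise `<issuer>/v1/keys` is used, and the result must be https on the issuer's host. The function names, the same-host policy and the sample discovery metadata are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values; the host is the placeholder used in the thread.
ISSUER = "https://integrator-XXXXXXX.okta.com/oauth2/default"
OLD_DEFAULT = f"{ISSUER}/.well-known/jwks.json"
# Constructed stand-in for the issuer's OpenID Connect discovery document,
# with jwks_uri set to the endpoint the contributor reports.
SAMPLE_METADATA = {"issuer": ISSUER, "jwks_uri": f"{ISSUER}/v1/keys"}


def resolve_jwks_url(issuer: str, env: dict) -> str:
    """Pick the JWKS URL: OKTA_JWKS_URL override first, else <issuer>/v1/keys."""
    issuer = issuer.rstrip("/")  # avoid "//v1/keys" when the issuer ends in "/"
    url = env.get("OKTA_JWKS_URL") or f"{issuer}/v1/keys"
    iss, jwks = urlsplit(issuer), urlsplit(url)
    if jwks.scheme != "https":
        raise ValueError(f"JWKS URL must use https: {url}")
    # Assumed policy: signing keys are only trusted from the issuer's own host,
    # so a mistyped or tampered override cannot point at another key set.
    if not jwks.hostname or jwks.hostname != iss.hostname:
        raise ValueError(f"JWKS host {jwks.hostname!r} is not issuer host {iss.hostname!r}")
    return url


def matches_discovery(jwks_url: str, issuer: str, metadata: dict) -> bool:
    """True if metadata belongs to this issuer and advertises jwks_url."""
    same_issuer = metadata.get("issuer", "").rstrip("/") == issuer.rstrip("/")
    return same_issuer and metadata.get("jwks_uri") == jwks_url


if __name__ == "__main__":
    url = resolve_jwks_url(ISSUER + "/", {})
    print(url, matches_discovery(url, ISSUER, SAMPLE_METADATA))
    print(OLD_DEFAULT, matches_discovery(OLD_DEFAULT, ISSUER, SAMPLE_METADATA))
```

In a real deployment the metadata dictionary would be the JSON fetched from the issuer's `/.well-known/openid-configuration` endpoint.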

@shahargl
Member

Hey! thanks for opening this PR!

We have some problem with the CI/CD. Going to handle it soon and let this PR in :)

@vercel

vercel bot commented Nov 16, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
keep Ready Ready Preview Comment Nov 16, 2025 7:59am

@shahargl self-requested a review November 16, 2025 07:53
Member

@shahargl left a comment

lgtm

@dosubot bot added the lgtm label (This PR has been approved by a maintainer) Nov 16, 2025
@shahargl enabled auto-merge (squash) November 16, 2025 07:54
@codecov

codecov bot commented Nov 16, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 30.54%. Comparing base (97c263a) to head (f88505c).
⚠️ Report is 6 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (97c263a) and HEAD (f88505c). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (97c263a) HEAD (f88505c)
2 1
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #5424       +/-   ##
===========================================
- Coverage   46.39%   30.54%   -15.86%     
===========================================
  Files         176      101       -75     
  Lines       18412    11669     -6743     
===========================================
- Hits         8543     3564     -4979     
+ Misses       9869     8105     -1764     

Development

Successfully merging this pull request may close these issues.

[🐛 Bug]: Okta SSO implementation missing features in other OAuth providers, also missing docs

3 participants