[GH-ISSUE #3630] [FEAT]: Support for Okta-Based Authentication Integration #2343

Closed
opened 2026-02-22 18:29:16 -05:00 by yindo · 2 comments
Owner

Originally created by @avinashkurup on GitHub (Apr 11, 2025).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/3630

Hi @timothycarambat ,

Currently, AnythingLLM supports username/password authentication. We’re exploring how to integrate Okta-based authentication and authorization from a custom UI with the AnythingLLM backend.

Request:

We’d appreciate guidance or support for mapping Okta-authenticated sessions (e.g., OAuth2/JWT tokens) to valid AnythingLLM API requests. This would enable secure integration of enterprise SSO into custom frontends.

Considerations:

Okta typically uses OAuth2/JWT tokens, whereas the AnythingLLM backend expects username/password-based sessions.

A way to bridge or map this securely—either via backend support or a recommended middleware/proxy pattern—would be valuable.

We're also open to implementing a custom auth layer or reverse proxy if there are recommendations on how to do this securely.

Request for Guidance:

Is there an existing or planned way to support external authentication flows like Okta? If not, would you suggest any best practices for safely integrating it?

We’re happy to continue the discussion on Discord or collaborate on a possible approach.

Thanks!

Originally created by @avinashkurup on GitHub (Apr 11, 2025). Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/3630 Hi @timothycarambat , Currently, AnythingLLM supports username/password authentication. We’re exploring how to integrate Okta-based authentication and authorization from a custom UI with the AnythingLLM backend. #### Request: We’d appreciate guidance or support for mapping Okta-authenticated sessions (e.g., OAuth2/JWT tokens) to valid AnythingLLM API requests. This would enable secure integration of enterprise SSO into custom frontends. #### Considerations: Okta typically uses OAuth2/JWT tokens, whereas the AnythingLLM backend expects username/password-based sessions. A way to bridge or map this securely—either via backend support or a recommended middleware/proxy pattern—would be valuable. We're also open to implementing a custom auth layer or reverse proxy if there are recommendations on how to do this securely. #### Request for Guidance: Is there an existing or planned way to support external authentication flows like Okta? If not, would you suggest any best practices for safely integrating it? We’re happy to continue the discussion on Discord or collaborate on a possible approach. Thanks!
yindo added the enhancementfeature request labels 2026-02-22 18:29:16 -05:00
yindo closed this issue 2026-02-22 18:29:16 -05:00
Author
Owner

@avinashkurup commented on GitHub (Apr 14, 2025):

Hi @timothycarambat

Following our initial request, we’d like to provide additional context and questions to support further exploration of Okta integration with AnythingLLM.

Our goal is to securely map Okta-authenticated sessions (e.g., OAuth2/JWT tokens) to AnythingLLM's backend, which currently supports only username/password authentication. We're open to implementing a custom middleware or reverse proxy but would appreciate guidance on safe and supported methods for this.

Key follow-up questions:

  • Does AnythingLLM support or plan to support external identity providers like Okta or OAuth2?
  • Is there a way to generate a valid session for the backend using external authentication?
  • Are there any recommended best practices or concerns around implementing a custom auth layer?

We’re happy to continue this conversation on Discord and appreciate any direction from the team.

@avinashkurup commented on GitHub (Apr 14, 2025): Hi @timothycarambat Following our initial request, we’d like to provide additional context and questions to support further exploration of Okta integration with AnythingLLM. Our goal is to securely map Okta-authenticated sessions (e.g., OAuth2/JWT tokens) to AnythingLLM's backend, which currently supports only username/password authentication. We're open to implementing a custom middleware or reverse proxy but would appreciate guidance on safe and supported methods for this. #### Key follow-up questions: - Does AnythingLLM support or plan to support external identity providers like Okta or OAuth2? - Is there a way to generate a valid session for the backend using external authentication? - Are there any recommended best practices or concerns around implementing a custom auth layer? We’re happy to continue this conversation on Discord and appreciate any direction from the team.
Author
Owner

@timothycarambat commented on GitHub (Apr 14, 2025):

Does AnythingLLM support or plan to support external identity providers like Okta or OAuth2?

No, mostly because there are infinite configurations for SSO providers and due to their secure nature, make general debugging quite involved and bespoke per client due to their permissions, config, firewalling, etc.

Is there a way to generate a valid session for the backend using external authentication?

Yes, via the Simple SSO config!

Are there any recommended best practices or concerns around implementing a custom auth layer?

Ultimately you should be doing your pre-auth with your bespoke or provider SSO integration and then issues session tokens based on that. Simple SSO will then bypass the login page via an auth token URL param that is validated against the backend.

Then that session will remain active for a sub user without every having see the login page.

@timothycarambat commented on GitHub (Apr 14, 2025): > Does AnythingLLM support or plan to support external identity providers like Okta or OAuth2? No, mostly because there are infinite configurations for SSO providers and due to their secure nature, make general debugging quite involved and bespoke per client due to their permissions, config, firewalling, etc. > Is there a way to generate a valid session for the backend using external authentication? Yes, via the [Simple SSO config]( https://docs.anythingllm.com/configuration#simple-sso-passthrough)! > Are there any recommended best practices or concerns around implementing a custom auth layer? Ultimately you should be doing your pre-auth with your bespoke or provider SSO integration and then issues session tokens based on that. Simple SSO will then bypass the login page via an auth token URL param that is validated against the backend. Then that session will remain active for a sub user without every having see the login page.
yindo changed title from [FEAT]: Support for Okta-Based Authentication Integration to [GH-ISSUE #3630] [FEAT]: Support for Okta-Based Authentication Integration 2026-06-05 14:46:01 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#2343