docs: Okta OAuth 2.0 setup — DPoP, PKCS#1, BATON_AUTH_METHOD (CXH-1519) #167

Merged
luisina-santos merged 1 commit into main from manueltraversarosasia/cxh-1519-baton-okta-oauth-20-setup-docs-missing-dpop-pkcs1-and-auth
May 22, 2026

Conversation

manuel-ts-14 (Contributor) commented May 20, 2026

Summary

  • Documents three required workarounds in the OAuth 2.0 setup walkthrough that the published docs currently omit: disable Okta's DPoP toggle (defaults to on for new API Services apps), provide a PKCS#1-formatted private key (modern OpenSSL produces PKCS#8 which the connector rejects), and set BATON_AUTH_METHOD=private-key-group when using OAuth from the CLI.
  • Adds three soft-gap callouts for common Okta admin-UI footguns the existing walkthrough doesn't acknowledge: the JWK two-step save, scope-grant persistence, and the 403 surfaced when an admin role assignment is missing.
  • Docs-only — no connector code changes.

Why this is needed

Reproduced live on 2026-05-20 against integrator-9077615.okta.com: a customer following the existing OAuth walkthrough verbatim hits this sequence of failures before reaching a working sync. The highest-impact gap is DPoP — Okta now defaults "Require Demonstrating Proof of Possession" to on for new API Services apps, and the connector does not implement DPoP. The customer-visible error ("The DPoP proof JWT header is missing") comes from Okta and gives no indication the connector is the limiting factor, so customers debug the wrong side of the integration.

Full diagnosis, reproduction transcript, and the related connector-side defects (separate tickets) are in CXH-1519.

Scope

In scope here:

  • docs/connector.mdx: one new <Step> (disable DPoP), one new <Warning> callout (PKCS#1 format), three inline <Note> blocks (JWK save gotcha, scope verification, admin role 403).
  • README.md: OAuth env-var example updated with BATON_AUTH_METHOD=private-key-group, plus PKCS#1 and DPoP notes pointing into docs/connector.mdx.

Out of scope — tracked separately:

  • DPoP support in the connector (depends on PR [BB-1459] Upgrade okta v5 #122 / v5 SDK migration, or a wrapper). High-priority follow-on.
  • PKCS#8 acceptance at the SDK or connector boundary.
  • Adding a description to the --auth-method flag in pkg/config/config.go.

Refs:

  • Diagnosis ticket: CXH-1519
  • Parent feature: CXH-1333

🤖 Generated with Claude Code

A customer following the existing OAuth walkthrough in docs/connector.mdx
hits a sequence of failures before reaching a working sync because:

- Okta now defaults Require-DPoP to on for new API Services apps, and the
  connector does not implement DPoP ("The DPoP proof JWT header is missing")
- OpenSSL 3.0+ produces PKCS#8 private keys by default, but the v2 Okta Go
  SDK rejects anything other than PKCS#1 ("RSA private key is of the wrong
  type")
- The CLI requires BATON_AUTH_METHOD=private-key-group to use OAuth, which
  the README example does not include

This change is docs-only: it documents the current required workarounds in
docs/connector.mdx and README.md. The underlying connector defects (DPoP
support, PKCS#8 acceptance, --auth-method help text) are tracked separately.

Parent: CXH-1333

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
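The PKCS#1 versus PKCS#8 mismatch described in the PR and commit message is a PEM-layout problem, not a key problem: the same RSA key can be encoded either way, and the connector only accepts the PKCS#1 layout ("BEGIN RSA PRIVATE KEY"). The program below is an added example, not code from the baton-okta connector or the Okta SDK; it shows how to tell the two layouts apart from the PEM header and how to re-encode a PKCS#8 key as PKCS#1 in Go, which is what `openssl rsa -traditional` does on OpenSSL 3.x. The function names (`DetectKeyFormat`, `ToPKCS1`, `NewPKCS8TestKey`) are this example's own, and the key it generates when run without arguments is a constructed test input, not a customer key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// KeyFormat names how an RSA private key is laid out inside its PEM block.
type KeyFormat string

const (
	FormatPKCS1   KeyFormat = "pkcs1"   // "BEGIN RSA PRIVATE KEY": the layout the connector accepts
	FormatPKCS8   KeyFormat = "pkcs8"   // "BEGIN PRIVATE KEY": OpenSSL 3.x default, rejected by the connector
	FormatUnknown KeyFormat = "unknown" // not a usable RSA private key
)

// parseRSAKey decodes the first PEM block and returns its layout plus the parsed RSA key.
func parseRSAKey(pemBytes []byte) (KeyFormat, *rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return FormatUnknown, nil, errors.New("no PEM block found in input")
	}
	switch block.Type {
	case "RSA PRIVATE KEY": // PKCS#1 (traditional OpenSSL format)
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return FormatUnknown, nil, fmt.Errorf("PKCS#1 body does not parse: %w", err)
		}
		return FormatPKCS1, key, nil
	case "PRIVATE KEY": // PKCS#8 wrapper; may carry RSA, EC or Ed25519 keys
		parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return FormatUnknown, nil, fmt.Errorf("PKCS#8 body does not parse: %w", err)
		}
		key, ok := parsed.(*rsa.PrivateKey)
		if !ok {
			return FormatUnknown, nil, fmt.Errorf("PKCS#8 key is %T, not RSA", parsed)
		}
		return FormatPKCS8, key, nil
	case "ENCRYPTED PRIVATE KEY":
		return FormatUnknown, nil, errors.New("encrypted PKCS#8 key: decrypt it before converting")
	default:
		return FormatUnknown, nil, fmt.Errorf("unexpected PEM type %q", block.Type)
	}
}

// DetectKeyFormat reports whether a PEM file holds a PKCS#1 or PKCS#8 RSA private key.
func DetectKeyFormat(pemBytes []byte) (KeyFormat, error) {
	format, _, err := parseRSAKey(pemBytes)
	return format, err
}

// ToPKCS1 re-encodes a PKCS#8 RSA key as PKCS#1 (same key material, different wrapper).
// PKCS#1 input is returned unchanged, so the call is safe to apply to any key file.
func ToPKCS1(pemBytes []byte) ([]byte, error) {
	format, key, err := parseRSAKey(pemBytes)
	if err != nil {
		return nil, err
	}
	if format == FormatPKCS1 {
		return pemBytes, nil
	}
	return pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	}), nil
}

// NewPKCS8TestKey builds a constructed PKCS#8 key, mimicking `openssl genrsa` on OpenSSL 3.x.
func NewPKCS8TestKey(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func main() {
	// Usage: go run . [key.pem]  (with no argument a constructed PKCS#8 key is used)
	var in []byte
	var err error
	if len(os.Args) > 1 {
		in, err = os.ReadFile(os.Args[1])
	} else {
		in, err = NewPKCS8TestKey(2048)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	before, err := DetectKeyFormat(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	out, _ := ToPKCS1(in)
	after, _ := DetectKeyFormat(out)
	fmt.Fprintf(os.Stderr, "input: %s, output: %s\n", before, after)
	os.Stdout.Write(out)
}
```

The header check alone ("BEGIN PRIVATE KEY" versus "BEGIN RSA PRIVATE KEY") is enough to explain the "RSA private key is of the wrong type" error before a sync is attempted; the conversion is equivalent to `openssl rsa -in key.pem -traditional -out key-pkcs1.pem`, or to generating the key with `openssl genrsa -traditional` in the first place. Note that the converted PKCS#1 file is written unencrypted, so it needs the same file permissions and handling as the original.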
@manuel-ts-14 manuel-ts-14 requested a review from a team May 20, 2026 20:44
linear-code Bot commented May 20, 2026

CXH-1519

github-actions Bot (Contributor) commented
Connector PR Review: docs: Okta OAuth 2.0 setup — DPoP, PKCS#1, BATON_AUTH_METHOD (CXH-1519)

Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review mode: full

Review Summary

Docs-only change adding three critical workaround steps to the OAuth 2.0 setup walkthrough in docs/connector.mdx (disable DPoP, PKCS#1 key format, BATON_AUTH_METHOD env var) and three soft-gap callout notes for common Okta admin-UI gotchas. The README.md OAuth example is updated to include BATON_AUTH_METHOD=private-key-group and key format notes. MDX structure is valid — the new <Step>, <Note>, and <Warning> blocks are correctly nested within the existing <Steps> hierarchy. No security or correctness concerns.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

None.

github-actions Bot left a comment

No blocking issues found.

@luisina-santos luisina-santos merged commit 4ebb376 into main May 22, 2026
11 checks passed
@luisina-santos luisina-santos deleted the manueltraversarosasia/cxh-1519-baton-okta-oauth-20-setup-docs-missing-dpop-pkcs1-and-auth branch May 22, 2026 13:25