TL;DR

  • Okta is an IDaaS provider for SSO, MFA, and user provisioning.
  • Most issues come from misconfiguration, not Okta itself.
  • Focus on redirect handling, token validation, and SCIM exposure.
  • Profile schema writes can lead to privilege escalation.
  • Always map the full auth flow: user -> Okta -> app -> API.

What Okta Does

  • Login and SSO (OIDC, OAuth, SAML)
  • MFA and policy enforcement
  • User provisioning via SCIM
  • Federation between identity providers
  • Centralized user profile schema

Where to Look

  • Login domains: login.example.com, id.example.com
  • Okta tenant domains: *.okta.com, *.oktapreview.com
  • OIDC metadata: /.well-known/openid-configuration
  • User schema API: /api/v1/meta/schemas/user/
  • SCIM endpoints: /scim/v2/Users, /scim/v2/Groups

Common Misconfigurations

  Misconfiguration                Typical Impact
  Weak redirect_uri validation    Open redirect / token leakage
  Over-broad OAuth scopes         Data exposure
  Token validation missing        Auth bypass / account takeover
  Public SCIM endpoints           User enumeration / data leak
  Writable profile attributes     Privilege escalation
  Broken account linking          Login as other users
  MFA not enforced                Account takeover

Quick Checklist

1) Auth flow (OIDC/OAuth/SAML)

  • Confirm redirect_uri is validated against a strict allowlist.
  • Check state and nonce handling.
  • Look for token replay or token injection.
  • Verify id_token and access_token signatures and audience.

2) SCIM provisioning

  • Is /scim/v2/Users exposed?
  • Can you list or modify users without the right scopes?
  • Try low-privileged tokens or missing auth headers.

3) Profile schema

  • Identify attributes the user can write to their own profile (SELF principal with READ_WRITE).
  • Test whether profile attributes drive roles, groups, or MFA.
  • Look for flags like isAdmin, mfaRequired, federated.
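As an added example (not from the original cheat sheet), a small audit over a user schema document that lists the self-writable attributes and flags the ones whose names suggest they drive roles, groups or MFA. The sample document is constructed; its layout (definitions.base / definitions.custom, each property carrying a permissions list with a principal and an action) follows the shape of the user schema API response as I understand it and is an assumption here. The attribute names and the "sensitive" pattern are illustrative.

```python
import json
import re

# Constructed sample in the shape of the user schema API response (assumption
# about layout). Attribute names and permissions are made up for the demo.
SAMPLE_SCHEMA = json.loads("""
{
  "definitions": {
    "base": {
      "properties": {
        "login": {"type": "string",
                  "permissions": [{"principal": "SELF", "action": "READ_ONLY"}]},
        "email": {"type": "string",
                  "permissions": [{"principal": "SELF", "action": "READ_WRITE"}]}
      }
    },
    "custom": {
      "properties": {
        "isAdmin": {"type": "boolean",
                    "permissions": [{"principal": "SELF", "action": "READ_WRITE"}]},
        "mfaRequired": {"type": "boolean",
                        "permissions": [{"principal": "SELF", "action": "READ_ONLY"}]},
        "costCenter": {"type": "string",
                       "permissions": [{"principal": "SELF", "action": "READ_WRITE"}]}
      }
    }
  }
}
""")

# Name fragments that usually mean an attribute feeds authorization decisions.
SENSITIVE = re.compile(r"admin|role|group|mfa|federat|privilege|tier|entitle", re.I)


def self_writable_attributes(schema: dict) -> list:
    """Attributes a user may edit on their own profile: SELF + READ_WRITE."""
    out = []
    for section in ("base", "custom"):
        props = schema.get("definitions", {}).get(section, {}).get("properties", {})
        for name, spec in props.items():
            for perm in spec.get("permissions", []):
                if perm.get("principal") == "SELF" and perm.get("action") == "READ_WRITE":
                    out.append(name)
    return out


def audit_schema(schema: dict) -> dict:
    """Split self-writable attributes into ones to review (name looks like it
    drives roles/groups/MFA) and ones that are merely user-editable data."""
    findings = {"review": [], "ok": []}
    for name in self_writable_attributes(schema):
        bucket = "review" if SENSITIVE.search(name) else "ok"
        findings[bucket].append(name)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_schema(SAMPLE_SCHEMA), indent=2))
```

A hit in the "review" list is only a lead: the next step is to confirm whether anything downstream (group rules, app assignments, MFA policy conditions, SAML/OIDC claims) actually reads that attribute. The fix on the tenant side is to make such attributes READ_ONLY or HIDE for SELF and to key authorization off group membership or admin-managed attributes instead.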

4) Federation and account linking

  • Can you bypass an external IdP and fall back to Okta?
  • Test idp, login_hint, sessionToken parameters.
  • Check if account linking is automatic or insecure.

5) Session handling

  • Inspect cookies and session lifetime.
  • Validate logout behavior across SP and IdP.
  • Confirm token revocation works as expected.

Recon Tips

  • Look for X-Okta-Request-Id in response headers.
  • Inspect redirect patterns: sessionToken=, state=, idp=.
  • Check if the app leaks tenant URL or client IDs in JS.

Practical Testing Flow

  1. Recon the tenant and auth domains.
  2. Pull OIDC metadata and locate auth endpoints.
  3. Map redirect URIs and allowed clients.
  4. Test token validation (aud, iss, exp).
  5. Probe SCIM endpoints and profile schema writes.
  6. Review account linking and federation fallbacks.

Tools

  • Burp Suite (+ SSO extension)
  • jwt_tool or njwt
  • httpx and dirsearch
  • amass / subfinder for tenant discovery

Notes

  • Most Okta bugs are app-level misconfigurations.
  • Always confirm scope before brute force or auth bypass testing.