From 7c3efe4f42bc37ccab613fe5002c172e147e3195 Mon Sep 17 00:00:00 2001
From: Trevor Box <56689670+trevorbox@users.noreply.github.com>
Date: Wed, 8 Apr 2020 13:28:00 -0700
Subject: [PATCH] Update okta doc (#481)
* updated Okta docs and added localhost example
* add changelog entry
* added pull request # to changelog
Co-authored-by: tbox
Co-authored-by: Joel Speed
---
 CHANGELOG.md | 1 +
 docs/2_auth.md | 35 ++++++++++++++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd46f7c1..86b894a3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ ## Changes since v5.1.0
+- [#481](https://github.com/oauth2-proxy/oauth2-proxy/pull/481) Update Okta docs (@trevorbox)
 - [#474](https://github.com/oauth2-proxy/oauth2-proxy/pull/474) Always log hasMember request error object (@jbielick)
 - [#468](https://github.com/oauth2-proxy/oauth2-proxy/pull/468) Implement graceful shutdown and propagate request context (@johejo)
 - [#464](https://github.com/oauth2-proxy/oauth2-proxy/pull/464) Migrate to oauth2-proxy/oauth2-proxy (@JoelSpeed)
diff --git a/docs/2_auth.md b/docs/2_auth.md
index 23726ef0..9793c08c 100644
--- a/docs/2_auth.md
+++ b/docs/2_auth.md
@@ -203,7 +203,7 @@ you may wish to configure an authorization server for each application. Otherwis
 ```
 provider = "oidc"
-redirect_url = "https://example.corp.com"
+redirect_url = "https://example.corp.com/oauth2/callback"
 oidc_issuer_url = "https://corp.okta.com/oauth2/abCd1234"
 upstreams = [
 "https://example.corp.com"
@@ -224,6 +224,39 @@ Generate a unique `client_secret` to encrypt the cookie.
 Then you can start the oauth2-proxy with `./oauth2-proxy -config /etc/example.cfg`
+#### Configuring the OIDC Provider with Okta - localhost
+1. Signup for developer account: https://developer.okta.com/signup/
+2. Create New `Web` Application: https://${your-okta-domain}/dev/console/apps/new
+3. Example Application Settings for localhost:
+ * **Name:** My Web App
+ * **Base URIs:** http://localhost:4180/
+ * **Login redirect URIs:** http://localhost:4180/oauth2/callback
+ * **Logout redirect URIs:** http://localhost:4180/
+ * **Group assignments:** `Everyone`
+ * **Grant type allowed:** `Authorization Code` and `Refresh Token`
+4. Make note of the `Client ID` and `Client secret`, they are needed in a future step
+5. Make note of the **default** Authorization Server Issuer URI from: https://${your-okta-domain}/admin/oauth2/as
+6. Example config file `/etc/localhost.cfg`
+ ```
+ provider = "oidc"
+ redirect_url = "http://localhost:4180/oauth2/callback"
+ oidc_issuer_url = "https://${your-okta-domain}/oauth2/default"
+ upstreams = [
+ "http://0.0.0.0:8080"
+ ]
+ email_domains = [
+ "*"
+ ]
+ client_id = "XXX"
+ client_secret = "YYY"
+ pass_access_token = true
+ cookie_secret = "ZZZ"
+ cookie_secure = false
+ skip_provider_button = true
+ # Note: use the following for testing within a container
+ # http_address = "0.0.0.0:4180"
+ ```
+7. Then you can start the oauth2-proxy with `./oauth2-proxy -config /etc/localhost.cfg`
 ### login.gov Provider