Prevent users from deleting the last payment method attached to the org

feat(app-connection, secret-rotation): Okta App Connection + Okta Client Secret Rotation

README.md

@@ -149,11 +149,8 @@ Not sure where to get started? You can:
 
 - Join our <a href="https://infisical.com/slack">Slack</a>, and ask us any questions there.
 
-## Resources
+## We are hiring!
 
-- [Docs](https://infisical.com/docs/documentation/getting-started/introduction) for comprehensive documentation and guides
-- [Slack](https://infisical.com/slack) for discussion with the community and Infisical team.
-- [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
-- [Twitter](https://twitter.com/infisical) for fast news
-- [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
-- [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
+If you're reading this, there is a strong chance you like the products we created.
+
+You might also make a great addition to our team. We're growing fast and would love for you to [join us](https://infisical.com/careers).

backend/src/db/migrations/20250717195959_gatewayid-for-app-conn.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.AppConnection, "gatewayId"))) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.uuid("gatewayId").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.AppConnection, "gatewayId")) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250721101756_bump-aws-arn-field-size.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 4096).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 2048).notNullable().alter();
+    });
+  }
+}

backend/src/db/schemas/app-connections.ts

@@ -20,7 +20,8 @@ export const AppConnectionsSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional()
+  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -6,6 +6,7 @@ import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-r
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
+import { registerOktaClientSecretRotationRouter } from "./okta-client-secret-rotation-router";
 import { registerOracleDBCredentialsRotationRouter } from "./oracledb-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
@@ -22,5 +23,6 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,
-  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter
+  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter,
+  [SecretRotation.OktaClientSecret]: registerOktaClientSecretRotationRouter
 };

backend/src/ee/routes/v2/secret-rotation-v2-routers/okta-client-secret-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreateOktaClientSecretRotationSchema,
+  OktaClientSecretRotationGeneratedCredentialsSchema,
+  OktaClientSecretRotationSchema,
+  UpdateOktaClientSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/okta-client-secret";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerOktaClientSecretRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.OktaClientSecret,
+    server,
+    responseSchema: OktaClientSecretRotationSchema,
+    createSchema: CreateOktaClientSecretRotationSchema,
+    updateSchema: UpdateOktaClientSecretRotationSchema,
+    generatedCredentialsSchema: OktaClientSecretRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -7,6 +7,7 @@ import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OktaClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
 import { OracleDBCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
@@ -23,7 +24,8 @@ const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,
-  LdapPasswordRotationListItemSchema
+  LdapPasswordRotationListItemSchema,
+  OktaClientSecretRotationListItemSchema
 ]);
 
 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts

@@ -45,7 +45,10 @@ export const ValidateOracleDBConnectionCredentialsSchema = z.discriminatedUnion(
 ]);
 
 export const CreateOracleDBConnectionSchema = ValidateOracleDBConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, {
+    supportsPlatformManagedCredentials: true,
+    supportsGateways: true
+  })
 );
 
 export const UpdateOracleDBConnectionSchema = z
@@ -54,7 +57,12 @@ export const UpdateOracleDBConnectionSchema = z
       AppConnections.UPDATE(AppConnection.OracleDB).credentials
     )
   })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true }));
+  .and(
+    GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, {
+      supportsPlatformManagedCredentials: true,
+      supportsGateways: true
+    })
+  );
 
 export const OracleDBConnectionListItemSchema = z.object({
   name: z.literal("OracleDB"),

backend/src/ee/services/license/license-service.ts

@@ -5,13 +5,14 @@
 // TODO(akhilmhdh): With tony find out the api structure and fill it here
 
 import { ForbiddenError } from "@casl/ability";
+import { AxiosError } from "axios";
 import { CronJob } from "cron";
 import { Knex } from "knex";
 
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
-import { NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -603,10 +604,22 @@ export const licenseServiceFactory = ({
       });
     }
 
-    const { data } = await licenseServerCloudApi.request.delete(
-      `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods/${pmtMethodId}`
-    );
-    return data;
+    try {
+      const { data } = await licenseServerCloudApi.request.delete(
+        `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods/${pmtMethodId}`
+      );
+      return data;
+    } catch (error) {
+      if (error instanceof AxiosError) {
+        throw new BadRequestError({
+          // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+          message: `Failed to remove payment method: ${error.response?.data?.message}`
+        });
+      }
+      throw new BadRequestError({
+        message: "Unable to remove payment method"
+      });
+    }
   };
 
   const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {

backend/src/ee/services/secret-rotation-v2/okta-client-secret/index.ts

@@ -0,0 +1,3 @@
+export * from "./okta-client-secret-rotation-constants";
+export * from "./okta-client-secret-rotation-schemas";
+export * from "./okta-client-secret-rotation-types";

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-constants.ts

@@ -0,0 +1,15 @@
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
+  name: "Okta Client Secret",
+  type: SecretRotation.OktaClientSecret,
+  connection: AppConnection.Okta,
+  template: {
+    secretsMapping: {
+      clientId: "OKTA_CLIENT_ID",
+      clientSecret: "OKTA_CLIENT_SECRET"
+    }
+  }
+};

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-fns.ts

@@ -0,0 +1,273 @@
+/* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+
+import {
+  TRotationFactory,
+  TRotationFactoryGetSecretsPayload,
+  TRotationFactoryIssueCredentials,
+  TRotationFactoryRevokeCredentials,
+  TRotationFactoryRotateCredentials
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { request } from "@app/lib/config/request";
+import { delay as delayMs } from "@app/lib/delay";
+import { BadRequestError } from "@app/lib/errors";
+import { getOktaInstanceUrl } from "@app/services/app-connection/okta";
+
+import {
+  TOktaClientSecret,
+  TOktaClientSecretRotationGeneratedCredentials,
+  TOktaClientSecretRotationWithConnection
+} from "./okta-client-secret-rotation-types";
+
+type OktaErrorResponse = { errorCode: string; errorSummary: string; errorCauses?: { errorSummary: string }[] };
+
+const isOktaErrorResponse = (data: unknown): data is OktaErrorResponse => {
+  return (
+    typeof data === "object" &&
+    data !== null &&
+    "errorSummary" in data &&
+    typeof (data as OktaErrorResponse).errorSummary === "string"
+  );
+};
+
+const createErrorMessage = (error: unknown) => {
+  if (error instanceof AxiosError) {
+    if (error.response?.data && isOktaErrorResponse(error.response.data)) {
+      const oktaError = error.response.data;
+      if (oktaError.errorCauses && oktaError.errorCauses.length > 0) {
+        return oktaError.errorCauses[0].errorSummary;
+      }
+      return oktaError.errorSummary;
+    }
+    if (error.message) {
+      return error.message;
+    }
+  }
+  return "Unknown error";
+};
+
+// Delay between each revocation call in revokeCredentials
+const DELAY_MS = 1000;
+
+export const oktaClientSecretRotationFactory: TRotationFactory<
+  TOktaClientSecretRotationWithConnection,
+  TOktaClientSecretRotationGeneratedCredentials
+> = (secretRotation) => {
+  const {
+    connection,
+    parameters: { clientId },
+    secretsMapping
+  } = secretRotation;
+
+  /**
+   * Creates a new client secret for the Okta app.
+   */
+  const $rotateClientSecret = async () => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.post<TOktaClientSecret>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets`,
+        {},
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      if (!data.client_secret || !data.id) {
+        throw new Error("Invalid response from Okta: missing 'client_secret' or secret 'id'.");
+      }
+
+      return {
+        clientSecret: data.client_secret,
+        secretId: data.id,
+        clientId
+      };
+    } catch (error: unknown) {
+      if (
+        error instanceof AxiosError &&
+        error.response?.data &&
+        isOktaErrorResponse(error.response.data) &&
+        error.response.data.errorCode === "E0000001"
+      ) {
+        // Okta has a maximum of 2 secrets per app, thus we must warn the users in case they already have 2
+        throw new BadRequestError({
+          message: `Failed to add client secret to Okta app ${clientId}: You must have only a single secret for the Okta app prior to creating this secret rotation.`
+        });
+      }
+
+      throw new BadRequestError({
+        message: `Failed to add client secret to Okta app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * List client secrets.
+   */
+  const $listClientSecrets = async () => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.get<TOktaClientSecret[]>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets`,
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      return data;
+    } catch (error: unknown) {
+      throw new BadRequestError({
+        message: `Failed to list client secrets for Okta app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * Checks if a credential with the given secretId exists.
+   */
+  const credentialExists = async (secretId: string): Promise<boolean> => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.get<TOktaClientSecret>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}`,
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      return data.id === secretId;
+    } catch (_) {
+      return false;
+    }
+  };
+
+  /**
+   * Revokes a client secret from the Okta app using its secretId.
+   * First checks if the credential exists before attempting revocation.
+   */
+  const revokeCredential = async (secretId: string) => {
+    // Check if credential exists before attempting revocation
+    const exists = await credentialExists(secretId);
+    if (!exists) {
+      return; // Credential doesn't exist, nothing to revoke
+    }
+
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      // First deactivate the secret
+      await request.post(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}/lifecycle/deactivate`,
+        undefined,
+        {
+          headers: {
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      // Then delete it
+      await request.delete(`${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}`, {
+        headers: {
+          Authorization: `SSWS ${connection.credentials.apiToken}`
+        }
+      });
+    } catch (error: unknown) {
+      if (
+        error instanceof AxiosError &&
+        error.response?.data &&
+        isOktaErrorResponse(error.response.data) &&
+        error.response.data.errorCode === "E0000001"
+      ) {
+        // If this is the last secret, we cannot revoke it
+        return;
+      }
+
+      throw new BadRequestError({
+        message: `Failed to remove client secret with secretId ${secretId} from app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * Issues a new set of credentials.
+   */
+  const issueCredentials: TRotationFactoryIssueCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    callback
+  ) => {
+    const credentials = await $rotateClientSecret();
+    return callback(credentials);
+  };
+
+  /**
+   * Revokes a list of credentials.
+   */
+  const revokeCredentials: TRotationFactoryRevokeCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    credentials,
+    callback
+  ) => {
+    if (!credentials?.length) return callback();
+
+    for (const { secretId } of credentials) {
+      await revokeCredential(secretId);
+      await delayMs(DELAY_MS);
+    }
+    return callback();
+  };
+
+  /**
+   * Rotates credentials by issuing new ones and revoking the old.
+   */
+  const rotateCredentials: TRotationFactoryRotateCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    oldCredentials,
+    callback,
+    activeCredentials
+  ) => {
+    // Since in Okta you can only have a maximum of 2 secrets at a time, we must delete any other secret besides the current one PRIOR to generating the second secret
+    if (oldCredentials?.secretId) {
+      await revokeCredential(oldCredentials.secretId);
+    } else if (activeCredentials) {
+      // On the first rotation oldCredentials won't be set so we must find the second secret manually
+      const secrets = await $listClientSecrets();
+
+      if (secrets.length > 1) {
+        const nonActiveSecret = secrets.find((secret) => secret.id !== activeCredentials.secretId);
+        if (nonActiveSecret) {
+          await revokeCredential(nonActiveSecret.id);
+        }
+      }
+    }
+
+    const newCredentials = await $rotateClientSecret();
+    return callback(newCredentials);
+  };
+
+  /**
+   * Maps the generated credentials into the secret payload format.
+   */
+  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TOktaClientSecretRotationGeneratedCredentials> = ({
+    clientSecret
+  }) => [
+    { key: secretsMapping.clientId, value: clientId },
+    { key: secretsMapping.clientSecret, value: clientSecret }
+  ];
+
+  return {
+    issueCredentials,
+    revokeCredentials,
+    rotateCredentials,
+    getSecretsPayload
+  };
+};

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-schemas.ts

@@ -0,0 +1,68 @@
+import { z } from "zod";
+
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import {
+  BaseCreateSecretRotationSchema,
+  BaseSecretRotationSchema,
+  BaseUpdateSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
+import { SecretRotations } from "@app/lib/api-docs";
+import { SecretNameSchema } from "@app/server/lib/schemas";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const OktaClientSecretRotationGeneratedCredentialsSchema = z
+  .object({
+    clientId: z.string(),
+    clientSecret: z.string(),
+    secretId: z.string()
+  })
+  .array()
+  .min(1)
+  .max(2);
+
+const OktaClientSecretRotationParametersSchema = z.object({
+  clientId: z
+    .string()
+    .trim()
+    .min(1, "Client ID Required")
+    .describe(SecretRotations.PARAMETERS.OKTA_CLIENT_SECRET.clientId)
+});
+
+const OktaClientSecretRotationSecretsMappingSchema = z.object({
+  clientId: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.OKTA_CLIENT_SECRET.clientId),
+  clientSecret: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.OKTA_CLIENT_SECRET.clientSecret)
+});
+
+export const OktaClientSecretRotationTemplateSchema = z.object({
+  secretsMapping: z.object({
+    clientId: z.string(),
+    clientSecret: z.string()
+  })
+});
+
+export const OktaClientSecretRotationSchema = BaseSecretRotationSchema(SecretRotation.OktaClientSecret).extend({
+  type: z.literal(SecretRotation.OktaClientSecret),
+  parameters: OktaClientSecretRotationParametersSchema,
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema
+});
+
+export const CreateOktaClientSecretRotationSchema = BaseCreateSecretRotationSchema(
+  SecretRotation.OktaClientSecret
+).extend({
+  parameters: OktaClientSecretRotationParametersSchema,
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema
+});
+
+export const UpdateOktaClientSecretRotationSchema = BaseUpdateSecretRotationSchema(
+  SecretRotation.OktaClientSecret
+).extend({
+  parameters: OktaClientSecretRotationParametersSchema.optional(),
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema.optional()
+});
+
+export const OktaClientSecretRotationListItemSchema = z.object({
+  name: z.literal("Okta Client Secret"),
+  connection: z.literal(AppConnection.Okta),
+  type: z.literal(SecretRotation.OktaClientSecret),
+  template: OktaClientSecretRotationTemplateSchema
+});

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-types.ts

@@ -0,0 +1,40 @@
+import { z } from "zod";
+
+import { TOktaConnection } from "@app/services/app-connection/okta";
+
+import {
+  CreateOktaClientSecretRotationSchema,
+  OktaClientSecretRotationGeneratedCredentialsSchema,
+  OktaClientSecretRotationListItemSchema,
+  OktaClientSecretRotationSchema
+} from "./okta-client-secret-rotation-schemas";
+
+export type TOktaClientSecretRotation = z.infer<typeof OktaClientSecretRotationSchema>;
+
+export type TOktaClientSecretRotationInput = z.infer<typeof CreateOktaClientSecretRotationSchema>;
+
+export type TOktaClientSecretRotationListItem = z.infer<typeof OktaClientSecretRotationListItemSchema>;
+
+export type TOktaClientSecretRotationWithConnection = TOktaClientSecretRotation & {
+  connection: TOktaConnection;
+};
+
+export type TOktaClientSecretRotationGeneratedCredentials = z.infer<
+  typeof OktaClientSecretRotationGeneratedCredentialsSchema
+>;
+
+export interface TOktaClientSecretRotationParameters {
+  clientId: string;
+  secretId: string;
+}
+
+export interface TOktaClientSecretRotationSecretsMapping {
+  clientId: string;
+  clientSecret: string;
+  secretId: string;
+}
+
+export interface TOktaClientSecret {
+  id: string;
+  client_secret: string;
+}

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts

@@ -6,7 +6,8 @@ export enum SecretRotation {
   Auth0ClientSecret = "auth0-client-secret",
   AzureClientSecret = "azure-client-secret",
   AwsIamUserSecret = "aws-iam-user-secret",
-  LdapPassword = "ldap-password"
+  LdapPassword = "ldap-password",
+  OktaClientSecret = "okta-client-secret"
 }
 
 export enum SecretRotationStatus {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -10,6 +10,7 @@ import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret"
 import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
+import { OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./okta-client-secret";
 import { ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION } from "./oracledb-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -30,7 +31,8 @@ const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2List
   [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AzureClientSecret]: AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION,
-  [SecretRotation.LdapPassword]: LDAP_PASSWORD_ROTATION_LIST_OPTION
+  [SecretRotation.LdapPassword]: LDAP_PASSWORD_ROTATION_LIST_OPTION,
+  [SecretRotation.OktaClientSecret]: OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION
 };
 
 export const listSecretRotationOptions = () => {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts

@@ -9,7 +9,8 @@ export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
   [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret",
   [SecretRotation.AzureClientSecret]: "Azure Client Secret",
   [SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret",
-  [SecretRotation.LdapPassword]: "LDAP Password"
+  [SecretRotation.LdapPassword]: "LDAP Password",
+  [SecretRotation.OktaClientSecret]: "Okta Client Secret"
 };
 
 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
@@ -20,5 +21,6 @@ export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnectio
   [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0,
   [SecretRotation.AzureClientSecret]: AppConnection.AzureClientSecrets,
   [SecretRotation.AwsIamUserSecret]: AppConnection.AWS,
-  [SecretRotation.LdapPassword]: AppConnection.LDAP
+  [SecretRotation.LdapPassword]: AppConnection.LDAP,
+  [SecretRotation.OktaClientSecret]: AppConnection.Okta
 };

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -4,6 +4,7 @@ import isEqual from "lodash.isequal";
 
 import { SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { hasSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -82,6 +83,7 @@ import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secre
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
 
 import { awsIamUserSecretRotationFactory } from "./aws-iam-user-secret/aws-iam-user-secret-rotation-fns";
+import { oktaClientSecretRotationFactory } from "./okta-client-secret/okta-client-secret-rotation-fns";
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 
 export type TSecretRotationV2ServiceFactoryDep = {
@@ -107,6 +109,7 @@ export type TSecretRotationV2ServiceFactoryDep = {
   queueService: Pick<TQueueServiceFactory, "queuePg">;
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">;
   folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };
 
 export type TSecretRotationV2ServiceFactory = ReturnType<typeof secretRotationV2ServiceFactory>;
@@ -126,7 +129,8 @@ const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplem
   [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AzureClientSecret]: azureClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.LdapPassword]: ldapPasswordRotationFactory as TRotationFactoryImplementation
+  [SecretRotation.LdapPassword]: ldapPasswordRotationFactory as TRotationFactoryImplementation,
+  [SecretRotation.OktaClientSecret]: oktaClientSecretRotationFactory as TRotationFactoryImplementation
 };
 
 export const secretRotationV2ServiceFactory = ({
@@ -148,7 +152,8 @@ export const secretRotationV2ServiceFactory = ({
   keyStore,
   queueService,
   folderCommitService,
-  appConnectionDAL
+  appConnectionDAL,
+  gatewayService
 }: TSecretRotationV2ServiceFactoryDep) => {
   const $queueSendSecretRotationStatusNotification = async (secretRotation: TSecretRotationV2Raw) => {
     const appCfg = getConfig();
@@ -461,7 +466,8 @@ export const secretRotationV2ServiceFactory = ({
         rotationInterval: payload.rotationInterval
       } as TSecretRotationV2WithConnection,
       appConnectionDAL,
-      kmsService
+      kmsService,
+      gatewayService
     );
 
     // even though we have a db constraint we want to check before any rotation of credentials is attempted
@@ -824,7 +830,8 @@ export const secretRotationV2ServiceFactory = ({
           connection: appConnection
         } as TSecretRotationV2WithConnection,
         appConnectionDAL,
-        kmsService
+        kmsService,
+        gatewayService
       );
 
       const generatedCredentials = await decryptSecretRotationCredentials({
@@ -907,7 +914,8 @@ export const secretRotationV2ServiceFactory = ({
           connection: appConnection
         } as TSecretRotationV2WithConnection,
         appConnectionDAL,
-        kmsService
+        kmsService,
+        gatewayService
       );
 
       const updatedRotation = await rotationFactory.rotateCredentials(

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -1,4 +1,5 @@
 import { AuditLogInfo } from "@app/ee/services/audit-log/audit-log-types";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TSqlCredentialsRotationGeneratedCredentials } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types";
 import { OrderByDirection } from "@app/lib/types";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
@@ -45,6 +46,13 @@ import {
   TMySqlCredentialsRotationListItem,
   TMySqlCredentialsRotationWithConnection
 } from "./mysql-credentials";
+import {
+  TOktaClientSecretRotation,
+  TOktaClientSecretRotationGeneratedCredentials,
+  TOktaClientSecretRotationInput,
+  TOktaClientSecretRotationListItem,
+  TOktaClientSecretRotationWithConnection
+} from "./okta-client-secret";
 import {
   TOracleDBCredentialsRotation,
   TOracleDBCredentialsRotationInput,
@@ -68,7 +76,8 @@ export type TSecretRotationV2 =
   | TAuth0ClientSecretRotation
   | TAzureClientSecretRotation
   | TLdapPasswordRotation
-  | TAwsIamUserSecretRotation;
+  | TAwsIamUserSecretRotation
+  | TOktaClientSecretRotation;
 
 export type TSecretRotationV2WithConnection =
   | TPostgresCredentialsRotationWithConnection
@@ -78,14 +87,16 @@ export type TSecretRotationV2WithConnection =
   | TAuth0ClientSecretRotationWithConnection
   | TAzureClientSecretRotationWithConnection
   | TLdapPasswordRotationWithConnection
-  | TAwsIamUserSecretRotationWithConnection;
+  | TAwsIamUserSecretRotationWithConnection
+  | TOktaClientSecretRotationWithConnection;
 
 export type TSecretRotationV2GeneratedCredentials =
   | TSqlCredentialsRotationGeneratedCredentials
   | TAuth0ClientSecretRotationGeneratedCredentials
   | TAzureClientSecretRotationGeneratedCredentials
   | TLdapPasswordRotationGeneratedCredentials
-  | TAwsIamUserSecretRotationGeneratedCredentials;
+  | TAwsIamUserSecretRotationGeneratedCredentials
+  | TOktaClientSecretRotationGeneratedCredentials;
 
 export type TSecretRotationV2Input =
   | TPostgresCredentialsRotationInput
@@ -95,7 +106,8 @@ export type TSecretRotationV2Input =
   | TAuth0ClientSecretRotationInput
   | TAzureClientSecretRotationInput
   | TLdapPasswordRotationInput
-  | TAwsIamUserSecretRotationInput;
+  | TAwsIamUserSecretRotationInput
+  | TOktaClientSecretRotationInput;
 
 export type TSecretRotationV2ListItem =
   | TPostgresCredentialsRotationListItem
@@ -105,7 +117,8 @@ export type TSecretRotationV2ListItem =
   | TAuth0ClientSecretRotationListItem
   | TAzureClientSecretRotationListItem
   | TLdapPasswordRotationListItem
-  | TAwsIamUserSecretRotationListItem;
+  | TAwsIamUserSecretRotationListItem
+  | TOktaClientSecretRotationListItem;
 
 export type TSecretRotationV2TemporaryParameters = TLdapPasswordRotationInput["temporaryParameters"] | undefined;
 
@@ -239,7 +252,8 @@ export type TRotationFactory<
 > = (
   secretRotation: T,
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ) => {
   issueCredentials: TRotationFactoryIssueCredentials<C, P>;
   revokeCredentials: TRotationFactoryRevokeCredentials<C>;

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts

@@ -6,6 +6,7 @@ import { AzureClientSecretRotationSchema } from "@app/ee/services/secret-rotatio
 import { LdapPasswordRotationSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OktaClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
 import { OracleDBCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
@@ -17,5 +18,6 @@ export const SecretRotationV2Schema = z.discriminatedUnion("type", [
   Auth0ClientSecretRotationSchema,
   AzureClientSecretRotationSchema,
   LdapPasswordRotationSchema,
-  AwsIamUserSecretRotationSchema
+  AwsIamUserSecretRotationSchema,
+  OktaClientSecretRotationSchema
 ]);

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts

@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import {
   TRotationFactory,
   TRotationFactoryGetSecretsPayload,
@@ -5,7 +7,10 @@ import {
   TRotationFactoryRevokeCredentials,
   TRotationFactoryRotateCredentials
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { getSqlConnectionClient, SQL_CONNECTION_ALTER_LOGIN_STATEMENT } from "@app/services/app-connection/shared/sql";
+import {
+  executeWithPotentialGateway,
+  SQL_CONNECTION_ALTER_LOGIN_STATEMENT
+} from "@app/services/app-connection/shared/sql";
 
 import { generatePassword } from "../utils";
 import {
@@ -30,7 +35,7 @@ const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGenerat
 export const sqlCredentialsRotationFactory: TRotationFactory<
   TSqlCredentialsRotationWithConnection,
   TSqlCredentialsRotationGeneratedCredentials
-> = (secretRotation) => {
+> = (secretRotation, _appConnectionDAL, _kmsService, gatewayService) => {
   const {
     connection,
     parameters: { username1, username2 },
@@ -38,29 +43,38 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     secretsMapping
   } = secretRotation;
 
-  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
-    const client = await getSqlConnectionClient({
-      ...connection,
-      credentials: {
-        ...connection.credentials,
-        ...credentials
-      }
-    });
+  const executeOperation = <T>(
+    operation: (client: Knex) => Promise<T>,
+    credentialsOverride?: TSqlCredentialsRotationGeneratedCredentials[number]
+  ) => {
+    const finalCredentials = {
+      ...connection.credentials,
+      ...credentialsOverride
+    };
 
+    return executeWithPotentialGateway(
+      {
+        ...connection,
+        credentials: finalCredentials
+      },
+      gatewayService,
+      (client) => operation(client)
+    );
+  };
+
+  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
     try {
-      await client.raw("SELECT 1");
+      await executeOperation(async (client) => {
+        await client.raw("SELECT 1");
+      }, credentials);
     } catch (error) {
       throw new Error(redactPasswords(error, [credentials]));
-    } finally {
-      await client.destroy();
     }
   };
 
   const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     // For SQL, since we get existing users, we change both their passwords
     // on issue to invalidate their existing passwords
     const credentialsSet = [
@@ -69,15 +83,15 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     ];
 
     try {
-      await client.transaction(async (tx) => {
-        for await (const credentials of credentialsSet) {
-          await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
-        }
+      await executeOperation(async (client) => {
+        await client.transaction(async (tx) => {
+          for await (const credentials of credentialsSet) {
+            await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+          }
+        });
       });
     } catch (error) {
       throw new Error(redactPasswords(error, credentialsSet));
-    } finally {
-      await client.destroy();
     }
 
     for await (const credentials of credentialsSet) {
@@ -91,21 +105,19 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     credentialsToRevoke,
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     const revokedCredentials = credentialsToRevoke.map(({ username }) => ({ username, password: generatePassword() }));
 
     try {
-      await client.transaction(async (tx) => {
-        for await (const credentials of revokedCredentials) {
-          // invalidate previous passwords
-          await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
-        }
+      await executeOperation(async (client) => {
+        await client.transaction(async (tx) => {
+          for await (const credentials of revokedCredentials) {
+            // invalidate previous passwords
+            await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+          }
+        });
       });
     } catch (error) {
       throw new Error(redactPasswords(error, revokedCredentials));
-    } finally {
-      await client.destroy();
     }
 
     return callback();
@@ -115,17 +127,15 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     _,
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     // generate new password for the next active user
     const credentials = { username: activeIndex === 0 ? username2 : username1, password: generatePassword() };
 
     try {
-      await client.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+      await executeOperation(async (client) => {
+        await client.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+      });
     } catch (error) {
       throw new Error(redactPasswords(error, [credentials]));
-    } finally {
-      await client.destroy();
     }
 
     await $validateCredentials(credentials);

backend/src/lib/api-docs/constants.ts

@@ -2289,6 +2289,10 @@ export const AppConnections = {
     SUPABASE: {
       accessKey: "The Key used to access Supabase.",
       instanceUrl: "The URL used to access Supabase."
+    },
+    OKTA: {
+      instanceUrl: "The URL used to access your Okta organization.",
+      apiToken: "The API token used to authenticate with Okta."
     }
   }
 };
@@ -2594,6 +2598,9 @@ export const SecretRotations = {
     AWS_IAM_USER_SECRET: {
       userName: "The name of the client to rotate credentials for.",
       region: "The AWS region the client is present in."
+    },
+    OKTA_CLIENT_SECRET: {
+      clientId: "The ID of the Okta Application to rotate the client secret for."
     }
   },
   SECRETS_MAPPING: {
@@ -2616,6 +2623,10 @@ export const SecretRotations = {
     AWS_IAM_USER_SECRET: {
       accessKeyId: "The name of the secret that the access key ID will be mapped to.",
       secretAccessKey: "The name of the secret that the rotated secret access key will be mapped to."
+    },
+    OKTA_CLIENT_SECRET: {
+      clientId: "The name of the secret that the client ID will be mapped to.",
+      clientSecret: "The name of the secret that the rotated client secret will be mapped to."
     }
   }
 };

backend/src/lib/crypto/cryptography/crypto.ts

@@ -93,7 +93,13 @@ const cryptographyFactory = () => {
   };
 
   const verifyFipsLicense = (licenseService: Pick<TLicenseServiceFactory, "onPremFeatures">) => {
-    if (isFipsModeEnabled({ skipInitializationCheck: true }) && !licenseService.onPremFeatures?.fips) {
+    const appCfg = getConfig();
+
+    if (
+      !appCfg.isDevelopmentMode &&
+      isFipsModeEnabled({ skipInitializationCheck: true }) &&
+      !licenseService.onPremFeatures?.fips
+    ) {
       throw new CryptographyError({
         message: "FIPS mode is enabled but your license does not include FIPS support. Please contact support."
       });

backend/src/server/lib/cookie.ts

@@ -0,0 +1,43 @@
+import { FastifyReply } from "fastify";
+
+import { getConfig } from "@app/lib/config/env";
+import { logger } from "@app/lib/logger";
+
+/**
+ * `aod` (Auth Origin Domain) cookie is used to store the origin domain of the application when user was last authenticated.
+ *  This is useful for determining the target domain for authentication redirects, especially in cloud deployments.
+ *  It is set only in cloud mode to ensure that the cookie is shared across subdomains.
+ */
+export function addAuthOriginDomainCookie(res: FastifyReply) {
+  try {
+    const appCfg = getConfig();
+
+    // Only set the cookie if the app is running in cloud mode
+    if (!appCfg.isCloud) return;
+
+    const siteUrl = appCfg.SITE_URL!;
+    let domain: string;
+
+    const { hostname } = new URL(siteUrl);
+
+    const parts = hostname.split(".");
+
+    if (parts.length >= 2) {
+      // For `app.infisical.com` => `.infisical.com`
+      domain = `.${parts.slice(-2).join(".")}`;
+    } else {
+      // If somehow only "example", fallback to itself
+      domain = `.${hostname}`;
+    }
+
+    void res.setCookie("aod", siteUrl, {
+      domain,
+      path: "/",
+      sameSite: "strict",
+      httpOnly: false,
+      secure: appCfg.HTTPS_ENABLED
+    });
+  } catch (error) {
+    logger.error(error, "Failed to set auth origin domain cookie");
+  }
+}

backend/src/server/routes/index.ts

@@ -1706,7 +1706,9 @@ export const registerRoutes = async (
     appConnectionDAL,
     permissionService,
     kmsService,
-    licenseService
+    licenseService,
+    gatewayService,
+    gatewayDAL
   });
 
   const secretSyncService = secretSyncServiceFactory({
@@ -1804,7 +1806,8 @@ export const registerRoutes = async (
     snapshotService,
     secretQueueService,
     queueService,
-    appConnectionDAL
+    appConnectionDAL,
+    gatewayService
   });
 
   const certificateAuthorityService = certificateAuthorityServiceFactory({

backend/src/server/routes/v1/admin-router.ts

@@ -12,6 +12,7 @@ import { getConfig, overridableKeys } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -593,6 +594,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return {
         message: "Successfully set up admin account",
         user: user.user,

backend/src/server/routes/v1/app-connection-routers/app-connection-endpoints.ts

@@ -25,12 +25,14 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     credentials: I["credentials"];
     description?: string | null;
     isPlatformManagedCredentials?: boolean;
+    gatewayId?: string | null;
   }>;
   updateSchema: z.ZodType<{
     name?: string;
     credentials?: I["credentials"];
     description?: string | null;
     isPlatformManagedCredentials?: boolean;
+    gatewayId?: string | null;
   }>;
   sanitizedResponseSchema: z.ZodTypeAny;
 }) => {
@@ -224,10 +226,10 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const { name, method, credentials, description, isPlatformManagedCredentials } = req.body;
+      const { name, method, credentials, description, isPlatformManagedCredentials, gatewayId } = req.body;
 
       const appConnection = (await server.services.appConnection.createAppConnection(
-        { name, method, app, credentials, description, isPlatformManagedCredentials },
+        { name, method, app, credentials, description, isPlatformManagedCredentials, gatewayId },
         req.permission
       )) as T;
 
@@ -270,11 +272,11 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const { name, credentials, description, isPlatformManagedCredentials } = req.body;
+      const { name, credentials, description, isPlatformManagedCredentials, gatewayId } = req.body;
       const { connectionId } = req.params;
 
       const appConnection = (await server.services.appConnection.updateAppConnection(
-        { name, credentials, connectionId, description, isPlatformManagedCredentials },
+        { name, credentials, connectionId, description, isPlatformManagedCredentials, gatewayId },
         req.permission
       )) as T;
 

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -71,6 +71,7 @@ import {
 import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
 import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
 import { MySqlConnectionListItemSchema, SanitizedMySqlConnectionSchema } from "@app/services/app-connection/mysql";
+import { OktaConnectionListItemSchema, SanitizedOktaConnectionSchema } from "@app/services/app-connection/okta";
 import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
@@ -138,7 +139,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedZabbixConnectionSchema.options,
   ...SanitizedRailwayConnectionSchema.options,
   ...SanitizedChecklyConnectionSchema.options,
-  ...SanitizedSupabaseConnectionSchema.options
+  ...SanitizedSupabaseConnectionSchema.options,
+  ...SanitizedOktaConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -175,7 +177,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   ZabbixConnectionListItemSchema,
   RailwayConnectionListItemSchema,
   ChecklyConnectionListItemSchema,
-  SupabaseConnectionListItemSchema
+  SupabaseConnectionListItemSchema,
+  OktaConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -25,6 +25,7 @@ import { registerHumanitecConnectionRouter } from "./humanitec-connection-router
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerMySqlConnectionRouter } from "./mysql-connection-router";
+import { registerOktaConnectionRouter } from "./okta-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerRailwayConnectionRouter } from "./railway-connection-router";
 import { registerRenderConnectionRouter } from "./render-connection-router";
@@ -72,5 +73,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Zabbix]: registerZabbixConnectionRouter,
     [AppConnection.Railway]: registerRailwayConnectionRouter,
     [AppConnection.Checkly]: registerChecklyConnectionRouter,
-    [AppConnection.Supabase]: registerSupabaseConnectionRouter
+    [AppConnection.Supabase]: registerSupabaseConnectionRouter,
+    [AppConnection.Okta]: registerOktaConnectionRouter
   };

backend/src/server/routes/v1/app-connection-routers/okta-connection-router.ts

@@ -0,0 +1,52 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateOktaConnectionSchema,
+  SanitizedOktaConnectionSchema,
+  UpdateOktaConnectionSchema
+} from "@app/services/app-connection/okta";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerOktaConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Okta,
+    server,
+    sanitizedResponseSchema: SanitizedOktaConnectionSchema,
+    createSchema: CreateOktaConnectionSchema,
+    updateSchema: UpdateOktaConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/apps`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          apps: z.object({ id: z.string(), label: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        params: { connectionId }
+      } = req;
+
+      const apps = await server.services.appConnection.okta.listApps(connectionId, req.permission);
+      return { apps };
+    }
+  });
+};

backend/src/server/routes/v1/auth-router.ts

@@ -42,6 +42,14 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
         maxAge: 0
       });
 
+      void res.cookie("aod", "", {
+        httpOnly: false,
+        path: "/",
+        sameSite: "lax",
+        secure: appCfg.HTTPS_ENABLED,
+        maxAge: 0
+      });
+
       return { message: "Successfully logged out" };
     }
   });

backend/src/server/routes/v1/sso-router.ts

@@ -22,6 +22,7 @@ import { logger } from "@app/lib/logger";
 import { ms } from "@app/lib/ms";
 import { fetchGithubEmails, fetchGithubUser } from "@app/lib/requests/github";
 import { authRateLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { AuthMethod } from "@app/services/auth/auth-type";
 import { OrgAuthMethod } from "@app/services/org/org-types";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
@@ -475,6 +476,8 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return {
         encryptionVersion: data.user.encryptionVersion,
         token: data.token.access,

backend/src/server/routes/v2/mfa-router.ts

@@ -4,6 +4,7 @@ import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { mfaRateLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { AuthModeMfaJwtTokenPayload, AuthTokenType, MfaMethod } from "@app/services/auth/auth-type";
 
 export const registerMfaRouter = async (server: FastifyZodProvider) => {
@@ -131,6 +132,8 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return {
         ...user,
         token: token.access,

backend/src/server/routes/v2/organization-router.ts

@@ -10,6 +10,7 @@ import {
 import { ApiDocsTags, ORGANIZATIONS } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
@@ -396,6 +397,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         secure: cfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return { organization, accessToken: tokens.accessToken };
     }
   });

backend/src/server/routes/v3/login-router.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { INFISICAL_PROVIDER_GITHUB_ACCESS_TOKEN } from "@app/lib/config/const";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 
 export const registerLoginRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -93,6 +94,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
         secure: cfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       void res.cookie("infisical-project-assume-privileges", "", {
         httpOnly: true,
         path: "/",
@@ -155,6 +158,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       void res.cookie("infisical-project-assume-privileges", "", {
         httpOnly: true,
         path: "/",

backend/src/server/routes/v3/signup-router.ts

@@ -4,6 +4,7 @@ import { UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { ForbiddenRequestError } from "@app/lib/errors";
 import { authRateLimit, smtpRateLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -170,6 +171,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return { message: "Successfully set up account", user, token: accessToken, organizationId };
     }
   });
@@ -239,6 +242,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
       });
       // TODO(akhilmhdh-pg): add telemetry service
 
+      addAuthOriginDomainCookie(res);
+
       return { message: "Successfully set up account", user, token: accessToken };
     }
   });

backend/src/services/app-connection/1password/1password-connection-fns.ts

@@ -31,12 +31,16 @@ export const validateOnePassConnectionCredentials = async (config: TOnePassConne
   const { apiToken } = config.credentials;
 
   try {
-    await request.get(`${instanceUrl}/v1/vaults`, {
+    const res = await request.get(`${instanceUrl}/v1/vaults`, {
       headers: {
         Authorization: `Bearer ${apiToken}`,
         Accept: "application/json"
       }
     });
+
+    if (!Array.isArray(res.data)) {
+      throw new AxiosError("Invalid response from 1Password API");
+    }
   } catch (error: unknown) {
     if (error instanceof AxiosError) {
       throw new BadRequestError({

backend/src/services/app-connection/app-connection-enums.ts

@@ -32,7 +32,8 @@ export enum AppConnection {
   Railway = "railway",
   Bitbucket = "bitbucket",
   Checkly = "checkly",
-  Supabase = "supabase"
+  Supabase = "supabase",
+  Okta = "okta"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -5,6 +5,7 @@ import {
   validateOCIConnectionCredentials
 } from "@app/ee/services/app-connections/oci";
 import { getOracleDBConnectionListItem, OracleDBConnectionMethod } from "@app/ee/services/app-connections/oracledb";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
@@ -91,6 +92,7 @@ import { getLdapConnectionListItem, LdapConnectionMethod, validateLdapConnection
 import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
 import { MySqlConnectionMethod } from "./mysql/mysql-connection-enums";
 import { getMySqlConnectionListItem } from "./mysql/mysql-connection-fns";
+import { getOktaConnectionListItem, OktaConnectionMethod, validateOktaConnectionCredentials } from "./okta";
 import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
 import { getRailwayConnectionListItem, validateRailwayConnectionCredentials } from "./railway";
 import { RenderConnectionMethod } from "./render/render-connection-enums";
@@ -154,7 +156,8 @@ export const listAppConnectionOptions = () => {
     getRailwayConnectionListItem(),
     getBitbucketConnectionListItem(),
     getChecklyConnectionListItem(),
-    getSupabaseConnectionListItem()
+    getSupabaseConnectionListItem(),
+    getOktaConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -201,7 +204,8 @@ export const decryptAppConnectionCredentials = async ({
 };
 
 export const validateAppConnectionCredentials = async (
-  appConnection: TAppConnectionConfig
+  appConnection: TAppConnectionConfig,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ): Promise<TAppConnection["credentials"]> => {
   const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TAppConnectionCredentialsValidator> = {
     [AppConnection.AWS]: validateAwsConnectionCredentials as TAppConnectionCredentialsValidator,
@@ -239,10 +243,11 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Railway]: validateRailwayConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Checkly]: validateChecklyConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Supabase]: validateSupabaseConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Supabase]: validateSupabaseConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Okta]: validateOktaConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
-  return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
+  return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection, gatewayService);
 };
 
 export const getAppConnectionMethodName = (method: TAppConnection["method"]) => {
@@ -278,6 +283,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case CloudflareConnectionMethod.APIToken:
     case BitbucketConnectionMethod.ApiToken:
     case ZabbixConnectionMethod.ApiToken:
+    case OktaConnectionMethod.ApiToken:
       return "API Token";
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
@@ -365,7 +371,8 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Railway]: platformManagedCredentialsNotSupported,
   [AppConnection.Bitbucket]: platformManagedCredentialsNotSupported,
   [AppConnection.Checkly]: platformManagedCredentialsNotSupported,
-  [AppConnection.Supabase]: platformManagedCredentialsNotSupported
+  [AppConnection.Supabase]: platformManagedCredentialsNotSupported,
+  [AppConnection.Okta]: platformManagedCredentialsNotSupported
 };
 
 export const enterpriseAppCheck = async (

backend/src/services/app-connection/app-connection-maps.ts

@@ -34,7 +34,8 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Railway]: "Railway",
   [AppConnection.Bitbucket]: "Bitbucket",
   [AppConnection.Checkly]: "Checkly",
-  [AppConnection.Supabase]: "Supabase"
+  [AppConnection.Supabase]: "Supabase",
+  [AppConnection.Okta]: "Okta"
 };
 
 export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@@ -71,5 +72,6 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.Railway]: AppConnectionPlanType.Regular,
   [AppConnection.Bitbucket]: AppConnectionPlanType.Regular,
   [AppConnection.Checkly]: AppConnectionPlanType.Regular,
-  [AppConnection.Supabase]: AppConnectionPlanType.Regular
+  [AppConnection.Supabase]: AppConnectionPlanType.Regular,
+  [AppConnection.Okta]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-schemas.ts

@@ -18,7 +18,7 @@ export const BaseAppConnectionSchema = AppConnectionsSchema.omit({
 
 export const GenericCreateAppConnectionFieldsSchema = (
   app: AppConnection,
-  { supportsPlatformManagedCredentials = false }: TAppConnectionBaseConfig = {}
+  { supportsPlatformManagedCredentials = false, supportsGateways = false }: TAppConnectionBaseConfig = {}
 ) =>
   z.object({
     name: slugSchema({ field: "name" }).describe(AppConnections.CREATE(app).name),
@@ -30,12 +30,23 @@ export const GenericCreateAppConnectionFieldsSchema = (
       .describe(AppConnections.CREATE(app).description),
     isPlatformManagedCredentials: supportsPlatformManagedCredentials
       ? z.boolean().optional().default(false).describe(AppConnections.CREATE(app).isPlatformManagedCredentials)
-      : z.literal(false).optional().describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`)
+      : z
+          .literal(false, {
+            errorMap: () => ({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` })
+          })
+          .optional()
+          .describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`),
+    gatewayId: supportsGateways
+      ? z.string().uuid().nullish().describe("The Gateway ID to use for this connection.")
+      : z
+          .undefined({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` })
+          .or(z.null({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` }))
+          .describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`)
   });
 
 export const GenericUpdateAppConnectionFieldsSchema = (
   app: AppConnection,
-  { supportsPlatformManagedCredentials = false }: TAppConnectionBaseConfig = {}
+  { supportsPlatformManagedCredentials = false, supportsGateways = false }: TAppConnectionBaseConfig = {}
 ) =>
   z.object({
     name: slugSchema({ field: "name" }).describe(AppConnections.UPDATE(app).name).optional(),
@@ -47,5 +58,16 @@ export const GenericUpdateAppConnectionFieldsSchema = (
       .describe(AppConnections.UPDATE(app).description),
     isPlatformManagedCredentials: supportsPlatformManagedCredentials
       ? z.boolean().optional().describe(AppConnections.UPDATE(app).isPlatformManagedCredentials)
-      : z.literal(false).optional().describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`)
+      : z
+          .literal(false, {
+            errorMap: () => ({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` })
+          })
+          .optional()
+          .describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`),
+    gatewayId: supportsGateways
+      ? z.string().uuid().nullish().describe("The Gateway ID to use for this connection.")
+      : z
+          .undefined({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` })
+          .or(z.null({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` }))
+          .describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`)
   });

backend/src/services/app-connection/app-connection-service.ts

@@ -3,8 +3,14 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { ValidateOCIConnectionCredentialsSchema } from "@app/ee/services/app-connections/oci";
 import { ociConnectionService } from "@app/ee/services/app-connections/oci/oci-connection-service";
 import { ValidateOracleDBConnectionCredentialsSchema } from "@app/ee/services/app-connections/oracledb";
+import { TGatewayDALFactory } from "@app/ee/services/gateway/gateway-dal";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  OrgPermissionAppConnectionActions,
+  OrgPermissionGatewayActions,
+  OrgPermissionSubjects
+} from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { DatabaseErrorCode } from "@app/lib/error-codes";
@@ -73,6 +79,8 @@ import { humanitecConnectionService } from "./humanitec/humanitec-connection-ser
 import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
 import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { ValidateMySqlConnectionCredentialsSchema } from "./mysql";
+import { ValidateOktaConnectionCredentialsSchema } from "./okta";
+import { oktaConnectionService } from "./okta/okta-connection-service";
 import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
 import { ValidateRailwayConnectionCredentialsSchema } from "./railway";
 import { railwayConnectionService } from "./railway/railway-connection-service";
@@ -96,6 +104,8 @@ export type TAppConnectionServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
+  gatewayDAL: Pick<TGatewayDALFactory, "find">;
 };
 
 export type TAppConnectionServiceFactory = ReturnType<typeof appConnectionServiceFactory>;
@@ -134,14 +144,17 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Railway]: ValidateRailwayConnectionCredentialsSchema,
   [AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema,
   [AppConnection.Checkly]: ValidateChecklyConnectionCredentialsSchema,
-  [AppConnection.Supabase]: ValidateSupabaseConnectionCredentialsSchema
+  [AppConnection.Supabase]: ValidateSupabaseConnectionCredentialsSchema,
+  [AppConnection.Okta]: ValidateOktaConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
   appConnectionDAL,
   permissionService,
   kmsService,
-  licenseService
+  licenseService,
+  gatewayService,
+  gatewayDAL
 }: TAppConnectionServiceFactoryDep) => {
   const listAppConnectionsByOrg = async (actor: OrgServiceActor, app?: AppConnection) => {
     const { permission } = await permissionService.getOrgPermission(
@@ -222,7 +235,7 @@ export const appConnectionServiceFactory = ({
   };
 
   const createAppConnection = async (
-    { method, app, credentials, ...params }: TCreateAppConnectionDTO,
+    { method, app, credentials, gatewayId, ...params }: TCreateAppConnectionDTO,
     actor: OrgServiceActor
   ) => {
     const { permission } = await permissionService.getOrgPermission(
@@ -238,6 +251,20 @@ export const appConnectionServiceFactory = ({
       OrgPermissionSubjects.AppConnections
     );
 
+    if (gatewayId) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actor.orgId });
+      if (!gateway) {
+        throw new NotFoundError({
+          message: `Gateway with ID ${gatewayId} not found for org`
+        });
+      }
+    }
+
     await enterpriseAppCheck(
       licenseService,
       app,
@@ -245,12 +272,16 @@ export const appConnectionServiceFactory = ({
       "Failed to create app connection due to plan restriction. Upgrade plan to access enterprise app connections."
     );
 
-    const validatedCredentials = await validateAppConnectionCredentials({
-      app,
-      credentials,
-      method,
-      orgId: actor.orgId
-    } as TAppConnectionConfig);
+    const validatedCredentials = await validateAppConnectionCredentials(
+      {
+        app,
+        credentials,
+        method,
+        orgId: actor.orgId,
+        gatewayId
+      } as TAppConnectionConfig,
+      gatewayService
+    );
 
     try {
       const createConnection = async (connectionCredentials: TAppConnection["credentials"]) => {
@@ -265,6 +296,7 @@ export const appConnectionServiceFactory = ({
           encryptedCredentials,
           method,
           app,
+          gatewayId,
           ...params
         });
       };
@@ -277,9 +309,11 @@ export const appConnectionServiceFactory = ({
             app,
             orgId: actor.orgId,
             credentials: validatedCredentials,
-            method
+            method,
+            gatewayId
           } as TAppConnectionConfig,
-          (platformCredentials) => createConnection(platformCredentials)
+          (platformCredentials) => createConnection(platformCredentials),
+          gatewayService
         );
       } else {
         connection = await createConnection(validatedCredentials);
@@ -300,7 +334,7 @@ export const appConnectionServiceFactory = ({
   };
 
   const updateAppConnection = async (
-    { connectionId, credentials, ...params }: TUpdateAppConnectionDTO,
+    { connectionId, credentials, gatewayId, ...params }: TUpdateAppConnectionDTO,
     actor: OrgServiceActor
   ) => {
     const appConnection = await appConnectionDAL.findById(connectionId);
@@ -327,6 +361,22 @@ export const appConnectionServiceFactory = ({
       OrgPermissionSubjects.AppConnections
     );
 
+    if (gatewayId !== appConnection.gatewayId) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      if (gatewayId) {
+        const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actor.orgId });
+        if (!gateway) {
+          throw new NotFoundError({
+            message: `Gateway with ID ${gatewayId} not found for org`
+          });
+        }
+      }
+    }
+
     // prevent updating credentials or management status if platform managed
     if (appConnection.isPlatformManagedCredentials && (params.isPlatformManagedCredentials === false || credentials)) {
       throw new BadRequestError({
@@ -351,12 +401,16 @@ export const appConnectionServiceFactory = ({
           } Connection with method ${getAppConnectionMethodName(method)}`
         });
 
-      updatedCredentials = await validateAppConnectionCredentials({
-        app,
-        orgId: actor.orgId,
-        credentials,
-        method
-      } as TAppConnectionConfig);
+      updatedCredentials = await validateAppConnectionCredentials(
+        {
+          app,
+          orgId: actor.orgId,
+          credentials,
+          method,
+          gatewayId
+        } as TAppConnectionConfig,
+        gatewayService
+      );
 
       if (!updatedCredentials)
         throw new BadRequestError({ message: "Unable to validate connection - check credentials" });
@@ -375,6 +429,7 @@ export const appConnectionServiceFactory = ({
         return appConnectionDAL.updateById(connectionId, {
           orgId: actor.orgId,
           encryptedCredentials,
+          gatewayId,
           ...params
         });
       };
@@ -391,9 +446,11 @@ export const appConnectionServiceFactory = ({
             app,
             orgId: actor.orgId,
             credentials: updatedCredentials,
-            method
+            method,
+            gatewayId
           } as TAppConnectionConfig,
-          (platformCredentials) => updateConnection(platformCredentials)
+          (platformCredentials) => updateConnection(platformCredentials),
+          gatewayService
         );
       } else {
         updatedConnection = await updateConnection(updatedCredentials);
@@ -549,6 +606,7 @@ export const appConnectionServiceFactory = ({
     railway: railwayConnectionService(connectAppConnectionById),
     bitbucket: bitbucketConnectionService(connectAppConnectionById),
     checkly: checklyConnectionService(connectAppConnectionById),
-    supabase: supabaseConnectionService(connectAppConnectionById)
+    supabase: supabaseConnectionService(connectAppConnectionById),
+    okta: oktaConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -9,6 +9,7 @@ import {
   TOracleDBConnectionInput,
   TValidateOracleDBConnectionCredentialsSchema
 } from "@app/ee/services/app-connections/oracledb";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { TSqlConnectionConfig } from "@app/services/app-connection/shared/sql/sql-connection-types";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
@@ -142,6 +143,12 @@ import {
 } from "./ldap";
 import { TMsSqlConnection, TMsSqlConnectionInput, TValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { TMySqlConnection, TMySqlConnectionInput, TValidateMySqlConnectionCredentialsSchema } from "./mysql";
+import {
+  TOktaConnection,
+  TOktaConnectionConfig,
+  TOktaConnectionInput,
+  TValidateOktaConnectionCredentialsSchema
+} from "./okta";
 import {
   TPostgresConnection,
   TPostgresConnectionInput,
@@ -231,6 +238,7 @@ export type TAppConnection = { id: string } & (
   | TRailwayConnection
   | TChecklyConnection
   | TSupabaseConnection
+  | TOktaConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -272,6 +280,7 @@ export type TAppConnectionInput = { id: string } & (
   | TRailwayConnectionInput
   | TChecklyConnectionInput
   | TSupabaseConnectionInput
+  | TOktaConnectionInput
 );
 
 export type TSqlConnectionInput =
@@ -282,7 +291,7 @@ export type TSqlConnectionInput =
 
 export type TCreateAppConnectionDTO = Pick<
   TAppConnectionInput,
-  "credentials" | "method" | "name" | "app" | "description" | "isPlatformManagedCredentials"
+  "credentials" | "method" | "name" | "app" | "description" | "isPlatformManagedCredentials" | "gatewayId"
 >;
 
 export type TUpdateAppConnectionDTO = Partial<Omit<TCreateAppConnectionDTO, "method" | "app">> & {
@@ -320,7 +329,8 @@ export type TAppConnectionConfig =
   | TZabbixConnectionConfig
   | TRailwayConnectionConfig
   | TChecklyConnectionConfig
-  | TSupabaseConnectionConfig;
+  | TSupabaseConnectionConfig
+  | TOktaConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -356,7 +366,8 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateZabbixConnectionCredentialsSchema
   | TValidateRailwayConnectionCredentialsSchema
   | TValidateChecklyConnectionCredentialsSchema
-  | TValidateSupabaseConnectionCredentialsSchema;
+  | TValidateSupabaseConnectionCredentialsSchema
+  | TValidateOktaConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;
@@ -369,14 +380,17 @@ export type TListAwsConnectionIamUsers = {
 };
 
 export type TAppConnectionCredentialsValidator = (
-  appConnection: TAppConnectionConfig
+  appConnection: TAppConnectionConfig,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ) => Promise<TAppConnection["credentials"]>;
 
 export type TAppConnectionTransitionCredentialsToPlatform = (
   appConnection: TAppConnectionConfig,
-  callback: (credentials: TAppConnection["credentials"]) => Promise<TAppConnectionRaw>
+  callback: (credentials: TAppConnection["credentials"]) => Promise<TAppConnectionRaw>,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ) => Promise<TAppConnectionRaw>;
 
 export type TAppConnectionBaseConfig = {
   supportsPlatformManagedCredentials?: boolean;
+  supportsGateways?: boolean;
 };

backend/src/services/app-connection/github-radar/github-radar-connection-fns.ts

@@ -9,6 +9,7 @@ import { getAppConnectionMethodName } from "@app/services/app-connection/app-con
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 
 import { AppConnection } from "../app-connection-enums";
+import { GithubTokenRespData, isGithubErrorResponse } from "../github/github-connection-fns";
 import { GitHubRadarConnectionMethod } from "./github-radar-connection-enums";
 import {
   TGitHubRadarConnection,
@@ -71,13 +72,6 @@ export const listGitHubRadarRepositories = async (appConnection: TGitHubRadarCon
   return repositories;
 };
 
-type TokenRespData = {
-  access_token: string;
-  scope: string;
-  token_type: string;
-  error?: string;
-};
-
 export const validateGitHubRadarConnectionCredentials = async (config: TGitHubRadarConnectionConfig) => {
   const { credentials, method } = config;
 
@@ -93,10 +87,10 @@ export const validateGitHubRadarConnectionCredentials = async (config: TGitHubRa
     });
   }
 
-  let tokenResp: AxiosResponse<TokenRespData>;
+  let tokenResp: AxiosResponse<GithubTokenRespData>;
 
   try {
-    tokenResp = await request.get<TokenRespData>("https://github.com/login/oauth/access_token", {
+    tokenResp = await request.get<GithubTokenRespData>("https://github.com/login/oauth/access_token", {
       params: {
         client_id: INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID,
         client_secret: INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET,
@@ -108,19 +102,27 @@ export const validateGitHubRadarConnectionCredentials = async (config: TGitHubRa
         "Accept-Encoding": "application/json"
       }
     });
+
+    if (isGithubErrorResponse(tokenResp?.data)) {
+      throw new BadRequestError({
+        message: `Unable to validate credentials: GitHub responded with an error: ${tokenResp.data.error} - ${tokenResp.data.error_description}`
+      });
+    }
   } catch (e: unknown) {
+    if (e instanceof BadRequestError) {
+      throw e;
+    }
+
     throw new BadRequestError({
       message: `Unable to validate connection: verify credentials`
     });
   }
 
-  if (tokenResp.status !== 200) {
-    throw new BadRequestError({
-      message: `Unable to validate credentials: GitHub responded with a status code of ${tokenResp.status} (${tokenResp.statusText}). Verify credentials and try again.`
-    });
-  }
-
   if (method === GitHubRadarConnectionMethod.App) {
+    if (!tokenResp.data.access_token) {
+      throw new InternalServerError({ message: `Missing access token: ${tokenResp.data.error}` });
+    }
+
     const installationsResp = await request.get<{
       installations: {
         id: number;
@@ -149,10 +151,6 @@ export const validateGitHubRadarConnectionCredentials = async (config: TGitHubRa
     }
   }
 
-  if (!tokenResp.data.access_token) {
-    throw new InternalServerError({ message: `Missing access token: ${tokenResp.data.error}` });
-  }
-
   switch (method) {
     case GitHubRadarConnectionMethod.App:
       return {

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -144,14 +144,14 @@ export const getGitHubEnvironments = async (appConnection: TGitHubConnection, ow
   }
 };
 
-type TokenRespData = {
+export type GithubTokenRespData = {
   access_token?: string;
   scope: string;
   token_type: string;
   error?: string;
 };
 
-function isErrorResponse(data: TokenRespData): data is TokenRespData & {
+export function isGithubErrorResponse(data: GithubTokenRespData): data is GithubTokenRespData & {
   error: string;
   error_description: string;
   error_uri: string;
@@ -191,10 +191,10 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
     });
   }
 
-  let tokenResp: AxiosResponse<TokenRespData>;
+  let tokenResp: AxiosResponse<GithubTokenRespData>;
 
   try {
-    tokenResp = await request.get<TokenRespData>("https://github.com/login/oauth/access_token", {
+    tokenResp = await request.get<GithubTokenRespData>("https://github.com/login/oauth/access_token", {
       params: {
         client_id: clientId,
         client_secret: clientSecret,
@@ -207,7 +207,7 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
       }
     });
 
-    if (isErrorResponse(tokenResp?.data)) {
+    if (isGithubErrorResponse(tokenResp?.data)) {
       throw new BadRequestError({
         message: `Unable to validate credentials: GitHub responded with an error: ${tokenResp.data.error} - ${tokenResp.data.error_description}`
       });

backend/src/services/app-connection/mssql/mssql-connection-schemas.ts

@@ -49,7 +49,10 @@ export const ValidateMsSqlConnectionCredentialsSchema = z.discriminatedUnion("me
 ]);
 
 export const CreateMsSqlConnectionSchema = ValidateMsSqlConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.MsSql, { supportsPlatformManagedCredentials: true })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.MsSql, {
+    supportsPlatformManagedCredentials: true,
+    supportsGateways: true
+  })
 );
 
 export const UpdateMsSqlConnectionSchema = z
@@ -58,7 +61,12 @@ export const UpdateMsSqlConnectionSchema = z
       AppConnections.UPDATE(AppConnection.MsSql).credentials
     )
   })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.MsSql, { supportsPlatformManagedCredentials: true }));
+  .and(
+    GenericUpdateAppConnectionFieldsSchema(AppConnection.MsSql, {
+      supportsPlatformManagedCredentials: true,
+      supportsGateways: true
+    })
+  );
 
 export const MsSqlConnectionListItemSchema = z.object({
   name: z.literal("Microsoft SQL Server"),

backend/src/services/app-connection/mysql/mysql-connection-schemas.ts

@@ -47,7 +47,10 @@ export const ValidateMySqlConnectionCredentialsSchema = z.discriminatedUnion("me
 ]);
 
 export const CreateMySqlConnectionSchema = ValidateMySqlConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.MySql, { supportsPlatformManagedCredentials: true })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.MySql, {
+    supportsPlatformManagedCredentials: true,
+    supportsGateways: true
+  })
 );
 
 export const UpdateMySqlConnectionSchema = z
@@ -56,7 +59,12 @@ export const UpdateMySqlConnectionSchema = z
       AppConnections.UPDATE(AppConnection.MySql).credentials
     )
   })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.MySql, { supportsPlatformManagedCredentials: true }));
+  .and(
+    GenericUpdateAppConnectionFieldsSchema(AppConnection.MySql, {
+      supportsPlatformManagedCredentials: true,
+      supportsGateways: true
+    })
+  );
 
 export const MySqlConnectionListItemSchema = z.object({
   name: z.literal("MySQL"),

backend/src/services/app-connection/okta/index.ts

@@ -0,0 +1,4 @@
+export * from "./okta-connection-enums";
+export * from "./okta-connection-fns";
+export * from "./okta-connection-schemas";
+export * from "./okta-connection-types";

backend/src/services/app-connection/okta/okta-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum OktaConnectionMethod {
+  ApiToken = "api-token"
+}

backend/src/services/app-connection/okta/okta-connection-fns.ts

@@ -0,0 +1,57 @@
+import { request } from "@app/lib/config/request";
+import { UnauthorizedError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { OktaConnectionMethod } from "./okta-connection-enums";
+import { TOktaApp, TOktaConnection, TOktaConnectionConfig } from "./okta-connection-types";
+
+export const getOktaConnectionListItem = () => {
+  return {
+    name: "Okta" as const,
+    app: AppConnection.Okta as const,
+    methods: Object.values(OktaConnectionMethod) as [OktaConnectionMethod.ApiToken]
+  };
+};
+
+export const getOktaInstanceUrl = async (config: TOktaConnectionConfig) => {
+  const instanceUrl = removeTrailingSlash(config.credentials.instanceUrl);
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+  return instanceUrl;
+};
+
+export const validateOktaConnectionCredentials = async (config: TOktaConnectionConfig) => {
+  const { apiToken } = config.credentials;
+  const instanceUrl = await getOktaInstanceUrl(config);
+
+  try {
+    await request.get(`${instanceUrl}/api/v1/users/me`, {
+      headers: {
+        Accept: "application/json",
+        Authorization: `SSWS ${apiToken}`
+      },
+      validateStatus: (status) => status === 200
+    });
+  } catch (error: unknown) {
+    throw new UnauthorizedError({
+      message: "Unable to validate connection: invalid credentials"
+    });
+  }
+
+  return config.credentials;
+};
+
+export const listOktaApps = async (appConnection: TOktaConnection) => {
+  const { apiToken } = appConnection.credentials;
+  const instanceUrl = await getOktaInstanceUrl(appConnection);
+
+  const { data } = await request.get<TOktaApp[]>(`${instanceUrl}/api/v1/apps`, {
+    headers: {
+      Accept: "application/json",
+      Authorization: `SSWS ${apiToken}`
+    }
+  });
+
+  return data.filter((app) => app.status === "ACTIVE" && app.name === "oidc_client");
+};

backend/src/services/app-connection/okta/okta-connection-schemas.ts

@@ -0,0 +1,69 @@
+import RE2 from "re2";
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { OktaConnectionMethod } from "./okta-connection-enums";
+
+export const OktaConnectionApiTokenCredentialsSchema = z.object({
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Instance URL")
+    .min(1, "Instance URL required")
+    .max(255)
+    .describe(AppConnections.CREDENTIALS.OKTA.instanceUrl),
+  apiToken: z
+    .string()
+    .trim()
+    .min(1, "API Token required")
+    .refine((value) => new RE2("^00[a-zA-Z0-9_-]{40}$").test(value), "Invalid Okta API Token format")
+    .describe(AppConnections.CREDENTIALS.OKTA.apiToken)
+});
+
+const BaseOktaConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Okta) });
+
+export const OktaConnectionSchema = BaseOktaConnectionSchema.extend({
+  method: z.literal(OktaConnectionMethod.ApiToken),
+  credentials: OktaConnectionApiTokenCredentialsSchema
+});
+
+export const SanitizedOktaConnectionSchema = z.discriminatedUnion("method", [
+  BaseOktaConnectionSchema.extend({
+    method: z.literal(OktaConnectionMethod.ApiToken),
+    credentials: OktaConnectionApiTokenCredentialsSchema.pick({
+      instanceUrl: true
+    })
+  })
+]);
+
+export const ValidateOktaConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(OktaConnectionMethod.ApiToken).describe(AppConnections.CREATE(AppConnection.Okta).method),
+    credentials: OktaConnectionApiTokenCredentialsSchema.describe(AppConnections.CREATE(AppConnection.Okta).credentials)
+  })
+]);
+
+export const CreateOktaConnectionSchema = ValidateOktaConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Okta)
+);
+
+export const UpdateOktaConnectionSchema = z
+  .object({
+    credentials: OktaConnectionApiTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Okta).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Okta));
+
+export const OktaConnectionListItemSchema = z.object({
+  name: z.literal("Okta"),
+  app: z.literal(AppConnection.Okta),
+  methods: z.nativeEnum(OktaConnectionMethod).array()
+});

backend/src/services/app-connection/okta/okta-connection-service.ts

@@ -0,0 +1,23 @@
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listOktaApps } from "./okta-connection-fns";
+import { TOktaConnection } from "./okta-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TOktaConnection>;
+
+export const oktaConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listApps = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Okta, connectionId, actor);
+    const apps = await listOktaApps(appConnection);
+    return apps;
+  };
+
+  return {
+    listApps
+  };
+};

backend/src/services/app-connection/okta/okta-connection-types.ts

@@ -0,0 +1,29 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateOktaConnectionSchema,
+  OktaConnectionSchema,
+  ValidateOktaConnectionCredentialsSchema
+} from "./okta-connection-schemas";
+
+export type TOktaConnection = z.infer<typeof OktaConnectionSchema>;
+
+export type TOktaConnectionInput = z.infer<typeof CreateOktaConnectionSchema> & {
+  app: AppConnection.Okta;
+};
+
+export type TValidateOktaConnectionCredentialsSchema = typeof ValidateOktaConnectionCredentialsSchema;
+
+export type TOktaConnectionConfig = DiscriminativePick<TOktaConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TOktaApp = {
+  id: string;
+  label: string;
+  status: "ACTIVE" | "INACTIVE";
+  name: "oidc_client"; // "oidc_client" or other types
+};

backend/src/services/app-connection/postgres/postgres-connection-schemas.ts

@@ -47,7 +47,10 @@ export const ValidatePostgresConnectionCredentialsSchema = z.discriminatedUnion(
 ]);
 
 export const CreatePostgresConnectionSchema = ValidatePostgresConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.Postgres, { supportsPlatformManagedCredentials: true })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Postgres, {
+    supportsPlatformManagedCredentials: true,
+    supportsGateways: true
+  })
 );
 
 export const UpdatePostgresConnectionSchema = z
@@ -56,7 +59,12 @@ export const UpdatePostgresConnectionSchema = z
       AppConnections.UPDATE(AppConnection.Postgres).credentials
     )
   })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Postgres, { supportsPlatformManagedCredentials: true }));
+  .and(
+    GenericUpdateAppConnectionFieldsSchema(AppConnection.Postgres, {
+      supportsPlatformManagedCredentials: true,
+      supportsGateways: true
+    })
+  );
 
 export const PostgresConnectionListItemSchema = z.object({
   name: z.literal("PostgreSQL"),

backend/src/services/app-connection/shared/sql/sql-connection-fns.ts

@@ -1,11 +1,13 @@
 import knex, { Knex } from "knex";
 
 import { verifyHostInputValidity } from "@app/ee/services/dynamic-secret/dynamic-secret-fns";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import {
   TSqlCredentialsRotationGeneratedCredentials,
   TSqlCredentialsRotationWithConnection
 } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types";
 import { BadRequestError, DatabaseError } from "@app/lib/errors";
+import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TAppConnectionRaw, TSqlConnection } from "@app/services/app-connection/app-connection-types";
@@ -98,25 +100,80 @@ export const getSqlConnectionClient = async (appConnection: Pick<TSqlConnection,
   return client;
 };
 
-export const validateSqlConnectionCredentials = async (config: TSqlConnectionConfig) => {
-  const { credentials, app } = config;
+export const executeWithPotentialGateway = async <T>(
+  config: TSqlConnectionConfig,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">,
+  operation: (client: Knex) => Promise<T>
+): Promise<T> => {
+  const { credentials, app, gatewayId } = config;
 
-  let client: Knex | undefined;
+  if (gatewayId && gatewayService) {
+    const [targetHost] = await verifyHostInputValidity(credentials.host, true);
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(gatewayId);
+    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
 
+    return withGatewayProxy(
+      async (proxyPort) => {
+        const client = knex({
+          client: SQL_CONNECTION_CLIENT_MAP[app],
+          connection: {
+            database: credentials.database,
+            port: proxyPort,
+            host: "localhost",
+            user: credentials.username,
+            password: credentials.password,
+            connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,
+            ...getConnectionConfig({ app, credentials })
+          }
+        });
+        try {
+          return await operation(client);
+        } finally {
+          await client.destroy();
+        }
+      },
+      {
+        protocol: GatewayProxyProtocol.Tcp,
+        targetHost,
+        targetPort: credentials.port,
+        relayHost,
+        relayPort: Number(relayPort),
+        identityId: relayDetails.identityId,
+        orgId: relayDetails.orgId,
+        tlsOptions: {
+          ca: relayDetails.certChain,
+          cert: relayDetails.certificate,
+          key: relayDetails.privateKey.toString()
+        }
+      }
+    );
+  }
+
+  // Non-gateway path
+  const client = await getSqlConnectionClient({ app, credentials });
   try {
-    client = await getSqlConnectionClient({ app, credentials });
+    return await operation(client);
+  } finally {
+    await client.destroy();
+  }
+};
 
-    await client.raw(`Select 1`);
-
-    return credentials;
+export const validateSqlConnectionCredentials = async (
+  config: TSqlConnectionConfig,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+) => {
+  try {
+    await executeWithPotentialGateway(config, gatewayService, async (client) => {
+      await client.raw(`Select 1`);
+    });
+    return config.credentials;
   } catch (error) {
     throw new BadRequestError({
       message: `Unable to validate connection: ${
-        (error as Error)?.message?.replaceAll(credentials.password, "********************") ?? "verify credentials"
+        (error as Error)?.message?.replaceAll(config.credentials.password, "********************") ??
+        "verify credentials"
       }`
     });
-  } finally {
-    await client?.destroy();
   }
 };
 
@@ -132,22 +189,23 @@ export const SQL_CONNECTION_ALTER_LOGIN_STATEMENT: Record<
 
 export const transferSqlConnectionCredentialsToPlatform = async (
   config: TSqlConnectionConfig,
-  callback: (credentials: TSqlConnectionConfig["credentials"]) => Promise<TAppConnectionRaw>
+  callback: (credentials: TSqlConnectionConfig["credentials"]) => Promise<TAppConnectionRaw>,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ) => {
   const { credentials, app } = config;
 
-  const client = await getSqlConnectionClient({ app, credentials });
-
   const newPassword = alphaNumericNanoId(32);
 
   try {
-    return await client.transaction(async (tx) => {
-      await tx.raw(
-        ...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[app]({ username: credentials.username, password: newPassword })
-      );
-      return callback({
-        ...credentials,
-        password: newPassword
+    return await executeWithPotentialGateway(config, gatewayService, (client) => {
+      return client.transaction(async (tx) => {
+        await tx.raw(
+          ...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[app]({ username: credentials.username, password: newPassword })
+        );
+        return callback({
+          ...credentials,
+          password: newPassword
+        });
       });
     });
   } catch (error) {
@@ -161,7 +219,5 @@ export const transferSqlConnectionCredentialsToPlatform = async (
         (error as Error)?.message?.replaceAll(newPassword, "********************") ??
         "Encountered an error transferring credentials to platform"
     });
-  } finally {
-    await client.destroy();
   }
 };

backend/src/services/app-connection/shared/sql/sql-connection-types.ts

@@ -1,6 +1,9 @@
 import { DiscriminativePick } from "@app/lib/types";
 import { TSqlConnectionInput } from "@app/services/app-connection/app-connection-types";
 
-export type TSqlConnectionConfig = DiscriminativePick<TSqlConnectionInput, "method" | "app" | "credentials"> & {
+export type TSqlConnectionConfig = DiscriminativePick<
+  TSqlConnectionInput,
+  "method" | "app" | "credentials" | "gatewayId"
+> & {
   orgId: string;
 };

backend/src/services/certificate-authority/certificate-authority-dal.ts

@@ -218,7 +218,7 @@ export const certificateAuthorityDALFactory = (db: TDbClient) => {
   };
 
   const findWithAssociatedCa = async (
-    filter: Parameters<(typeof caOrm)["find"]>[0] & { dn?: string; type?: string },
+    filter: Parameters<(typeof caOrm)["find"]>[0] & { dn?: string; type?: string; serialNumber?: string },
     { offset, limit, sort = [["createdAt", "desc"]] }: TFindOpt<TCertificateAuthorities> = {},
     tx?: Knex
   ) => {

backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts

@@ -1068,11 +1068,11 @@ export const internalCertificateAuthorityServiceFactory = ({
       throw new BadRequestError({ message: "Invalid certificate chain" });
 
     const parentCertObj = chainItems[1];
-    const parentCertSubject = parentCertObj.subject;
+    const parentSerialNumber = parentCertObj.serialNumber;
 
     const [parentCa] = await certificateAuthorityDAL.findWithAssociatedCa({
       [`${TableName.CertificateAuthority}.projectId` as "projectId"]: ca.projectId,
-      [`${TableName.InternalCertificateAuthority}.dn` as "dn"]: parentCertSubject
+      [`${TableName.InternalCertificateAuthority}.serialNumber` as "serialNumber"]: parentSerialNumber
     });
 
     const certificateManagerKmsId = await getProjectKmsCertificateKeyId({

backend/src/services/identity-aws-auth/identity-aws-auth-validators.ts

@@ -37,7 +37,7 @@ export const validateAccountIds = z
 export const validatePrincipalArns = z
   .string()
   .trim()
-  .max(2048)
+  .max(4096)
   .default("")
   // Custom validation for ARN format
   .refine(

backend/src/services/secret-import/secret-import-fns.ts

@@ -174,6 +174,7 @@ export const fnSecretsV2FromImports = async ({
     skipMultilineEncoding?: boolean | null;
     secretPath: string;
     environment: string;
+    secretKey: string;
   }) => Promise<string | undefined>;
   hasSecretAccess: (environment: string, secretPath: string, secretName: string, secretTagSlugs: string[]) => boolean;
 }) => {
@@ -293,7 +294,8 @@ export const fnSecretsV2FromImports = async ({
               value: decryptedSecret.secretValue,
               secretPath: processedImport.secretPath,
               environment: processedImport.environment,
-              skipMultilineEncoding: decryptedSecret.skipMultilineEncoding
+              skipMultilineEncoding: decryptedSecret.skipMultilineEncoding,
+              secretKey: decryptedSecret.secretKey
             });
             // eslint-disable-next-line no-param-reassign
             processedImport.secrets[index].secretValue = expandedSecretValue || "";

backend/src/services/secret-sync/render/render-sync-fns.ts

@@ -1,4 +1,6 @@
 /* eslint-disable no-await-in-loop */
+import { isAxiosError } from "axios";
+
 import { request } from "@app/lib/config/request";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
@@ -71,7 +73,7 @@ const putEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, secr
   );
 };
 
-const deleteEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, secret: TRenderSecret) => {
+const deleteEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, secret: Pick<TRenderSecret, "key">) => {
   const {
     destinationConfig,
     connection: {
@@ -79,15 +81,24 @@ const deleteEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, s
     }
   } = secretSync;
 
-  await request.delete(
-    `${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/env-vars/${secret.key}`,
-    {
-      headers: {
-        Authorization: `Bearer ${apiKey}`,
-        Accept: "application/json"
+  try {
+    await request.delete(
+      `${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/env-vars/${secret.key}`,
+      {
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          Accept: "application/json"
+        }
       }
+    );
+  } catch (error) {
+    if (isAxiosError(error) && error.response?.status === 404) {
+      // If the secret does not exist, we can ignore this error
+      return;
     }
-  );
+
+    throw error;
+  }
 };
 
 const sleep = async () =>
@@ -99,6 +110,11 @@ export const RenderSyncFns = {
   syncSecrets: async (secretSync: TRenderSyncWithCredentials, secretMap: TSecretMap) => {
     const renderSecrets = await getRenderEnvironmentSecrets(secretSync);
     for await (const key of Object.keys(secretMap)) {
+      // If value is empty skip it as render does not allow empty variables
+      if (secretMap[key].value === "") {
+        // eslint-disable-next-line no-continue
+        continue;
+      }
       await putEnvironmentSecret(secretSync, secretMap, key);
       await sleep();
     }

backend/src/services/secret-sync/secret-sync-queue.ts

@@ -231,7 +231,8 @@ export const secretSyncQueueFactory = ({
           environment: environment.slug,
           secretPath: folder.path,
           skipMultilineEncoding: secret.skipMultilineEncoding,
-          value: secretValue
+          value: secretValue,
+          secretKey
         });
         secretMap[secretKey] = { value: expandedSecretValue || "" };
 

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -614,6 +614,7 @@ export const expandSecretReferencesFactory = ({
     secretPath: string;
     environment: string;
     shouldStackTrace?: boolean;
+    secretKey: string;
   }) => {
     const stackTrace = { ...dto, key: "root", children: [] } as TSecretReferenceTraceNode;
 
@@ -656,7 +657,7 @@ export const expandSecretReferencesFactory = ({
             const referredValue = await fetchSecret(environment, secretPath, secretKey);
             if (!canExpandValue(environment, secretPath, secretKey, referredValue.tags))
               throw new ForbiddenRequestError({
-                message: `You are attempting to reference secret named ${secretKey} from environment ${environment} in path ${secretPath} which you do not have access to read value on.`
+                message: `You do not have permission to read secret '${secretKey}' in environment '${environment}' at path '${secretPath}', which is referenced by secret '${dto.secretKey}' in environment '${dto.environment}' at path '${dto.secretPath}'.`
               });
 
             const cacheKey = getCacheUniqueKey(environment, secretPath);
@@ -675,7 +676,7 @@ export const expandSecretReferencesFactory = ({
             const referedValue = await fetchSecret(secretReferenceEnvironment, secretReferencePath, secretReferenceKey);
             if (!canExpandValue(secretReferenceEnvironment, secretReferencePath, secretReferenceKey, referedValue.tags))
               throw new ForbiddenRequestError({
-                message: `You are attempting to reference secret named ${secretReferenceKey} from environment ${secretReferenceEnvironment} in path ${secretReferencePath} which you do not have access to read value on.`
+                message: `You do not have permission to read secret '${secretReferenceKey}' in environment '${secretReferenceEnvironment}' at path '${secretReferencePath}', which is referenced by secret '${dto.secretKey}' in environment '${dto.environment}' at path '${dto.secretPath}'.`
               });
 
             const cacheKey = getCacheUniqueKey(secretReferenceEnvironment, secretReferencePath);
@@ -692,6 +693,7 @@ export const expandSecretReferencesFactory = ({
             secretPath: referencedSecretPath,
             environment: referencedSecretEnvironmentSlug,
             depth: depth + 1,
+            secretKey: referencedSecretKey,
             trace
           };
 
@@ -726,6 +728,7 @@ export const expandSecretReferencesFactory = ({
     skipMultilineEncoding?: boolean | null;
     secretPath: string;
     environment: string;
+    secretKey: string;
   }) => {
     if (!inputSecret.value) return inputSecret.value;
 
@@ -741,6 +744,7 @@ export const expandSecretReferencesFactory = ({
     value?: string;
     secretPath: string;
     environment: string;
+    secretKey: string;
   }) => {
     const { stackTrace, expandedValue } = await recursivelyExpandSecret({ ...inputSecret, shouldStackTrace: true });
     return { stackTrace, expandedValue };

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -1105,7 +1105,7 @@ export const secretV2BridgeServiceFactory = ({
 
     if (shouldExpandSecretReferences) {
       const secretsGroupByPath = groupBy(decryptedSecrets, (i) => i.secretPath);
-      await Promise.allSettled(
+      const settledPromises = await Promise.allSettled(
         Object.keys(secretsGroupByPath).map((groupedPath) =>
           Promise.allSettled(
             secretsGroupByPath[groupedPath].map(async (decryptedSecret, index) => {
@@ -1113,7 +1113,8 @@ export const secretV2BridgeServiceFactory = ({
                 value: decryptedSecret.secretValue,
                 secretPath: groupedPath,
                 environment,
-                skipMultilineEncoding: decryptedSecret.skipMultilineEncoding
+                skipMultilineEncoding: decryptedSecret.skipMultilineEncoding,
+                secretKey: decryptedSecret.secretKey
               });
               // eslint-disable-next-line no-param-reassign
               secretsGroupByPath[groupedPath][index].secretValue = expandedSecretValue || "";
@@ -1121,6 +1122,35 @@ export const secretV2BridgeServiceFactory = ({
           )
         )
       );
+      const errors: { path: string; error: string }[] = [];
+
+      settledPromises.forEach((outerResult: PromiseSettledResult<PromiseSettledResult<void>[]>, outerIndex) => {
+        const groupedPath = Object.keys(secretsGroupByPath)[outerIndex];
+
+        if (outerResult.status === "rejected") {
+          errors.push({
+            path: groupedPath,
+            error: `Failed to process secret group: ${outerResult.reason}`
+          });
+        } else {
+          // Check inner promise results
+          outerResult.value.forEach((innerResult: PromiseSettledResult<void>) => {
+            if (innerResult.status === "rejected") {
+              const reason = innerResult.reason as ForbiddenRequestError;
+              errors.push({
+                path: groupedPath,
+                error: reason.message
+              });
+            }
+          });
+        }
+      });
+      if (errors.length > 0) {
+        throw new ForbiddenRequestError({
+          message: "Failed to expand one or more secret references",
+          details: errors.map((err) => err.error)
+        });
+      }
     }
 
     if (!includeImports) {
@@ -1424,7 +1454,8 @@ export const secretV2BridgeServiceFactory = ({
         environment,
         secretPath: path,
         value: secretValue,
-        skipMultilineEncoding: secret.skipMultilineEncoding
+        skipMultilineEncoding: secret.skipMultilineEncoding,
+        secretKey: secret.key
       });
 
       secretValue = expandedSecretValue || "";
@@ -2722,7 +2753,8 @@ export const secretV2BridgeServiceFactory = ({
     const { expandedValue, stackTrace } = await getExpandedSecretStackTrace({
       environment,
       secretPath,
-      value: decryptedSecretValue
+      value: decryptedSecretValue,
+      secretKey: secretName
     });
 
     return { tree: stackTrace, value: expandedValue };

backend/src/services/secret/secret-queue.ts

@@ -426,7 +426,8 @@ export const secretQueueFactory = ({
           environment: dto.environment,
           secretPath: dto.secretPath,
           skipMultilineEncoding: secret.skipMultilineEncoding,
-          value: secretValue
+          value: secretValue,
+          secretKey
         });
         content[secretKey] = { value: expandedSecretValue || "" };
 

docs/api-reference/endpoints/app-connections/okta/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/okta/available"
+---

docs/api-reference/endpoints/app-connections/okta/create.mdx

@@ -0,0 +1,8 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/okta"
+---
+
+<Note>
+    Check out the configuration docs for [Okta Connections](/integrations/app-connections/okta) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/okta/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/okta/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/okta/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/okta/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/okta/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/okta/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/okta/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/okta"
+---

docs/api-reference/endpoints/app-connections/okta/update.mdx

@@ -0,0 +1,8 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/okta/{connectionId}"
+---
+
+<Note>
+    Check out the configuration docs for [Okta Connections](/integrations/app-connections/okta) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/secret-rotations/okta-client-secret/create.mdx

@@ -0,0 +1,8 @@
+---
+title: "Create"
+openapi: "POST /api/v2/secret-rotations/okta-client-secret"
+---
+
+<Note>
+    Check out the configuration docs for [Okta Client Secret Rotations](/documentation/platform/secret-rotation/okta-client-secret) to learn how to obtain the required parameters.
+</Note>

docs/api-reference/endpoints/secret-rotations/okta-client-secret/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v2/secret-rotations/okta-client-secret/{rotationId}"
+---

docs/api-reference/endpoints/secret-rotations/okta-client-secret/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v2/secret-rotations/okta-client-secret/{rotationId}"
+---

docs/api-reference/endpoints/secret-rotations/okta-client-secret/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v2/secret-rotations/okta-client-secret/rotation-name/{rotationName}"
+---

docs/api-reference/endpoints/secret-rotations/okta-client-secret/get-generated-credentials-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get Credentials by ID"
+openapi: "GET /api/v2/secret-rotations/okta-client-secret/{rotationId}/generated-credentials"
+---

docs/api-reference/endpoints/secret-rotations/okta-client-secret/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v2/secret-rotations/okta-client-secret"
+---

docs/api-reference/endpoints/secret-rotations/okta-client-secret/rotate-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Rotate Secrets"
+openapi: "POST /api/v2/secret-rotations/okta-client-secret/{rotationId}/rotate-secrets"
+---

docs/api-reference/endpoints/secret-rotations/okta-client-secret/update.mdx

@@ -0,0 +1,8 @@
+---
+title: "Update"
+openapi: "PATCH /api/v2/secret-rotations/okta-client-secret/{rotationId}"
+---
+
+<Note>
+    Check out the configuration docs for [Okta Client Secret Rotations](/documentation/platform/secret-rotation/okta-client-secret) to learn how to obtain the required parameters.
+</Note>

docs/docs.json

@@ -78,7 +78,10 @@
               },
               {
                 "group": "Infisical SSH",
-                "pages": ["documentation/platform/ssh/overview", "documentation/platform/ssh/host-groups"]
+                "pages": [
+                  "documentation/platform/ssh/overview",
+                  "documentation/platform/ssh/host-groups"
+                ]
               },
               {
                 "group": "Key Management (KMS)",
@@ -146,6 +149,7 @@
                   "documentation/platform/secret-rotation/ldap-password",
                   "documentation/platform/secret-rotation/mssql-credentials",
                   "documentation/platform/secret-rotation/mysql-credentials",
+                  "documentation/platform/secret-rotation/okta-client-secret",
                   "documentation/platform/secret-rotation/oracledb-credentials",
                   "documentation/platform/secret-rotation/postgres-credentials"
                 ]
@@ -375,7 +379,10 @@
               },
               {
                 "group": "Architecture",
-                "pages": ["internals/architecture/components", "internals/architecture/cloud"]
+                "pages": [
+                  "internals/architecture/components",
+                  "internals/architecture/cloud"
+                ]
               },
               "internals/security",
               "internals/service-tokens"
@@ -481,6 +488,7 @@
                   "integrations/app-connections/mssql",
                   "integrations/app-connections/mysql",
                   "integrations/app-connections/oci",
+                  "integrations/app-connections/okta",
                   "integrations/app-connections/oracledb",
                   "integrations/app-connections/postgres",
                   "integrations/app-connections/railway",
@@ -551,7 +559,10 @@
               "integrations/cloud/gcp-secret-manager",
               {
                 "group": "Cloudflare",
-                "pages": ["integrations/cloud/cloudflare-pages", "integrations/cloud/cloudflare-workers"]
+                "pages": [
+                  "integrations/cloud/cloudflare-pages",
+                  "integrations/cloud/cloudflare-workers"
+                ]
               },
               "integrations/cloud/terraform-cloud",
               "integrations/cloud/databricks",
@@ -663,7 +674,11 @@
                   "cli/commands/reset",
                   {
                     "group": "infisical scan",
-                    "pages": ["cli/commands/scan", "cli/commands/scan-git-changes", "cli/commands/scan-install"]
+                    "pages": [
+                      "cli/commands/scan",
+                      "cli/commands/scan-git-changes",
+                      "cli/commands/scan-install"
+                    ]
                   }
                 ]
               },
@@ -987,7 +1002,9 @@
                 "pages": [
                   {
                     "group": "Kubernetes",
-                    "pages": ["api-reference/endpoints/dynamic-secrets/kubernetes/create-lease"]
+                    "pages": [
+                      "api-reference/endpoints/dynamic-secrets/kubernetes/create-lease"
+                    ]
                   },
                   "api-reference/endpoints/dynamic-secrets/create",
                   "api-reference/endpoints/dynamic-secrets/update",
@@ -1093,6 +1110,19 @@
                       "api-reference/endpoints/secret-rotations/mysql-credentials/update"
                     ]
                   },
+                  {
+                    "group": "Okta Client Secret",
+                    "pages": [
+                      "api-reference/endpoints/secret-rotations/okta-client-secret/create",
+                      "api-reference/endpoints/secret-rotations/okta-client-secret/delete",
+                      "api-reference/endpoints/secret-rotations/okta-client-secret/get-by-id",
+                      "api-reference/endpoints/secret-rotations/okta-client-secret/get-by-name",
+                      "api-reference/endpoints/secret-rotations/okta-client-secret/get-generated-credentials-by-id",
+                      "api-reference/endpoints/secret-rotations/okta-client-secret/list",
+                      "api-reference/endpoints/secret-rotations/okta-client-secret/rotate-secrets",
+                      "api-reference/endpoints/secret-rotations/okta-client-secret/update"
+                    ]
+                  },
                   {
                     "group": "OracleDB Credentials",
                     "pages": [
@@ -1496,6 +1526,18 @@
                       "api-reference/endpoints/app-connections/oci/delete"
                     ]
                   },
+                  {
+                    "group": "Okta",
+                    "pages": [
+                      "api-reference/endpoints/app-connections/okta/list",
+                      "api-reference/endpoints/app-connections/okta/available",
+                      "api-reference/endpoints/app-connections/okta/get-by-id",
+                      "api-reference/endpoints/app-connections/okta/get-by-name",
+                      "api-reference/endpoints/app-connections/okta/create",
+                      "api-reference/endpoints/app-connections/okta/update",
+                      "api-reference/endpoints/app-connections/okta/delete"
+                    ]
+                  },
                   {
                     "group": "OracleDB",
                     "pages": [

docs/documentation/platform/secret-rotation/okta-client-secret.mdx

@@ -0,0 +1,145 @@
+---
+title: "Okta Client Secret"
+description: "Learn how to automatically rotate Okta Client Secrets."
+---
+
+## Prerequisites
+
+- Create an [Okta Connection](/integrations/app-connections/okta).
+
+## Create an Okta Client Secret Rotation in Infisical
+
+<Tabs>
+    <Tab title="Infisical UI">
+        1. Navigate to your Secret Manager Project's Dashboard and select **Add Secret Rotation** from the actions dropdown.
+
+        ![Secret Manager Dashboard](/images/secret-rotations-v2/generic/add-secret-rotation.png)
+
+        2. Select the **Okta Client Secret** option.
+
+        ![Select Okta Client Secret](/images/secret-rotations-v2/okta-client-secret/select-okta.png)
+
+        3. Configure the rotation behavior, then click **Next**.
+
+        ![Rotation Configuration](/images/secret-rotations-v2/okta-client-secret/configuration.png)
+
+        - **Okta Connection** - the connection that will perform the rotation of the specified application's Client Secret.
+        - **Rotation Interval** - the interval, in days, that once elapsed will trigger a rotation.
+        - **Rotate At** - the local time of day when rotation should occur once the interval has elapsed.
+        - **Auto-Rotation Enabled** - whether secrets should automatically be rotated once the rotation interval has elapsed. Disable this option to manually rotate secrets or pause secret rotation.
+
+        4. Select the Okta application whose Client Secret you want to rotate. Then click **Next**.
+
+        ![Rotation Parameters](/images/secret-rotations-v2/okta-client-secret/parameters.png)
+
+        5. Specify the secret names that the client credentials should be mapped to. Then click **Next**.
+
+        ![Rotation Secrets Mapping](/images/secret-rotations-v2/okta-client-secret/mappings.png)
+
+        - **Client ID** - the name of the secret that the application Client ID will be mapped to.
+        - **Client Secret** - the name of the secret that the rotated Client Secret will be mapped to.
+
+        6. Give your rotation a name and description (optional). Then click **Next**.
+
+        ![Rotation Details](/images/secret-rotations-v2/okta-client-secret/details.png)
+
+        - **Name** - the name of the secret rotation configuration. Must be slug-friendly.
+        - **Description** (optional) - a description of this rotation configuration.
+
+        7. Review your configuration, then click **Create Secret Rotation**.
+
+        ![Rotation Review](/images/secret-rotations-v2/okta-client-secret/review.png)
+
+        8. Your **Okta Client Secret** credentials are now available for use via the mapped secrets.
+
+        ![Rotation Created](/images/secret-rotations-v2/okta-client-secret/created.png)
+    </Tab>
+    <Tab title="API">
+        To create an Okta Client Secret Rotation, make an API request to the [Create Okta Client Secret Rotation](/api-reference/endpoints/secret-rotations/okta-client-secret/create) API endpoint.
+
+        You will first need the **Client ID** of the Okta application you want to rotate the secret for. This can be obtained from the applications dashboard.
+
+        ![Okta Client ID](/images/secret-rotations-v2/okta-client-secret/client-id.png)
+
+        ### Sample request
+
+        ```bash Request
+        curl --request POST \
+        --url https://us.infisical.com/api/v2/secret-rotations/okta-client-secret \
+        --header 'Content-Type: application/json' \
+        --data '{
+            "name": "my-okta-rotation",
+            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "description": "my client secret rotation",
+            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "environment": "dev",
+            "secretPath": "/",
+            "isAutoRotationEnabled": true,
+            "rotationInterval": 30,
+            "rotateAtUtc": {
+                "hours": 0,
+                "minutes": 0
+            },
+            "parameters": {
+                "clientId": "...",
+            },
+            "secretsMapping": {
+                "clientId": "OKTA_CLIENT_ID",
+                "clientSecret": "OKTA_CLIENT_SECRET"
+            }
+        }'
+        ```
+
+        ### Sample response
+
+        ```bash Response
+        {
+            "secretRotation": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-okta-rotation",
+                "description": "my client secret rotation",
+                "secretsMapping": {
+                    "clientId": "OKTA_CLIENT_ID",
+                    "clientSecret": "OKTA_CLIENT_SECRET"
+                },
+                "isAutoRotationEnabled": true,
+                "activeIndex": 0,
+                "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2023-11-07T05:31:56Z",
+                "updatedAt": "2023-11-07T05:31:56Z",
+                "rotationInterval": 30,
+                "rotationStatus": "success",
+                "lastRotationAttemptedAt": "2023-11-07T05:31:56Z",
+                "lastRotatedAt": "2023-11-07T05:31:56Z",
+                "lastRotationJobId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "nextRotationAt": "2023-11-07T05:31:56Z",
+                "connection": {
+                    "app": "okta",
+                    "name": "my-okta-connection",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "environment": {
+                    "slug": "dev",
+                    "name": "Development",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "folder": {
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "path": "/"
+                },
+                "rotateAtUtc": {
+                    "hours": 0,
+                    "minutes": 0
+                },
+                "lastRotationMessage": null,
+                "type": "okta-client-secret",
+                "parameters": {
+                    "clientId": "..."
+                }
+            }
+        }
+        ```
+    </Tab>
+</Tabs>

docs/integrations/app-connections/okta.mdx

@@ -0,0 +1,99 @@
+---
+title: "Okta Connection"
+description: "Learn how to configure an Okta Connection for Infisical."
+---
+
+Infisical supports the use of [API Tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/) to connect with Okta.
+
+## Create Okta API Token
+
+<Steps>
+    <Step title="Create API Token">
+        From the Okta admin dashboard, navigate to **Security > API > Tokens** and click **Create token**.
+
+        ![Create API Token](/images/app-connections/okta/step-1.png)
+    </Step>
+    <Step title="Provide Info">
+        Enter the token name and select **Any IP** for the second dropdown, then click **Create token**.
+
+        ![Provide Info](/images/app-connections/okta/step-2.png)
+    </Step>
+    <Step title="Copy Token">
+        Copy the token from the modal for later steps.
+
+        ![Copy Token](/images/app-connections/okta/step-3.png)
+    </Step>
+</Steps>
+
+## Create Okta Connection in Infisical
+
+<Tabs>
+    <Tab title="Infisical UI">
+        <Steps>
+            <Step title="Navigate to App Connections">
+                In your Infisical dashboard, go to **Organization Settings** and select the [**App Connections**](https://app.infisical.com/organization/app-connections) tab.
+
+                ![App Connections Tab](/images/app-connections/general/add-connection.png)
+            </Step>
+            <Step title="Select Okta Connection">
+                Click the **Add Connection** button and select **Okta** from the list of available connections.
+            </Step>
+            <Step title="Fill out Connection Modal">
+                Complete the Okta Connection form by entering:
+                - A descriptive name for the connection
+                - An optional description for future reference
+                - Your Okta instance URL
+                - The API Token from earlier steps
+
+                ![Connection Modal](/images/app-connections/okta/step-4.png)
+            </Step>
+            <Step title="Connection Created">
+                After clicking Create, your **Okta Connection** is established and ready to use with your Infisical projects.
+
+                ![Connection Created](/images/app-connections/okta/step-5.png)
+            </Step>
+        </Steps>
+    </Tab>
+    <Tab title="API">
+        To create a Okta Connection, make an API request to the [Create Okta Connection](/api-reference/endpoints/app-connections/okta/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl    --request POST \
+                --url https://app.infisical.com/api/v1/app-connections/okta \
+                --header 'Content-Type: application/json' \
+                --data '{
+                    "name": "my-okta-connection",
+                    "method": "api-token",
+                    "credentials": {
+                        "instanceUrl": "https://example.okta.com",
+                        "apiToken": "<YOUR-API-TOKEN>"
+                    }
+                }'
+        ```
+
+        ### Sample response
+
+        ```bash Response
+        {
+          "appConnection": {
+              "id": "e5d18aca-86f7-4026-a95e-efb8aeb0d8e6",
+              "name": "my-okta-connection",
+              "description": null,
+              "version": 1,
+              "orgId": "6f03caa1-a5de-43ce-b127-95a145d3464c",
+              "createdAt": "2025-04-23T19:46:34.831Z",
+              "updatedAt": "2025-04-23T19:46:34.831Z",
+              "isPlatformManagedCredentials": false,
+              "credentialsHash": "7c2d371dec195f82a6a0d5b41c970a229cfcaf88e894a5b6395e2dbd0280661f",
+              "app": "okta",
+              "method": "api-token",
+              "credentials": {
+                  "instanceUrl": "https://example.okta.com"
+              }
+          }
+        }
+        ```
+    </Tab>
+</Tabs>

frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/ViewOktaClientSecretRotationGeneratedCredentials.tsx

@@ -0,0 +1,38 @@
+import { CredentialDisplay } from "@app/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/shared/CredentialDisplay";
+import { TOktaClientSecretRotationGeneratedCredentialsResponse } from "@app/hooks/api/secretRotationsV2/types/okta-client-secret-rotation";
+
+import { ViewRotationGeneratedCredentialsDisplay } from "./shared";
+
+type Props = {
+  generatedCredentialsResponse: TOktaClientSecretRotationGeneratedCredentialsResponse;
+};
+
+export const ViewOktaClientSecretRotationGeneratedCredentials = ({
+  generatedCredentialsResponse: { generatedCredentials, activeIndex }
+}: Props) => {
+  const inactiveIndex = activeIndex === 0 ? 1 : 0;
+
+  const activeCredentials = generatedCredentials[activeIndex];
+  const inactiveCredentials = generatedCredentials[inactiveIndex];
+
+  return (
+    <ViewRotationGeneratedCredentialsDisplay
+      activeCredentials={
+        <>
+          <CredentialDisplay label="Client ID">{activeCredentials?.clientId}</CredentialDisplay>
+          <CredentialDisplay isSensitive label="Client Secret">
+            {activeCredentials?.clientSecret}
+          </CredentialDisplay>
+        </>
+      }
+      inactiveCredentials={
+        <>
+          <CredentialDisplay label="Client ID">{inactiveCredentials?.clientId}</CredentialDisplay>
+          <CredentialDisplay isSensitive label="Client Secret">
+            {inactiveCredentials?.clientSecret}
+          </CredentialDisplay>
+        </>
+      }
+    />
+  );
+};

frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/ViewSecretRotationV2GeneratedCredentials.tsx

@@ -22,6 +22,7 @@ import {
 
 import { ViewSqlCredentialsRotationGeneratedCredentials } from "./shared";
 import { ViewAwsIamUserSecretRotationGeneratedCredentials } from "./ViewAwsIamUserSecretRotationGeneratedCredentials";
+import { ViewOktaClientSecretRotationGeneratedCredentials } from "./ViewOktaClientSecretRotationGeneratedCredentials";
 
 type Props = {
   secretRotation?: TSecretRotationV2;
@@ -99,6 +100,13 @@ const Content = ({ secretRotation }: ContentProps) => {
         />
       );
       break;
+    case SecretRotation.OktaClientSecret:
+      Component = (
+        <ViewOktaClientSecretRotationGeneratedCredentials
+          generatedCredentialsResponse={generatedCredentialsResponse}
+        />
+      );
+      break;
     default:
       throw new Error("Unhandled View Generated Credential Rotation Type");
   }

frontend/src/components/secret-rotations-v2/forms/SecretRotationV2ParametersFields/OktaClientSecretRotationParametersFields.tsx

@@ -0,0 +1,51 @@
+import { Controller, useFormContext } from "react-hook-form";
+import { SingleValue } from "react-select";
+
+import { TSecretRotationV2Form } from "@app/components/secret-rotations-v2/forms/schemas";
+import { FilterableSelect, FormControl } from "@app/components/v2";
+import { useOktaConnectionListApps } from "@app/hooks/api/appConnections/okta";
+import { TOktaApp } from "@app/hooks/api/appConnections/okta/types";
+import { SecretRotation } from "@app/hooks/api/secretRotationsV2";
+
+export const OktaClientSecretRotationParametersFields = () => {
+  const { control, watch, setValue } = useFormContext<
+    TSecretRotationV2Form & {
+      type: SecretRotation.OktaClientSecret;
+    }
+  >();
+
+  const connectionId = watch("connection.id");
+
+  const { data: apps, isPending: isAppsPending } = useOktaConnectionListApps(connectionId, {
+    enabled: Boolean(connectionId)
+  });
+
+  return (
+    <Controller
+      name="parameters.clientId"
+      control={control}
+      render={({ field: { value, onChange }, fieldState: { error } }) => (
+        <FormControl
+          isError={Boolean(error)}
+          errorText={error?.message}
+          label="OpenID Connect Application"
+        >
+          <FilterableSelect
+            menuPlacement="top"
+            isLoading={isAppsPending && Boolean(connectionId)}
+            isDisabled={!connectionId}
+            value={apps?.find((app) => app.id === value) ?? null}
+            onChange={(option) => {
+              onChange((option as SingleValue<TOktaApp>)?.id ?? null);
+              setValue("parameters.clientId", (option as SingleValue<TOktaApp>)?.id ?? "");
+            }}
+            options={apps}
+            placeholder="Select an application..."
+            getOptionLabel={(option) => option.label}
+            getOptionValue={(option) => option.id}
+          />
+        </FormControl>
+      )}
+    />
+  );
+};