Dataface Tasks

Suite Okta login via OIDC

IDM2-CLOUD-002
Status: not_started
Priority: p1
Milestone: m2-internal-adoption-design-partners
Owner: ui-design-frontend-dev

Problem

Cloud Suite will likely need a Fivetran-friendly internal login path even if Google is the primary public-facing account system. Internal dogfooding, support, and employee access are easier if users can sign in with the company identity provider. If Okta is bolted on independently or before the Google login foundation is settled, the app risks ending up with duplicated auth logic, conflicting provider flows, and unclear account-linking behavior.

Context

  • This task depends on task-m1-suite-google-auth-permissions-sync.md completing first.
  • Cloud already uses django-allauth, so Okta should be added through the OpenID Connect provider instead of a second auth framework.
  • Google remains the primary external login path; Okta is a secondary internal-access option.
  • Internal access policy, allowed groups, and redirect domains may require coordination with IT.

Possible Solutions

  • Recommended: Add Okta as an OpenID Connect provider through django-allauth.
      • Reuses the same session/account plumbing as Google.
      • Keeps provider configuration consistent across environments.
      • Makes account linking by email easier to reason about.
  • Add Okta with a separate OIDC library.
      • Works, but increases auth surface area and duplicates framework concerns.
  • Rely only on Google login for all internal users.
      • Simpler, but less aligned with Fivetran internal identity norms and group-based access control.

Plan

  • Add allauth OIDC provider configuration for Okta.
  • Define provider-specific env vars / secrets and callback URLs.
  • Decide account-linking behavior between Google and Okta identities using the same employee email.
  • Update login UI to present Okta as an internal/Fivetran login option without confusing public users.
  • Document operational steps for group assignment, redirect URIs, and rollout.
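The following is an added illustration of the plan above, not Cloud Suite code: it builds the django-allauth `openid_connect` provider entry for Okta from environment variables, derives the callback URL that has to be registered on the Okta side, and expresses the account-linking decision as a pure policy function. The env var names (`OKTA_OIDC_CLIENT_ID`, `OKTA_OIDC_CLIENT_SECRET`, `OKTA_OIDC_ISSUER`), the allowed domain/group values and the assumption that the Okta app emits a `groups` claim are all choices made here; `should_auto_link` is a helper the project would call from its own allauth `SocialAccountAdapter.pre_social_login` hook (wiring not shown), not an allauth API.

```python
"""Okta as an OIDC provider in django-allauth, plus a linking policy.

Assumes ``allauth.socialaccount.providers.openid_connect`` is in INSTALLED_APPS
and that the Okta authorization server is configured to include a ``groups``
claim (assumption, not something allauth guarantees).
"""
from typing import Iterable, Mapping

# provider_id becomes part of allauth's callback path: /accounts/oidc/<provider_id>/login/callback/
PROVIDER_ID = "okta"
REQUIRED_ENV = ("OKTA_OIDC_CLIENT_ID", "OKTA_OIDC_CLIENT_SECRET", "OKTA_OIDC_ISSUER")


def okta_provider_settings(env: Mapping[str, str]) -> dict:
    """Build the SOCIALACCOUNT_PROVIDERS dict for Okta from environment variables.

    Secrets stay in the environment; refusing to start with a half-configured
    provider is safer than exposing a broken login button.
    """
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise RuntimeError(f"Okta OIDC not configured; missing {missing}")
    issuer = env["OKTA_OIDC_ISSUER"].rstrip("/")
    if not issuer.startswith("https://"):
        raise RuntimeError("OKTA_OIDC_ISSUER must be an https URL; discovery over http is not acceptable")
    return {
        "openid_connect": {
            "APPS": [
                {
                    "provider_id": PROVIDER_ID,
                    "name": "Okta (internal)",
                    "client_id": env["OKTA_OIDC_CLIENT_ID"],
                    "secret": env["OKTA_OIDC_CLIENT_SECRET"],
                    "settings": {
                        # allauth fetches {server_url}/.well-known/openid-configuration
                        "server_url": issuer,
                        "oauth_pkce_enabled": True,
                    },
                }
            ]
        }
    }


def callback_url(base_url: str) -> str:
    """Redirect URI to register in the Okta application; it must match exactly."""
    return f"{base_url.rstrip('/')}/accounts/oidc/{PROVIDER_ID}/login/callback/"


def should_auto_link(claims: Mapping, allowed_domains: Iterable[str], allowed_groups: Iterable[str]) -> bool:
    """Decide whether an Okta identity may be attached to an existing account by email.

    Linking is allowed only when the IdP asserts the email as verified, the email
    domain is an internal one, and the user is in at least one allowed group.
    An unverified email claim must never link accounts, since that would let a
    mismatched identity take over an existing Google-backed account.
    """
    email = (claims.get("email") or "").strip().lower()
    if not email or claims.get("email_verified") is not True:
        return False
    domain = email.rsplit("@", 1)[-1]
    if domain not in {d.lower() for d in allowed_domains}:
        return False
    groups = set(claims.get("groups") or [])
    return bool(groups & set(allowed_groups))


if __name__ == "__main__":
    # Constructed sample environment and claims, not real values.
    sample_env = {
        "OKTA_OIDC_CLIENT_ID": "client-id-placeholder",
        "OKTA_OIDC_CLIENT_SECRET": "client-secret-placeholder",
        "OKTA_OIDC_ISSUER": "https://example.okta.com/",
    }
    print(okta_provider_settings(sample_env))
    print(callback_url("https://suite.example.com"))
    print(should_auto_link(
        {"email": "dev@example.com", "email_verified": True, "groups": ["cloud-suite-internal"]},
        ["example.com"], ["cloud-suite-internal"],
    ))
```

The policy function is deliberately separated from allauth so it can be unit-tested with constructed claims; the same three checks (verified email, internal domain, group membership) are what the "allowed groups" coordination with IT in the Context section would populate.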

Implementation Progress

  • Blocked on the Google login foundation in task-m1-suite-google-auth-permissions-sync.md.

QA Exploration

  • [ ] QA exploration completed (or N/A for non-UI tasks)

Review Feedback

  • [ ] Review cleared