diff --git a/.env.example b/.env.example index 6770e88..c02d5f2 100644 --- a/.env.example +++ b/.env.example @@ -12,6 +12,8 @@ OKTA_SCOPES=okta.users.read okta.groups.read # Optional: For Private Key JWT authentication (browserless) # Uncomment and set these if using Private Key JWT instead of Device Authorization +# OKTA_PRIVATE_KEY can be either the PEM content directly or a path to a PEM file +# OKTA_PRIVATE_KEY=/path/to/private_key.pem # OKTA_PRIVATE_KEY= # OKTA_KEY_ID= diff --git a/src/okta_mcp_server/utils/auth/auth_manager.py b/src/okta_mcp_server/utils/auth/auth_manager.py index 2dcdceb..8be755f 100644 --- a/src/okta_mcp_server/utils/auth/auth_manager.py +++ b/src/okta_mcp_server/utils/auth/auth_manager.py @@ -45,15 +45,22 @@ def __init__(self): self.scopes = f"{self.scopes} {os.environ.get('OKTA_SCOPES', '').strip()}" # Check for browserless auth configuration - self.private_key = os.environ.get("OKTA_PRIVATE_KEY") + private_key_value = os.environ.get("OKTA_PRIVATE_KEY") self.key_id = os.environ.get("OKTA_KEY_ID") + if private_key_value and os.path.isfile(private_key_value): + logger.info(f"Loading private key from file: {private_key_value}") + with open(private_key_value) as f: + self.private_key = f.read() + else: + self.private_key = private_key_value + # Process private key if it contains escaped newlines + if self.private_key and "\\n" in self.private_key: + self.private_key = self.private_key.replace("\\n", "\n") + if self.private_key and self.key_id: self.use_browserless_auth = True logger.info("Browserless authentication is available and will be used") - # Process private key if it contains escaped newlines - if "\\n" in self.private_key: - self.private_key = self.private_key.replace("\\n", "\n") else: if self.private_key and not self.key_id: logger.warning("Private key found but OKTA_KEY_ID is missing. Using device flow instead.")