feat: okta profile tool

[Weves]

Description

Fixes https://linear.app/danswer/issue/DAN-2317/okta-user-profile-tool

How Has This Been Tested?

Tested locally.

Backporting (check the box to trigger backport action)

Note: You have to check that the action passes, otherwise resolve the conflicts manually and tag the patches.

• This PR should be backported (make sure to check that the backport attempt succeeds)
• [Optional] Override Linear Check

---

Summary by cubic

Added a new Okta Profile tool that lets the assistant fetch and display user profile information from Okta using OAuth and Okta Admin API.

• New Features
• Okta Profile tool is enabled by environment variables and appears in the tool list.
• Fetches user details from Okta, including name, email, department, and account status.
• Integrates with the chat UI to show profile results when used.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Project	Deployment	Preview	Comments	Updated (UTC)
internal-search	✅ Ready	Preview	Comment	Aug 13, 2025 4:40pm

[greptile-apps]

Greptile Summary

This PR introduces a new Okta Profile Tool that enables users to retrieve their profile information from Okta through the chat interface. The implementation follows Onyx's established tool architecture pattern and includes several key components:

Core Implementation: The OktaProfileTool class (backend/onyx/tools/tool_implementations/okta_profile/okta_profile_tool.py) inherits from BaseTool and implements the standard tool interface. It orchestrates a multi-step authentication flow: first extracting user IDs from OAuth tokens via OIDC userinfo/introspection endpoints, then fetching full profile data using Okta's Users API with SSWS authentication.

Configuration Integration: New environment-based configurations were added to app_configs.py including OKTA_PROFILE_TOOL_ENABLED (feature flag), OKTA_API_TOKEN (for Users API access), and OPENID_CONFIG_URL (for OIDC configuration). These follow the existing configuration patterns in the codebase.

Tool System Integration: The tool is properly integrated into the existing tool constructor (tool_constructor.py) with comprehensive validation checks for required OAuth credentials and Okta API tokens. It's also conditionally registered in the built-in tools system (built_in_tools.py) using the same pattern as other external service integrations like InternetSearchTool.

Performance Optimizations: Import optimizations were made in llm/models.py and tools/tool.py to reduce runtime dependencies by converting heavy imports to lazy loading and moving type-only imports under TYPE_CHECKING blocks.

UI Enhancements: Minor frontend improvements in Messages.tsx include more explicit array length checking and consistent spacing for tool displays.

The tool integrates seamlessly with Onyx's existing authentication system, leveraging user OAuth tokens for secure profile retrieval while maintaining the established patterns for tool validation, error handling, and conditional availability based on environment configuration.

Confidence score: 3/5

• This PR introduces significant new functionality with external API dependencies that could potentially cause issues if Okta services are unavailable or misconfigured
• Score reflects concerns about error handling that may expose sensitive information in logs and the complexity of the multi-step authentication flow with multiple potential failure points
• Pay close attention to backend/onyx/tools/tool_implementations/okta_profile/okta_profile_tool.py for security implications and error handling robustness

_{7 files reviewed, 6 comments}

_{Edit Code Review Bot Settings | Greptile}

[cubic-dev-ai]

cubic analysis

2 issues found across 7 files • Review in cubic

_{React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[evan-onyx]

left some qs that can become TODOs if necessary