Teleport OIDC integration w/Okta fails, user experience and docs should be better #1627

Closed
aberoham opened this issue Jan 23, 2018 · 2 comments

@aberoham
Contributor

What happened:

Attempting to integrate Teleport with Okta via OIDC seems to work but it does not. In debug mode Teleport Enterprise kicks out a couple of low-level OAuth errors without hints that Okta only works with SAML.

What you expected to happen:

Documentation should have redirected me to SAML and noted that Okta's "classic UI" must be used. Further details in docs or debug output of why Okta via OIDC doesn't work would also be nice.

How to reproduce it (as minimally and precisely as possible):

Sign up for an Okta developer preview account and add Teleport as a custom app using their default workflow (without switching to 'Classic UI' and digging for SAML)

Environment:

  • Teleport version (use teleport version): Teleport Enterprise v2.5.0-alpha.3
  • Tsh version (use tsh version): same
  • OS (e.g. from /etc/os-release): Ubuntu

Relevant Debug Logs If Applicable

When using: issuer_url: "https://dev-[REDACTED].oktapreview.com/oauth2/default" in Teleport's oidc connector definition, would get the error go-oidc: provider config sync failed, retrying in 1m0s: token_endpoint_auth_signing_alg_values_supported cannot include 'none'

When using: issuer_url: "https://dev-804184.oktapreview.com/oauth2/v1/token" in oidc connector def, would get the error go-oidc: provider config sync failed, retrying in 1m0s: missing required field subject_types_supported

Googling those two errors and looking at Okta developer forums I see hints that Okta may have fixed their OIDC implementation in the second half of 2017.
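
An added example (not part of the original issue, and not Teleport or go-oidc code): a pre-flight check that inspects a provider's discovery document for the two conditions named in the errors above. The type and function names and the sample documents are constructed for illustration; the field names come from OpenID Connect Discovery.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// providerConfig holds only the discovery fields tied to the two errors in the issue.
// The names and sample data here are hypothetical; the JSON keys are from OIDC Discovery.
type providerConfig struct {
	Issuer            string   `json:"issuer"`
	SubjectTypes      []string `json:"subject_types_supported"`
	TokenAuthSignAlgs []string `json:"token_endpoint_auth_signing_alg_values_supported"`
}

// checkDiscovery parses a discovery document and returns every problem it finds,
// so an operator sees all of them at once instead of one per retry.
func checkDiscovery(doc []byte) []string {
	var cfg providerConfig
	if err := json.Unmarshal(doc, &cfg); err != nil {
		return []string{"not a JSON discovery document: " + err.Error()}
	}
	var problems []string
	if cfg.Issuer == "" {
		problems = append(problems, "missing required field issuer")
	}
	if len(cfg.SubjectTypes) == 0 {
		problems = append(problems, "missing required field subject_types_supported")
	}
	for _, alg := range cfg.TokenAuthSignAlgs {
		if alg == "none" { // unsigned client assertions must never be advertised
			problems = append(problems, "token_endpoint_auth_signing_alg_values_supported cannot include 'none'")
			break
		}
	}
	return problems
}

// Constructed sample documents, not captured from any real provider.
const docWithNone = `{"issuer":"https://idp.example.test","subject_types_supported":["public"],"token_endpoint_auth_signing_alg_values_supported":["RS256","none"]}`
const docNoSubjectTypes = `{"issuer":"https://idp.example.test"}`
const docOK = `{"issuer":"https://idp.example.test","subject_types_supported":["public"],"token_endpoint_auth_signing_alg_values_supported":["RS256"]}`

func main() {
	for _, doc := range []string{docWithNone, docNoSubjectTypes, docOK} {
		fmt.Println(checkDiscovery([]byte(doc)))
	}
}
```

Feed it the JSON served at the issuer URL plus /.well-known/openid-configuration, the path OpenID Connect Discovery defines, before putting that issuer URL into a connector.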

@russjones
Contributor

@benarent Do we want to support Okta and OIDC or just push people to use SAML?

@zmb3
Collaborator

zmb3 commented Apr 18, 2022

This was fixed in #11718 and will be in the next set of releases.

@zmb3 zmb3 closed this as completed Apr 18, 2022