@jordan-umusu (Collaborator) commented Feb 4, 2026

Summary by cubic

Add Okta private key JWT (JWT Bearer) support across backend, UI, and registry tools, enabling service apps to authenticate without API tokens. Also makes authorization_endpoint optional unless using authorization_code.

  • New Features

    • Backend: Added OAuth grant type jwt_bearer with JWTBearerOAuthProvider (RFC 7523), token refresh flow, and provider dependency. Uses PEM private key in client_secret to sign assertions.
    • Frontend: Added “Private key JWT” grant option. Hides authorization endpoint for jwt_bearer and treats it as optional otherwise. Updated validation, types, and placeholders (PEM input).
    • Registry: Updated all Okta and Okta OAR tools to accept an OAuth secret (provider_id: okta, grant_type: jwt_bearer). Authorization header now prefers Bearer OKTA_SERVICE_TOKEN, with SSWS API token as fallback.
  • Migration

    • Create a custom provider with grant_type=jwt_bearer, set token_endpoint and client_id, and paste the PEM private key into client_secret.
    • In workflows, add a secret of type: oauth with provider_id: okta and grant_type: jwt_bearer, or keep existing API token for fallback.
    • No authorization endpoint needed for jwt_bearer.

Written for commit 5e42105. Summary will update on new commits.
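
An added example, not code from this pull request or the project: a pre-flight lint for the signed assertion a jwt_bearer client sends, checking the header and the RFC 7523 section 3 claims with the standard library only. The function names, the one-hour lifetime cap, the jti requirement, the iss = sub = client_id rule and the sample token builder are assumptions made for the example.

```python
import base64
import json
import time

MAX_LIFETIME = 3600  # assumed policy: assertion valid for at most one hour

def _decode(part):
    """Decode one base64url JWT segment into a JSON value."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def lint_assertion(token, client_id, token_endpoint, now=None):
    """List problems in a client assertion's header and claims (RFC 7523 s.3).
    The signature is not verified here; the authorization server does that."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must be JSON objects"]
    problems = []
    alg = str(header.get("alg", ""))
    if not alg or alg.lower() == "none" or alg.upper().startswith("HS"):
        problems.append("alg must be an asymmetric signature algorithm")
    # Assumptions: self-issued assertion (iss = sub = client_id); jti required by policy.
    for name in ("iss", "sub"):
        if claims.get(name) != client_id:
            problems.append(name + " must equal the client_id")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud must name the token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp is missing or not numeric")
    elif exp <= now:
        problems.append("assertion has expired")
    elif exp - now > MAX_LIFETIME:
        problems.append("lifetime exceeds MAX_LIFETIME")
    if not claims.get("jti"):
        problems.append("no jti, so replays cannot be detected")
    return problems

def sample_token(header, claims):
    """Constructed demo token: real header and claims, placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(claims), "c2ln"])
```

An empty list means the header and claims pass these checks; it says nothing about the signature or the key behind it.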

@blacksmith-sh bot (Contributor) commented Feb 4, 2026

Found 23 test failures on Blacksmith runners:

Failures

  • test_template_action_validation[('okta', 'activate_user/yml')]
  • test_template_action_validation[('okta', 'add_to_group/yml')]
  • test_template_action_validation[('okta', 'assign_group_to_app/yml')]
  • test_template_action_validation[('okta', 'clear_user_sessions/yml')]
  • test_template_action_validation[('okta', 'create_user/yml')]
  • test_template_action_validation[('okta', 'expire_password/yml')]
  • test_template_action_validation[('okta', 'expire_password_with_temporary_password/yml')]
  • test_template_action_validation[('okta', 'get_group_members/yml')]
  • test_template_action_validation[('okta', 'get_groups_assigned_to_user/yml')]
  • test_template_action_validation[('okta', 'get_user/yml')]
  • test_template_action_validation[('okta', 'list_groups_in_org/yml')]
  • test_template_action_validation[('okta', 'list_users/yml')]
  • test_template_action_validation[('okta', 'lookup_user_by_email/yml')]
  • test_template_action_validation[('okta', 'remove_from_group/yml')]
  • test_template_action_validation[('okta', 'reset_password/yml')]
  • test_template_action_validation[('okta', 'revoke_sessions/yml')]
  • test_template_action_validation[('okta', 'search_users/yml')]
  • test_template_action_validation[('okta', 'suspend_user/yml')]
  • test_template_action_validation[('okta', 'unsuspend_user/yml')]
  • test_template_action_validation[('okta_oar', 'create_message/yml')]
  • test_template_action_validation[('okta_oar', 'get_requests/yml')]
  • test_template_action_validation[('okta_oar', 'get_specific_request/yml')]
  • test_template_action_validation[('okta_oar', 'get_user/yml')]
