fix(source-okta): Fix OAuth with private key PEM parsing issue

[Airbyte-Support]

What

Fixes a critical issue where OAuth authentication with private key fails in the Okta connector (and potentially other connectors using OAuth with private key in the connector builder) with the error:

jwt.exceptions.InvalidKeyError: Could not parse the provided public key.

This occurs because the private key string from Airbyte Cloud contains escaped newlines (\\n) instead of actual newline characters, causing PyJWT to fail parsing the PEM-formatted key.

How

Added a normalization step in CustomOauth2PrivateKeyAuthenticator.token() that converts escaped newlines to actual newlines before passing the private key to jwt.encode(). This follows the same pattern used elsewhere in the codebase (see commit e53e290).

# Normalize escaped newlines in the private key to actual newlines
if "\\n" in private_key:
    private_key = private_key.replace("\\n", "\n")

Review guide

1. airbyte-integrations/connectors/source-okta/source_okta/components.py - Review the normalization logic in the token() method (lines 91-93)
2. Consider whether this fix should be:
   • Applied to other connectors with similar OAuth private key flows
   • Moved to a shared utility function in the CDK
   • Accompanied by a unit test

User Impact

Positive:

• Users can now successfully authenticate to Okta using OAuth 2.0 with private key
• This also fixes the same issue for any custom connectors built in the connector builder that use OAuth with private key

Negative:

• None expected. The fix is a simple normalization that only applies when escaped newlines are present.

Can this PR be safely reverted and rolled back?

• YES 💚
• NO ❌

The change is minimal and only affects the OAuth with private key authentication flow. Reverting would simply restore the broken behavior.

---

Link to Devin run: https://app.devin.ai/sessions/ccfafd12c230478f82106eb1bac5de88

Requested by: @Airbyte-Support ([email protected])

Note: This fix was implemented based on error logs and pattern matching with historical fixes in the codebase. Ideally, this should be tested with an actual Okta instance using OAuth with private key authentication before merging.

[devin-ai-integration]

Original prompt from [email protected]

@Devin Hi
Thread URL: https://airbytehq-team.slack.com/archives/D09QB1SEDDX/p1763952090971809

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Helpful Resources

• Breaking Changes Guide - Breaking changes, migration guides, and upgrade deadlines
• Developing Connectors Locally
• Managing Connector Secrets
• On-Demand Live Tests
• On-Demand Regression Tests
• #connector-ci-issues
• #connector-publish-updates
• #connector-build-statuses

PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

• /format-fix - Fixes most formatting issues.
• /bump-version - Bumps connector versions.
  • You can specify a custom changelog by passing changelog. Example: /bump-version changelog="My cool update"
  • Leaving the changelog arg blank will auto-populate the changelog from the PR title.
• /run-cat-tests - Runs legacy CAT tests (Connector Acceptance Tests)
• /run-live-tests - Runs live tests for the modified connector(s).
• /run-regression-tests - Runs regression tests for the modified connector(s).
• /build-connector-images - Builds and publishes a pre-release docker image for the modified connector(s).
• JVM connectors:
  • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
    Example: /update-connector-cdk-version connector=destination-bigquery
  • /bump-bulk-cdk-version bump=patch changelog='foo' - Bump the Bulk CDK's version. bump can be major/minor/patch.
• Python connectors:
  • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
  • /poe source example lock - Alias for /poe connector source-example lock.
  • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
  • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.

📝 Edit this welcome message.

[github-actions]

source-okta Connector Test Results

3 tests   0 ✅  1s ⏱️
1 suites  0 💤
1 files    0 ❌  3 🔥

For more details on these errors, see this check.

Results for commit 77d45c0.

♻️ This comment has been updated with latest results.

[github-actions]

Deploy preview for airbyte-docs ready!

✅ Preview
https://airbyte-docs-m2xz6ua7u-airbyte-growth.vercel.app

Built with commit 77d45c0.
This pull request is being automatically deployed with vercel-action