docs(console): update microsoft entra id oidc and okta readme (#7702)

Rany0101 · charIeszhao · Copilot · web-flow · commit 2b0cc1599720 · 2025-08-26T05:33:52.000Z
* chore: update microsoft entra id oidc and okta readme

Update enterprise SSO connector README for token storage:
1. Microsoft Entra ID (OIDC)
2. Okta

* fix: typos

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

---------

Co-authored-by: Charles Zhao &lt;charleszhao@silverhand.io&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/packages/console/src/assets/docs/single-sign-on/azure-oidc/README.mdx b/packages/console/src/assets/docs/single-sign-on/azure-oidc/README.mdx
@@ -6,6 +6,7 @@ import configApplication from './assets/config_application.webp';
 import applicationDetails from './assets/application_details.webp';
 import createSecret from './assets/create_secret.webp';
 import endpoints from './assets/endpoints.webp';
+import permissions from './assets/add_api_permissions.webp';
 
 <Step index={0} title="Create an Microsoft EntraID OIDC application">
 
@@ -69,9 +70,53 @@ Click `Save` to finish the configuration process
 
 </Step>
 
-<Step index={2} title="Set email domains and enable the SSO connector">
+<Step index={2} title="Additional scopes (Optional)">
 
-Provide the email `domains` of your organization on the connector `experience` tab. This will enabled the SSO connector as an authentication method for those users.
+Scopes define the permissions your app requests from users and control which data your app can access from their Microsoft Entra ID accounts. Requesting Microsoft Graph permissions requires configuration on both sides:
+
+**In Microsoft Entra admin center:**
+
+1. Navigate to **Microsoft Entra ID > App registrations** and select your application.
+2. Go to **API permissions > Add a permission > Microsoft Graph > Delegated permissions**.
+3. Select only the permissions your app requires:
+   - OpenID permissions:
+     - `openid` (Required) - Sign users in
+     - `profile` (Required) - View users' basic profile
+     - `email` (Required) - View users' email address
+     - `offline_access` (Optional) - Required only if you enable **Store tokens for persistent API access** in the Logto connector and need to obtain refresh tokens for long-lived access to Microsoft Graph APIs.
+   - API access (Optional): Add any additional permissions needed for your app. Common Microsoft Graph permissions include `Mail.Read`, `Calendars.Read`, `Files.Read`, etc. Browse the [Microsoft Graph permissions reference](https://docs.microsoft.com/en-us/graph/permissions-reference) to find available permissions.
+4. Click **Add permissions** to confirm the selection.
+5. If your app requires admin consent for certain permissions, click **Grant admin consent for [Your Organization]**.
+
+<center>
+  <img src={permissions} alt="Add Microsoft API permissions" />
+</center>
+
+**In Logto Microsoft Entra ID connector:**
+
+1. Logto automatically includes `openid`, `profile`, and `email` scopes to retrieve basic user identity information. You can leave the `Scopes` field blank if you only need basic user information.
+2. Add `offline_access` to the `Scopes` field if you plan to store tokens for persistent API access. This scope enables refresh tokens for long-lived API access.
+3. Add additional scopes (separated by spaces) in the `Scopes` field to request more data from Microsoft Graph. Use standard scope names, for example: `User.Read Mail.Read Calendars.Read`
+
+**Tip**: If your app requests these scopes to access the Microsoft Graph API and perform actions, make sure to enable **Store tokens for persistent API access** in Logto Microsoft Entra ID connector. See the next section for details.
+
+</Step>
+
+
+<Step index={3} title="Store tokens to access Microsoft APIs (Optional)">
+
+If you want to access [Microsoft Graph APIs](https://docs.microsoft.com/en-us/graph/api/overview) and perform actions with user authorization, Logto needs to get specific API scopes and store tokens.
+
+1. Add the required scopes in your Microsoft Entra admin center API permissions configuration and Logto Microsoft Entra ID connector.
+2. Enable **Store tokens for persistent API access** in Logto Microsoft Entra ID connector. Logto will securely store Microsoft access and refresh tokens in the Secret Vault.
+3. To ensure refresh tokens are returned, add the `offline_access` scope to your Microsoft Entra ID application permissions and include it in your Logto Microsoft Entra ID connector scopes. This scope allows your application to maintain access to resources for extended periods.
+
+</Step>
+
+
+<Step index={4} title="Set email domains and enable the SSO connector">
+
+Provide the email `domains` of your organization on the connector `experience` tab. This will enable the SSO connector as an authentication method for those users.
 
 Users with email addresses in the specified domains will be exclusively limited to use your SSO connector as their only authentication method.
 
diff --git a/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/add_api_permissions.webp b/packages/console/src/assets/docs/single-sign-on/azure-oidc/assets/add_api_permissions.webp
diff --git a/packages/console/src/assets/docs/single-sign-on/okta/README.mdx b/packages/console/src/assets/docs/single-sign-on/okta/README.mdx
@@ -64,17 +64,45 @@ If the `issuer` link you provided is valid, you will see a parsed full list of O
 
 </Step>
 
-<Step index={4} title="Additional Scopes (Optional)">
+<Step index={4} title="Additional scopes (Optional)">
 
-Use the `Scope` field to add additional scopes to your OAuth request. This will allow you to request for more information from the Okta OAuth server. Please refer to the [Okta documentation](https://developer.okta.com/docs/reference/api/oidc/#scopes) for more details about the available scopes.
+Scopes define the permissions your app requests from users and control which data your app can access from their Okta accounts. Requesting additional Okta permissions requires configuration on both sides:
 
-\*Regardless of the custom scope settings, Logto will always send the `openid`, `profile` and `email` scopes to the IdP. This is to ensure that Logto can retrieve the user's identity information and email address properly.
+**In Okta admin console:**
+
+1. Navigate to **Applications > Applications** and select your OIDC application.
+2. Go to the **Assignments** tab to ensure your app has access to the required users and groups.
+3. For custom scopes, navigate to **Security > API > Authorization Servers** and select your authorization server.
+4. Add custom scopes if needed:
+   - Click **Scopes** and then **Add Scope**
+   - Define scope names like `okta.users.read` or `okta.groups.read` for accessing Okta APIs
+   - Configure consent requirements for each scope
+
+For a complete list of available scopes and their descriptions, please refer to the [Okta OIDC documentation](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scopes).
+
+**In Logto Okta connector:**
+
+1. Logto automatically includes `openid`, `profile`, and `email` scopes to retrieve basic user identity information. You can leave the `Scopes` field blank if you only need basic user information.
+2. Add `offline_access` to the `Scopes` field if you plan to store tokens for persistent API access. This scope enables refresh tokens for long-lived API access.
+3. Add additional scopes (separated by spaces) in the `Scopes` field to request more data from Okta. For example: `okta.users.read okta.groups.read`
+
+**Tip:** If your app requests these scopes to access Okta APIs and perform actions, make sure to enable **Store tokens for persistent API access** in Logto Okta connector. See the next section for details.
+
+</Step>
+
+<Step index={5} title="Store tokens to access Okta APIs (Optional)">
+
+If you want to access [Okta scopes](https://developer.okta.com/docs/guides/request-user-consent/main/#enable-consent-for-scopes) and perform actions with user authorization, Logto needs to get specific scopes and store tokens.
+
+1. Add the required scopes in your Okta developer console API permissions configuration and Logto Okta connector.
+2. Enable **Store tokens for persistent API access** in Logto Okta connector. Logto will securely store Okta access and refresh tokens in the Secret Vault.
+3. To ensure refresh tokens are returned, add the `offline_access` scope to your Okta application permissions and include it in your Logto Okta connector scopes. This scope allows your application to maintain access to resources for extended periods.
 
 </Step>
 
-<Step index={5} title="Set email domains and enable the SSO connector">
+<Step index={6} title="Set email domains and enable the SSO connector">
 
-Provide the email `domains` of your organization on the connector `experience` tab. This will enabled the SSO connector as an authentication method for those users.
+Provide the email `domains` of your organization on the connector `experience` tab. This will enable the SSO connector as an authentication method for those users.
 
 Users with email addresses in the specified domains will be exclusively limited to use your SSO connector as their only authentication method.
 
