Consider moving Okta group settings to application.yml

Summary

This issue proposes moving Okta group configuration values from environment variables to application.yml, similar to how we handle other environment-specific configurations like Zuora settings.

Current State

The following Okta-related configurations are currently stored as secrets:

okta_issuer: "https://dev-instance-id.okta.com/oauth2/default"
okta_readonly_admin_access_group: "group name"
okta_redirect_uri: "http://cdot-env-specific/auth/okta/callback"
okta_support_admin_group: "group name"
okta_support_ops_admin_group: "group name"
okta_write_customers_admin_access_group: "group name"
okta_write_licenses_admin_access_group: "group name"
okta_internal_license_provisioning_admin_group: "group name"
okta_sales_admin_group: "group name"

Proposal

Move these configurations to application.yml under an okta namespace, structured similarly to our existing Zuora configuration pattern.

Justification

Okta group names are already available in the codebase via our Okta group mapping documentation. In addition:

  • These are environment-specific configurations, not necessarily secrets
  • Centralizing configuration in application.yml improves maintainability and discoverability
  • Follows the existing pattern used for Zuora and other service configurations
  • Makes it easier to review and audit configuration differences across environments

⁉️ Open questions

  • Are there any security concerns with storing Okta group names in application.yml?
  • Should okta_issuer and okta_redirect_uri be treated differently from group names?
Edited Jan 21, 2026 by Vladlena Shumilo