What is the migration path to OIDC auth for an environment currently utilizing Okta-API-based auth?
The OIDC backend will still be Okta, so all our identity & group information will be the same.
We do not want to re-invent all our stuff and want to understand the best approach to migrating while retaining all of the groups and policies, as seamlessly as possible.
Assuming you’re assigning policies with Identity, you can pre-add aliases to your entities that correspond to the OIDC mount. That way when people log in they will get the same entity attached to their token, and thus any policies from their entity or group memberships.
Outside of that, there is no migration path. They are totally separate plugins.
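The alias pre-seeding described in the answer above, as an added example that is not part of the original thread: it assumes the system is HashiCorp Vault's Identity store and builds the request bodies for `POST /v1/identity/entity-alias` from entities that already have an alias on the Okta mount. The accessors, entity records and the `oidc_alias_name` mapping are constructed for illustration; the alias name must equal whatever the OIDC role's `user_claim` will return at login.

```python
"""Plan entity aliases for a new OIDC mount from existing Okta-mount aliases."""

# Constructed sample data shaped like GET /v1/identity/entity/id/<id> responses.
# Accessors, ids and names are made up for this example.
OKTA_ACCESSOR = "auth_okta_aaaa1111"
OIDC_ACCESSOR = "auth_oidc_bbbb2222"
ENTITIES = [
    {"id": "e-001", "name": "alice", "aliases": [
        {"name": "alice@example.com", "mount_accessor": OKTA_ACCESSOR}]},
    {"id": "e-002", "name": "bob", "aliases": [
        {"name": "bob@example.com", "mount_accessor": OKTA_ACCESSOR},
        {"name": "bob@example.com", "mount_accessor": OIDC_ACCESSOR}]},
    {"id": "e-003", "name": "svc-ci", "aliases": [
        {"name": "ci-role", "mount_accessor": "auth_approle_cccc3333"}]},
    {"id": "e-004", "name": "alice-dup", "aliases": [
        {"name": "Alice@Example.com", "mount_accessor": OKTA_ACCESSOR}]},
]

def oidc_alias_name(okta_alias_name):
    # Assumption: the OIDC role's user_claim yields the Okta login in lowercase
    # (e.g. user_claim="email"). Adjust if the role uses "sub" or another claim.
    return okta_alias_name.lower()

def plan_aliases(entities, okta_accessor, oidc_accessor):
    """Return (to_create, conflicts); to_create holds entity-alias request bodies."""
    taken = {}  # OIDC alias name -> entity id that owns (or will own) it
    for ent in entities:
        for al in ent.get("aliases") or []:
            if al["mount_accessor"] == oidc_accessor:
                taken[al["name"]] = ent["id"]
    to_create, conflicts = [], []
    for ent in entities:
        aliases = ent.get("aliases") or []
        if any(a["mount_accessor"] == oidc_accessor for a in aliases):
            continue  # already has an OIDC alias; keeps reruns idempotent
        okta = next((a for a in aliases if a["mount_accessor"] == okta_accessor), None)
        if okta is None:
            continue  # entity never logged in through Okta auth; nothing to map
        name = oidc_alias_name(okta["name"])
        if name in taken:  # an alias name is unique per mount: flag, don't guess
            conflicts.append((name, taken[name], ent["id"]))
            continue
        taken[name] = ent["id"]
        to_create.append({"name": name, "canonical_id": ent["id"],
                          "mount_accessor": oidc_accessor})
    return to_create, conflicts

if __name__ == "__main__":
    print(plan_aliases(ENTITIES, OKTA_ACCESSOR, OIDC_ACCESSOR))
```

Review the conflicts list before sending anything: two entities that would map to the same OIDC alias name usually mean a duplicate entity that should be merged or removed first.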