diff --git a/_kratos/kratos.yml b/_kratos/kratos.yml
index a276505..c8995e7 100644
--- a/_kratos/kratos.yml
+++ b/_kratos/kratos.yml
@@ -2,11 +2,33 @@ version: v0.7.1-alpha.1
 dsn: postgres://admindbuser:admindbpassword@localhost:5432/admindb?sslmode=disable&max_conns=20&max_idle_conns=4
+dev: true
+
 serve:
 public:
 base_url: http://127.0.0.1:4433/
 cors:
 enabled: true
+ allowed_origins:
+ - http://127.0.0.1:3000
+ - http://127.0.0.1:3000/*
+ - http://127.0.0.1:19006
+ - http://127.0.0.1:19006/*
+ - http://127.0.0.1:4455
+ - http://127.0.0.1:4455/*
+ allowed_methods:
+ - POST
+ - GET
+ - PUT
+ - PATCH
+ - DELETE
+ allowed_headers:
+ - Authorization
+ - Cookie
+ - Content-Type
+ exposed_headers:
+ - Content-Type
+ - Set-Cookie
 admin:
 base_url: http://127.0.0.1:4434/
@@ -19,6 +41,24 @@ selfservice:
 password:
 enabled: true
 oidc:
+ config:
+ providers:
+ - provider: generic
+ id: okta
+ client_id: 0oa4g7baw738BjuNp5d7
+ client_secret: Ezuu9lExU6b8zaQ9LayTFk6fjDauITw8i83kdZmE
+ mapper_url: file://etc/config/kratos/okta-mapper.jsonnet
+ issuer_url: https://dev-59990879.okta.com/oauth2/default
+ scope:
+ - email
+ # auth_url: http://openid-connect-provider/oauth2/auth
+ requested_claims:
+ email:
+ essential: true
+ enabled: true
+ link:
+ enabled: true
+
 profile:
 enabled: true
 flows:
@@ -44,12 +84,12 @@ selfservice:
 default_browser_return_url: http://127.0.0.1:4455/auth/login
 login:
- ui_url: http://127.0.0.1:4455/auth/login
+ ui_url: http://127.0.0.1:4455/login
 lifespan: 10m
 registration:
 lifespan: 10m
- ui_url: http://127.0.0.1:4455/auth/registration
+ ui_url: http://127.0.0.1:4455/registration
 after:
 password:
 hooks:
diff --git a/_kratos/okta-mapper.jsonnet b/_kratos/okta-mapper.jsonnet
new file mode 100644
index 0000000..9254df7
--- /dev/null
+++ b/_kratos/okta-mapper.jsonnet
@@ -0,0 +1,9 @@
+local claims = std.extVar('claims');
+
+{
+ identity: {
+ traits: {
+ email: claims.email,
+ },
+ },
+}
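Review bot: The first hunk turns on `dev: true` and a CORS policy that allows `Authorization` and `Cookie` request headers from plain-HTTP loopback origins in one step, with nothing in the file marking this as a local-only profile. If `dev` is the Kratos flag that relaxes secure-cookie and TLS checks (confirm against the pinned `version`), a comment such as `# local development only: relaxes cookie/TLS checks, do not set in deployed environments` above it would stop the setting from being copied into a shared config. The `http://127.0.0.1:3000/*`, `:19006/*` and `:4455/*` entries in `allowed_origins` should never match, because a browser's `Origin` header carries no path; dropping them keeps the list honest. The existing `dsn` with inline credentials and `sslmode=disable` is context, not new, but compounds the picture.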
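Review bot: The OIDC hunk commits a live-looking Okta `client_secret` (next to `client_id` and `issuer_url`) into a tracked config file; once pushed it is part of history for anyone with repository access. The secret should be rotated at the provider and supplied from an environment variable or secret mount rather than from this file, leaving a placeholder such as `client_secret: <OKTA_CLIENT_SECRET>` in the committed copy. `mapper_url: file://etc/config/kratos/okta-mapper.jsonnet` has two slashes after `file:`, so `etc` may be parsed as a host rather than the first path segment, and the mapper is added at `_kratos/okta-mapper.jsonnet`, not under `etc/config/kratos`; confirm the deployment mounts it at the referenced path. The commented `# auth_url` line is dead configuration and could be removed.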
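Review bot: The new mapper copies `claims.email` into the identity trait unconditionally, so an address the provider has not verified becomes the identity's email. If the provider emits an `email_verified` claim (Okta generally does with the `email` scope; confirm), map only when it is true: `[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,` in place of `email: claims.email,`. A one-line comment at the top of the file naming the provider and the expected claims (`// Okta claims -> identity.traits; requires 'email' scope`) would also help the next reader.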
diff --git a/pkg/auth/v3/service.go b/pkg/auth/v3/service.go
index eeabae3..a0f707b 100644
--- a/pkg/auth/v3/service.go
+++ b/pkg/auth/v3/service.go
@@ -114,7 +114,6 @@ func (ac *authContext) authorize(ctx context.Context, req *commonv3.IsRequestAll
 Params: []string{"u:" + res.SessionData.Username, "*", proj, org, req.Url, req.Method},
 }
 authenticated, err := ac.as.Enforce(ctx, &er)
-
 if err != nil {
 return err
 }
diff --git a/pkg/enforcer/enforcer.go b/pkg/enforcer/enforcer.go
index a2c108f..665cdb8 100644
--- a/pkg/enforcer/enforcer.go
+++ b/pkg/enforcer/enforcer.go
@@ -18,6 +18,19 @@ func NewCasbinEnforcer(db *gorm.DB) *casbinEnforcer {
 }
 }
+// KeyMatchCu custom matching function ref: https://casbin.org/docs/en/function
+func KeyMatchCu(key1 string, key2 string) bool {
+ // admin:ops_star
+ if key2 == "*" {
+ return true
+ }
+ // FIXME: instead add permissions for userinfo
+ if key1 == "/auth/v3/userinfo" {
+ return true
+ }
+ return util.KeyMatch2(key1, key2)
+}
+
 func (e *casbinEnforcer) Init() (*casbin.CachedEnforcer, error) {
 adapter, err := gormadapter.NewAdapterByDB(e.db)
 if err != nil {
@@ -39,7 +52,7 @@ g2 = _, _
 e = some(where (p.eft == allow))
 [matchers]
-m = g2(r.sub, p.sub) && globMatch(r.ns, p.ns) && globMatch(r.proj, p.proj) && r.org == p.org && g(r.obj, p.obj, r.act)
+m = g2(r.sub, p.sub) && (globMatch(r.ns, p.ns) || globMatch(p.ns, r.ns)) && (globMatch(r.proj, p.proj) || globMatch(p.proj, r.proj)) && (globMatch(r.org, p.org) || globMatch(p.org, r.org)) && g(r.obj, p.obj, r.act)
 `
 m, err := model.NewModelFromString(modelText)
 if err != nil {
@@ -51,7 +64,8 @@ m = g2(r.sub, p.sub) && globMatch(r.ns, p.ns) && globMatch(r.proj, p.proj) && r.
 return nil, err
 }
- enforcer.Enforcer.AddNamedDomainMatchingFunc("g", "", util.KeyMatch2)
+ // enforcer.Enforcer.AddNamedDomainMatchingFunc("g", "", )
+ enforcer.Enforcer.AddNamedMatchingFunc("g", "", KeyMatchCu)
 return enforcer, nil
 }
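Review bot: In the `KeyMatchCu` hunk the `key1 == "/auth/v3/userinfo"` branch returns true for every policy object, so the `g(r.obj, p.obj, r.act)` term of the matcher is satisfied for that path by any policy line a subject holds, whatever its `obj`; the FIXME acknowledges this but nothing limits it to a specific method or records when it is to be removed, and a bypass of this kind tends to outlive the reason it was added. Please track it (issue link in the FIXME) and, if it must stay, constrain it to the one method the endpoint needs. The doc comment does not follow the Go convention for an exported name; something like `// KeyMatchCu reports whether request path key1 matches policy pattern key2: a bare "*" matches every path, /auth/v3/userinfo is always allowed (see FIXME), otherwise util.KeyMatch2 decides.` states the two special cases a reader must know. The signature can also be written `func KeyMatchCu(key1, key2 string) bool`.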
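Review bot: The new matcher line makes `globMatch` symmetric for `ns`, `proj` and `org`, and replaces the previous exact `r.org == p.org` with a glob in both directions, so a request-side value is now treated as a pattern too: a request whose `org` (or `proj`/`ns`) field is `*` or contains glob metacharacters would match policy rows from every org. The `authorize` hunk in service.go passes `proj` and `org` straight from the request into the enforce request, so whether this is reachable depends on validation upstream of that function, which is outside the hunk. Unless request-side wildcards are a deliberate feature, keep the policy side as the only pattern, `globMatch(r.org, p.org)` and likewise for `ns` and `proj`, or reject `*` in request values before `Enforce` is called. A comment above `modelText` explaining why the match is bidirectional would be needed if it stays.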
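Review bot: The last hunk leaves `// enforcer.Enforcer.AddNamedDomainMatchingFunc("g", "", )` as a commented-out, incomplete call next to the live `AddNamedMatchingFunc("g", "", KeyMatchCu)`; dead code of this form only raises the question of which registration is intended. If the switch from the domain matching function to the name matching function is deliberate, it changes which argument of `g(r.obj, p.obj, r.act)` the function is applied to (the names rather than the domain, as far as the casbin API naming suggests; confirm), and that deserves a one-line comment such as `// KeyMatchCu matches r.obj against p.obj; r.act is compared exactly as the domain` in place of the commented line. Otherwise delete the comment. `Init` begins before this hunk.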
diff --git a/scripts/initialize/permissions/base/ops_star_all.json b/scripts/initialize/permissions/base/ops_star_all.json
index 30bbf9c..03f1277 100644
--- a/scripts/initialize/permissions/base/ops_star_all.json
+++ b/scripts/initialize/permissions/base/ops_star_all.json
@@ -2,7 +2,7 @@
 "name": "ops_star.all",
 "resource_urls": [
 {
- "url": "/:*",
+ "url": "*",
 "methods": [
 "GET",
 "POST",
@@ -16,4 +16,4 @@
 "description": "Provides complete access, make me a super admin.",
 "authenticated": true,
 "scope": "ORGANIZATION"
-}
\ No newline at end of file
+}
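Review bot: The `"url": "*"` rule in the first hunk matches only because the custom matcher added in enforcer.go short-circuits on a bare `*`; a plain `util.KeyMatch2` pattern of `"/*"` would cover every path starting with `/` without that coupling, so consider `"url": "/*"` unless request URLs can lack a leading slash. If the bare `*` is kept, the dependency should be recorded where a policy author will see it, for example by extending the `description` to say that `*` is a special case of the enforcer's matching function rather than a KeyMatch2 pattern. Since this row grants every method on every URL for the `ORGANIZATION` scope, it is worth double-checking that only the intended super-admin role is ever bound to `ops_star.all`. The trailing-newline hunk is fine.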