From 69d41047e0ecfd968e5d87cd1853afae61a8accf Mon Sep 17 00:00:00 2001 From: Arvind Krishnakumar <61501885+arvindkrishnakumar-okta@users.noreply.github.com> Date: Fri, 20 Sep 2024 13:57:00 -0500 Subject: [PATCH] Upgrade to OASv3 2024.08.3 (#1558) * Upgrade to OASv3 2024.08.3 * Fix DefaultPropertiesParser resource close issue #1556 * Updated ReadmeSnipppets * Bump Snakeyaml from 2.2 to 2.3 --- README.md | 99 +- api/pom.xml | 4 +- .../application/OIDCApplicationBuilder.java | 4 + .../okta/sdk/resource/user/UserBuilder.java | 3 - .../resources/custom_templates/pojo.mustache | 2 +- coverage/pom.xml | 2 +- examples/pom.xml | 2 +- examples/quickstart/pom.xml | 9 +- .../src/main/java/quickstart/Quickstart.java | 18 +- .../main/java/quickstart/ReadmeSnippets.java | 108 +- impl/pom.xml | 2 +- .../impl/config/DefaultPropertiesParser.java | 7 +- .../GroupProfileDeserializer.java | 2 +- .../impl/resource/DefaultGroupBuilder.java | 18 +- .../DefaultOIDCApplicationBuilder.java | 27 + .../DefaultOktaSignOnPolicyBuilder.java | 4 +- .../sdk/impl/resource/DefaultUserBuilder.java | 17 +- .../serializer/GroupProfileSerializer.java | 10 - integration-tests/pom.xml | 2 +- .../com/okta/sdk/tests/it/AppsIT.groovy | 81 +- .../com/okta/sdk/tests/it/GroupsIT.groovy | 12 +- .../groovy/com/okta/sdk/tests/it/IdpIT.groovy | 98 +- .../com/okta/sdk/tests/it/PoliciesIT.groovy | 74 +- .../com/okta/sdk/tests/it/UsersIT.groovy | 150 +- .../sdk/tests/it/util/ClientProvider.groovy | 31 +- .../sdk/tests/it/util/OktaOrgCleaner.groovy | 21 +- .../com/okta/sdk/tests/it/util/Util.groovy | 8 +- pom.xml | 12 +- src/swagger/api.yaml | 23180 ++++++++++++++-- 29 files changed, 21427 insertions(+), 2580 deletions(-) diff --git a/README.md b/README.md index 3dca243c142..6c725b9a089 100644 --- a/README.md +++ b/README.md @@ -173,9 +173,6 @@ These examples will help you understand how to use this library. You can also br Once you initialize a `ApiClient` instance, you can pass this instance to the constructor of any API area clients (such as `UserApi`, `GroupApi`, `ApplicationApi` etc.). You can start using these clients to call management APIs relevant to the chosen API area. -Note: For creation (HTTP POST or PUT operation) of models that follow inheritance (e.g. Application, Policy | PolicyRule, UserFactor), use the APIs found in their respective `ApiHelper` class (e.g. `ApplicationApiHelper`, `PolicyApiHelper`, `UserFactorApiHelper`) -to ensure safe type cast to their respective subclass types. - ### Non-Admin users Non-admin users will require to be granted specific permissions to perform certain tasks and access resources. @@ -193,7 +190,7 @@ This library should be used with the Okta management API. For authentication, we [//]: # (method: getUser) ```java UserApi userApi = new UserApi(client); -userApi.getUser("userId", "true"); +userApi.getUser("userId", "application/json", "true"); ``` [//]: # (end: getUser) @@ -202,7 +199,7 @@ userApi.getUser("userId", "true"); [//]: # (method: listAllUsers) ```java UserApi userApi = new UserApi(client); -List users = userApi.listUsers(null, null, 5, null, null, null, null); +List users = userApi.listUsers("application/json", null, null, 5, null, null, null, null); // stream users.stream() @@ -221,10 +218,10 @@ For more examples of handling collections see the [pagination](#pagination) sect UserApi userApi = new UserApi(client); // search by email -List users = userApi.listUsers(null, null, 5, null, "profile.email eq \"jcoder@example.com\"", null, null); +List users = userApi.listUsers("application/json", null, null, 5, null, "profile.email eq \"jcoder@example.com\"", null, null); // filter parameter -userApi.listUsers(null, null, null, "status eq \"ACTIVE\"",null, null, null); +userApi.listUsers("application/json",null, null, null, "status eq \"ACTIVE\"",null, null, null); ``` [//]: # (end: userSearch) @@ -295,10 +292,10 @@ userApi.updateUser(user.getId(), updateUserRequest, true); UserApi userApi = new UserApi(client); // deactivate first -userApi.deactivateUser(user.getId(), false); +userApi.deleteUser(user.getId(), false, null); -// then delete -userApi.deleteUser(user.getId(), false); +// see https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/deleteUser +userApi.deleteUser(user.getId(), false, null); ``` [//]: # (end: deleteUser) @@ -418,7 +415,7 @@ swaApplicationSettingsApplication.buttonField("btn-login") SwaApplicationSettings swaApplicationSettings = new SwaApplicationSettings(); swaApplicationSettings.app(swaApplicationSettingsApplication); BrowserPluginApplication browserPluginApplication = new BrowserPluginApplication(); -browserPluginApplication.name("template_swa"); +browserPluginApplication.name(BrowserPluginApplication.NameEnum.SWA); browserPluginApplication.label("Sample Plugin App"); browserPluginApplication.settings(swaApplicationSettings); @@ -442,7 +439,7 @@ BookmarkApplication bookmarkApp = (BookmarkApplication) applicationApi.getApplic [//]: # (method: listApplications) ```java ApplicationApi applicationApi = new ApplicationApi(client); -List applications = applicationApi.listApplications(null, null, null, null, null, true); +List applications = applicationApi.listApplications(null, null, true, null, null, null, true); ``` [//]: # (end: listApplications) @@ -451,8 +448,8 @@ List applications = applicationApi.listApplications(null, null, nul [//]: # (method: getPolicy) ```java PolicyApi policyApi = new PolicyApi(client); -MultifactorEnrollmentPolicy mfaPolicy = - (MultifactorEnrollmentPolicy) policyApi.getPolicy("mfa-policy-id", null); +Policy policy = + policyApi.getPolicy("policy-id", null); ``` [//]: # (end: getPolicy) @@ -461,7 +458,7 @@ MultifactorEnrollmentPolicy mfaPolicy = [//]: # (method: listPolicies) ```java PolicyApi policyApi = new PolicyApi(client); -List policies = policyApi.listPolicies(PolicyType.PASSWORD.name(), LifecycleStatus.ACTIVE.name(), null, null, null, null); +List policies = policyApi.listPolicies(PolicyType.PASSWORD.name(), LifecycleStatus.ACTIVE.name(), null, null, null, null, null, null); ``` [//]: # (end: listPolicies) @@ -472,7 +469,7 @@ SystemLogApi systemLogApi = new SystemLogApi(client); // use a filter (start date, end date, filter, or query, sort order) all options are nullable List logEvents = - systemLogApi.listLogEvents(null, null, null, "interestingURI.com", 100, "ASCENDING", null); + systemLogApi.listLogEvents(null, null, null, "interestingURI.com", null, 100, "ASCENDING"); ``` [//]: # (end: listSysLogs) @@ -484,39 +481,41 @@ Not every API endpoint is represented by a method in this library. You can call ```java ApiClient apiClient = buildApiClient("orgBaseUrl", "apiKey"); -// Create a BookmarkApplication -BookmarkApplication bookmarkApplication = new BookmarkApplication(); -bookmarkApplication.setName("bookmark"); -bookmarkApplication.setLabel("Sample Bookmark App"); -bookmarkApplication.setSignOnMode(ApplicationSignOnMode.BOOKMARK); -BookmarkApplicationSettings bookmarkApplicationSettings = new BookmarkApplicationSettings(); -BookmarkApplicationSettingsApplication bookmarkApplicationSettingsApplication = - new BookmarkApplicationSettingsApplication(); -bookmarkApplicationSettingsApplication.setUrl("https://example.com/bookmark.htm"); -bookmarkApplicationSettingsApplication.setRequestIntegration(false); -bookmarkApplicationSettings.setApp(bookmarkApplicationSettingsApplication); -bookmarkApplication.setSettings(bookmarkApplicationSettings); -StringJoiner localVarQueryStringJoiner = new StringJoiner("&"); -List localVarQueryParams = new ArrayList<>(); -List localVarCollectionQueryParams = new ArrayList<>(); -Map localVarHeaderParams = new HashMap<>(); -Map localVarCookieParams = new HashMap<>(); -Map localVarFormParams = new HashMap<>(); -BookmarkApplication createdApp = apiClient.invokeAPI( - "/api/v1/apps", // path - HttpMethod.POST.name(), // http method - localVarQueryParams, // query params - localVarCollectionQueryParams, // collection query params - localVarQueryStringJoiner.toString(), - bookmarkApplication, // request body - localVarHeaderParams, // header params - localVarCookieParams, // cookie params - localVarFormParams, // form params - MediaType.APPLICATION_JSON_VALUE, // accept - MediaType.APPLICATION_JSON_VALUE, // content type - new String[]{ "apiToken", "oauth2" }, // auth names - new TypeReference() { } // return type -); +// Create a User +String email = "joe.coder+" + UUID.randomUUID() + "@example.com"; +UserProfile userProfile = new com.okta.sdk.resource.model.UserProfile() + .firstName("Joe") + .lastName("Coder") + .email(email) + .mobilePhone("1234567890") + .login(email); +com.okta.sdk.resource.model.CreateUserRequest createUserRequest = new com.okta.sdk.resource.model.CreateUserRequest(); +createUserRequest.setProfile(userProfile); +List queryParams = new ArrayList(); +queryParams.addAll(client.parameterToPair("activate", "true")); +queryParams.addAll(client.parameterToPair("provider", null)); +queryParams.addAll(client.parameterToPair("nextLogin", null)); +List collectionQueryParams = new ArrayList(); +Map headerParams = new HashMap(); +Map cookieParams = new HashMap(); +Map formParams = new HashMap(); +TypeReference returnType = new TypeReference() { +}; + +com.okta.sdk.resource.model.User user = client.invokeAPI( + "/api/v1/users", + "POST", + queryParams, + collectionQueryParams, + new StringJoiner("&").toString(), + createUserRequest, + headerParams, + cookieParams, + formParams, + "application/json", + "application/json", + new String[] { "apiToken", "oauth2" }, + returnType); ``` [//]: # (end: callAnotherEndpoint) @@ -530,7 +529,7 @@ UserApi userApi = new UserApi(client); List users = new ArrayList<>(); String after = null; do { - users.addAll(userApi.listUsers(null, after, 200, null, null, null, null)); + users.addAll(userApi.listUsers("application/json",null, after, 200, null, null, null, null)); after = PaginationUtil.getAfter(userApi.getApiClient()); } while (StringUtils.isNotBlank(after)); ``` diff --git a/api/pom.xml b/api/pom.xml index 6592bcdb212..40f239b6bd1 100644 --- a/api/pom.xml +++ b/api/pom.xml @@ -21,7 +21,7 @@ com.okta.sdk okta-sdk-root - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT okta-sdk-api @@ -36,7 +36,7 @@ UTF-8 1.6.8 - 7.7.0 + 7.8.0 0.2.6 2.1.1 3.0.2 diff --git a/api/src/main/java/com/okta/sdk/resource/application/OIDCApplicationBuilder.java b/api/src/main/java/com/okta/sdk/resource/application/OIDCApplicationBuilder.java index f9f8c293bde..016fa97dfc0 100644 --- a/api/src/main/java/com/okta/sdk/resource/application/OIDCApplicationBuilder.java +++ b/api/src/main/java/com/okta/sdk/resource/application/OIDCApplicationBuilder.java @@ -58,6 +58,10 @@ static OIDCApplicationBuilder instance() { OIDCApplicationBuilder setClientId(String clientId); + OIDCApplicationBuilder setLoginUrl(String loginUrl); + + OIDCApplicationBuilder setRedirectUrl(String redirectUrl); + OIDCApplicationBuilder setClientSecret(String clientSecret); OIDCApplicationBuilder setAutoKeyRotation(Boolean autoKeyRotation); diff --git a/api/src/main/java/com/okta/sdk/resource/user/UserBuilder.java b/api/src/main/java/com/okta/sdk/resource/user/UserBuilder.java index 342bba4b9ce..4bc26249e70 100644 --- a/api/src/main/java/com/okta/sdk/resource/user/UserBuilder.java +++ b/api/src/main/java/com/okta/sdk/resource/user/UserBuilder.java @@ -21,7 +21,6 @@ import com.okta.sdk.resource.model.AuthenticationProvider; import com.okta.sdk.resource.model.User; import com.okta.sdk.resource.model.UserNextLogin; -import com.okta.sdk.resource.model.UserType; import java.util.Arrays; import java.util.List; @@ -107,8 +106,6 @@ static UserBuilder instance() { UserBuilder setProvider(AuthenticationProvider provider); - UserBuilder setType(UserType userType); - UserBuilder setType(String userTypeId); default UserBuilder setGroups(String... groupIds) { diff --git a/api/src/main/resources/custom_templates/pojo.mustache b/api/src/main/resources/custom_templates/pojo.mustache index 326ecf19c81..4dda2ccd93c 100644 --- a/api/src/main/resources/custom_templates/pojo.mustache +++ b/api/src/main/resources/custom_templates/pojo.mustache @@ -172,7 +172,7 @@ public {{classname}}() { {{#parent}}{{#parcelableModel}} public {{classname}} put{{nameInCamelCase}}Item(String key, {{{items.datatypeWithEnum}}} {{name}}Item) { {{#vendorExtensions.x-is-jackson-optional-nullable}} if (this.{{name}} == null || !this.{{name}}.isPresent()) { - this.{{name}} = JsonNullable.<{{{datatypeWithEnum}}}>of({{{defaultValue}}}); + this.{{name}} = JsonNullable.<{{{datatypeWithEnum}}}>of(null); } try { this.{{name}}.get().put(key, {{name}}Item); diff --git a/coverage/pom.xml b/coverage/pom.xml index 75f4692904b..3cc4ffed8c8 100644 --- a/coverage/pom.xml +++ b/coverage/pom.xml @@ -21,7 +21,7 @@ com.okta.sdk okta-sdk-root - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT okta-sdk-coverage diff --git a/examples/pom.xml b/examples/pom.xml index d1fcfae422c..131a1fe20fb 100644 --- a/examples/pom.xml +++ b/examples/pom.xml @@ -21,7 +21,7 @@ com.okta.sdk okta-sdk-root - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT okta-sdk-examples diff --git a/examples/quickstart/pom.xml b/examples/quickstart/pom.xml index 9e2b0add21d..9d937f5c193 100644 --- a/examples/quickstart/pom.xml +++ b/examples/quickstart/pom.xml @@ -20,7 +20,7 @@ com.okta.sdk okta-sdk-examples - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT ../pom.xml @@ -73,6 +73,13 @@ quickstart.Quickstart + + org.apache.maven.plugins + maven-pmd-plugin + + true + + diff --git a/examples/quickstart/src/main/java/quickstart/Quickstart.java b/examples/quickstart/src/main/java/quickstart/Quickstart.java index dfca5bf2567..b5dd145ba8b 100644 --- a/examples/quickstart/src/main/java/quickstart/Quickstart.java +++ b/examples/quickstart/src/main/java/quickstart/Quickstart.java @@ -47,8 +47,8 @@ public static void main(String[] args) throws ApiException { ClientBuilder builder; ApiClient client; - Group group = null; - User user = null; + com.okta.sdk.resource.model.Group group = null; + com.okta.sdk.resource.model.User user = null; UserApi userApi = null; GroupApi groupApi = null; @@ -89,13 +89,13 @@ public static void main(String[] args) throws ApiException { println("User created with ID: " + userId); // You can look up user by ID - println("User lookup by ID: "+ Objects.requireNonNull(userApi.getUser(userId, "false").getProfile()).getLogin()); + println("User lookup by ID: "+ Objects.requireNonNull(userApi.getUser(userId, null,"false").getProfile()).getLogin()); // or by Email - println("User lookup by Email: "+ Objects.requireNonNull(userApi.getUser(email, "false").getProfile()).getLogin()); + println("User lookup by Email: "+ Objects.requireNonNull(userApi.getUser(email, null,"false").getProfile()).getLogin()); // get the list of users - List users = userApi.listUsers(null, null, null, "status eq \"ACTIVE\"", null, null, null); + List users = userApi.listUsers(null, null, null, null, "status eq \"ACTIVE\"", null, null, null); // get the first user in the collection println("First user in collection: " + Objects.requireNonNull(Objects.requireNonNull(users.stream().findFirst().orElse(null)).getProfile()).getEmail()); @@ -111,10 +111,12 @@ public static void main(String[] args) throws ApiException { // deactivate (if de-provisioned) and delete user if (user != null) { - if (!Objects.equals(user.getStatus(), UserStatus.DEPROVISIONED)) { - userApi.deactivateUser(user.getId(), false); + if (!Objects.equals(user.getStatus(), com.okta.sdk.resource.model.UserStatus.DEPROVISIONED)) { + // This operation on a User that has not been deactivated/deprovisioned causes that User to be deactivated. + userApi.deleteUser(user.getId(), false, null); } - userApi.deleteUser(user.getId(), false); + // A second delete operation is required to delete the User. + userApi.deleteUser(user.getId(), false, null); } // delete group diff --git a/examples/quickstart/src/main/java/quickstart/ReadmeSnippets.java b/examples/quickstart/src/main/java/quickstart/ReadmeSnippets.java index b5c33028c30..4d91878f89f 100644 --- a/examples/quickstart/src/main/java/quickstart/ReadmeSnippets.java +++ b/examples/quickstart/src/main/java/quickstart/ReadmeSnippets.java @@ -23,8 +23,9 @@ import com.okta.sdk.client.AuthorizationMode; import com.okta.sdk.client.Clients; import com.okta.sdk.helper.PaginationUtil; +import com.okta.sdk.resource.api.GroupApi; +import com.okta.sdk.resource.api.UserApi; import com.okta.sdk.resource.group.GroupBuilder; -import com.okta.sdk.resource.model.UserFactorType; import com.okta.sdk.resource.user.UserBuilder; import com.okta.sdk.resource.client.ApiClient; @@ -81,12 +82,12 @@ private void createOAuth2Client() { private void getUser() throws ApiException { UserApi userApi = new UserApi(client); - userApi.getUser("userId", "true"); + userApi.getUser("userId", "application/json", "true"); } private void listAllUsers() throws ApiException { UserApi userApi = new UserApi(client); - List users = userApi.listUsers(null, null, 5, null, null, null, null); + List users = userApi.listUsers("application/json", null, null, 5, null, null, null, null); // stream users.stream() @@ -98,10 +99,10 @@ private void listAllUsers() throws ApiException { private void userSearch() throws ApiException { UserApi userApi = new UserApi(client); // search by email - List users = userApi.listUsers(null, null, 5, null, "profile.email eq \"jcoder@example.com\"", null, null); + List users = userApi.listUsers("application/json", null, null, 5, null, "profile.email eq \"jcoder@example.com\"", null, null); // filter parameter - userApi.listUsers(null, null, null, "status eq \"ACTIVE\"",null, null, null); + userApi.listUsers("application/json",null, null, null, "status eq \"ACTIVE\"",null, null, null); } private void createUser() throws ApiException { @@ -153,9 +154,11 @@ private void deleteUser() throws ApiException { UserApi userApi = new UserApi(client); // deactivate first - userApi.deactivateUser(user.getId(), false); + userApi.deleteUser(user.getId(), false, null); + // then delete - userApi.deleteUser(user.getId(), false); + // see https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/deleteUser + userApi.deleteUser(user.getId(), false, null); } private void listGroups() throws ApiException { @@ -245,7 +248,7 @@ private void verifyFactor() throws ApiException { private void listApplications() throws ApiException { ApplicationApi applicationApi = new ApplicationApi(client); - List applications = applicationApi.listApplications(null, null, null, null, null, true); + List applications = applicationApi.listApplications(null, null, true, null, null, null, true); } private void getApplication() throws ApiException { @@ -265,7 +268,7 @@ private void createSwaApplication() throws ApiException { SwaApplicationSettings swaApplicationSettings = new SwaApplicationSettings(); swaApplicationSettings.app(swaApplicationSettingsApplication); BrowserPluginApplication browserPluginApplication = new BrowserPluginApplication(); - browserPluginApplication.name("template_swa"); + browserPluginApplication.name(BrowserPluginApplication.NameEnum.SWA); browserPluginApplication.label("Sample Plugin App"); browserPluginApplication.settings(swaApplicationSettings); @@ -277,14 +280,14 @@ private void createSwaApplication() throws ApiException { private void listPolicies() throws ApiException { PolicyApi policyApi = new PolicyApi(client); - List policies = policyApi.listPolicies(PolicyType.PASSWORD.name(), LifecycleStatus.ACTIVE.name(), null, null, null, null); + List policies = policyApi.listPolicies(PolicyType.PASSWORD.name(), LifecycleStatus.ACTIVE.name(), null, null, null, null, null, null); } private void getPolicy() throws ApiException { PolicyApi policyApi = new PolicyApi(client); - MultifactorEnrollmentPolicy mfaPolicy = - (MultifactorEnrollmentPolicy) policyApi.getPolicy("mfa-policy-id", null); + Policy policy = + policyApi.getPolicy("policy-id", null); } private void listSysLogs() throws ApiException { @@ -292,48 +295,55 @@ private void listSysLogs() throws ApiException { // use a filter (start date, end date, filter, or query, sort order) all options are nullable List logEvents = - systemLogApi.listLogEvents(null, null, null, "interestingURI.com", 100, "ASCENDING", null); + systemLogApi.listLogEvents(null, null, null, "interestingURI.com", null, 100, "ASCENDING"); } private void callAnotherEndpoint() throws ApiException { ApiClient apiClient = buildApiClient("orgBaseUrl", "apiKey"); - // Create a BookmarkApplication - BookmarkApplication bookmarkApplication = new BookmarkApplication(); - bookmarkApplication.setName("bookmark"); - bookmarkApplication.setLabel("Sample Bookmark App"); - bookmarkApplication.setSignOnMode(ApplicationSignOnMode.BOOKMARK); - BookmarkApplicationSettings bookmarkApplicationSettings = new BookmarkApplicationSettings(); - BookmarkApplicationSettingsApplication bookmarkApplicationSettingsApplication = - new BookmarkApplicationSettingsApplication(); - bookmarkApplicationSettingsApplication.setUrl("https://example.com/bookmark.htm"); - bookmarkApplicationSettingsApplication.setRequestIntegration(false); - bookmarkApplicationSettings.setApp(bookmarkApplicationSettingsApplication); - bookmarkApplication.setSettings(bookmarkApplicationSettings); - - StringJoiner localVarQueryStringJoiner = new StringJoiner("&"); - List localVarQueryParams = new ArrayList<>(); - List localVarCollectionQueryParams = new ArrayList<>(); - Map localVarHeaderParams = new HashMap<>(); - Map localVarCookieParams = new HashMap<>(); - Map localVarFormParams = new HashMap<>(); - - BookmarkApplication createdApp = apiClient.invokeAPI( - "/api/v1/apps", // path - HttpMethod.POST.name(), // http method - localVarQueryParams, // query params - localVarCollectionQueryParams, // collection query params - localVarQueryStringJoiner.toString(), - bookmarkApplication, // request body - localVarHeaderParams, // header params - localVarCookieParams, // cookie params - localVarFormParams, // form params - MediaType.APPLICATION_JSON_VALUE, // accept - MediaType.APPLICATION_JSON_VALUE, // content type - new String[]{ "apiToken", "oauth2" }, // auth names - new TypeReference() { } // return type - ); + // Create a User + String email = "joe.coder+" + UUID.randomUUID() + "@example.com"; + + UserProfile userProfile = new com.okta.sdk.resource.model.UserProfile() + .firstName("Joe") + .lastName("Coder") + .email(email) + .mobilePhone("1234567890") + .login(email); + + com.okta.sdk.resource.model.CreateUserRequest createUserRequest = new com.okta.sdk.resource.model.CreateUserRequest(); + createUserRequest.setProfile(userProfile); + + List queryParams = new ArrayList(); + queryParams.addAll(client.parameterToPair("activate", "true")); + queryParams.addAll(client.parameterToPair("provider", null)); + queryParams.addAll(client.parameterToPair("nextLogin", null)); + + List collectionQueryParams = new ArrayList(); + + Map headerParams = new HashMap(); + Map cookieParams = new HashMap(); + Map formParams = new HashMap(); + + TypeReference returnType = new TypeReference() { + }; + + com.okta.sdk.resource.model.User user = client.invokeAPI( + "/api/v1/users", + "POST", + queryParams, + collectionQueryParams, + new StringJoiner("&").toString(), + createUserRequest, + headerParams, + cookieParams, + formParams, + "application/json", + "application/json", + new String[] { "apiToken", "oauth2" }, + returnType); + } private void paginate() throws ApiException { @@ -343,7 +353,7 @@ private void paginate() throws ApiException { String after = null; do { - users.addAll(userApi.listUsers(null, after, 200, null, null, null, null)); + users.addAll(userApi.listUsers("application/json",null, after, 200, null, null, null, null)); after = PaginationUtil.getAfter(userApi.getApiClient()); } while (StringUtils.isNotBlank(after)); } diff --git a/impl/pom.xml b/impl/pom.xml index 0fd24ce8589..b6e7d13b16c 100644 --- a/impl/pom.xml +++ b/impl/pom.xml @@ -21,7 +21,7 @@ com.okta.sdk okta-sdk-root - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT okta-sdk-impl diff --git a/impl/src/main/java/com/okta/sdk/impl/config/DefaultPropertiesParser.java b/impl/src/main/java/com/okta/sdk/impl/config/DefaultPropertiesParser.java index 6c9d1a9797e..462dec76f5c 100644 --- a/impl/src/main/java/com/okta/sdk/impl/config/DefaultPropertiesParser.java +++ b/impl/src/main/java/com/okta/sdk/impl/config/DefaultPropertiesParser.java @@ -43,12 +43,11 @@ public Map parse(String source) { return parse(scanner); } + @SuppressWarnings("PMD.CloseResource") @Override public Map parse(Resource resource) throws IOException { - Scanner scanner; - try (InputStream inputStream = resource.getInputStream()) { - scanner = new Scanner(inputStream, StandardCharsets.UTF_8.name()); - } + InputStream is = resource.getInputStream(); + Scanner scanner = new Scanner(is, StandardCharsets.UTF_8.name()); return parse(scanner); } diff --git a/impl/src/main/java/com/okta/sdk/impl/deserializer/GroupProfileDeserializer.java b/impl/src/main/java/com/okta/sdk/impl/deserializer/GroupProfileDeserializer.java index 779a4e38231..1223648a4a3 100644 --- a/impl/src/main/java/com/okta/sdk/impl/deserializer/GroupProfileDeserializer.java +++ b/impl/src/main/java/com/okta/sdk/impl/deserializer/GroupProfileDeserializer.java @@ -64,7 +64,7 @@ public GroupProfile deserialize(JsonParser jp, DeserializationContext ctxt) thro break; default: - groupProfile.getAdditionalProperties().put(key, value); + break; } } diff --git a/impl/src/main/java/com/okta/sdk/impl/resource/DefaultGroupBuilder.java b/impl/src/main/java/com/okta/sdk/impl/resource/DefaultGroupBuilder.java index 328d3774d2d..6ce033aa991 100644 --- a/impl/src/main/java/com/okta/sdk/impl/resource/DefaultGroupBuilder.java +++ b/impl/src/main/java/com/okta/sdk/impl/resource/DefaultGroupBuilder.java @@ -19,8 +19,9 @@ import com.okta.sdk.resource.group.GroupBuilder; import com.okta.sdk.resource.client.ApiException; import com.okta.sdk.resource.api.GroupApi; +import com.okta.sdk.resource.model.AddGroupRequest; import com.okta.sdk.resource.model.Group; -import com.okta.sdk.resource.model.GroupProfile; +import com.okta.sdk.resource.model.OktaUserGroupProfile; public class DefaultGroupBuilder implements GroupBuilder { @@ -42,12 +43,15 @@ public GroupBuilder setDescription(String description) { @Override public Group buildAndCreate(GroupApi client) throws ApiException { - Group group = new Group(); - GroupProfile groupProfile = new GroupProfile(); - groupProfile.setName(name); - if (Strings.hasText(description)) groupProfile.setDescription(description); - group.setProfile(groupProfile); + OktaUserGroupProfile oktaUserGroupProfile = new OktaUserGroupProfile(); + oktaUserGroupProfile.setName(name); + if (Strings.hasText(description)) { + oktaUserGroupProfile.setDescription(description); + } - return client.createGroup(group); + AddGroupRequest addGroupRequest = new AddGroupRequest(); + addGroupRequest.setProfile(oktaUserGroupProfile); + + return client.addGroup(addGroupRequest); } } \ No newline at end of file diff --git a/impl/src/main/java/com/okta/sdk/impl/resource/DefaultOIDCApplicationBuilder.java b/impl/src/main/java/com/okta/sdk/impl/resource/DefaultOIDCApplicationBuilder.java index aed0e42dabc..4edaad7d523 100644 --- a/impl/src/main/java/com/okta/sdk/impl/resource/DefaultOIDCApplicationBuilder.java +++ b/impl/src/main/java/com/okta/sdk/impl/resource/DefaultOIDCApplicationBuilder.java @@ -19,6 +19,7 @@ import com.okta.sdk.resource.application.OIDCApplicationBuilder; import com.okta.sdk.resource.client.ApiException; import com.okta.sdk.resource.api.ApplicationApi; +import com.okta.sdk.resource.model.AutoLoginApplicationSettingsSignOn; import java.util.ArrayList; import java.util.List; @@ -31,6 +32,8 @@ public class DefaultOIDCApplicationBuilder extends DefaultApplicationBuilder grantTypes = new ArrayList<>(); private String logoUri; private String policyUri; + private String loginUrl; + private String redirectUrl; private List postLogoutRedirectUris = new ArrayList<>(); private List redirectUris = new ArrayList<>(); private List responseTypes = new ArrayList<>(); @@ -127,6 +130,18 @@ public OIDCApplicationBuilder setClientId(String clientId) { return this; } + @Override + public OIDCApplicationBuilder setLoginUrl(String loginUrl) { + this.loginUrl = loginUrl; + return this; + } + + @Override + public OIDCApplicationBuilder setRedirectUrl(String redirectUrl) { + this.redirectUrl = redirectUrl; + return this; + } + @Override public OIDCApplicationBuilder setClientSecret(String clientSecret) { this.clientSecret = clientSecret; @@ -174,6 +189,8 @@ private com.okta.sdk.resource.model.OpenIdConnectApplication build() { if (Strings.hasText(label)) application.setLabel(label); + if (Strings.hasText(name)) application.setName(name); + application.setSignOnMode(com.okta.sdk.resource.model.ApplicationSignOnMode.OPENID_CONNECT); // Accessibility @@ -273,6 +290,16 @@ private com.okta.sdk.resource.model.OpenIdConnectApplication build() { openIdConnectApplicationSettings.setOauthClient(openIdConnectApplicationSettingsClient); + AutoLoginApplicationSettingsSignOn autoLoginApplicationSettingsSignOn = new AutoLoginApplicationSettingsSignOn(); + if (Strings.hasText(loginUrl)) + autoLoginApplicationSettingsSignOn.setLoginUrl(loginUrl); + + if (Strings.hasText(redirectUrl)) + autoLoginApplicationSettingsSignOn.setRedirectUrl(redirectUrl); + + if (Strings.hasText(autoLoginApplicationSettingsSignOn.getLoginUrl())) + openIdConnectApplicationSettings.setSignOn(autoLoginApplicationSettingsSignOn); + if (!schemasJsonWebKeys.isEmpty()) { com.okta.sdk.resource.model.OpenIdConnectApplicationSettingsClientKeys openIdConnectApplicationSettingsClientKeys = new com.okta.sdk.resource.model.OpenIdConnectApplicationSettingsClientKeys(); openIdConnectApplicationSettingsClientKeys.setKeys(schemasJsonWebKeys); diff --git a/impl/src/main/java/com/okta/sdk/impl/resource/DefaultOktaSignOnPolicyBuilder.java b/impl/src/main/java/com/okta/sdk/impl/resource/DefaultOktaSignOnPolicyBuilder.java index 0e082ba84f4..a51939908d1 100644 --- a/impl/src/main/java/com/okta/sdk/impl/resource/DefaultOktaSignOnPolicyBuilder.java +++ b/impl/src/main/java/com/okta/sdk/impl/resource/DefaultOktaSignOnPolicyBuilder.java @@ -15,7 +15,6 @@ */ package com.okta.sdk.impl.resource; -import com.okta.commons.lang.Collections; import com.okta.commons.lang.Strings; import com.okta.sdk.resource.client.ApiException; import com.okta.sdk.resource.api.PolicyApi; @@ -76,6 +75,8 @@ private OktaSignOnPolicy build() { if (Objects.nonNull(status)) policy.setStatus(status); + // https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/createPolicy!path=0/conditions&t=request + /* policy.setConditions( new OktaSignOnPolicyConditions()); OktaSignOnPolicyConditions oktaSignOnPolicyConditions = policy.getConditions(); @@ -94,6 +95,7 @@ private OktaSignOnPolicy build() { policyPeopleCondition.setUsers(userCondition); oktaSignOnPolicyConditions.setPeople(policyPeopleCondition); } + */ return policy; } diff --git a/impl/src/main/java/com/okta/sdk/impl/resource/DefaultUserBuilder.java b/impl/src/main/java/com/okta/sdk/impl/resource/DefaultUserBuilder.java index 49161012bd7..cbd66192c0a 100644 --- a/impl/src/main/java/com/okta/sdk/impl/resource/DefaultUserBuilder.java +++ b/impl/src/main/java/com/okta/sdk/impl/resource/DefaultUserBuilder.java @@ -23,6 +23,7 @@ import com.okta.sdk.resource.api.UserApi; import com.okta.sdk.resource.model.AuthenticationProvider; import com.okta.sdk.resource.model.CreateUserRequest; +import com.okta.sdk.resource.model.CreateUserRequestType; import com.okta.sdk.resource.model.PasswordCredential; import com.okta.sdk.resource.model.PasswordCredentialHash; import com.okta.sdk.resource.model.PasswordCredentialHashAlgorithm; @@ -32,7 +33,6 @@ import com.okta.sdk.resource.model.UserCredentials; import com.okta.sdk.resource.model.UserNextLogin; import com.okta.sdk.resource.model.UserProfile; -import com.okta.sdk.resource.model.UserType; import java.util.ArrayList; import java.util.Arrays; @@ -77,7 +77,6 @@ public class DefaultUserBuilder implements UserBuilder { private String mobilePhone; private Boolean active; private AuthenticationProvider provider; - private UserType userType; private String userTypeId; private UserNextLogin nextLogin; private List groupIds = new ArrayList<>(); @@ -289,12 +288,6 @@ public UserBuilder setProvider(AuthenticationProvider provider) { return this; } - @Override - public UserBuilder setType(UserType userType) { - this.userType = userType; - return this; - } - @Override public UserBuilder setType(String userTypeId) { this.userTypeId = userTypeId; @@ -360,11 +353,9 @@ private CreateUserRequest build() { } if (Strings.hasText(userTypeId)) { - UserType userType = new UserType(); - userType.setId(userTypeId); - createUserRequest.setType(userType); - } else if (userType != null) { - createUserRequest.setType(userType); + CreateUserRequestType createUserRequestType = new CreateUserRequestType(); + createUserRequestType.setId(userTypeId); + createUserRequest.setType(createUserRequestType); } if (!Collections.isEmpty(groupIds)) { diff --git a/impl/src/main/java/com/okta/sdk/impl/serializer/GroupProfileSerializer.java b/impl/src/main/java/com/okta/sdk/impl/serializer/GroupProfileSerializer.java index 0adbb4369a6..0440c4e7b1d 100644 --- a/impl/src/main/java/com/okta/sdk/impl/serializer/GroupProfileSerializer.java +++ b/impl/src/main/java/com/okta/sdk/impl/serializer/GroupProfileSerializer.java @@ -22,8 +22,6 @@ import com.okta.sdk.resource.model.GroupProfile; import java.io.IOException; -import java.util.Map; -import java.util.Objects; public class GroupProfileSerializer extends StdSerializer { @@ -50,14 +48,6 @@ public void serialize(GroupProfile groupProfile, JsonGenerator jgen, SerializerP jgen.writeStringField(GroupProfile.JSON_PROPERTY_DESCRIPTION, groupProfile.getDescription()); } - Map additionalProperties = groupProfile.getAdditionalProperties(); - - if (Objects.nonNull(additionalProperties) && !additionalProperties.isEmpty()) { - for (Map.Entry entry : additionalProperties.entrySet()) { - jgen.writeObjectField(entry.getKey(), entry.getValue()); - } - } - jgen.writeEndObject(); } } diff --git a/integration-tests/pom.xml b/integration-tests/pom.xml index f0a298d4013..635923911d2 100644 --- a/integration-tests/pom.xml +++ b/integration-tests/pom.xml @@ -20,7 +20,7 @@ com.okta.sdk okta-sdk-root - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT ../pom.xml diff --git a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/AppsIT.groovy b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/AppsIT.groovy index a90a029cb79..1c37a7f439e 100644 --- a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/AppsIT.groovy +++ b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/AppsIT.groovy @@ -48,7 +48,6 @@ import com.okta.sdk.resource.model.OpenIdConnectApplicationSettingsClient import com.okta.sdk.resource.model.OpenIdConnectApplicationType import com.okta.sdk.resource.model.SamlApplication import com.okta.sdk.resource.model.SamlApplicationSettings -import com.okta.sdk.resource.model.SamlApplicationSettingsApplication import com.okta.sdk.resource.model.SamlApplicationSettingsSignOn import com.okta.sdk.resource.model.SamlAttributeStatement import com.okta.sdk.resource.model.SignOnInlineHook @@ -62,8 +61,6 @@ import org.testng.annotations.Test import static org.hamcrest.MatcherAssert.assertThat import static org.hamcrest.Matchers.equalTo -import static org.hamcrest.Matchers.greaterThanOrEqualTo -import static org.hamcrest.Matchers.hasSize import static org.hamcrest.Matchers.notNullValue /** @@ -80,7 +77,7 @@ class AppsIT extends ITSupport { void basicAuthAppTest() { BasicAuthApplication basicAuthApplication = new BasicAuthApplication() - basicAuthApplication.name("template_basic_auth") + basicAuthApplication.name(BasicAuthApplication.NameEnum.TEMPLATE_BASIC_AUTH) .label(prefix + UUID.randomUUID().toString()) .signOnMode(ApplicationSignOnMode.BASIC_AUTH) BasicApplicationSettingsApplication basicApplicationSettingsApplication = @@ -106,7 +103,7 @@ class AppsIT extends ITSupport { void bookmarkAppTest() { BookmarkApplication bookmarkApplication = new BookmarkApplication() - bookmarkApplication.name("bookmark") + bookmarkApplication.name(BookmarkApplication.NameEnum.BOOKMARK) .label(prefix + UUID.randomUUID().toString()) .signOnMode(ApplicationSignOnMode.BOOKMARK) BookmarkApplicationSettingsApplication bookmarkApplicationSettingsApplication = @@ -156,7 +153,7 @@ class AppsIT extends ITSupport { SwaApplicationSettings swaApplicationSettings = new SwaApplicationSettings() swaApplicationSettings.app(swaApplicationSettingsApplication) BrowserPluginApplication browserPluginApplication = new BrowserPluginApplication() - browserPluginApplication.name("template_swa") + browserPluginApplication.name(BrowserPluginApplication.NameEnum.SWA) browserPluginApplication.label(prefix + UUID.randomUUID().toString()) browserPluginApplication.settings(swaApplicationSettings) @@ -363,76 +360,4 @@ class AppsIT extends ITSupport { assertThat(retrievedApp.getSignOnMode(), equalTo(ApplicationSignOnMode.SAML_2_0)) assertThat(retrievedApp.getStatus(), equalTo(ApplicationLifecycleStatus.ACTIVE)) } - - //TODO: fix me - @Test - void testUploadApplicationLogo() { - /** - * Currently there is no way to check the logo. - * Just make sure that no exception was thrown during the upload. - */ - - SamlApplication org2OrgApplication = new SamlApplication() - org2OrgApplication.name("okta_org2org") - .label(prefix + UUID.randomUUID().toString()) - .signOnMode(ApplicationSignOnMode.SAML_2_0) - - SamlApplicationSettingsApplication samlApplicationSettingsApplication = new SamlApplicationSettingsApplication() - samlApplicationSettingsApplication.setAcsUrl("https://example.com/acs.html") - samlApplicationSettingsApplication.setAudRestriction("https://example.com/login.html") - samlApplicationSettingsApplication.setBaseUrl("https://example.com/home.html") - SamlApplicationSettings samlApplicationSettings = new SamlApplicationSettings() - samlApplicationSettings.app(samlApplicationSettingsApplication) - org2OrgApplication.settings(samlApplicationSettings) - - Application createdApp = applicationApi.createApplication(org2OrgApplication, true, null) - registerForCleanup(createdApp) - -// File file = new File("/tmp/okta_logo_favicon.png") -// println("Uploading logo file " + file.getName() + " of size: " + file.size()) -// -// applicationApi.uploadApplicationLogo(createdApp.getId(), file) - } - - //TODO: this test is unnecessary (helper is no more), remove it - @Test - void testApplicationApiHelper() { - - BookmarkApplication bookmarkApplication = new BookmarkApplication() - bookmarkApplication.name("bookmark") - .label(prefix + UUID.randomUUID().toString()) - .signOnMode(ApplicationSignOnMode.BOOKMARK) - BookmarkApplicationSettingsApplication bookmarkApplicationSettingsApplication = - new BookmarkApplicationSettingsApplication() - bookmarkApplicationSettingsApplication.url("https://example.com/bookmark.htm") - .requestIntegration(false) - BookmarkApplicationSettings bookmarkApplicationSettings = new BookmarkApplicationSettings() - bookmarkApplicationSettings.app(bookmarkApplicationSettingsApplication) - bookmarkApplication.settings(bookmarkApplicationSettings) - - // create - BookmarkApplication createdApp = - applicationApi.createApplication(bookmarkApplication, true, null) as BookmarkApplication - registerForCleanup(createdApp) - - assertThat(createdApp, notNullValue()) - assertThat(createdApp.getId(), notNullValue()) - assertThat(createdApp.getLabel(), equalTo(bookmarkApplication.getLabel())) - assertThat(createdApp.getSignOnMode(), equalTo(ApplicationSignOnMode.BOOKMARK)) - assertThat(createdApp.getStatus(), equalTo(ApplicationLifecycleStatus.ACTIVE)) - - // retrieve app (sub-typed) - BookmarkApplication retrievedBookmarkApplication = - (BookmarkApplication) applicationApi.getApplication(createdApp.getId(), null) - assertThat(retrievedBookmarkApplication, notNullValue()) - assertThat(retrievedBookmarkApplication.getId(), equalTo(createdApp.getId())) - assertThat(retrievedBookmarkApplication.getLabel(), equalTo(createdApp.getLabel())) - assertThat(retrievedBookmarkApplication.getSignOnMode(), equalTo(createdApp.getSignOnMode())) - assertThat(retrievedBookmarkApplication.getStatus(), equalTo(createdApp.getStatus())) - - List retrievedApplications = - applicationApi.listApplications(null, null, null, null, null, true) - assertThat(retrievedApplications, notNullValue()) - assertThat(retrievedApplications, hasSize(greaterThanOrEqualTo(1))) - } } diff --git a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/GroupsIT.groovy b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/GroupsIT.groovy index 75e5b4b52bf..8109e02b81e 100644 --- a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/GroupsIT.groovy +++ b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/GroupsIT.groovy @@ -15,6 +15,8 @@ */ package com.okta.sdk.tests.it +import com.okta.sdk.resource.model.AddGroupRequest +import com.okta.sdk.resource.model.OktaUserGroupProfile import com.okta.sdk.tests.Scenario import com.okta.sdk.tests.it.util.ITSupport import com.okta.sdk.resource.group.GroupBuilder @@ -109,10 +111,12 @@ class GroupsIT extends ITSupport { validateGroup(group, groupName) // 2. Update the group name and description - group.getProfile().name = groupNameUpdated - group.getProfile().description = 'Description updated' - - groupApi.replaceGroup(group.getId(), group) + OktaUserGroupProfile oktaUserGroupProfile = new OktaUserGroupProfile() + oktaUserGroupProfile.setName(groupNameUpdated) + oktaUserGroupProfile.setDescription('Description updated') + AddGroupRequest addGroupRequest = new AddGroupRequest() + addGroupRequest.setProfile(oktaUserGroupProfile) + group = groupApi.replaceGroup(group.getId(), addGroupRequest) validateGroup(group, groupNameUpdated, 'Description updated') } diff --git a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/IdpIT.groovy b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/IdpIT.groovy index 3143a6e127d..ceed2487822 100644 --- a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/IdpIT.groovy +++ b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/IdpIT.groovy @@ -15,6 +15,45 @@ */ package com.okta.sdk.tests.it +import com.okta.sdk.resource.api.IdentityProviderUsersApi +import com.okta.sdk.resource.model.IdentityProvider +import com.okta.sdk.resource.model.IdentityProviderApplicationUser +import com.okta.sdk.resource.model.IdentityProviderCredentials +import com.okta.sdk.resource.model.IdentityProviderCredentialsClient +import com.okta.sdk.resource.model.IdentityProviderIssuerMode +import com.okta.sdk.resource.model.IdentityProviderPolicy +import com.okta.sdk.resource.model.IdentityProviderType +import com.okta.sdk.resource.model.IssuerMode +import com.okta.sdk.resource.model.LifecycleStatus +import com.okta.sdk.resource.model.OidcAlgorithms +import com.okta.sdk.resource.model.OidcRequestAlgorithm +import com.okta.sdk.resource.model.PolicyAccountLink +import com.okta.sdk.resource.model.PolicyAccountLinkAction +import com.okta.sdk.resource.model.PolicySubject +import com.okta.sdk.resource.model.PolicySubjectMatchType +import com.okta.sdk.resource.model.PolicyUserNameTemplate +import com.okta.sdk.resource.model.Protocol +import com.okta.sdk.resource.model.ProtocolAlgorithmType +import com.okta.sdk.resource.model.ProtocolAlgorithmTypeSignature +import com.okta.sdk.resource.model.ProtocolAlgorithmTypeSignatureScope +import com.okta.sdk.resource.model.ProtocolAlgorithms +import com.okta.sdk.resource.model.ProtocolEndpoint +import com.okta.sdk.resource.model.ProtocolEndpointBinding +import com.okta.sdk.resource.model.ProtocolEndpointType +import com.okta.sdk.resource.model.ProtocolEndpoints +import com.okta.sdk.resource.model.ProtocolType +import com.okta.sdk.resource.model.Provisioning +import com.okta.sdk.resource.model.ProvisioningAction +import com.okta.sdk.resource.model.ProvisioningConditions +import com.okta.sdk.resource.model.ProvisioningDeprovisionedAction +import com.okta.sdk.resource.model.ProvisioningDeprovisionedCondition +import com.okta.sdk.resource.model.ProvisioningGroups +import com.okta.sdk.resource.model.ProvisioningGroupsAction +import com.okta.sdk.resource.model.ProvisioningSuspendedAction +import com.okta.sdk.resource.model.ProvisioningSuspendedCondition +import com.okta.sdk.resource.model.SocialAuthToken +import com.okta.sdk.resource.model.User +import com.okta.sdk.resource.model.UserIdentityProviderLinkRequest import com.okta.sdk.tests.it.util.ITSupport import com.okta.sdk.resource.api.IdentityProviderApi import com.okta.sdk.resource.model.* @@ -30,6 +69,7 @@ import static org.hamcrest.Matchers.* class IdpIT extends ITSupport { IdentityProviderApi identityProviderApi = new IdentityProviderApi(getClient()) + IdentityProviderUsersApi identityProviderUsersApi = new IdentityProviderUsersApi(getClient()) @Test (groups = "group2") void oidcIdpLifecycleTest() { @@ -40,7 +80,7 @@ class IdpIT extends ITSupport { IdentityProvider idp = new IdentityProvider() idp.setName(name) idp.setType(IdentityProviderType.OIDC) - idp.setIssuerMode(IssuerMode.ORG_URL) + idp.setIssuerMode(IdentityProviderIssuerMode.ORG_URL) Protocol protocol = new Protocol() ProtocolAlgorithmType protocolAlgorithmTypeReq = new ProtocolAlgorithmType() @@ -155,7 +195,7 @@ class IdpIT extends ITSupport { IdentityProvider newIdp = new IdentityProvider() newIdp.setName(newName) newIdp.setType(IdentityProviderType.OIDC) - newIdp.setIssuerMode(IssuerMode.ORG_URL) + newIdp.setIssuerMode(IdentityProviderIssuerMode.ORG_URL) protocol = new Protocol() protocolAlgorithmTypeReq = new ProtocolAlgorithmType() @@ -286,7 +326,7 @@ class IdpIT extends ITSupport { IdentityProvider idp = new IdentityProvider() idp.setName(name) idp.setType(IdentityProviderType.OIDC) - idp.setIssuerMode(IssuerMode.ORG_URL) + idp.setIssuerMode(IdentityProviderIssuerMode.ORG_URL) Protocol protocol = new Protocol() ProtocolAlgorithmType protocolAlgorithmTypeReq = new ProtocolAlgorithmType() @@ -379,24 +419,24 @@ class IdpIT extends ITSupport { registerForCleanup(createdIdp) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), hasSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), hasSize(0)) // link user UserIdentityProviderLinkRequest userIdentityProviderLinkRequest = new UserIdentityProviderLinkRequest() userIdentityProviderLinkRequest.setExternalId("external-id") - identityProviderApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) + identityProviderUsersApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), hasSize(1)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), hasSize(1)) // unlink user - identityProviderApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) + identityProviderUsersApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), hasSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), hasSize(0)) // list social auth tokens - List socialAuthTokenList = identityProviderApi.listSocialAuthTokens(createdIdp.getId(), createdUser.getId()) + List socialAuthTokenList = identityProviderUsersApi.listSocialAuthTokens(createdIdp.getId(), createdUser.getId()) assertThat(socialAuthTokenList, iterableWithSize(0)) // deactivate @@ -466,21 +506,21 @@ class IdpIT extends ITSupport { registerForCleanup(createdIdp) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) // link user UserIdentityProviderLinkRequest userIdentityProviderLinkRequest = new UserIdentityProviderLinkRequest() userIdentityProviderLinkRequest.setExternalId("external-id") - identityProviderApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) + identityProviderUsersApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(1)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(1)) // unlink user - identityProviderApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) + identityProviderUsersApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) // deactivate identityProviderApi.deactivateIdentityProvider(createdIdp.getId()) @@ -549,21 +589,21 @@ class IdpIT extends ITSupport { registerForCleanup(createdIdp) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) // link user UserIdentityProviderLinkRequest userIdentityProviderLinkRequest = new UserIdentityProviderLinkRequest() userIdentityProviderLinkRequest.setExternalId("external-id") - identityProviderApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) + identityProviderUsersApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(1)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(1)) // unlink user - identityProviderApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) + identityProviderUsersApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) // deactivate identityProviderApi.deactivateIdentityProvider(createdIdp.getId()) @@ -632,21 +672,21 @@ class IdpIT extends ITSupport { registerForCleanup(createdIdp) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) // link user UserIdentityProviderLinkRequest userIdentityProviderLinkRequest = new UserIdentityProviderLinkRequest() userIdentityProviderLinkRequest.setExternalId("external-id") - identityProviderApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) + identityProviderUsersApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(1)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(1)) // unlink user - identityProviderApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) + identityProviderUsersApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) // deactivate identityProviderApi.deactivateIdentityProvider(createdIdp.getId()) @@ -715,21 +755,21 @@ class IdpIT extends ITSupport { registerForCleanup(createdIdp) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) // link user UserIdentityProviderLinkRequest userIdentityProviderLinkRequest = new UserIdentityProviderLinkRequest() userIdentityProviderLinkRequest.setExternalId("external-id") - identityProviderApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) + identityProviderUsersApi.linkUserToIdentityProvider(createdIdp.getId(), createdUser.getId(), userIdentityProviderLinkRequest) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(1)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(1)) // unlink user - identityProviderApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) + identityProviderUsersApi.unlinkUserFromIdentityProvider(createdIdp.getId(), createdUser.getId()) // list linked idp users - assertThat(identityProviderApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) + assertThat(identityProviderUsersApi.listIdentityProviderApplicationUsers(createdIdp.getId(), null, null, null, null), iterableWithSize(0)) // deactivate identityProviderApi.deactivateIdentityProvider(createdIdp.getId()) diff --git a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/PoliciesIT.groovy b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/PoliciesIT.groovy index 002832df157..94ba93df2f7 100644 --- a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/PoliciesIT.groovy +++ b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/PoliciesIT.groovy @@ -17,6 +17,29 @@ package com.okta.sdk.tests.it import com.okta.sdk.resource.application.OIDCApplicationBuilder import com.okta.sdk.resource.group.GroupBuilder +import com.okta.sdk.resource.model.AccessPolicy +import com.okta.sdk.resource.model.AccessPolicyRule +import com.okta.sdk.resource.model.AccessPolicyRuleActions +import com.okta.sdk.resource.model.AccessPolicyRuleApplicationSignOn +import com.okta.sdk.resource.model.AccessPolicyRuleApplicationSignOnAccess +import com.okta.sdk.resource.model.Application +import com.okta.sdk.resource.model.ApplicationSignOnMode +import com.okta.sdk.resource.model.LifecycleStatus +import com.okta.sdk.resource.model.OAuthEndpointAuthenticationMethod +import com.okta.sdk.resource.model.OAuthGrantType +import com.okta.sdk.resource.model.OAuthResponseType +import com.okta.sdk.resource.model.OktaSignOnPolicy +import com.okta.sdk.resource.model.OktaSignOnPolicyRule +import com.okta.sdk.resource.model.OktaSignOnPolicyRuleActions +import com.okta.sdk.resource.model.OktaSignOnPolicyRuleSignonActions +import com.okta.sdk.resource.model.OpenIdConnectApplicationType +import com.okta.sdk.resource.model.Policy +import com.okta.sdk.resource.model.PolicyAccess +import com.okta.sdk.resource.model.PolicyRuleType +import com.okta.sdk.resource.model.PolicyRuleVerificationMethodType +import com.okta.sdk.resource.model.PolicyType +import com.okta.sdk.resource.model.ProfileEnrollmentPolicy +import com.okta.sdk.resource.model.VerificationMethod import com.okta.sdk.resource.policy.OktaSignOnPolicyBuilder import com.okta.sdk.tests.NonOIEEnvironmentOnly import com.okta.sdk.tests.it.util.ITSupport @@ -59,16 +82,16 @@ class PoliciesIT extends ITSupport { assertThat(policy, notNullValue()) assertThat(policy.getType(), is(PolicyType.OKTA_SIGN_ON)) assertThat(policy.getConditions(), notNullValue()) - assertThat(policy.getConditions().getPeople().getGroups().getInclude(), is(Collections.singletonList(group.getId()))) - assertThat(policy.getConditions().getPeople().getGroups().getExclude(), nullValue()) + assertThat(policy.getConditions().getPeople().getGroups().getInclude(), hasSize(1)) + assertThat(policy.getConditions().getPeople().getGroups().getExclude(), hasSize(0)) OktaSignOnPolicy retrievedPolicy = (OktaSignOnPolicy) policyApi.getPolicy(policy.getId(), null) assertThat(retrievedPolicy, notNullValue()) assertThat(retrievedPolicy.getType(), is(PolicyType.OKTA_SIGN_ON)) assertThat(retrievedPolicy.getConditions(), notNullValue()) - assertThat(retrievedPolicy.getConditions().getPeople().getGroups().getInclude(), is(Collections.singletonList(group.getId()))) - assertThat(retrievedPolicy.getConditions().getPeople().getGroups().getExclude(), nullValue()) + assertThat(retrievedPolicy.getConditions().getPeople().getGroups().getInclude(), hasSize(1)) + assertThat(retrievedPolicy.getConditions().getPeople().getGroups().getExclude(), hasSize(0)) } // disable running them in bacon @@ -82,7 +105,7 @@ class PoliciesIT extends ITSupport { .description("IT created Policy - createProfileEnrollmentPolicy") ProfileEnrollmentPolicy createdProfileEnrollmentPolicy = - policyApi.createPolicy(profileEnrollmentPolicy, false) + policyApi.createPolicy(profileEnrollmentPolicy, false) as ProfileEnrollmentPolicy registerForCleanup(createdProfileEnrollmentPolicy) @@ -103,14 +126,15 @@ class PoliciesIT extends ITSupport { @Test (groups = "bacon") void createAccessPolicyRule() { - String name = "java-sdk-it-" + UUID.randomUUID().toString() + String name = "oidc_client" + String label = "java-sdk-it-" + UUID.randomUUID().toString() ApplicationApi applicationApi = new ApplicationApi(getClient()) PolicyApi policyApi = new PolicyApi(getClient()) Application oidcApp = OIDCApplicationBuilder.instance() .setName(name) - .setLabel(name) + .setLabel(label) .addRedirectUris("https://www.example.com") .setPostLogoutRedirectUris(Collections.singletonList("https://www.example.com/logout")) .setResponseTypes(Arrays.asList(OAuthResponseType.TOKEN, OAuthResponseType.CODE)) @@ -124,6 +148,8 @@ class PoliciesIT extends ITSupport { .setWeb(true) .setLoginRedirectUrl("https://www.myapp.com") .setErrorRedirectUrl("https://www.myapp.com/error") + .setLoginUrl("https://www.myapp/com/login") + .setRedirectUrl("https://www.myapp.com/new") .buildAndCreate(applicationApi) registerForCleanup(oidcApp) @@ -139,32 +165,32 @@ class PoliciesIT extends ITSupport { assertThat(accessPolicy, notNullValue()) AccessPolicyRule accessPolicyRule = new AccessPolicyRule() - accessPolicyRule.name(name) + accessPolicyRule.name(label) accessPolicyRule.setType(PolicyRuleType.ACCESS_POLICY) AccessPolicyRuleActions accessPolicyRuleActions = new AccessPolicyRuleActions() AccessPolicyRuleApplicationSignOn accessPolicyRuleApplicationSignOn = new AccessPolicyRuleApplicationSignOn() - accessPolicyRuleApplicationSignOn.access("DENY") + accessPolicyRuleApplicationSignOn.access(AccessPolicyRuleApplicationSignOnAccess.DENY) VerificationMethod verificationMethod = new VerificationMethod() - verificationMethod.type("ASSURANCE") - .factorMode("1FA") - .reauthenticateIn("PT43800H") + verificationMethod.type(PolicyRuleVerificationMethodType.ASSURANCE) +// .factorMode("1FA") +// .reauthenticateIn("PT43800H") accessPolicyRuleApplicationSignOn.verificationMethod(verificationMethod) accessPolicyRuleActions.appSignOn(accessPolicyRuleApplicationSignOn) accessPolicyRule.actions(accessPolicyRuleActions) AccessPolicyRule createdAccessPolicyRule = - policyApi.createPolicyRule(accessPolicy.getId(), accessPolicyRule, true) as AccessPolicyRule + policyApi.createPolicyRule(accessPolicy.getId(), accessPolicyRule, null, true) as AccessPolicyRule assertThat(createdAccessPolicyRule, notNullValue()) - assertThat(createdAccessPolicyRule.getName(), is(name)) + assertThat(createdAccessPolicyRule.getName(), is(label)) AccessPolicyRuleActions createdAccessPolicyRuleActions = createdAccessPolicyRule.getActions() - assertThat(createdAccessPolicyRuleActions.getAppSignOn().getAccess(), is("DENY")) - assertThat(createdAccessPolicyRuleActions.getAppSignOn().getVerificationMethod().getType(), is("ASSURANCE")) - assertThat(createdAccessPolicyRuleActions.getAppSignOn().getVerificationMethod().getFactorMode(), is("1FA")) - assertThat(createdAccessPolicyRuleActions.getAppSignOn().getVerificationMethod().getReauthenticateIn(), is("PT43800H")) + assertThat(createdAccessPolicyRuleActions.getAppSignOn().getAccess(), is(AccessPolicyRuleApplicationSignOnAccess.DENY)) + assertThat(createdAccessPolicyRuleActions.getAppSignOn().getVerificationMethod().getType(), is(PolicyRuleVerificationMethodType.ASSURANCE)) +// assertThat(createdAccessPolicyRuleActions.getAppSignOn().getVerificationMethod().getFactorMode(), is("1FA")) +// assertThat(createdAccessPolicyRuleActions.getAppSignOn().getVerificationMethod().getReauthenticateIn(), is("PT43800H")) policyApi.deactivatePolicyRule(accessPolicy.getId(), createdAccessPolicyRule.getId()) policyApi.deletePolicyRule(accessPolicy.getId(), createdAccessPolicyRule.getId()) @@ -195,13 +221,13 @@ class PoliciesIT extends ITSupport { oktaSignOnPolicyRule.type(PolicyRuleType.SIGN_ON) OktaSignOnPolicyRuleActions oktaSignOnPolicyRuleActions = new OktaSignOnPolicyRuleActions() OktaSignOnPolicyRuleSignonActions oktaSignOnPolicyRuleSignOnActions = new OktaSignOnPolicyRuleSignonActions() - oktaSignOnPolicyRuleSignOnActions.setAccess(PolicyAccess.DENY) + oktaSignOnPolicyRuleSignOnActions.setAccess(OktaSignOnPolicyRuleSignonActions. AccessEnum.DENY) oktaSignOnPolicyRuleSignOnActions.setRequireFactor(false) oktaSignOnPolicyRuleActions.setSignon(oktaSignOnPolicyRuleSignOnActions) oktaSignOnPolicyRule.actions(oktaSignOnPolicyRuleActions) OktaSignOnPolicyRule createdPolicyRule = - policyApi.createPolicyRule(policy.getId(), oktaSignOnPolicyRule, true) as OktaSignOnPolicyRule + policyApi.createPolicyRule(policy.getId(), oktaSignOnPolicyRule, null, true) as OktaSignOnPolicyRule assertThat(createdPolicyRule.getId(), notNullValue()) assertThat(createdPolicyRule.getName(), is(policyRuleName)) @@ -274,15 +300,15 @@ class PoliciesIT extends ITSupport { .buildAndCreate(policyApi) registerForCleanup(policy) - def policies= - policyApi.listPolicies(PolicyType.OKTA_SIGN_ON.name(), LifecycleStatus.INACTIVE.name(), null) + List policies = + policyApi.listPolicies(PolicyType.OKTA_SIGN_ON.name(), LifecycleStatus.INACTIVE.name(), null, null, null, null, null, null) assertThat(policies, not(empty())) policies.stream() .limit(5) .forEach { assertRulesNotExpanded(it) } - policies = policyApi.listPolicies(PolicyType.OKTA_SIGN_ON.name(), LifecycleStatus.ACTIVE.name(), "rules") + policies = policyApi.listPolicies(PolicyType.OKTA_SIGN_ON.name(), LifecycleStatus.ACTIVE.name(), "rules", null, null, null, null, null) assertThat(policies, not(empty())) policies.stream() @@ -306,7 +332,7 @@ class PoliciesIT extends ITSupport { PolicyApi policyApi = new PolicyApi(getClient()) - policyApi.listPolicyRules(policy.getId()).forEach({policyItem -> + policyApi.listPolicyRules(policy.getId(), null).forEach({policyItem -> assertThat(policyItem, notNullValue()) assertThat(policyItem.getId(), notNullValue()) assertThat(policyItem, instanceOf(Policy.class)) diff --git a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/UsersIT.groovy b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/UsersIT.groovy index 399590ffed4..0ae91bbbe05 100644 --- a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/UsersIT.groovy +++ b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/UsersIT.groovy @@ -15,25 +15,37 @@ */ package com.okta.sdk.tests.it - import com.okta.sdk.impl.resource.DefaultGroupBuilder import com.okta.sdk.resource.api.ApplicationApi import com.okta.sdk.resource.api.ApplicationGroupsApi import com.okta.sdk.resource.api.GroupApi import com.okta.sdk.resource.api.PolicyApi -import com.okta.sdk.resource.api.RoleAssignmentApi -import com.okta.sdk.resource.api.RoleTargetApi +import com.okta.sdk.resource.api.RoleAssignmentAUserApi +import com.okta.sdk.resource.api.RoleAssignmentClientApi +import com.okta.sdk.resource.api.RoleBTargetAdminApi +import com.okta.sdk.resource.api.RoleBTargetBGroupApi import com.okta.sdk.resource.api.UserApi +import com.okta.sdk.resource.api.UserCredApi +import com.okta.sdk.resource.api.UserLifecycleApi +import com.okta.sdk.resource.api.UserResourcesApi import com.okta.sdk.resource.api.UserTypeApi import com.okta.sdk.resource.group.GroupBuilder +import com.okta.sdk.resource.model.AddGroupRequest import com.okta.sdk.resource.model.Application import com.okta.sdk.resource.model.ApplicationGroupAssignment import com.okta.sdk.resource.model.AssignRoleRequest +import com.okta.sdk.resource.model.AssignRoleToUser201Response +import com.okta.sdk.resource.model.AssignRoleToUserRequest import com.okta.sdk.resource.model.AuthenticationProvider import com.okta.sdk.resource.model.AuthenticationProviderType import com.okta.sdk.resource.model.ChangePasswordRequest +import com.okta.sdk.resource.model.CreateUserRequestType +import com.okta.sdk.resource.model.CreateUserTypeRequest +import com.okta.sdk.resource.model.ForgotPasswordResponse import com.okta.sdk.resource.model.Group import com.okta.sdk.resource.model.GroupProfile +import com.okta.sdk.resource.model.ListGroupAssignedRoles200ResponseInner +import com.okta.sdk.resource.model.OktaUserGroupProfile import com.okta.sdk.resource.model.PasswordCredential import com.okta.sdk.resource.model.PasswordPolicyPasswordSettings import com.okta.sdk.resource.model.PasswordPolicyPasswordSettingsAge @@ -58,6 +70,8 @@ import com.okta.sdk.resource.model.UserGetSingleton import com.okta.sdk.resource.model.UserProfile import com.okta.sdk.resource.model.UserStatus import com.okta.sdk.resource.model.UserType +import com.okta.sdk.resource.model.UserTypePostRequest +import com.okta.sdk.resource.model.UserTypePutRequest import com.okta.sdk.resource.user.UserBuilder import com.okta.sdk.tests.Scenario import com.okta.sdk.tests.it.util.ITSupport @@ -85,7 +99,8 @@ class UsersIT extends ITSupport { ApplicationGroupsApi applicationGroupsApi = new ApplicationGroupsApi(getClient()) PolicyApi policyApi = new PolicyApi(getClient()) UserApi userApi = new UserApi(getClient()) - RoleAssignmentApi roleAssignmentApi = new RoleAssignmentApi(getClient()) + UserCredApi userCredApi = new UserCredApi(getClient()) + RoleAssignmentAUserApi roleAssignmentApi = new RoleAssignmentAUserApi(getClient()) @Test void doCrudTest() { @@ -95,9 +110,9 @@ class UsersIT extends ITSupport { assertThat(user.getStatus(), equalTo(UserStatus.PROVISIONED)) // deactivate - userApi.deactivateUser(user.getId(), false) + userApi.deleteUser(user.getId(), false, null) - UserGetSingleton retrievedUser = userApi.getUser(user.getId(), "false") + UserGetSingleton retrievedUser = userApi.getUser(user.getId(), null, "false") assertThat(retrievedUser.getStatus(), equalTo(UserStatus.DEPROVISIONED)) } @@ -115,7 +130,7 @@ class UsersIT extends ITSupport { // 1. Create a User Type String name = "java_sdk_it_" + RandomStringUtils.randomAlphanumeric(15) - UserType userType = new UserType() + CreateUserTypeRequest userType = new CreateUserTypeRequest() .name(name) .displayName(name) .description(name + "_test_description") @@ -144,7 +159,7 @@ class UsersIT extends ITSupport { Thread.sleep(getTestOperationDelay()) // 4.Verify user in list of active users - List users = userApi.listUsers(null, null, null, 'status eq \"ACTIVE\"', null, null, null) + List users = userApi.listUsers(null, null, null, 200, 'status eq \"ACTIVE\"', null, null, null) assertThat(users, hasSize(greaterThan(0))) //assertPresent(users, user) } @@ -170,12 +185,16 @@ class UsersIT extends ITSupport { validateUser(user, firstName, lastName, email) // 2. Activate the user and verify user in list of active users - userApi.activateUser(user.getId(), false) + UserLifecycleApi userLifecycleApi = new UserLifecycleApi(getClient()) + userLifecycleApi.activateUser(user.getId(), false) // fix flakiness seen in PDV tests Thread.sleep(getTestOperationDelay()) - List users = userApi.listUsers(null, null, null, 'status eq \"ACTIVE\"', null, null, null) + List users = userApi.listUsers(null, null, null, null, 'status eq \"ACTIVE\"', null, null, null) + + // fix flakiness seen in PDV tests + Thread.sleep(getTestOperationDelay()) assertUserPresent(users, user) } @@ -199,7 +218,7 @@ class UsersIT extends ITSupport { Thread.sleep(getTestOperationDelay()) - UserGetSingleton retrievedUser = userApi.getUser(email, "false") + UserGetSingleton retrievedUser = userApi.getUser(email,null, "false") assertThat(retrievedUser.id, equalTo(user.id)) } @@ -222,7 +241,7 @@ class UsersIT extends ITSupport { registerForCleanup(user) validateUser(user, firstName, lastName, email) - UserGetSingleton retrievedUser = userApi.getUser(email, "false") + UserGetSingleton retrievedUser = userApi.getUser(email,null, "false") assertThat(retrievedUser.id, equalTo(user.id)) assertThat(retrievedUser.profile.firstName, equalTo(firstName)) assertThat(retrievedUser.profile.lastName, equalTo(lastName)) @@ -249,7 +268,7 @@ class UsersIT extends ITSupport { Thread.sleep(getTestOperationDelay()) List users = - userApi.listUsers(null, null, null, "profile.login eq \"${email}\"", null, null, null) + userApi.listUsers(null, null, null, null, "profile.login eq \"${email}\"", null, null, null) assertUserPresent(users, user) } @@ -275,14 +294,14 @@ class UsersIT extends ITSupport { validateUser(user, firstName, lastName, email) // 2. Assign USER_ADMIN role to the user - AssignRoleRequest assignRoleRequest = new AssignRoleRequest() - assignRoleRequest.setType(RoleType.USER_ADMIN) + AssignRoleToUserRequest assignRoleToUserRequest = new AssignRoleToUserRequest() + assignRoleToUserRequest.setType(RoleType.USER_ADMIN.name()) - Role role = roleAssignmentApi.assignRoleToUser(user.getId(), assignRoleRequest, true) + AssignRoleToUser201Response role = roleAssignmentApi.assignRoleToUser(user.getId(), assignRoleToUserRequest, true) // 3. List roles for the user and verify added role - List roles = roleAssignmentApi.listAssignedRolesForUser(user.getId(), null) - Optional match = roles.stream().filter(r -> r.getId() == role.getId()).findAny() + List roles = roleAssignmentApi.listAssignedRolesForUser(user.getId(), null) + Optional match = roles.stream().filter(r -> r.getId() == role.getId()).findAny() assertThat(match.isPresent(), is(true)) // 4. Verify added role @@ -326,12 +345,12 @@ class UsersIT extends ITSupport { passwordCredentialNew.setValue("!2@3#Passw0rd") changePasswordRequest.setNewPassword(passwordCredentialNew) - UserCredentials userCredentials = userApi.changePassword(user.getId(), changePasswordRequest, true) + UserCredentials userCredentials = userCredApi.changePassword(user.getId(), changePasswordRequest, true) assertThat userCredentials.getProvider().getType(), equalTo(AuthenticationProviderType.OKTA) // 3. make the test recording happy, and call a get on the user // TODO: fix har file - userApi.getUser(user.getId(), "false") + userApi.getUser(user.getId(),null,"false") } @Test(expectedExceptions = ApiException, groups = "group2") @@ -344,12 +363,12 @@ class UsersIT extends ITSupport { String name = "java-sdk-it-${UUID.randomUUID().toString()}" - Group group = new Group() - GroupProfile groupProfile = new GroupProfile() - groupProfile.setName(name) - groupProfile.setDescription(name) - group.setProfile(groupProfile) - Group createdGroup = groupApi.createGroup(group) + OktaUserGroupProfile oktaUserGroupProfile = new OktaUserGroupProfile() + oktaUserGroupProfile.setName(name) + oktaUserGroupProfile.setDescription(name) + AddGroupRequest addGroupRequest = new AddGroupRequest() + addGroupRequest.setProfile(oktaUserGroupProfile) + Group createdGroup = groupApi.addGroup(addGroupRequest) registerForCleanup(createdGroup) assertThat createdGroup, notNullValue() @@ -397,7 +416,7 @@ class UsersIT extends ITSupport { passwordPolicyRule.setActions(passwordPolicyRuleActions) passwordPolicyRule.setName(policyRuleName) - policyApi.createPolicyRule(policy.getId(), passwordPolicyRule, true) + policyApi.createPolicyRule(policy.getId(), passwordPolicyRule, null, true) // 1. Create a user User user = UserBuilder.instance() @@ -421,14 +440,14 @@ class UsersIT extends ITSupport { .newPassword(passwordCredentialNew) // would throw a HTTP 403 - userApi.changePassword(user.getId(), changePasswordRequest, true) + userCredApi.changePassword(user.getId(), changePasswordRequest, true) - UserCredentials userCredentials = userApi.changePassword(user.getId(), changePasswordRequest, false) + UserCredentials userCredentials = userCredApi.changePassword(user.getId(), changePasswordRequest, false) assertThat userCredentials.getProvider().getType(), equalTo(AuthenticationProviderType.OKTA) // 3. make the test recording happy, and call a get on the user // TODO: fix har file - userApi.getUser(user.getId(), "false") + userApi.getUser(user.getId(), null, "false") } @Test(expectedExceptions = ApiException, groups = "group2") @@ -463,7 +482,7 @@ class UsersIT extends ITSupport { userCredentials.setPassword(passwordCredential) userCredentials.setRecoveryQuestion(recoveryQuestionCredential) - userCredentials = userApi.changeRecoveryQuestion(user.getId(), userCredentials) + userCredentials = userCredApi.changeRecoveryQuestion(user.getId(), userCredentials) assertThat userCredentials.getProvider().getType(), equalTo(AuthenticationProviderType.OKTA) assertThat userCredentials.getRecoveryQuestion().question, equalTo('How many roads must a man walk down?') @@ -473,11 +492,11 @@ class UsersIT extends ITSupport { userCredentials.getRecoveryQuestion().answer = 'forty two' // below would throw HTTP 403 exception - userApi.changeRecoveryQuestion(user.getId(), userCredentials) + userCredApi.changeRecoveryQuestion(user.getId(), userCredentials) // 4. make the test recording happy, and call a get on the user // TODO: fix har file - userApi.getUser(user.getId(), "false") + userApi.getUser(user.getId(), null, "false") } @Test (groups = "bacon") @@ -499,8 +518,8 @@ class UsersIT extends ITSupport { registerForCleanup(user) validateUser(user, firstName, lastName, email) - ResetPasswordToken response = userApi.generateResetPasswordToken(user.getId(), false, false) - assertThat response.getResetPasswordUrl(), containsString("/reset_password/") + ForgotPasswordResponse forgotPasswordResponse = userCredApi.forgotPassword(user.getId(), false) + assertThat forgotPasswordResponse.getResetPasswordUrl(), containsString("/reset-password/") } @Test (groups = "group2") @@ -526,7 +545,7 @@ class UsersIT extends ITSupport { validateUser(user, firstName, lastName, email) // 2. Expire the user's password - User updatedUser = userApi.expirePassword(user.getId()) + User updatedUser = userCredApi.expirePassword(user.getId()) assertThat updatedUser, notNullValue() assertThat updatedUser.getStatus().name(), equalTo("PASSWORD_EXPIRED") } @@ -552,8 +571,8 @@ class UsersIT extends ITSupport { validateUser(user, firstName, lastName, email) // 2. Get the reset password link - ResetPasswordToken token = userApi.generateResetPasswordToken(user.getId(), false, false) - assertThat token.getResetPasswordUrl(), notNullValue() + ForgotPasswordResponse forgotPasswordResponse = userCredApi.forgotPassword(user.getId(), false) + assertThat forgotPasswordResponse.getResetPasswordUrl(), notNullValue() } @Test (groups = "group2") @@ -578,20 +597,26 @@ class UsersIT extends ITSupport { validateUser(createdUser, firstName, lastName, email) // 2. Get the user by user ID - UserGetSingleton user = userApi.getUser(createdUser.getId(), "false") + UserGetSingleton user = userApi.getUser(createdUser.getId(), null, "false") validateUser(user, firstName, lastName, email) // 3. Get the user by user login - UserGetSingleton userByLogin = userApi.getUser(createdUser.getProfile().getLogin(), "false") + UserGetSingleton userByLogin = userApi.getUser(createdUser.getProfile().getLogin(), null, "false") validateUser(userByLogin, firstName, lastName, email) - // 3. deactivate and delete the user - userApi.deactivateUser(user.getId(), false) - userApi.deleteUser(user.getId(), false) + // 3. deactivate the user + userApi.deleteUser(user.getId(), false, null) + + // 4. delete the user + // Second delete API call is required to delete the user + // Ref: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/deleteUser + userApi.deleteUser(user.getId(), false, null) + + Thread.sleep(getTestOperationDelay()) // 4. get user expect 404 expect(ApiException) { - userApi.getUser(email, "false") + userApi.getUser(email, null, "false") } } @@ -605,8 +630,11 @@ class UsersIT extends ITSupport { def email = "john-${uniqueTestName}@example.com" def groupName = "Group-Target Test Group ${uniqueTestName}" - RoleAssignmentApi roleAssignmentApi = new RoleAssignmentApi(getClient()) - RoleTargetApi roleTargetApi = new RoleTargetApi(getClient()) + RoleAssignmentAUserApi roleAssignmentApi = new RoleAssignmentAUserApi(getClient()) + RoleBTargetAdminApi roleTargetApi = new RoleBTargetAdminApi(getClient()) + + //RoleAssignmentApi roleAssignmentApi = new RoleAssignmentApi(getClient()) + //RoleTargetApi roleTargetApi = new RoleTargetApi(getClient()) // 1. Create a user User user = UserBuilder.instance() @@ -626,10 +654,10 @@ class UsersIT extends ITSupport { validateGroup(group, groupName) // 2. Assign USER_ADMIN role to the user - AssignRoleRequest assignRoleRequest = new AssignRoleRequest() - assignRoleRequest.setType(RoleType.USER_ADMIN) + AssignRoleToUserRequest assignRoleRequest = new AssignRoleToUserRequest() + assignRoleRequest.setType(RoleType.USER_ADMIN.name()) - Role role = roleAssignmentApi.assignRoleToUser(user.getId(), assignRoleRequest, true) + AssignRoleToUser201Response role = roleAssignmentApi.assignRoleToUser(user.getId(), assignRoleRequest, true) // 3. Add Group Target to User Admin Role roleTargetApi.assignGroupTargetToUserRole(user.getId(), role.getId(), group.getId()) @@ -717,7 +745,7 @@ class UsersIT extends ITSupport { userApi.updateUser(user.getId(), updateUserRequest, true) - UserGetSingleton updatedUser = userApi.getUser(user.getId(), "false") + UserGetSingleton updatedUser = userApi.getUser(user.getId(), null, "false") assertThat(updatedUser.lastUpdated, greaterThan(originalLastUpdated)) assertThat(updatedUser.getProfile(), not(user.getProfile())) @@ -746,19 +774,23 @@ class UsersIT extends ITSupport { validateUser(user, firstName, lastName, email) // 2. Suspend the user and verify user in list of suspended users - userApi.suspendUser(user.getId()) + UserLifecycleApi userLifecycleApi = new UserLifecycleApi(getClient()) + userLifecycleApi.suspendUser(user.getId()) // fix flakiness seen in PDV tests Thread.sleep(getTestOperationDelay()) - List users = userApi.listUsers(null, null, null, 'status eq \"SUSPENDED\"',null, null, null) + List users = userApi.listUsers(null, null, null, null, 'status eq \"SUSPENDED\"',null, null, null) Optional match = users.stream().filter(u -> u.getId() == user.getId()).findAny() assertThat(match.isPresent(), is(true)) // 3. Unsuspend the user and verify user in list of active users - userApi.unsuspendUser(user.getId()) + userLifecycleApi.unsuspendUser(user.getId()) + + // fix flakiness seen in PDV tests + Thread.sleep(getTestOperationDelay()) - users = userApi.listUsers(null, null, null, 'status eq \"ACTIVE\"',null, null, null) + users = userApi.listUsers(null, null, null, null, 'status eq \"ACTIVE\"',null, null, null) match = users.stream().filter(u -> u.getId() == user.getId()).findAny() assertThat(match.isPresent(), is(true)) } @@ -768,7 +800,7 @@ class UsersIT extends ITSupport { def userId = "invalid-user-id-${uniqueTestName}@example.com" expect(ApiException) { - userApi.getUser(userId, "false") + userApi.getUser(userId, null, "false") } } @@ -800,7 +832,9 @@ class UsersIT extends ITSupport { registerForCleanup(createUser) validateUser(createUser, firstName, lastName, email) - List groups = userApi.listUserGroups(createUser.getId(), null, 10).stream().collect(Collectors.toList()) + UserResourcesApi userResourcesApi = new UserResourcesApi(getClient()) +\ + List groups = userResourcesApi.listUserGroups(createUser.getId()).stream().collect(Collectors.toList()) assertThat groups, allOf(hasSize(2)) assertThat groups.get(0).getProfile().name, equalTo("Everyone") assertThat groups.get(1).getId(), equalTo(group.id) @@ -860,7 +894,7 @@ class UsersIT extends ITSupport { userCredentials.setPassword(passwordCredential) userCredentials.setRecoveryQuestion(recoveryQuestionCredential) - userCredentials = userApi.forgotPasswordSetNewPassword(user.getId(), userCredentials, false) + userCredentials = userCredApi.forgotPasswordSetNewPassword(user.getId(), userCredentials, false) assertThat userCredentials.getRecoveryQuestion().getQuestion(), equalTo("How many roads must a man walk down?") assertThat userCredentials.getProvider().getType(), equalTo(AuthenticationProviderType.OKTA) } @@ -901,7 +935,7 @@ class UsersIT extends ITSupport { def expandParameter = "group" List applicationList = - applicationApi.listApplications( null, null, null, null, null, null) + applicationApi.listApplications( null, null, null, null, null, null, null) Application application = applicationList.first() diff --git a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/ClientProvider.groovy b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/ClientProvider.groovy index acf1776ab7b..20d9af96eb3 100644 --- a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/ClientProvider.groovy +++ b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/ClientProvider.groovy @@ -17,6 +17,27 @@ package com.okta.sdk.tests.it.util import com.okta.commons.lang.Strings import com.okta.sdk.client.Clients +import com.okta.sdk.resource.api.ApplicationApi +import com.okta.sdk.resource.api.GroupApi +import com.okta.sdk.resource.api.GroupRuleApi +import com.okta.sdk.resource.api.IdentityProviderApi +import com.okta.sdk.resource.api.InlineHookApi +import com.okta.sdk.resource.api.PolicyApi +import com.okta.sdk.resource.api.UserApi +import com.okta.sdk.resource.api.UserTypeApi +import com.okta.sdk.resource.model.Application +import com.okta.sdk.resource.model.ApplicationLifecycleStatus +import com.okta.sdk.resource.model.Group +import com.okta.sdk.resource.model.GroupRule +import com.okta.sdk.resource.model.IdentityProvider +import com.okta.sdk.resource.model.InlineHook +import com.okta.sdk.resource.model.InlineHookStatus +import com.okta.sdk.resource.model.LifecycleStatus +import com.okta.sdk.resource.model.Policy +import com.okta.sdk.resource.model.User +import com.okta.sdk.resource.model.UserGetSingleton +import com.okta.sdk.resource.model.UserStatus +import com.okta.sdk.resource.model.UserType import com.okta.sdk.tests.Scenario import com.okta.sdk.tests.TestResources import com.okta.sdk.resource.client.ApiClient @@ -139,17 +160,17 @@ trait ClientProvider implements IHookable { void deleteUser(String id, ApiClient client) { UserApi userApi = new UserApi(client) - User userToDelete = userApi.getUser(id) + UserGetSingleton userToDelete = userApi.getUser(id, null, "false") if (userToDelete != null) { log.info("Deleting User: {} (id - {})", userToDelete.getProfile().getEmail(), id) if (userToDelete.getStatus() != UserStatus.DEPROVISIONED) { // deactivate - userApi.deactivateUser(userToDelete.getId(), false) + userApi.deleteUser(userToDelete.getId(), false, null) } // delete - userApi.deleteUser(userToDelete.getId(), false) + userApi.deleteUser(userToDelete.getId(), false, null) } } @@ -177,7 +198,9 @@ trait ClientProvider implements IHookable { void deleteGroupRule(String id, ApiClient client) { GroupApi groupApi = new GroupApi(client) - GroupRule groupRuleToDelete = groupApi.getGroupRule(id, null) + GroupRuleApi groupRuleApi = new GroupRuleApi(client) + + GroupRule groupRuleToDelete = groupRuleApi.getGroupRule(id, null) if (groupRuleToDelete != null) { log.info("Deleting GroupRule: {} (id - {})", groupRuleToDelete.getName(), id) diff --git a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/OktaOrgCleaner.groovy b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/OktaOrgCleaner.groovy index b3ae81ebfe9..f3657c76a21 100644 --- a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/OktaOrgCleaner.groovy +++ b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/OktaOrgCleaner.groovy @@ -16,6 +16,7 @@ package com.okta.sdk.tests.it.util import com.okta.sdk.client.Clients +import com.okta.sdk.resource.api.GroupRuleApi import com.okta.sdk.resource.client.ApiClient import com.okta.sdk.resource.api.ApplicationApi import com.okta.sdk.resource.api.AuthorizationServerApi @@ -49,27 +50,29 @@ class OktaOrgCleaner { UserApi userApi = new UserApi(client) log.info("Deleting Active Users:") - userApi.listUsers(null, null, null, 'status eq \"ACTIVE\"', null, null, null) + userApi.listUsers(null, null, null, null,'status eq \"ACTIVE\"', null, null, null) .stream() .filter { it.getProfile().getEmail().endsWith("@example.com") } .forEach { log.info("\t ${it.getProfile().getEmail()}") // deactivate - userApi.deactivateUser(it.getId(),false) + userApi.deleteUser(it.getId(), false, null) // delete - userApi.deleteUser(it.getId(), false) + // second delete API call is required + // see https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/deleteUser + userApi.deleteUser(it.getId(), false, null) } - userApi.listUsers(null, null, null, 'status eq \"DEPROVISIONED\"', null, null, null) + userApi.listUsers(null, null, null, null, 'status eq \"DEPROVISIONED\"', null, null, null) .forEach { log.info("Deleting deactivated user: ${it.getProfile().getEmail()}") - userApi.deleteUser(it.getId(), false) + userApi.deleteUser(it.getId(), false, null) } ApplicationApi applicationApi = new ApplicationApi(client) log.info("Deleting Applications:") - applicationApi.listApplications(null, null, 100, null, null, true).stream() + applicationApi.listApplications(null, null, true, 100, null, null, true).stream() .filter { it.getLabel().startsWith(prefix) && it.getLabel().matches(".*-${uuidRegex}.*") } .forEach { log.info("\t ${it.getLabel()}") @@ -87,8 +90,10 @@ class OktaOrgCleaner { groupApi.deleteGroup(it.getId()) } + GroupRuleApi groupRuleApi = new GroupRuleApi(client) + log.info("Deleting Group Rules:") - groupApi.listGroupRules(1000, null, null, null).stream() + groupRuleApi.listGroupRules(1000, null, null, null).stream() .filter { it.getName().startsWith(prefix) && it.getName().matches(".*-${uuidRegex}.*") } .forEach { GroupRule rule = it @@ -102,7 +107,7 @@ class OktaOrgCleaner { PolicyApi policyApi = new PolicyApi(client) log.info("Deleting Policies:") - policyApi.listPolicies("OKTA_SIGN_ON", null, null, null, null, null).stream() + policyApi.listPolicies("OKTA_SIGN_ON", null, null, null, null, null, null, null).stream() .filter { it.getName().startsWith(prefix) && it.getName().matches(".*-${uuidRegex}.*") } .forEach { log.info("\t ${it.getName()}") diff --git a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/Util.groovy b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/Util.groovy index 3f037457d27..bfcd0cd64aa 100644 --- a/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/Util.groovy +++ b/integration-tests/src/test/groovy/com/okta/sdk/tests/it/util/Util.groovy @@ -96,7 +96,7 @@ class Util { } static void assertUserInGroup(User user, Group group, GroupApi groupApi) { - assertThat "User was not found in group.", StreamSupport.stream(groupApi.listGroupUsers(group.getId(), null, null, null, null, null).spliterator(), false) + assertThat "User was not found in group.", StreamSupport.stream(groupApi.listGroupUsers(group.getId(), null, null).spliterator(), false) .filter{ listUser -> listUser.id == user.id} .findFirst().isPresent() } @@ -106,7 +106,7 @@ class Util { sleep(delayInMilliseconds) - if (present == StreamSupport.stream(groupApi.listGroupUsers(group.getId(), null, null, null, null, null).spliterator(), false) + if (present == StreamSupport.stream(groupApi.listGroupUsers(group.getId(), null, null).spliterator(), false) .filter{ listUser -> listUser.id == user.id} .findFirst().isPresent()) { return @@ -118,7 +118,7 @@ class Util { } static void assertUserNotInGroup(User user, Group group, GroupApi groupApi) { - assertThat "User was found in group.", !StreamSupport.stream(groupApi.listGroupUsers(group.getId(), null, null, null, null, null).spliterator(), false) + assertThat "User was found in group.", !StreamSupport.stream(groupApi.listGroupUsers(group.getId(), null, null).spliterator(), false) .filter{ listUser -> listUser.id == user.id} .findFirst().isPresent() } @@ -128,7 +128,7 @@ class Util { sleep(delayInMilliseconds) - if (present == !StreamSupport.stream(groupApi.listGroupUsers(group.getId(), null, null, null, null, null).spliterator(), false) + if (present == !StreamSupport.stream(groupApi.listGroupUsers(group.getId(), null, null).spliterator(), false) .filter{ listUser -> listUser.id == user.id} .findFirst().isPresent()) { return diff --git a/pom.xml b/pom.xml index e3485aaff4b..07e67235598 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ com.okta.sdk okta-sdk-root - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT pom Okta Java SDK @@ -35,7 +35,7 @@ 2.17.2 - 2.2 + 2.3 1.78.1 0.12.6 5.3.1 @@ -68,12 +68,12 @@ com.okta.sdk okta-sdk-api - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT com.okta.sdk okta-sdk-impl - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT @@ -103,14 +103,14 @@ com.okta.sdk okta-sdk-integration-tests - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT com.okta.sdk okta-sdk-examples-quickstart - 18.0.1-SNAPSHOT + 19.0.0-SNAPSHOT diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 8d1b6476743..c928b8b4676 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -25,7 +25,7 @@ info: license: name: Apache-2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html - version: 2024.06.1 + version: 2024.08.3 x-logo: url: logo.svg backgroundColor: transparent @@ -68,36 +68,26 @@ tags: Okta supports token-based and OAuth 2.0-based provisioning connections for supported apps. The following available provisioning connections are supported by the indicated apps: - |
Connection
| Apps supported | Description | - | -------------------- | -------------- | ----------- | - | Token | Okta Org2Org (`okta_org2org`)
Zscaler 2.0 (`zscalerbyz`) | The provisioning API connection is based on bearer token authentication. | - | OAuth 2.0 | Google Workspace (`google`)
Microsoft Office 365 (`office365`)
Okta Org2Org (`okta_org2org`)
Slack (`slack`)
Zoom (`zoomus`) | The provisioning API connection is based on OAuth 2.0 authentication. | - > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. - - name: ApplicationCredentials - x-displayName: Application Credentials - description: | - Specifies credentials and scheme for the application's `signOnMode` - - ### Application Key Credential - The application Key Credential object defines a [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) for a signature or encryption credential for an application. + |
Connection
| Description |
Apps supported
| + | -------------------------------- | -------------- | ----------- | + | Token | The provisioning API connection is based on bearer token authentication. |
  • Okta Org2Org (`okta_org2org`)
  • Zscaler 2.0 (`zscalerbyz`)
| + | OAuth 2.0 | The provisioning API connection is based on OAuth 2.0 authentication. |
  • Google Workspace (`google`)
  • Microsoft Office 365 (`office365`)
  • Okta Org2Org (`okta_org2org`)
  • Slack (`slack`)
  • Zoom (`zoomus`)
| - > **Notes:** - > * To update the app, you can provide just the Signing Credential object instead of the entire Application Credential object. - > * Currently only the X.509 JWK format is supported for applications with the `SAML_2_0` sign-on mode. + > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. - name: ApplicationFeatures x-displayName: Application Features description: | - The Application Features API supports operations to configure app feature settings. + The Application Features API supports operations to configure app provisioning feature settings. You must have app provisioning enabled to configure provisioning features. See [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). The following available provisioning features are supported by the indicated apps: - |
Feature
| Apps supported | Description | + |
Feature
| Description |
Apps supported
| | -------------------- | -------------- | ----------- | - | `USER_PROVISIONING` | Google Workspace (`google`)
Microsoft Office 365 (`office365`)
Okta Org2Org (`okta_org2org`)
Slack (`slack`)
Zoom (`zoomus`)
Zscaler 2.0 (`zscalerbyz`) | Similar to the app **Provisioning** > **To App** setting in the Admin Console, user profiles are pushed from Okta to the third-party app. You can configure rules for creating users, deactivating users, and syncing passwords. | - | `INBOUND_PROVISIONING` | Google Workspace (`google`)
Microsoft Office 365 (`office365`)
Okta Org2Org (`okta_org2org`)
Slack (`slack`)
Zoom (`zoomus`) | Similar to the app **Provisioning** > **To Okta** provisioning setting in the Admin Console, user profiles are imported from the third-party app into Okta. You can schedule user import and configure rules for user creation and matching. | + | `USER_PROVISIONING` | Similar to the app **Provisioning** > **To App** setting in the Admin Console, user profiles are pushed from Okta to the third-party app. You can configure rules for creating users, deactivating users, and syncing passwords. |
  • Google Workspace (`google`)
  • Microsoft Office 365 (`office365`)
  • Okta Org2Org (`okta_org2org`)
  • Slack (`slack`)
  • Zoom (`zoomus`)
  • Zscaler 2.0 (`zscalerbyz`)
| + | `INBOUND_PROVISIONING` | Similar to the app **Provisioning** > **To Okta** provisioning setting in the Admin Console, user profiles are imported from the third-party app into Okta. You can schedule user import and configure rules for user creation and matching. |
  • Google Workspace (`google`)
  • Microsoft Office 365 (`office365`)
  • Okta Org2Org (`okta_org2org`)
  • Slack (`slack`)
  • Zoom (`zoomus`)
| > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. - name: ApplicationGrants @@ -115,10 +105,18 @@ tags: description: Provides a resource to manage the application instance logo - name: ApplicationPolicies x-displayName: Application Policies - description: Provides a resource to manage authentication policies associated with an application + description: The Application Policies API provides a resource to manage authentication policies associated with an app. - name: ApplicationSSO x-displayName: Application SSO description: Provides a Single Sign-On (SSO) resource for an application + - name: ApplicationSSOCredentialKey + x-displayName: Application Key Credentials + description: | + The Application Key Credentials API provides a set of operations to manage an app's key store credentials. + - name: ApplicationSSOCredentialOAuth2ClientAuth + x-displayName: Application Client Auth Credentials + description: | + The Application Client Authentication Credentials API provides a set of operations to manage credentials used for OAuth 2.0 client authentication as described in [Client authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/client-auth/). - name: ApplicationTokens x-displayName: Application Tokens description: | @@ -185,7 +183,10 @@ tags: Read [Validate access tokens](https://developer.okta.com/docs/guides/validate-access-tokens/dotnet/main/) and [Validate ID tokens](https://developer.okta.com/docs/guides/validate-id-tokens/main/) to understand more about how OAuth 2.0 tokens work. - name: AuthorizationServerKeys x-displayName: Authorization Server Keys - description: Provides operations to manage credential keys for the given `authServerId`. + description: |- + Provides operations to manage [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) credentials for the given `authServerId`. + + > **Note:** Looking for how to obtain the jwks_uri for your org or custom authorization server? See the [well-known OpenID metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOpenIDConfigurationCustomAS) and the [well-known OAuth 2.0 metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOAuthConfigurationCustomAS). - name: AuthorizationServerPolicies x-displayName: Authorization Server Policies description: Provides operations to manage policies for the given `authServerId`. @@ -194,7 +195,7 @@ tags: description: Provides operations to manage policy rules for the given `authServerId`, `policyId`, and `ruleId`. - name: AuthorizationServerScopes x-displayName: Authorization Server Scopes - description: Provides operations to manage custom token scopes for the given `authServerId` and `scopeId`. + description: Provides operations to manage custom token scopes for the given `authServerId` and `scopeId`. See [scope properties](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scope-properties). - name: Behavior x-displayName: Behavior Rules description: The Behavior Rules API provides operations to manage the behavior detection rules for your organization. @@ -279,6 +280,9 @@ tags: > **Note:** End users with a new enrollment in Okta Verify on an Okta Identity Engine org have a device record created in the device inventory by default. See [Device Registration](https://help.okta.com/okta_help.htm?type=oie&id=csh-device-registration), [Login Using Okta Verify](https://help.okta.com/okta_help.htm?type=eu&id=ext-ov-user-overview). + - name: DeviceAccess + x-displayName: Device Access + description: The Device Access API provides operations to configure device access settings. - name: DeviceAssurance x-displayName: Device Assurance Policies description: The Device Assurance Policies API provides operations to manage device assurance policies in your organization. @@ -288,6 +292,9 @@ tags: > **Note:** Your Okta org needs to have the AD bidirectional group management feature enabled. Contact your Okta account team to enable this feature. The Directories Integration API provides operations to manage Active Directory objects in a connected on-premises directory through Okta. + - name: EmailCustomization + x-displayName: Email Customization + description: The Email Customization API provides operations to modify the email bounce list for your Okta org. - name: EmailDomain x-displayName: Email Domains description: The Email Domains API provides operations to manage email domains for your organization. @@ -312,19 +319,36 @@ tags: > **Note:** Important background information for this API is available on the [Feature Lifecycle Management](https://developer.okta.com/docs/concepts/feature-lifecycle-management/) page. - name: Group x-displayName: Groups - description: The Groups API provides operations to manage Okta Groups and their user members for your organization. + description: The Groups API provides operations to manage Okta Groups and their user members for your org. - name: GroupOwner x-displayName: Group Owners description: |- The Group Owners API provides operations to manage owners of Okta Groups for your organization. > **Note**: This API is only available if you're subscribed to [Okta Identity Governance](https://www.okta.com/products/identity-governance/). Contact your Customer Success Manager or Account Executive for more information. + - name: GroupRule + x-displayName: Group Rules + description: The Group Rules API provides operations to manage rules for Okta Groups in your org. - name: HookKey x-displayName: Hook Keys - description: The Hook Keys API provides operations to manage hook keys for your organization. + description: |- + The Okta Key Management API provides a CRUD interface for JSON Web Keys (JWK) used with other parts of the application, such as inline hooks. For information on how to create inline hooks, see [inline hooks](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/). + + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: IdentityProvider x-displayName: Identity Providers description: The Identity Providers API provides operations to manage federations with external Identity Providers (IdP). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (`OIDC`) protocol. + - name: IdentityProviderKeys + x-displayName: Identity Provider Keys + description: The Identity Provider Keys API provides operations to manage Key Credentials for Identity Providers. + - name: IdentityProviderSigningKeys + x-displayName: Identity Provider Signing Keys + description: |- + The Identity Provider Signing Keys API provides operations to manage signing Key Credentials and Certificate Signing Requests for Identity Providers. + > **Note:** Okta currently uses the same key for both request signing and the decryption of SAML assertions that the IdP encrypts. Changing your signing key also changes your decryption key. + - name: IdentityProviderUsers + x-displayName: Identity Provider Users + description: The Identity Provider Users API provides operations to manage Identity Provider Users. - name: IdentitySource x-displayName: Identity Sources description: The Okta Identity Source API provides a mechanism to synchronize an HR source (the custom identity source) with Okta user profiles in an org. @@ -408,12 +432,12 @@ tags: Your Okta org provides the following default system Network Zones that you can modify and use: * `LegacyIpZone`: The system default IP Network Zone * `BlockedIpZone`: The system default IP Blocklist Network Zone - * `DefaultEnhancedDynamicZone`: The system default Enhanced Dynamic Network Zone + * `DefaultEnhancedDynamicZone`: The system default Enhanced Dynamic Network Zone You can create and use the following custom Network Zones: * IP Network Zone (`IP`): Allows you to define network perimeters around a set of IPs * Dynamic Network Zone (`DYNAMIC`): Allows you to define network perimeters around location, IP type, or ASNs - * Enhanced Dynamic Network Zone (`DYNAMIC_V2`): Extends the Dynamic Network Zone and allows you to include or exclude specific locations, ASNs, or IP service categories + * Enhanced Dynamic Network Zone (`DYNAMIC_V2`): Extends the Dynamic Network Zone and allows you to include or exclude specific locations, ASNs, or IP service categories > **Notes:** > * To create multiple Network Zones, you must have Adaptive MFA enabled in your Okta org. @@ -421,9 +445,33 @@ tags: - name: OktaApplicationSettings x-displayName: Okta Application Settings description: The Okta Application Settings API provides operations to manage settings for Okta apps in your org. - - name: OrgSetting - x-displayName: Org Settings - description: The Org Settings API provides operations to manage your org account settings such as contact information, granting Okta Support access, and more. + - name: OrgCreator + x-displayName: Org Creator + description: |- + > **Note:** You need to have the **Platform - Multi-org Deployment** product to enable the **Org Creator API** feature. Contact your Okta account team for more information. + + The Org Creator API provides an operation to create Okta orgs (child orgs) based on features from your current org (the parent org). See [Org Creator](https://developer.okta.com/docs/concepts/org-creator/). + - name: OrgSettingAdmin + x-displayName: Org Admin Settings + description: The Org Admin Settings API provides operations to manage the admin settings for your Okta org. + - name: OrgSettingCommunication + x-displayName: Org Communication Settings + description: The Org Communication Settings API provides operations to manage the communication settings for your Okta org. For example, opt users in or out of communication emails. + - name: OrgSettingContact + x-displayName: Org Contacts + description: The Org Contacts API provides operations to manage the contact types of your Okta org. + - name: OrgSettingCustomization + x-displayName: Org Customization + description: The Org Customization API provides operations to retrieve and modify custom settings for your Okta org. + - name: OrgSettingGeneral + x-displayName: Org General Settings + description: The Org General Settings API provides operations to manage the general settings of your Okta org. + - name: OrgSettingMetadata + x-displayName: Org Metadata + description: The Org Metadata API provides operation to fetch metadata for your Okta org. + - name: OrgSettingSupport + x-displayName: Org Support Settings + description: The Org Support Settings API provides operations to manage the support settings for your Okta org. - name: Policy x-displayName: Policies description: |- @@ -461,41 +509,77 @@ tags: - name: RealmAssignment x-displayName: Realm Assignments description: The Realm Assignments API provides operations to manage Realm Assignments - - name: ResourceSet - x-displayName: Resource Sets - description: The Resource Sets API provides operations to manage Resource Sets as custom collections of resources. You can use Resource Sets to assign Custom Roles to administrators who are scoped to the designated resources. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). - name: RiskEvent x-displayName: Risk Events description: The Risk Events API provides the ability for third-party risk providers to send risk events to Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. - name: RiskProvider x-displayName: Risk Providers - description: The Risk Providers API provides the ability to manage the Risk Providers within Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. - - name: Role - x-displayName: Roles + description: The Risk Providers API enables you to manage the Risk Providers within Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. + - name: RoleAssignmentAUser + x-displayName: User Role Assignments + description: The User Role Assignments APIs allow you to assign roles and designate third-party admin status to Users. + - name: RoleAssignmentBGroup + x-displayName: Group Role Assignments + description: The Group Role Assignments APIs allow you to assign roles and designate third-party admin status to Groups. + - name: RoleAssignmentClient + x-displayName: Client Role Assignments + description: The Client Role Assignments APIs allow you to assign roles and designate third-party admin status to public client apps. + - name: RoleBTargetAdmin + x-displayName: User Role Targets description: |- - The Roles API provides operations to manage administrative Role assignments for a User. - - Role listing APIs provide a union of both standard and Custom Roles assigned to a User or Group. - - name: RoleAssignment - x-displayName: Role Assignments - description: The Role Assignments APIs allow you to assign custom roles, and designate third-party admin status, to users, groups and public client apps. - - name: RoleTarget - x-displayName: Role Targets + User role targets are a way of limiting the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to an admin User within your org. + You can define admin roles to target Groups, Applications, and Application Instances. + + * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. + * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. + * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. + + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Set Resources](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleBTargetBGroup + x-displayName: Group Role Targets description: |- - Role targets are a way of defining permissions for admin roles into a smaller subset of Groups or Apps within your org. Targets limit an admin's permissions to a targeted area of the org. You can define admin roles to target Groups, Applications, and Application Instances. + Group role targets allow you to limit the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a Group within your org. + You can define admin roles to target Groups, Applications, and Application Instances. * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. - * **App targets:** Grant an admin permission to manage all instances of the specified Apps. Target Apps are Okta catalog Apps. For example, you can have multiple configurations of an Okta catalog App, such as Salesforce or Facebook. When you add a Salesforce or Facebook App as a target, that grants the admin permission to manage all the instances of those Apps and create new instances of them. - * **App Instance targets:** Grant an admin permission to manage an instance of one App or instances of multiple Apps. App Instances are specific Apps that admins have created in their org. For example, there may be a Salesforce App configured differently for each sales region of a company. When you create an App Instance target, you can assign an admin to manage only two instances of the configured Salesforce Apps and then also to manage an instance of another configured App such as Workday. + * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. + * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. - > **Note:** Don't use these operations with a Custom Role ID. Custom Role assignments always require a target Resource Set. See [Role Assignments](https://developer.okta.com/docs/concepts/role-assignment/) for more information. + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Set Resources](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleBTargetClient + x-displayName: Client Role Targets + description: |- + Client role targets allow you to limit the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a client (Application) within your org. + You can define admin roles to target Groups, Applications, and Application Instances. + + * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. + * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. + * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. + + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Sets](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleCResourceSet + x-displayName: Resource Sets + description: The Resource Sets API provides operations to manage Resource Sets as a custom set of resources. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). + - name: RoleCResourceSetResource + x-displayName: Resource Set Resources + description: The Resource Set Resources API provides operations to manage Resources within a Resource Set. You can add or remove Resources in Resource Sets. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). + - name: RoleDResourceSetBinding + x-displayName: Role Resource Set Bindings + description: The Role Resource Set Bindings API provides operations to assign members to a [Custom Role](/openapi/okta-management/management/tag/RoleECustom/) that targets resources in a [Resource Set](/openapi/okta-management/management/tag/RoleCResourceSet/). The returned Role Resource Set Binding is a single unique combination of a principal, a resource set, and a custom role. You can assign custom roles to admins who are scoped to the designated resources in a resource set. + - name: RoleDResourceSetBindingMember + x-displayName: Role Resource Set Binding Members + description: The Role Resource Set Binding Members API provides operations to manage members in a [Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/). + - name: RoleECustom + x-displayName: Custom Roles + description: The Custom Roles API provides operations to manage custom roles that limit an admin's access to a subset of permissions and resources. + - name: RoleECustomPermission + x-displayName: Custom Role Permissions + description: The Custom Role Permissions API provides operations to manage the permissions assigned to a Custom Role. - name: SSFReceiver x-displayName: SSF Receiver description: |- - - > **Note:** This is an EA release feature that's currently available to a selected audience. - > This feature is only available as a part of Okta Identity Engine. Your Okta org must have the SSF Receiver API feature enabled. - > Contact your Okta account team to enable this feature. + + > This feature is only available with Identity Threat Protection in Identity Engine. Okta uses the [Shared Signals Framework (SSF)](https://sharedsignals.guide/) to receive security-related events and other data-subject signals from third-party security vendors. In this scenario, commonly used terms for third-party vendors that send signals are "transmitters", Okta is the "receiver", and the connection between the two entities is referred to as a "stream." @@ -505,10 +589,8 @@ tags: - name: SSFSecurityEventToken x-displayName: SSF Security Event Tokens description: |- - - > **Note:** This is an EA release feature that's currently available to a selected audience. - > This feature is only available as a part of Okta Identity Engine. Your Okta org needs to have the SSF Security Event Tokens API feature enabled. - > Contact your Okta account team to enable this feature. + + > This feature is only available with Identity Threat Protection in Identity Engine. The Shared Signals Framework (SSF) Security Event Tokens API allows third-party security event providers to send Security Event Tokens (SETs) to Okta. The provider must be configured in Okta as a Security Events Provider instance before transmitting a SET to Okta. See [Create a Security Events Provider](/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance). After the token is verified, any appropriate action is performed upon ingestion. @@ -533,6 +615,37 @@ tags: [JSON Schema](http://json-schema.org/) is a lightweight declarative format for describing the structure, constraints, and validation of JSON documents. > **Note:** Okta implements only a subset of [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). This document describes which parts apply to Okta, and any extensions Okta has made to [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). + + ### Unique Attributes + You can enforce uniqueness for custom properties in Okta user profiles or the Okta group profile, such as an employee identification number. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. Different user types can have the same or different unique properties (up to the limit of five per type). + + Unique properties in Okta user profiles share a single namespace across all [user types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) in an org. If user types A and B both contain the property `ice cream` and you identify it as unique in both profiles, then if a user of type A has the value `chocolate`, no other users of type A or B (or any other user type that declares `ice cream` as unique) can have that value. + + Properties that aren't unique also aren't tracked for uniqueness. Suppose the property `candy` is unique in type E and not unique in type F. If a user of type E has the value `caramel` for the `candy` property, no other users of type E can also have the value `caramel`, but any number of users of type F can already have or later be assigned the value `caramel`. Furthermore, because `candy` is not unique in type F, any values users of type F may have are not considered when enforcing uniqueness for users of type E. No matter how many users of type F already have the value `cotton`, it might be assigned to a user of type E as long as no other such user already has that value. + + If you attempt to create or update a user with a duplicate value for a custom user property with a uniqueness restriction, the user creation or update operation fails. The user isn't created or updated until you enter a unique value. Similarly, creating or updating a group fails when the request contains a value for a unique custom group property that is duplicated by another group. + + `null` values don't enter into the uniqueness calculation. If the unique property isn't also specified as being required, you can also omit the value entirely. Multiple users or groups can omit the property and not violate uniqueness. + + To enforce uniqueness for custom properties, you can either add new unique custom properties or update existing custom properties to be unique. + + #### Add new unique custom property + + You can use the [add property to user profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [add property to group profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to add one or more unique custom user or group properties. Specify `"unique": true` on the properties to be marked as unique. The response shows the properties with `"unique": "UNIQUE_VALIDATED"` and uniqueness is then enforced on those properties. + + #### Update existing custom property to be unique + + You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to mark existing custom user or group properties as unique by specifying `"unique": true` on the properties to be marked as unique. + + After the request to mark existing custom properties as unique is submitted, an asynchronous validation check is performed to make sure that there are no existing duplicate entries. If you have a significant number of users or groups, the validation can take some time. + + A uniqueness status of `"unique": "PENDING_UNIQUENESS"` indicates that the validation check is still in progress. Use the Universal Directory page in the Admin Console (**Directory** > **Directory Integrations**) to track the status of the validation check. After the validation completes, if you submit a retrieve user schema request or a retreive group schema request, the property's uniqueness status changes to `UNIQUE_VALIDATED` if no duplicate records are found, and uniqueness is then enforced on that property. Otherwise, if duplicate records are found, the `unique` attribute of the schema property isn't shown in the get schema request and uniqueness isn't enforced on the schema property. + + #### Update existing unique custom property to be non-unique + + You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to change existing unique custom user or group properties to be non-unique by specifying `"unique": false` on the properties to be changed to non-unique. The response shows the properties without the `unique` attribute and the uniqueness constraint is then removed on those properties. + + **Note:** If multiple user types declare a property as unique and you remove the uniqueness constraint on one type, there may be a delay before users of other types that declare the property as unique can be assigned values formerly held by users of the first type. - name: Session x-displayName: Sessions description: |- @@ -563,9 +676,9 @@ tags: - name: SystemLog x-displayName: System Log description: |- - The System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. + The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. - The System Log API provides near real-time, read-only access to your organization's system log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). + The Okta System Log API provides near real-time, read-only access to your organization's system log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact. @@ -575,9 +688,7 @@ tags: * Development debugging * Event introspection and audit - The System Log API isn't intended for use as a Database as a Service (DBaaS) or to serve data directly to downstream consumers without an intermediate data store. - - See [Events API Migration](https://developer.okta.com/docs/concepts/events-api-migration/) for information on migrating from the Events API to the System Log API. + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: Template x-displayName: SMS Templates description: |- @@ -590,6 +701,7 @@ tags: ### SMS Template macros Only two macros are supported for SMS Templates: + |
Type
| Description | | -------------------- | ----------- | | ${code} | The one-time verification code that's required for a user to sign in. | @@ -644,12 +756,16 @@ tags: If you're not sure which solution you're using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs. - name: User x-displayName: Users - description: The User API provides operations to manage users in your organization. + description: "The Users API provides operations to manage users in your organization.\n> **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs.\n> OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).\n\n### User status\nThe following diagram shows the flow of User status:\n![STAGED, PROVISIONED, ACTIVE, RECOVERY, LOCKED_OUT, PASSWORD_EXPIRED, or DEPROVISIONED](../../../../../images/users/okta-user-status.png)\n\n### User creation scenarios\n\n The following table describes the user experience and expectation of user status and welcome screen, depending on which options (security question and answer, password, and activate query) are defined during user creation.\n\n **User creation details and outcomes**\n\n | Security Q & A | Password | Activate Query Parameter | User Status | Login Credential | Welcome Screen |\n | ----- | -------- | ------------------------ | ------------- | ---------------------- | -------------- |\n | | | FALSE | `STAGED` | | |\n | | | TRUE | `PROVISIONED` or `ACTIVE` | One-Time Token (Email) or Email | X |\n | X | | FALSE | `STAGED` | | |\n | X | | TRUE | `PROVISIONED` or `ACTIVE` | One-Time Token (Email) or Email | X |\n | | X | FALSE | `STAGED` | | |\n | | X | TRUE | `ACTIVE` | Password | X |\n | X | X | FALSE | `STAGED` | | |\n | X | X | TRUE | `ACTIVE` | Password | |\n\nCreating users with a `FEDERATION` or `SOCIAL` provider sets the User status to either `ACTIVE` or `STAGED` based on the `activate` query parameter since these two providers don't support a `password` or `recovery_question` credential.\n\nMore information about the use cases are in the following sections and in the examples for [Create a User](/openapi/okta-management/management/tag/User/#tag/User/operation/createUser).\n\n#### Create User with Optional Password enabled\n\nWhen Optional Password is enabled, the User status following User creation can be affected by the enrollment policy. See [Create an authenticator enrollment policy](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-mfa-policy).\nBased on the group memberships that are specified when the User is created, a password may or may not be required to make the user's status `ACTIVE`.\n\nIf the enrollment policy that applies to the User (as determined by the groups assigned to the user) specifies that the Password authenticator is `required`, then in the case where the User is created without a password, the User is in the `PROVISIONED` status and\na One-Time Token is sent to the User through email. If the User is created with a password, then their status is set to ACTIVE, and they can immediately sign in using their Password authenticator.\n\nIf the enrollment policy that applies to the groups specified for the newly created User indicates that password is `optional` or `disabled`, then the Administrator can't specify a password for the user. Instead, the user status is set to `ACTIVE` and the User can immediately sign in using their Email authenticator. If policy permits, and the User so chooses, they can enroll a password after they sign in.\n\n#### Create User without credentials\n\nCreates a user without a `password` or `recovery question & answer`\n\nIf appropriate, when the user is activated, an email is sent to the user with an activation token that the user can use to complete the activation process.\nThis is the default flow for new user registration using the administrator UI.\n\n#### Create User with recovery question\n\nCreates a user without a `password`\n\nWhen the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process.\nThis flow is useful if migrating users from an existing user store.\n\n#### Create User with password\n\nCreates a user without a `recovery question & answer`\n\nThe new user is able to sign in after activation with the assigned password. This flow is common when developing a custom user registration experience.\n> **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.\n\n#### Create User with imported hashed password\n\nCreates a user with a specified `hashed password`.\n\nThe new user is able to sign in after activation with the specified password.\nThis flow is common when migrating users from another data store in cases where we want to allow the users to retain their current passwords.\n> **Important:** Do not generate or send a one-time activation token when activating users with an imported password. Users should login with their imported password.\n\n#### Create User with password import inline hook\n\nCreates a user with a `Password Hook` object specifying that a password inline hook should be used to handle password verification.\n\nThe password inline hook is triggered to handle verification of the end user's password the first time the user tries to sign in, with Okta calling the password inline hook to check that the password the user supplied is valid. If the password is valid, Okta stores the hash of the password that was provided and can authenticate the user independently from then on. See [Password import inline hook](https://developer.okta.com/docs/reference/password-hook/) for more details.\n\nThe new user is able to sign in after activation with the valid password. This flow supports migrating users from another data store in cases where we wish to allow the users to retain their current passwords.\n> **Important:** Don't generate or send a one-time activation token when activating users with an password inline hook. Users should sign in with their existing password to be imported using the password import inline hook.\n\n#### Create User with Password & Recovery Question\n\nCreates a new user with a `password` and `recovery question & answer`.\n\nThe new user is able to log in with the assigned password after activation. This flow is common when developing a custom user-registration experience.\n> **Important:** Don't generate or send a one-time activation token when activating users with an assigned password. Users should login with their assigned password.\n\n#### Create User with Authentication Provider\n\nCreates a new passwordless user with a `SOCIAL` or `FEDERATION` authentication provider that must be authenticated via a trusted Identity Provider.\n\n#### Create User in Group\n\nCreates a user that is added to the specified groups upon creation.\n\nUse this in conjunction with other create operations for a Group Administrator that is scoped to create users only in specified groups. The request may specify up to 20 group ids. (This limit applies only when creating a user. The user may later be added to more groups.)\n\n#### Create User with non-default User Type\nCreates a user with a specified User Type (see [User Types](https://developer.okta.com/docs/reference/api/user-types)). The type specification may be included with any of the above Create User operations; this example demonstrates creating a user without credentials.\nThe User Type determines which [Schema](/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can be assigned a different User Type only by an administrator via a full replacement [PUT operation](https://developer.okta.com/docs/reference/api/user-types/#update-user-type).\n\n### Links object\n\nThe Links object specifies link relations. See [`_links`](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=_links&t=response).\n\n> **Note:** This Links object is different from [Linked Objects](/openapi/okta-management/management/tag/LinkedObject/).\n\n#### Individual Users versus collection of Users\n\nFor an individual User result, the Links object contains a full set of link relations available for that User as determined by your policies. For a collection of Users, the Links object contains only the `self` link. Operations that return a collection of Users include [List all Users](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) and [List all Member Users](openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers).\n\nThe following table shows some links that may be available on a User, as determined by your policies:\n\n| Link Relation Type | Description |\n|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n|self\t | A self-referential link to this user |\n|activate\t | Lifecycle action to [activate the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) |\n|deactivate |\tLifecycle action to [deactivate the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/deactivateUser) |\n|suspend |\tLifecycle action to [suspend the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/suspendUser) |\n|unsuspend |\tLifecycle action to [unsuspend the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unsuspendUser) |\n|resetPassword |\tLifecycle action to [trigger a password reset](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) |\n|expirePassword |\tLifecycle action to [expire the user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/expirePassword) |\n|resetFactors |\tLifecycle action to [reset all MFA factors](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/resetFactors) |\n|unlock |\tLifecycle action to [unlock a locked-out user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unlockUser) |\n|forgotPassword |\t[Resets a user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword) by validating the user's recovery credential. |\n|changePassword |\t[Changes a user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) validating the user's current password |\n|changeRecoveryQuestion |\t[Changes a user's recovery credential](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changeRecoveryQuestion) by validating the user's current password |" + - name: UserCred + x-displayName: User Credentials + description: The User Credentials API provides operations to manage user credentials in your org. - name: UserFactor x-displayName: User Factors description: |- The Factors API provides operations to enroll, manage, and verify factors for multifactor authentication (MFA). Generally, authentication involves verifying a different one-time passcode (OTP). Manage both administration and end-user accounts, or verify an individual factor at any time. Okta supports several different types of Factors: + | Factor Type | Description | |-----------------------|-------------| | `call` | Software OTP sent using a voice call to a registered phone number | @@ -665,9 +781,48 @@ tags: | `web` | HTML inline frame (iframe) for embedding verification from a third party | | `webauthn` | Hardware WebAuthn device | | `signed_nonce` | Okta Fastpass (device-bound authentication). This is available for OIE orgs if the org has users that have enrolled with Okta Verify after the org started using OIE. | + - name: UserGrant + x-displayName: User Grants + description: |- + The User Grants API provides operations to manage user consent Grants in your org. + + A consent represents a user's explicit permission to allow an app to access resources protected by scopes. Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they've already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted. + + > **Hint:** For all grant operations, you can use `me` instead of the `userId` in an endpoint that contains `/users`, in an active session with no SSWS token (API token). For example: `https://${yourOktaDomain}/api/v1/users/me/grants` returns all the grants for the active session user. + + > **Note:** Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For more information, see [FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment). + - name: UserLifecycle + x-displayName: User Lifecycle + description: |- + The User Lifecycle API provides lifecycle operations, which are non-idempotent operations that initiate a state transition for a user's status. Some operations are asynchronous while others are synchronous. + The user's current status limits what operations are allowed. + - name: UserLinkedObject + x-displayName: User Linked Objects + description: |- + The User Linked Objects API provides operations to manage User Linked Objects in your org. + Use link value operations to assign Users to a relationship, represented by a pair of `primary` and `associated` links. See also the [Linked Objects API](/openapi/okta-management/management/tag/LinkedObject/). + + For these operations, the examples use consistent IDs so that you can follow the operations more easily: + * `manager` is the `primary` relationship and is assigned `00u5t60iloOHN9pBi0h7` + * `subordinate` is the `associated` relationship and is assigned to IDs `00u5zex6ztMbOZhF50h7` and `00u1tsf0nQKavLDUh0g5` + - name: UserOAuth + x-displayName: User OAuth 2.0 Token Management + description: |- + The User OAuth 2.0 Token Management API provides operations to manage tokens issued by an Authorization Server for a particular User and Client in your org. For example, you can revoke every active refresh token for a User in the context of a specific Client. You can also [revoke specific tokens](https://developer.okta.com/docs/guides/revoke-tokens/main/) or [manage tokens at the authorization server level](/openapi/okta-management/management/tag/AuthorizationServer/). + + Read [Validate Access Tokens](https://developer.okta.com/docs/guides/validate-access-tokens/) to understand more about how OAuth 2.0 tokens work. + - name: UserResources + x-displayName: User Resources + description: The User Resources API provides operations related to User resources. + - name: UserSessions + x-displayName: User Sessions + description: The User Sessions API provides operations to manage User sessions in your org. - name: UserType x-displayName: User Types description: The User Types API provides operations to manage User Types. + - name: WebAuthnPreregistration + x-displayName: WebAuthn Preregistration + description: The WebAuthn Preregistration API provides a flow to initiate and set up WebAuthn Preregistration authenticator enrollments through third-party fulfillment providers. externalDocs: description: Find more info here url: https://developer.okta.com/docs/reference/core-okta-api/#design-principles @@ -710,7 +865,7 @@ paths: /.well-known/okta-organization: get: summary: Retrieve the Well-Known Org Metadata - description: Retrieves the well-known org metadata, which includes the id, configured custom domains, authentication pipeline, and various other org settings + description: Retrieves the well-known org metadata, which includes the org ID, configured custom domains, authentication pipeline, and various other org settings operationId: getWellknownOrgMetadata responses: '200': @@ -728,7 +883,7 @@ paths: $ref: '#/components/responses/ErrorTooManyRequests429' security: [] tags: - - OrgSetting + - OrgSettingMetadata x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -1314,7 +1469,7 @@ paths: tags: - ApiToken x-okta-lifecycle: - lifecycle: EA + lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke an API Token @@ -1341,32 +1496,53 @@ paths: /api/v1/apps: get: summary: List all Applications - description: Lists all applications with pagination. A subset of apps can be returned that match a supported filter expression or query. + description: Lists all apps in the org with pagination. A subset of apps can be returned that match a supported filter expression or query. The results are [paginated](/#pagination) according to the `limit` parameter. If there are multiple pages of results, the header contains a `next` link. Treat the link as an opaque value (follow it, don't parse it). operationId: listApplications parameters: - name: q in: query + description: Searches for apps with `name` or `label` properties that starts with the `q` value using the `startsWith` operation schema: type: string + example: Okta - name: after in: query - description: Specifies the pagination cursor for the next page of apps + description: Specifies the [pagination](/#pagination) cursor for the next page of results. Treat this as an opaque value obtained through the `next` link relationship. schema: type: string + example: 16278919418571 + - name: useOptimization + in: query + description: Specifies whether to use query optimization. If you specify `useOptimization=true` in the request query, the response contains a subset of app instance properties. + schema: + type: boolean + default: false - name: limit in: query - description: Specifies the number of results for a page + description: Specifies the number of results per page schema: type: integer format: int32 default: -1 + maximum: 200 - name: filter in: query - description: Filters apps by status, user.id, group.id or credentials.signing.kid expression + description: Filters apps by `status`, `user.id`, `group.id`, `credentials.signing.kid` or `name` expression that supports the `eq` operator schema: type: string + examples: + ActiveStatusEx: + value: status eq "ACTIVE" + summary: Filter for active apps + NameFilterEx: + value: name eq "okta_org2org" + summary: Filter for apps with `okta_org2org` name + CredKidEx: + value: credentials.signing.kid eq "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-F1bm4" + summary: Filter for apps using a specific key - $ref: '#/components/parameters/queryAppsExpand' - name: includeNonDeleted + description: Specifies whether to include non-active, but not deleted apps in the results in: query schema: type: boolean @@ -1380,6 +1556,15 @@ paths: type: array items: $ref: '#/components/schemas/Application' + examples: + ResponseExample1: + $ref: '#/components/examples/GetApplicationsByUserResponseEx' + ResponseExample2: + $ref: '#/components/examples/GetApplicationsByGroupResponseEx' + ResponseExample3: + $ref: '#/components/examples/GetApplicationsByKeyResponseEx' + ResponseExample4: + $ref: '#/components/examples/GetApplicationsByNameResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -1395,7 +1580,12 @@ paths: isGenerallyAvailable: true post: summary: Create an Application - description: Creates a new application to your Okta organization + description: | + Creates an app instance in your Okta org. + + You can either create an OIN app instance or a custom app instance: + * OIN app instances have prescribed `name` (key app definition) and `signOnMode` options. See the [OIN schemas](/openapi/okta-management/management/tag/Application/#tag/Application/schema/GoogleApplication) for the request body. + * For custom app instances, select the [signOnMode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/signOnMode&t=request) that pertains to your app and specify the required parameters in the request body. operationId: createApplication parameters: - name: activate @@ -1414,6 +1604,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStoreEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0Ex' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectEx' required: true responses: '200': @@ -1422,6 +1631,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkAppResponseEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginAppResponseEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthResponseEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStoreResponseEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationResponseEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginResponseEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldResponseEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0ResponseEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -1453,8 +1681,12 @@ paths: parameters: - name: expand in: query + description: |- + An optional query parameter to return the specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. + Valid value: `expand=user/{userId}` schema: type: string + example: user/0oa1gjh63g214q0Hq0g4 responses: '200': description: Success @@ -1462,6 +1694,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + RetrieveEx1: + $ref: '#/components/examples/GetApplicationsResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1479,7 +1714,11 @@ paths: isGenerallyAvailable: true put: summary: Replace an Application - description: Replaces an application + description: | + Replaces properties for an application + > **Notes:** + > * All required properties must be specified in the request body + > * You can't modify system-assigned properties, such as `id`, `name`, `status`, `created`, and `lastUpdated`. The values for these properties in the PUT request body are ignored. operationId: replaceApplication x-codegen-request-body-name: application requestBody: @@ -1487,6 +1726,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkPutEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginPutEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthPutEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStorePutEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationPutEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginPutEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldPutEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0PutEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectPutEx' required: true responses: '200': @@ -1495,6 +1753,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkPutResponseEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginPutResponseEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthPutResponseEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStorePutResponseEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationPutResponseEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginPutResponseEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldPutResponseEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0PutResponseEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectPutResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -1710,13 +1987,17 @@ paths: - oauth2: - okta.apps.read tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Generate a Certificate Signing Request - description: Generates a new key pair and returns the Certificate Signing Request for it + description: |- + Generates a new key pair and returns the Certificate Signing Request(CSR) for it. The information in a CSR is used by the Certificate Authority (CA) to verify and create your certificate. It also contains the public key that is included in your certificate. + + Returns CSR in `pkcs#10` format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`. + > **Note:** The key pair isn't listed in the Key Credentials for the app until it's published. operationId: generateCsrForApplication x-codegen-request-body-name: metadata requestBody: @@ -1728,10 +2009,36 @@ paths: responses: '201': description: Created + headers: + Content-Type: + schema: + type: string + description: The Content-Type of the response + examples: + pkcs10Header: + summary: application/pkcs10 Content-Type header + value: application/pkcs10; filename=okta.p10 + json: + summary: application/json Content-Type header + value: application/json + Content-Transfer-Encoding: + schema: + type: string + description: Encoding of the response + example: base64 content: + application/pkcs10: + schema: + $ref: '#/components/schemas/AppCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/AppCsrPkcs10Response' application/json: schema: $ref: '#/components/schemas/Csr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/AppCsrJsonResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -1745,7 +2052,7 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -1755,15 +2062,44 @@ paths: - $ref: '#/components/parameters/pathCsrId' get: summary: Retrieve a Certificate Signing Request - description: Retrieves a certificate signing request for the app by `id` + description: |- + Retrieves a Certificate Signing Request (CSR) for the app by `csrId`. + + Returns a Base64-encoded CSR in DER format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`. operationId: getCsrForApplication responses: '200': description: Success + headers: + Content-Type: + schema: + type: string + description: The Content-Type of the response + examples: + pkcs10Header: + summary: application/pkcs10 Content-Type header + value: application/pkcs10; filename=okta.p10 + json: + summary: application/json Content-Type header + value: application/json + Content-Transfer-Encoding: + schema: + type: string + description: Encoding of the response + example: base64 content: application/json: schema: $ref: '#/components/schemas/Csr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/AppCsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/AppCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/AppCsrPkcs10Response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1775,13 +2111,13 @@ paths: - oauth2: - okta.apps.read tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a Certificate Signing Request - description: Revokes a certificate signing request and deletes the key pair from the application + description: Revokes a Certificate Signing Request and deletes the key pair from the app operationId: revokeCsrFromApplication responses: '204': @@ -1798,7 +2134,7 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -1808,7 +2144,9 @@ paths: - $ref: '#/components/parameters/pathCsrId' post: summary: Publish a Certificate Signing Request - description: Publishes a certificate signing request for the app with a signed X.509 certificate and adds it into the application key credentials + description: |- + Publishes a Certificate Signing Request (CSR) for the app with a signed X.509 certificate and adds it into the Application Key Credentials. + > **Note:** Publishing a certificate completes the lifecycle of the CSR and it's no longer accessible. operationId: publishCsrFromApplication requestBody: required: true @@ -1817,16 +2155,26 @@ paths: schema: type: string format: binary + description: |- + X.509 certificate in `CER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: '@certificate.pem' x-okta-operationId: publishBinaryCerCert application/pkix-cert: schema: type: string format: binary + description: |- + X.509 certificate in `DER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: MIIFgjCCA2qgAwIBAgICEAcwDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARPa3RhMQwwCgYDVQQLDANFbmcxDTALBgNVBAMMBFJvb3QwHhcNMTcwMzI3MjEyMDQ3WhcNMTgwNDA2MjEyMDQ3WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwKT2t0YSwgSW5jLjEQMA4GA1UECwwHSmFua3lDbzEVMBMGA1UEAwwMSWRQIElzc3VlciA3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmkC6yAJVvFwUlmM9gKjb2d+YK5qHFt+mXSsbjWKKs4EfNm+BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL/q7n0f/SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH+bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQIDAQABo4IBLjCCASowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVqJukDmyENw/2pTApbxc/HRKbngwgZAGA1UdIwSBiDCBhYAUFx245ZZXqWTTbARfMlFWN77L9EahYqRgMF4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEMMAoGA1UECwwDRW5nMQ0wCwYDVQQDDARSb290ggkAlIfpwZjO5o8wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQCcoBSRtY+9cJY00hLvq6AloYZcdn/kUQupfmyz4n3lKE3wV2FB0swKnK0QDi8iNuQJFdag/19vDHC4/LhoSuv1Q+KXM61pPZVRXXPyC1+e7Y6hj93tEI5HcqLPcDRH1AIG2l8tE7LBn+MQB5Vh6oxjG2IdoWxg6abMfISU+MauPWql4vMDUWo9iNShAo44Z5fd+nuz+hlAinU9Xn9Jf2QsfKvcbMRq7iuqgkabgdmObmWb9KK0Vm7TDkxCH0pB0onPr6epVUP8Obg/pT1Oj/1hOLbfR8CHHWdAWzUBGGvp2TIy2A8LUaEoFnwkxZfdL7Bnd0RH/ClBtAjzLOxmUo7NbZmEnYCcD5pZz7BdZI0db/eBXFqfOlA88rEe+9Sv+NndIq0/WNIIsJi2RgjJnxsxvB5MjhhzmItpFIUl5yqoO3C9jcCp6HDBJxtCGbvAr5ALPn5RCJeBIr67WpAiTd7L3Ebu9SQZlXnoHX8kP04EA6ylR3W0EFbh7KUtq8M2H2vo0wjMj7ysl/3tT7cEZ97s1ygO5iJx3GfMDyrDhtLXSBJ20uSxTJeptRw8SDiwTqunIh1WyKlcQz1WGauSbW4eXdj/r9KYMJ3qMMkdP/9THQUtTcOYx51r8RV9pdzqF2HPnZZNziBa+wXJZHEWp70NyoakNthgYwtypqiDHs2f3Q== x-okta-operationId: publishBinaryDerCert application/x-pem-file: schema: type: string format: binary + description: X.509 certificate in `PEM` format + example: '@certificate.pem' x-okta-operationId: publishBinaryPemCert responses: '201': @@ -1835,8 +2183,261 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + PublishCSR: + $ref: '#/components/examples/KeyCredentialExample' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorPublishCSRCertDoesNotMatchCSR: + $ref: '#/components/examples/ErrorPublishCSRCertDoesNotMatchCSR' + ErrorPublishCSRCertValidityLessThan90Days: + $ref: '#/components/examples/ErrorPublishCSRCertValidityLessThan90Days' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: List all the OAuth 2.0 Client JSON Web Keys + description: Lists all JSON Web Keys for an OAuth 2.0 client app + operationId: listJwk + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + OAuthClientJsonWebKeyListResponseExample: + $ref: '#/components/examples/oAuthClientJsonWebKeyListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Add a JSON Web Key + description: |- + Adds a new JSON Web Key to the client’s JSON Web Keys. + > **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. This is also consistent with how the [Dynamic Client Registration](/openapi/okta-oauth/oauth/tag/Client/) or [Applications](/openapi/okta-management/management/tag/Application/) APIs behave, as they don't allow the creation of multiple keys without `kids`. Use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) or the [Replace a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/replaceClient) operation to update the JWKS or [Delete an OAuth 2.0 Client JSON Web Key](/openapi/okta-management/management/tag/ApplicationSSOCredentialOAuth2ClientAuth/#tag/ApplicationSSOCredentialOAuth2ClientAuth/operation/deletejwk) and re-add the key with a `kid`. + operationId: addJwk + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBody' + examples: + createOAuth2ClientJsonWebKeyRequestBody: + $ref: '#/components/examples/oAuthClientJsonWebKeyRequest' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + newOAuth2ClientSecretResponse: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorClientJsonWebKeyNonUniqueKid: + $ref: '#/components/examples/ErrorClientJsonWebKeyNonUniqueKid' + ErrorClientJsonWebKeyDuplicateKid: + $ref: '#/components/examples/ErrorClientJsonWebKeyDuplicateKid' + ErrorClientJsonWebKeyKidLengthTooShort: + $ref: '#/components/examples/ErrorClientJsonWebKeyKidLengthTooShort' + ErrorClientJsonWebKeyTooManyKids: + $ref: '#/components/examples/ErrorClientJsonWebKeyTooManyKids' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + get: + summary: Retrieve an OAuth 2.0 Client JSON Web Key + description: Retrieves an OAuth 2.0 Client JSON Web Key by `keyId`. + operationId: getJwk + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + OAuthClientJsonWebKeyResponseExample: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an OAuth 2.0 Client JSON Web Key + description: Deletes an OAuth 2.0 Client JSON Web Key by `keyId`. You can only delete an inactive key. + operationId: deletejwk + responses: + '204': + description: No Content + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveJsonWebKey: + $ref: '#/components/examples/ErrorDeleteActiveJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + post: + summary: Activate an OAuth 2.0 Client JSON Web Key + description: Activates an OAuth 2.0 Client JSON Web Key by `keyId` + operationId: activateOAuth2ClientJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + activateOAuth2ClientJsonWebKeyResponse: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + post: + summary: Deactivate an OAuth 2.0 Client JSON Web Key + description: Deactivates an OAuth 2.0 Client JSON Web Key by `keyId`. + operationId: deactivateOAuth2ClientJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + deactivateOAuth2ClientJsonWebKeyResponse: + $ref: '#/components/examples/deactivateOAuth2ClientJsonWebKeyResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: + $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod' + ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: + $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1848,7 +2449,7 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialOAuth2ClientAuth x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -1857,7 +2458,7 @@ paths: - $ref: '#/components/parameters/pathAppId' get: summary: List all Key Credentials - description: Lists all key credentials for an application + description: Lists all key credentials for an app operationId: listApplicationKeys responses: '200': @@ -1868,6 +2469,9 @@ paths: type: array items: $ref: '#/components/schemas/JsonWebKey' + examples: + ListAllKeyCredentialsExample: + $ref: '#/components/examples/ListAllKeyCredentialsExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1879,7 +2483,7 @@ paths: - oauth2: - okta.apps.read tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -1888,13 +2492,18 @@ paths: - $ref: '#/components/parameters/pathAppId' post: summary: Generate a Key Credential - description: Generates a new X.509 certificate for an application key credential + description: |- + Generates a new X.509 certificate for an app key credential + > **Note:** To update an Application with the newly generated key credential, use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) request with the new [credentials.signing.kid](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing/kid&t=request) value in the request body. You can provide just the [Signing Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing&t=request) instead of the entire [Application Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials&t=request). operationId: generateApplicationKey parameters: - name: validityYears + description: Expiry years of the Application Key Credential in: query + required: true schema: type: integer + example: 5 responses: '201': description: Created @@ -1902,6 +2511,18 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorKeyCredentialInvalidValidity: + $ref: '#/components/examples/ErrorKeyCredentialInvalidValidity' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1913,7 +2534,7 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -1923,7 +2544,7 @@ paths: - $ref: '#/components/parameters/pathKeyId' get: summary: Retrieve a Key Credential - description: Retrieves a specific application key credential by kid + description: Retrieves a specific Application Key Credential by `kid` operationId: getApplicationKey responses: '200': @@ -1932,6 +2553,9 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1943,7 +2567,7 @@ paths: - oauth2: - okta.apps.read tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -1953,7 +2577,11 @@ paths: - $ref: '#/components/parameters/pathKeyId' post: summary: Clone a Key Credential - description: Clones a X.509 certificate for an application key credential from a source application to target application. + description: |- + Clones an X.509 certificate for an Application Key Credential from a source app to a target app. + + For step-by-step instructions to clone a credential, see [Share application key credentials for IdPs across apps](https://developer.okta.com/docs/guides/sharing-cert/main/). + > **Note:** Sharing certificates isn't a recommended security practice. operationId: cloneApplicationKey parameters: - name: targetAid @@ -1962,6 +2590,7 @@ paths: required: true schema: type: string + example: 0ouuytCAJSSDELFTUIDS responses: '201': description: Created @@ -1969,6 +2598,18 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorKeyCredentialCloneDuplicateKey: + $ref: '#/components/examples/ErrorKeyCredentialCloneDuplicateKey' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1980,7 +2621,251 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: List all OAuth 2.0 Client Secrets + description: Lists all client secrets for an OAuth 2.0 client app + operationId: listOAuth2ClientSecrets + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + OAuthClientSecretListResponseExample: + $ref: '#/components/examples/oAuthClientSecretListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an OAuth 2.0 Client Secret + description: |- + Creates an OAuth 2.0 Client Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects. + > **Note:** This API lets you bring your own secret. If [token_endpoint_auth_method](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/credentials/oauthClient/token_endpoint_auth_method&t=request) of the app is `client_secret_jwt`, then the minimum length of `client_secret` is 32 characters. If no secret is specified in the request, Okta adds a new system-generated secret. + operationId: createOAuth2ClientSecret + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecretRequestBody' + examples: + createOAuth2ClientSecretSystemGeneratedRequestBody: + $ref: '#/components/examples/createOAuth2ClientSecretSystemGeneratedRequestBody' + createOAuth2ClientSecretCustomRequestBody: + $ref: '#/components/examples/createOAuth2ClientSecretCustomRequestBody' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + newOAuth2ClientSecretResponse: + $ref: '#/components/examples/oAuth2ClientSecretResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorClientSecretTooLong: + $ref: '#/components/examples/ErrorClientSecretTooLong' + ErrorClientSecretTooShort: + $ref: '#/components/examples/ErrorClientSecretTooShort' + ErrorClientSecretTooShortJWT: + $ref: '#/components/examples/ErrorClientSecretTooShortWithClientSecretJWT' + ErrorClientSecretPrivateKeyJWT: + $ref: '#/components/examples/ErrorClientSecretWithPrivateKeyJWT' + ErrorClientSecretNonAscii: + $ref: '#/components/examples/ErrorClientSecretNonAscii' + ErrorMaxNumberOfSecrets: + $ref: '#/components/examples/ErrorMaxNumberOfSecrets' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + get: + summary: Retrieve an OAuth 2.0 Client Secret + description: Retrieves an OAuth 2.0 Client Secret by `secretId` + operationId: getOAuth2ClientSecret + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + OAuthClientSecretResponseExample: + $ref: '#/components/examples/oAuth2ClientSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an OAuth 2.0 Client Secret + description: Deletes an OAuth 2.0 Client Secret by `secretId`. You can only delete an inactive Secret. + operationId: deleteOAuth2ClientSecret + responses: + '204': + description: No Content + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveClientSecret: + $ref: '#/components/examples/ErrorDeleteActiveSecret' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + post: + summary: Activate an OAuth 2.0 Client Secret + description: Activates an OAuth 2.0 Client Secret by `secretId` + operationId: activateOAuth2ClientSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + activateOAuth2ClientSecretResponse: + $ref: '#/components/examples/activateOAuth2ClientSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + post: + summary: Deactivate an OAuth 2.0 Client Secret + description: Deactivates an OAuth 2.0 Client Secret by `secretId`. You can't deactivate a secret if it's the only secret of the client. + operationId: deactivateOAuth2ClientSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + deactivateOAuth2ClientSecretResponse: + $ref: '#/components/examples/deactivateOAuth2ClientSecretResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateTheOnlyClientSecret: + $ref: '#/components/examples/ErrorDeactivateTheOnlyClientSecret' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -1990,8 +2875,8 @@ paths: get: summary: List all Features description: | - Lists all features for an application - > **Note:** This request returns an error if provisioning isn't enabled for the application. + Lists all features for an app + > **Note:** This request returns an error if provisioning isn't enabled for the app. > To set up provisioning, see [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). operationId: listFeaturesForApplication responses: @@ -2036,7 +2921,7 @@ paths: - $ref: '#/components/parameters/pathFeatureName' get: summary: Retrieve a Feature - description: Retrieves a Feature object for an application + description: Retrieves a Feature object for an app operationId: getFeatureForApplication responses: '200': @@ -2066,7 +2951,7 @@ paths: put: summary: Update a Feature description: | - Updates a Feature object for an application + Updates a Feature object for an app > **Note:** This endpoint supports partial updates. operationId: updateFeatureForApplication requestBody: @@ -2547,13 +3432,13 @@ paths: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathPolicyId' put: - summary: Assign an application to a Policy + summary: Assign an Authentication Policy description: |- - Assigns an application to an [authentication policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`. - If the application was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`. + Assigns an app to an [authentication policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`. + If the app was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`. > **Note:** When you [merge duplicate authentication policies](https://help.okta.com/okta_help.htm?type=oie&id=ext-merge-auth-policies), - the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email. + the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email with merged results. operationId: assignApplicationPolicy responses: '204': @@ -2582,6 +3467,13 @@ paths: summary: Preview the application SAML metadata description: Previews the SSO SAML metadata for an application operationId: previewSAMLmetadataForApplication + parameters: + - name: kid + in: query + required: true + schema: + type: integer + example: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo responses: '200': description: OK @@ -2645,7 +3537,7 @@ paths: parameters: - $ref: '#/components/parameters/pathAppId' get: - summary: List all application refresh Tokens + summary: List all Application Refresh Tokens description: | Lists all refresh tokens for an app @@ -2684,7 +3576,7 @@ paths: lifecycle: GA isGenerallyAvailable: true delete: - summary: Revoke all application Tokens + summary: Revoke all Application Tokens description: Revokes all OAuth 2.0 refresh tokens for the specified app. Any access tokens issued with these refresh tokens are also revoked, but access tokens issued without a refresh token aren't affected. operationId: revokeOAuth2TokensForApplication responses: @@ -2711,7 +3603,7 @@ paths: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathTokenId' get: - summary: Retrieve an application Token + summary: Retrieve an Application Token description: Retrieves a refresh token for the specified app operationId: getOAuth2TokenForApplication parameters: @@ -2742,7 +3634,7 @@ paths: lifecycle: GA isGenerallyAvailable: true delete: - summary: Revoke an application Token + summary: Revoke an Application Token description: Revokes the specified token for the specified app operationId: revokeOAuth2TokenForApplication responses: @@ -4116,7 +5008,7 @@ paths: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all Credential Keys - description: Lists all credential keys + description: Lists all of the current, future, and expired Keys used by the Custom Authorization Server operationId: listAuthorizationServerKeys responses: '200': @@ -4127,6 +5019,48 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + ListAuthorizationServerKeys: + $ref: '#/components/examples/ListAuthorizationServerKeys' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathCredentialKeyId' + get: + summary: Retrieve an Authorization Server Key + description: Retrieves an Authorization Server Key specified by the `keyId` + operationId: getAuthorizationServerKey + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + ActiveAuthorizationServerKey: + $ref: '#/components/examples/ActiveAuthorizationServerKey' + NextAuthorizationServerKey: + $ref: '#/components/examples/NextAuthorizationServerKey' + ExpiredAuthorizationServerKey: + $ref: '#/components/examples/ExpiredAuthorizationServerKey' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4149,7 +5083,15 @@ paths: - $ref: '#/components/parameters/pathAuthServerId' post: summary: Rotate all Credential Keys - description: Rotates all credential keys + description: |- + Rotates the current Keys for a Custom Authorization Server. If you rotate Keys, + the `ACTIVE` Key becomes the `EXPIRED` Key, the `NEXT` Key becomes the `ACTIVE` Key, + and the Custom Authorization Server immediately begins using the new active + Key to sign tokens. + + > **Note:** Okta rotates your Keys automatically in `AUTO` mode. You can rotate Keys + yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache + and fetch the Keys again using the Keys endpoint. operationId: rotateAuthorizationServerKeys x-codegen-request-body-name: use requestBody: @@ -4167,8 +5109,18 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + RotateAuthorizationServerKeys: + $ref: '#/components/examples/ListAuthorizationServerKeys' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidRotateUse: + $ref: '#/components/examples/InvalidRotateUse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4258,6 +5210,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + ListAuthorizationServerPolicies: + $ref: '#/components/examples/ListAuthorizationServerPolicies' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4285,6 +5240,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + CreateAuthorizationServerPolicyRule: + $ref: '#/components/examples/CreateAuthorizationServerPolicyRequest' required: true responses: '201': @@ -4293,6 +5251,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -4327,6 +5288,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4354,6 +5318,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + UpdateAuthorizationServerPolicyRule: + $ref: '#/components/examples/UpdateAuthorizationServerPolicyRequest' required: true responses: '200': @@ -4362,6 +5329,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -4481,6 +5451,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + ListAuthorizationServerPolicyRules: + $ref: '#/components/examples/ListAuthorizationServerPolicyRules' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4507,7 +5480,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' + examples: + CreateAuthorizationServerPolicyRule: + $ref: '#/components/examples/CreateAuthorizationServerPolicyRuleRequest' required: true responses: '201': @@ -4516,6 +5492,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -4551,6 +5530,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4577,7 +5559,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' + examples: + UpdateAuthorizationServerPolicyRule: + $ref: '#/components/examples/UpdateAuthorizationServerPolicyRuleRequest' required: true responses: '200': @@ -4586,6 +5571,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -4700,22 +5688,29 @@ paths: parameters: - name: q in: query + description: Searches the `name` of Custom Token Scopes for matching values schema: type: string - name: filter in: query + description: Filter expression for Custom Token Scopes schema: type: string - name: after in: query + description: |- + Specifies the pagination cursor for the next page of scopes. + Treat the after cursor as an opaque value and obtain it through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query + description: |- + Specifies the number of objects to return per page. + If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: integer - format: int32 - default: -1 + maximum: 200 responses: '200': description: Success @@ -4725,6 +5720,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleScopes: + $ref: '#/components/examples/ExampleOAuth2Scopes' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4752,6 +5750,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + CreateOAuth2ScopeRequest: + $ref: '#/components/examples/CreateOAuth2ScopeRequest' required: true responses: '201': @@ -4760,6 +5761,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleOAuth2Scope: + $ref: '#/components/examples/ExampleOAuth2Scope' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -4794,6 +5798,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleOAuth2Scope: + $ref: '#/components/examples/ExampleOAuth2Scope' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4821,6 +5828,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + UpdateOAuth2Scope: + $ref: '#/components/examples/UpdateOAuth2ScopeRequest' required: true responses: '200': @@ -4829,6 +5839,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + UpdatedOAuth2Scope: + $ref: '#/components/examples/UpdatedOAuth2ScopeResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -7373,6 +8386,9 @@ paths: isGenerallyAvailable: false SKUs: - Okta Identity Engine + /api/v1/device-checks/{deviceCheckId}: + parameters: + - $ref: '#/components/parameters/pathDeviceCheckId' /api/v1/devices: get: summary: List all Devices @@ -7887,7 +8903,12 @@ paths: - $ref: '#/components/parameters/pathDomainId' put: summary: Upsert the Custom Domain's Certificate - description: Upserts (creates or renews) the `MANUAL` certificate for the custom domain. If the `certificateSourceType` in the domain is `OKTA_MANAGED`, it becomes `MANUAL` and Okta no longer manages and renews certificates for this domain since a user-managed certificate has been provided. + description: |- + Upserts (creates or renews) the `MANUAL` certificate for the custom domain + + > **Notes:** + > * If the existing `certificateSourceType` is `OKTA_MANAGED`, this operation changes the source type to `MANUAL`. Okta no longer manages and renews certificates for this domain after you provide a user-managed certificate. + > * Okta supports TLS certificates and private keys that are PEM-encoded and 2048, 3072, or 4096 bits. See the [Custom domain guide](https://developer.okta.com/docs/guides/custom-url-domain/main/) for more details. operationId: upsertCertificate x-codegen-request-body-name: certificate requestBody: @@ -8920,52 +9941,116 @@ paths: /api/v1/groups: get: summary: List all Groups - description: Lists all groups with pagination support. A subset of groups can be returned that match a supported filter expression or query. + description: |- + Lists all Groups with pagination support. + + The number of Groups returned depends on the specified [`limit`](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!in=query&path=limit&t=request), if you have a search, filter, and/or query parameter set, and if that parameter is not null. We recommend using a limit less than or equal to 200. + + A subset of Groups can be returned that match a supported filter expression, query, or search criteria. + + > **Note:** Results from the filter or query parameter are driven from an eventually consistent datasource. The synchronization lag is typically less than one second. + See [Filtering](https://developer.okta.com/docs/api/#filter) for more information on expressions. operationId: listGroups parameters: - name: q in: query - description: Searches the name property of groups for matching value + description: |- + Finds a Group that matches the `name` property + > **Note:** Paging and searching are currently mutually exclusive. You can't page a query. The default limit for a query is 300 results. Query is intended for an auto-complete picker use case where users refine their search string to constrain the results. schema: type: string + example: West&limit=10 - name: filter in: query - description: Filter expression for groups + description: |- + [Filter expression](https://developer.okta.com/docs/reference/core-okta-api/#filter) for Groups + > **Note:** All filters must be [URL encoded](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. schema: type: string + examples: + filterById: + value: id eq "00g1emaKYZTWRYYRRTSK" + summary: Filter group with a specific ID + filterByType: + value: type eq "OKTA_GROUP" + summary: Filter groups that are of the type `OKTA_GROUP` + filterByTypeAndProfileLastUpdatedAfterDate: + value: type eq "OKTA_GROUP" and lastUpdated gt "2016-11-11T00:00:00.000Z" + summary: Filter groups that are of the type `OKTA_GROUP` with Profile updated after 11/11/2015 + filterByTypeAndProfileOrMembershipUpdatedBeforeDate: + value: type eq "OKTA_GROUP" and (lastUpdated lt "2015-11-11T00:00:00.000Z" or lastMembershipUpdated lt "2015-11-11T00:00:00.000Z") + summary: Filter groups that are of the type `OKTA_GROUP` with Profile or memberships updated before 11/11/2015 - name: after in: query - description: Specifies the pagination cursor for the next page of groups + description: Specifies the pagination cursor for the next page of Groups. The `after` cursor should be treated as an opaque value and obtained through the next link relation. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query - description: Specifies the number of group results in a page + description: |- + Specifies the number of Group results in a page. + + Don't write code that depends on the default or maximum value, as it might change. If you receive an `HTTP 500` status code, you likely exceeded the request timeout. Retry your request with a smaller `limit` and [page the results](https://developer.okta.com/docs/api/#pagination). + + The Okta default Everyone group isn't returned for users with a Group Admin role. + + >**Note:** We strongly encourage using a limit that's less than or equal to 200. Any number greater than 200 affects performance and accuracy. schema: type: integer format: int32 - default: 10000 + maximum: 10000 - name: expand in: query - description: If specified, it causes additional metadata to be included in the response. + description: If specified, additional metadata is included in the response. Possible values are `stats` and `app`. schema: type: string - name: search in: query - description: Searches for groups with a supported filtering expression for all attributes except for _embedded, _links, and objectClass + description: |- + Searches for groups with a supported [filtering](https://developer.okta.com/docs/reference/core-okta-api/#filter) expression for all attributes except for `_embedded`, `_links`, and `objectClass`. + + Search currently performs a `startsWith` match but it should be considered an implementation detail and might change without notice in the future. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). + + Using search requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding), for example, `search=type eq "OKTA_GROUP"` is encoded as `search=type+eq+%22OKTA_GROUP%22`. + + This operation searches many properties: + * Any group profile property, including imported app group profile properties. + * The top-level properties `id`, `created`, `lastMembershipUpdated`, `lastUpdated`, and `type`. + * The [source](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links/source&t=response) of groups with type of `APP_GROUP`, accessed as `source.id`. + You can also use `sortBy` and `sortOrder` parameters. schema: type: string + examples: + searchByType: + value: type eq "APP_GROUP" + summary: Search for Groups that have a type of `APP_GROUP` + searchByLastMembershipUpdatedAfterDate: + value: lastMembershipUpdated gt "2014-01-01T00:00:00.000Z" + summary: Search for Groups whose memberships were last updated after a specific timestamp + searchById: + value: id eq "00gak46y5hydV6NdM0g4" + summary: Search for Groups with the specified ID (`00gak46y5hydV6NdM0g4`) + searchByProfileName: + value: profile.name eq "West Coast Users" + summary: Search for Groups that have a `name` of `West Coast Users` + searchBySamAccountName: + value: profile.samAccountName sw "West Coast" + summary: Search for Groups whose `samAccountName` starts with `West Coast` + searchBySourceId: + value: source.id eq "0oa2v0el0gP90aqjJ0g7" + summary: Search for Groups that have the source app with a specified `source.id` (`0oa2v0el0gP90aqjJ0g7`) + searchByIdTypeAndCreationDate: + value: type eq "APP_GROUP" and (created lt "2014-01-01T00:00:00.000Z" and source.id eq "0oa2v0el0gP90aqjJ0g7") + summary: List groups of type `APP_GROUP` that were created before 01/01/2014 and whose source app has the ID 0oa2v0el0gP90aqjJ0g7 - name: sortBy in: query - description: Specifies field to sort by and can be any single property (for search queries only). + description: Specifies field to sort by **(for search queries only)**. `sortBy` can be any single property, for example `sortBy=profile.name`. schema: type: string example: lastUpdated - name: sortOrder in: query - description: |- - Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` is not present. - Groups with the same value for the `sortBy` parameter are ordered by `id`. + description: 'Specifies sort order: `asc` or `desc` (for search queries only). This parameter is ignored if if `sortBy` is not present. Groups with the same value for the `sortBy` property will be ordered by `id`' schema: type: string default: asc @@ -8978,6 +10063,9 @@ paths: type: array items: $ref: '#/components/schemas/Group' + examples: + ListGroupExample: + $ref: '#/components/examples/list-groups-examples' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -8992,15 +10080,20 @@ paths: lifecycle: GA isGenerallyAvailable: true post: - summary: Create a Group - description: Creates a new group with `OKTA_GROUP` type - operationId: createGroup + summary: Add a Group + description: |- + Adds a new Group with the `OKTA_GROUP` type to your org + > **Note:** App import operations are responsible for syncing Groups with `APP_GROUP` type such as Active Directory Groups. See + [About groups](https://help.okta.com/okta_help.htm?id=Directory_Groups). + operationId: addGroup x-codegen-request-body-name: group requestBody: content: application/json: schema: - $ref: '#/components/schemas/Group' + properties: + profile: + $ref: '#/components/schemas/OktaUserGroupProfile' required: true responses: '200': @@ -9009,6 +10102,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -9026,8 +10122,8 @@ paths: isGenerallyAvailable: true /api/v1/groups/rules: get: - summary: List all Group Rules - description: Lists all group rules + summary: List all Group rules + description: Lists all Group rules for your org operationId: listGroupRules parameters: - name: limit @@ -9037,6 +10133,8 @@ paths: type: integer format: int32 default: 50 + minimum: 1 + maximum: 200 - name: after in: query description: Specifies the pagination cursor for the next page of rules @@ -9044,12 +10142,12 @@ paths: type: string - name: search in: query - description: Specifies the keyword to search fules for + description: Specifies the keyword to search rules for schema: type: string - name: expand in: query - description: If specified as `groupIdToGroupNameMap`, then show group names + description: If specified as `groupIdToGroupNameMap`, then displays group names schema: type: string x-okta-added-version: 1.3.0 @@ -9062,6 +10160,9 @@ paths: type: array items: $ref: '#/components/schemas/GroupRule' + examples: + ListGroupRulesExample: + $ref: '#/components/examples/list-group-rules-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -9071,20 +10172,25 @@ paths: - oauth2: - okta.groups.read tags: - - Group + - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Create a Group Rule - description: Creates a group rule to dynamically add users to the specified group if they match the condition + summary: Create a Group rule + description: |- + Creates a Group rule to dynamically add Users to the specified Group if they match the condition + > **Note:** Group rules are created with the status set to `'INACTIVE'`. operationId: createGroupRule x-codegen-request-body-name: groupRule requestBody: content: application/json: schema: - $ref: '#/components/schemas/GroupRule' + $ref: '#/components/schemas/CreateGroupRuleRequest' + examples: + GroupRuleExample: + $ref: '#/components/examples/create-group-rule-request-example' required: true responses: '200': @@ -9093,6 +10199,9 @@ paths: application/json: schema: $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -9104,7 +10213,7 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -9112,12 +10221,13 @@ paths: parameters: - $ref: '#/components/parameters/pathGroupRuleId' get: - summary: Retrieve a Group Rule - description: Retrieves a specific group rule by `groupRuleId` + summary: Retrieve a Group rule + description: Retrieves a specific Group rule by ID from your org operationId: getGroupRule parameters: - name: expand in: query + description: If specified as `groupIdToGroupNameMap`, then show Group names schema: type: string responses: @@ -9127,6 +10237,9 @@ paths: application/json: schema: $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9138,13 +10251,17 @@ paths: - oauth2: - okta.groups.read tags: - - Group + - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: - summary: Replace a Group Rule - description: Replaces a group rule. Only `INACTIVE` rules can be updated. + summary: Replace a Group rule + description: |- + Replaces a Group rule + > **Notes:** You only can update rules with a Group whose status is set to `'INACTIVE'`. + > + > You currently can't update the `action` section. operationId: replaceGroupRule x-codegen-request-body-name: groupRule requestBody: @@ -9152,6 +10269,9 @@ paths: application/json: schema: $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' required: true responses: '200': @@ -9173,20 +10293,21 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Delete a group Rule + summary: Delete a Group Rule description: Deletes a specific group rule by `groupRuleId` operationId: deleteGroupRule parameters: - name: removeUsers in: query - description: Indicates whether to keep or remove users from groups assigned by this rule. + description: If set to `true`, removes Users from Groups assigned by this rule schema: type: boolean + default: false responses: '202': description: Accepted @@ -9202,7 +10323,7 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -9211,7 +10332,7 @@ paths: - $ref: '#/components/parameters/pathGroupRuleId' post: summary: Activate a Group Rule - description: Activates a specific group rule by `groupRuleId` + description: Activates a specific Group rule by ID from your org operationId: activateGroupRule responses: '204': @@ -9228,7 +10349,7 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -9237,7 +10358,7 @@ paths: - $ref: '#/components/parameters/pathGroupRuleId' post: summary: Deactivate a Group Rule - description: Deactivates a specific group rule by `groupRuleId` + description: Deactivates a specific Group rule by ID from your org operationId: deactivateGroupRule responses: '204': @@ -9254,7 +10375,7 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -9263,7 +10384,7 @@ paths: - $ref: '#/components/parameters/pathGroupId' get: summary: Retrieve a Group - description: Retrieves a group by `groupId` + description: Retrieves a specific Group by `id` from your org operationId: getGroup responses: '200': @@ -9272,6 +10393,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9289,14 +10413,20 @@ paths: isGenerallyAvailable: true put: summary: Replace a Group - description: Replaces the profile for a group with `OKTA_GROUP` type + description: |- + Replaces the profile for a Group of `OKTA_GROUP` type from your org + > **Note :** You only can modify profiles for groups of the `OKTA_GROUP` type. + > + > App imports are responsible for updating profiles for groups of the `APP_GROUP` type, such as Active Directory groups. operationId: replaceGroup x-codegen-request-body-name: group requestBody: content: application/json: schema: - $ref: '#/components/schemas/Group' + properties: + profile: + $ref: '#/components/schemas/OktaUserGroupProfile' required: true responses: '200': @@ -9305,6 +10435,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -9324,7 +10457,9 @@ paths: isGenerallyAvailable: true delete: summary: Delete a Group - description: Deletes a group with `OKTA_GROUP` type + description: |- + Deletes a Group of the `OKTA_GROUP` or `APP_GROUP` type from your org + > **Note:** You can't remove Groups of type `APP_GROUP` if they are used in a group push mapping. operationId: deleteGroup responses: '204': @@ -9350,7 +10485,7 @@ paths: - $ref: '#/components/parameters/pathGroupId' get: summary: List all Assigned Applications - description: Lists all applications that are assigned to a group + description: Lists all apps that are assigned to a Group. See [Application Groups API](/openapi/okta-management/management/tag/ApplicationGroups/). operationId: listAssignedApplicationsForGroup parameters: - name: after @@ -9374,6 +10509,9 @@ paths: type: array items: $ref: '#/components/schemas/Application' + examples: + ListAppsExample: + $ref: '#/components/examples/list-apps-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9516,14 +10654,11 @@ paths: parameters: - $ref: '#/components/parameters/pathGroupId' get: - summary: List all Assigned Roles of Group - description: Lists all assigned roles of group identified by `groupId` + summary: List all Group Role Assignments + description: Lists all assigned roles of a Group by `groupId` operationId: listGroupAssignedRoles parameters: - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/pathQueryRoleExpand' responses: '200': description: Success @@ -9532,7 +10667,16 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponseGroup' + Custom Roles: + $ref: '#/components/examples/CustomRolesListResponseGroup' + IAM-Based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponseGroup' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9544,26 +10688,36 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Assign a Role to a Group - description: Assigns a role to a group + description: |- + Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a Group. + + You can also assign a custom role to a Group, but the preferred method to assign a custom role to a Group is to create a binding between the Custom Role, the Resource Set, and the Group. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. operationId: assignRoleToGroup parameters: - name: disableNotifications in: query - description: Setting this to `true` grants the group third-party admin status + description: Grants the Group third-party admin status when set to `true` schema: type: boolean + default: false x-codegen-request-body-name: assignRoleRequest requestBody: content: application/json: schema: - $ref: '#/components/schemas/AssignRoleRequest' + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' required: true responses: '200': @@ -9571,7 +10725,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup' + Custom Roles: + $ref: '#/components/examples/CreateCustomRoleResponseGroup' + IAM-based Standard Roles: + $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' '201': description: Success content: {} @@ -9588,17 +10751,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment + - RoleAssignmentBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/groups/{groupId}/roles/{roleId}: + /api/v1/groups/{groupId}/roles/{roleAssignmentId}: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: Retrieve a Role assigned to Group - description: Retrieves a role identified by `roleId` assigned to group identified by `groupId` + summary: Retrieve a Group Role Assignment + description: Retrieves a Role assigned to a Group (identified by the `groupId`). The `roleAssignmentId` is the unique identifier for either a standard role Group Assignment object or a custom role Resource Set Binding object. operationId: getGroupAssignedRole responses: '200': @@ -9606,7 +10769,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup' + Custom Roles: + $ref: '#/components/examples/CreateCustomRoleResponseGroup' + IAM-based Standard Roles: + $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9618,13 +10790,13 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign a Role from a Group - description: Unassigns a role identified by `roleId` assigned to group identified by `groupId` + summary: Unassign a Group Role + description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a Group (identified by the `groupId`) operationId: unassignRoleFromGroup responses: '204': @@ -9641,17 +10813,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment + - RoleAssignmentBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps: + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Application Targets for an Application Administrator Role - description: Lists all App targets for an `APP_ADMIN` Role assigned to a Group. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID. + summary: List all Group Role Application Targets + description: Lists all app targets for an `APP_ADMIN` Role Assignment to a Group. The response includes a list of OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app doesn't. operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup parameters: - name: after @@ -9684,18 +10856,18 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget + - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}: + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' put: - summary: Assign an Application Target to Administrator Role - description: Assigns an application target to administrator role + summary: Assign an Group Role Application Target + description: Assigns an OIN app target to an `APP_ADMIN` Role Assignment to a Group. When you assign the first OIN app target, you reduce the scope of the Role Assignment. The Role no longer applies to all app targets but applies only to the specified target. An OIN app target that's assigned to the Role overrides any existing instance targets of the OIN app. For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app with `facebook` for `appName` makes that user the administrator for all Facebook instances. operationId: assignAppTargetToAdminRoleForGroup responses: '200': @@ -9712,13 +10884,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign an Application Target from Application Administrator Role - description: Unassigns an application target from application administrator role + summary: Unassign a Group Role Application Target + description: | + Unassigns an OIN app target from an `APP_ADMIN` Role Assignment to a Group + + > **Note:** You can't remove the last app target from a Role Assignment, since this causes an exception. + > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. See [Unassign a Group Role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). operationId: unassignAppTargetToAdminRoleForGroup responses: '204': @@ -9735,19 +10911,21 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}/{appId}: + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathAppId' put: - summary: Assign an Application Instance Target to Application Administrator Role - description: Assigns App Instance Target to App Administrator Role given to a Group + summary: Assign an Group Role Application Instance Target + description: |- + Assigns an app instance target to an `APP_ADMIN` Role Assignment to a Group. When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment. The Role no longer applies to all app targets, but applies only to the specified target. + > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. operationId: assignAppInstanceTargetToAppAdminRoleForGroup responses: '204': @@ -9764,13 +10942,15 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign an Application Instance Target from an Application Administrator Role - description: Unassigns an application instance target from application administrator role + summary: Unassign an Group Role Application Instance Target + description: |- + Unassigns an app instance target from an `APP_ADMIN` Role Assignment to a Group + > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception. > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. See [Unassign a Group Role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). operationId: unassignAppInstanceTargetToAppAdminRoleForGroup responses: '204': @@ -9787,17 +10967,19 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/groups/{groupId}/roles/{roleId}/targets/groups: + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Group Targets for a Group Role - description: Lists all group targets for a group role + summary: List all Group Role Group Targets + description: | + Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. + If the Role isn't scoped to specific Group targets, an empty array `[]` is returned. operationId: listGroupTargetsForGroupRole parameters: - name: after @@ -9830,18 +11012,20 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget + - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/groups/{groupId}/roles/{roleId}/targets/groups/{targetGroupId}: + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups/{targetGroupId}: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathTargetGroupId' put: - summary: Assign a Group Target to a Group Role - description: Assigns a group target to a group role + summary: Assign a Group Role Group Target + description: | + Assigns a Group target to a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. + When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets but applies only to the specified target. operationId: assignGroupTargetToGroupAdminRole responses: '204': @@ -9858,13 +11042,13 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign a Group Target from a Group Role - description: Unassigns a group target from a group role + summary: Unassign a Group Role Group Target + description: Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. operationId: unassignGroupTargetFromGroupAdminRole responses: '204': @@ -9881,7 +11065,7 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -9890,28 +11074,12 @@ paths: - $ref: '#/components/parameters/pathGroupId' get: summary: List all Member Users - description: Lists all users that are a member of a group + description: |- + Lists all users that are a member of a Group. + + The default user limit is set to a very high number due to historical reasons that are no longer valid for most orgs. This will change in a future version of this API. The recommended page limit is now `limit=200`. operationId: listGroupUsers parameters: - - name: search - in: query - description: Searches for users with a supported filtering expression for user name, primary email, or user name - schema: - type: string - - name: sortBy - in: query - description: Specifies which field to sort by. This can be any single property. - schema: - type: string - example: id - - name: sortOrder - in: query - description: |- - Specifies sort order: `asc` or `desc`. This parameter is ignored if `sortBy` is not present. - Users with the same value for the `sortBy` parameter are ordered by `id`. - schema: - type: string - default: asc - $ref: '#/components/parameters/queryAfter' - name: limit in: query @@ -9928,7 +11096,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/GroupMember' + $ref: '#/components/schemas/User' + examples: + ListMemberUserResponse: + $ref: '#/components/examples/ListUsersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9949,8 +11120,10 @@ paths: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathUserId' put: - summary: Assign a User - description: Assigns a user to a group with 'OKTA_GROUP' type + summary: Assign a User to a Group + description: |- + Assigns a User to a Group with the `OKTA_GROUP` type + > **Note:** You only can modify memberships for Groups of the `OKTA_GROUP` type. App imports are responsible for managing group memberships for Groups of the `APP_GROUP` type, such as Active Directory groups. operationId: assignUserToGroup responses: '204': @@ -9972,8 +11145,12 @@ paths: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign a User - description: Unassigns a user from a group with 'OKTA_GROUP' type + summary: Unassign a User from a Group + description: |- + Unassigns a User from a Group with the `OKTA_GROUP` type + > **Note:** You only can modify memberships for groups of the `OKTA_GROUP` type. + > + > App imports are responsible for managing group memberships for groups of the `APP_GROUP` type, such as Active Directory groups. operationId: unassignUserFromGroup responses: '204': @@ -10026,10 +11203,10 @@ paths: isGenerallyAvailable: true post: summary: Create a key - description: | + description: |- Creates a key for use with other parts of the application, such as inline hooks - Use the key name to access this key for inline hook operations. + > **Note:** Use the key name to access this key for inline hook operations. The total number of keys that you can create in an Okta org is limited to 50. operationId: createHookKey @@ -10046,7 +11223,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/HookKey' + $ref: '#/components/schemas/DetailedHookKeyInstance' examples: ResponseExample: $ref: '#/components/examples/CreateHookKeyResponse' @@ -10065,12 +11242,15 @@ paths: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/hook-keys/public/{publicKeyId}: + /api/v1/hook-keys/public/{keyId}: parameters: - $ref: '#/components/parameters/pathPublicKeyId' get: summary: Retrieve a public key - description: Retrieves a public key by `keyId` + description: |- + Retrieves a public key by `keyId` + + >**Note:** keyId is the alias of the public key. operationId: getPublicKey responses: '200': @@ -10078,7 +11258,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/_embedded' examples: ResponseExample: $ref: '#/components/examples/RetrievePublicKeyResponse' @@ -10097,13 +11277,22 @@ paths: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/hook-keys/{hookKeyId}: + /api/v1/hook-keys/{id}: parameters: - $ref: '#/components/parameters/pathHookKeyId' get: - summary: Retrieve a key - description: Retrieves a key by `hookKeyId` + summary: Retrieve a key by ID + description: |- + Retrieves the public portion of the Key object using the `id` parameter + + >**Note:** The `?expand=publickey` query parameter optionally returns the full object including the details of the public key in the response body's `_embedded` property. operationId: getHookKey + parameters: + - name: id + description: A valid key ID + in: path + schema: + type: string responses: '200': description: Success @@ -10131,12 +11320,12 @@ paths: isGenerallyAvailable: true put: summary: Replace a key - description: | - Replaces a key by `hookKeyId` + description: |- + Replaces a key by `id` This request replaces existing properties after passing validation. - Note: The only parameter that you can update is the name of the key, which must be unique at all times. + > **Note:** The only parameter that you can update is the name of the key, which must be unique at all times. operationId: replaceHookKey x-codegen-request-body-name: keyRequest requestBody: @@ -10151,7 +11340,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/HookKey' + $ref: '#/components/schemas/DetailedHookKeyInstance' examples: ResponseExample: $ref: '#/components/examples/ReplaceKeyResponse' @@ -10175,7 +11364,7 @@ paths: delete: summary: Delete a key description: | - Deletes a key by `hookKeyId`. After being deleted, the key is unrecoverable. + Deletes a key by `id`. After being deleted, the key is unrecoverable. As a safety precaution, only keys that aren't being used are eligible for deletion. operationId: deleteHookKey @@ -10205,9 +11394,11 @@ paths: operationId: listUsersWithRoleAssignments parameters: - name: after + description: Specifies the pagination cursor for the next page of targets in: query schema: type: string + required: false - name: limit in: query description: Specifies the number of results returned. Defaults to `100`. @@ -10215,6 +11406,7 @@ paths: type: integer format: int32 default: 100 + required: false responses: '200': description: Success @@ -10238,7 +11430,7 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -10268,7 +11460,7 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -10276,7 +11468,8 @@ paths: summary: Create a Resource Set description: |- Creates a new Resource Set. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). - > **Note:** The maximum amount of `resources` allowed in a `resource set` object is 1000. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn). + + > **Note:** The maximum number of `resources` allowed in a Resource Set object is 1000. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn). operationId: createResourceSet x-codegen-request-body-name: instance requestBody: @@ -10316,16 +11509,16 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/iam/resource-sets/{resourceSetId}: + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: summary: Retrieve a Resource Set - description: Retrieves a Resource Set by `resourceSetId` + description: Retrieves a Resource Set by `resourceSetIdOrLabel` operationId: getResourceSet responses: '200': @@ -10348,13 +11541,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a Resource Set - description: Replaces a Resource Set by `resourceSetId` + description: Replaces the label and description of a Resource Set operationId: replaceResourceSet x-codegen-request-body-name: instance requestBody: @@ -10364,7 +11557,7 @@ paths: $ref: '#/components/schemas/ResourceSet' examples: Example Request: - $ref: '#/components/examples/ResourceSetRequest' + $ref: '#/components/examples/ReplaceResourceSetRequest' required: true responses: '200': @@ -10389,13 +11582,13 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a Resource Set - description: Deletes a role by `resourceSetId` + description: Deletes a Resource Set by `resourceSetIdOrLabel` operationId: deleteResourceSet responses: '204': @@ -10419,16 +11612,16 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/iam/resource-sets/{resourceSetId}/bindings: + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: - summary: List all Bindings - description: Lists all Resource Set bindings with pagination support + summary: List all Role Resource Set Bindings + description: Lists all Bindings for a Resource Set with pagination support operationId: listBindings parameters: - $ref: '#/components/parameters/queryAfter' @@ -10453,13 +11646,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleDResourceSetBinding x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Create a Resource Set Binding - description: Creates a new Resource Set binding + summary: Create a Role Resource Set Binding + description: Creates a Binding for the Resource Set, Custom Role, and members (Users or Groups) operationId: createResourceSetBinding x-codegen-request-body-name: instance requestBody: @@ -10501,17 +11694,17 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleDResourceSetBinding x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}: + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' get: - summary: Retrieve a Binding - description: Retrieves a Resource Set binding by `resourceSetId` and `roleIdOrLabel` + summary: Retrieve a Role Resource Set Binding + description: Retrieves the Binding of a Role (identified by `roleIdOrLabel`) in a Resource Set (identified by `resourceSetIdOrLabel`) operationId: getBinding responses: '200': @@ -10534,13 +11727,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleDResourceSetBinding x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Delete a Binding - description: Deletes a Resource Set binding by `resourceSetId` and `roleIdOrLabel` + summary: Delete a Role Resource Set Binding + description: Deletes a Binding of a Role (identified by `roleIdOrLabel`) and a Resource Set (identified by `resourceSetIdOrLabel`) operationId: deleteBinding responses: '204': @@ -10564,17 +11757,17 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleDResourceSetBinding x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}/members: + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' get: - summary: List all Members of a binding - description: Lists all members of a Resource Set binding with pagination support + summary: List all Role Resource Set Binding Members + description: Lists all members of a Role Resource Set Binding with pagination support operationId: listMembersOfBinding parameters: - $ref: '#/components/parameters/queryAfter' @@ -10599,13 +11792,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleDResourceSetBindingMember x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true patch: - summary: Add more Members to a binding - description: Adds more members to a Resource Set binding + summary: Add more Role Resource Set Binding Members + description: Adds more members to a Role Resource Set Binding operationId: addMembersToBinding x-codegen-request-body-name: instance requestBody: @@ -10647,18 +11840,18 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleDResourceSetBindingMember x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}/members/{memberId}: + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members/{memberId}: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' - $ref: '#/components/parameters/pathMemberId' get: - summary: Retrieve a Member of a binding - description: Retrieves a member identified by `memberId` for a binding + summary: Retrieve a Role Resource Set Binding Member + description: Retrieves a Member (identified by `memberId`) that belongs to a Role Resource Set Binding operationId: getMemberOfBinding responses: '200': @@ -10681,13 +11874,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleDResourceSetBindingMember x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign a Member from a binding - description: Unassigns a member identified by `memberId` from a binding + summary: Unassign a Role Resource Set Bindiing Member + description: Unassigns a Member (identified by `memberId`) from a Role Resource Set Binding operationId: unassignMemberFromBinding x-codegen-request-body-name: instance responses: @@ -10712,16 +11905,16 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleDResourceSetBindingMember x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/iam/resource-sets/{resourceSetId}/resources: + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: - summary: List all Resources of a Resource Set - description: Lists all resources that make up the Resource Set + summary: List all Resource Set Resources + description: Lists all Resources for the Resource Set operationId: listResourceSetResources responses: '200': @@ -10744,14 +11937,14 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleCResourceSetResource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true patch: - summary: Add more Resource to a Resource Set - description: Adds more resources to a Resource Set - operationId: addResourceSetResource + summary: Add more Resources to a Resource Set + description: Adds more Resources to a Resource Set + operationId: addResourceSetResources x-codegen-request-body-name: instance requestBody: content: @@ -10792,17 +11985,17 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleCResourceSetResource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/iam/resource-sets/{resourceSetId}/resources/{resourceId}: + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathResourceId' delete: - summary: Delete a Resource from a Resource Set - description: Deletes a resource identified by `resourceId` from a Resource Set + summary: Delete a Resource Set Resource + description: Deletes a Resource (identified by `resourceId`) from a Resource Set operationId: deleteResourceSetResource responses: '204': @@ -10826,14 +12019,14 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleCResourceSetResource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/roles: get: - summary: List all Roles - description: Lists all roles with pagination support + summary: List all Custom Roles + description: Lists all Custom Roles with pagination support operationId: listRoles parameters: - $ref: '#/components/parameters/queryAfter' @@ -10856,13 +12049,13 @@ paths: - oauth2: - okta.roles.read tags: - - Role + - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Create a Role - description: Creates a new role + summary: Create a Custom Role + description: Creates a Custom Role operationId: createRole x-codegen-request-body-name: instance requestBody: @@ -10902,7 +12095,7 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -10934,13 +12127,13 @@ paths: - oauth2: - okta.roles.read tags: - - Role + - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: - summary: Replace a Role - description: Replaces a role by `roleIdOrLabel` + summary: Replace a Custom Role + description: Replaces the label and description for a Custom Role by `roleIdOrLabel` operationId: replaceRole x-codegen-request-body-name: instance requestBody: @@ -10950,7 +12143,7 @@ paths: $ref: '#/components/schemas/UpdateIamRoleRequest' examples: Example Request: - $ref: '#/components/examples/RoleRequest' + $ref: '#/components/examples/ReplaceRoleRequest' required: true responses: '200': @@ -10975,13 +12168,13 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Delete a Role - description: Deletes a role by `roleIdOrLabel` + summary: Delete a Custom Role + description: Deletes a Custom Role by `roleIdOrLabel` operationId: deleteRole responses: '204': @@ -11005,7 +12198,7 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11013,8 +12206,8 @@ paths: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' get: - summary: List all Permissions - description: Lists all permissions of the role by `roleIdOrLabel` + summary: List all Custom Role Permissions + description: Lists all permissions for a Custom Role by `roleIdOrLabel` operationId: listRolePermissions responses: '200': @@ -11037,7 +12230,7 @@ paths: - oauth2: - okta.roles.read tags: - - Role + - RoleECustomPermission x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11046,8 +12239,8 @@ paths: - $ref: '#/components/parameters/pathRoleIdOrLabel' - $ref: '#/components/parameters/pathPermissionType' get: - summary: Retrieve a Permission - description: Retrieves a permission by `permissionType` + summary: Retrieve a Custom Role Permission + description: Retrieves a permission (identified by `permissionType`) for a Custom Role operationId: getRolePermission responses: '200': @@ -11057,8 +12250,10 @@ paths: schema: $ref: '#/components/schemas/Permission' examples: - Example Response: + Example Response without conditions: $ref: '#/components/examples/PermissionResponse' + Example Response with conditions: + $ref: '#/components/examples/PermissionResponseWithConditions' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11070,13 +12265,13 @@ paths: - oauth2: - okta.roles.read tags: - - Role + - RoleECustomPermission x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Create a Permission - description: Creates a permission specified by `permissionType` to the role + summary: Create a Custom Role Permission + description: Creates a permission (specified by `permissionType`) for a Custom Role operationId: createRolePermission x-codegen-request-body-name: instance requestBody: @@ -11088,8 +12283,10 @@ paths: schema: $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' examples: - Example Request: - $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExample' + Example Request with include: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude' + Example Request with exclude: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude' required: false responses: '204': @@ -11107,7 +12304,7 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustomPermission x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11115,8 +12312,8 @@ paths: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - summary: Replace a Permission - description: Replaces a permission specified by `permissionType` in the role + summary: Replace a Custom Role Permission + description: Replaces a permission (specified by `permissionType`) for a Custom Role operationId: replaceRolePermission x-codegen-request-body-name: instance requestBody: @@ -11125,8 +12322,10 @@ paths: schema: $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' examples: - Example Request: - $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExample' + Example Request with include: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude' + Example Request with exclude: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude' required: false responses: '200': @@ -11151,10 +12350,10 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustomPermission delete: - summary: Delete a Permission - description: Deletes a permission from a role by `permissionType` + summary: Delete a Custom Role Permission + description: Deletes a permission (identified by `permissionType`) from a Custom Role operationId: deleteRolePermission responses: '204': @@ -11178,7 +12377,7 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustomPermission x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11187,7 +12386,7 @@ paths: - $ref: '#/components/parameters/pathIdentitySourceId' get: summary: List all Identity Source Sessions - description: Lists all identity source sessions for the given identity source instance + description: Lists all Identity Source Sessions for the given Identity Source instance operationId: listIdentitySourceSessions responses: '200': @@ -11219,7 +12418,7 @@ paths: SKUs: [] post: summary: Create an Identity Source Session - description: Creates an identity source session for the given identity source instance + description: Creates an Identity Source Session for the given Identity Source instance operationId: createIdentitySourceSession responses: '200': @@ -11227,12 +12426,10 @@ paths: content: application/json: schema: - type: object - items: - $ref: '#/components/schemas/IdentitySourceSession' + $ref: '#/components/schemas/IdentitySourceSession' examples: - sessionsList: - $ref: '#/components/examples/ListSessionsResponse' + session: + $ref: '#/components/examples/GetSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11255,7 +12452,7 @@ paths: - $ref: '#/components/parameters/pathIdentitySourceSessionId' get: summary: Retrieve an Identity Source Session - description: Retrieves an identity source session for a given identity source id and session id + description: Retrieves an Identity Source Session for a given Identity Source ID and session ID operationId: getIdentitySourceSession responses: '200': @@ -11265,8 +12462,8 @@ paths: schema: $ref: '#/components/schemas/IdentitySourceSession' examples: - Session: - $ref: '#/components/examples/ListSessionsResponse' + session: + $ref: '#/components/examples/GetSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11285,7 +12482,7 @@ paths: SKUs: [] delete: summary: Delete an Identity Source Session - description: Deletes an identity source session for a given `identitySourceId` and `sessionId` + description: Deletes an Identity Source Session for a given `identitySourceId` and `sessionId` operationId: deleteIdentitySourceSession responses: '204': @@ -11312,13 +12509,16 @@ paths: - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the data to be deleted in Okta - description: Uploads entities that need to be deleted in Okta from the identity source for the given session + description: Uploads external IDs of entities that need to be deleted in Okta from the Identity Source for the given session operationId: uploadIdentitySourceDataForDelete requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkDeleteRequestBody' + examples: + bulkDeletePayload: + $ref: '#/components/examples/bulkDeletePayload' responses: '202': description: Accepted @@ -11346,13 +12546,16 @@ paths: - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the data to be upserted in Okta - description: Uploads entities that need to be upserted in Okta from the identity source for the given session + description: Uploads entities that need to be inserted or updated in Okta from the Identity Source for the given session operationId: uploadIdentitySourceDataForUpsert requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkUpsertRequestBody' + examples: + bulkUpsertPayload: + $ref: '#/components/examples/bulkUpsertPayload' responses: '202': description: Accepted @@ -11380,7 +12583,7 @@ paths: - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Start the import from the Identity Source - description: Starts the import from the identity source described by the uploaded bulk operations + description: Starts the import from the Identity Source described by the uploaded bulk operations operationId: startImportFromIdentitySource responses: '200': @@ -11388,11 +12591,9 @@ paths: content: application/json: schema: - type: object - items: - $ref: '#/components/schemas/IdentitySourceSession' + $ref: '#/components/schemas/IdentitySourceSession' examples: - sessionsList: + triggeredSession: $ref: '#/components/examples/TriggerSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' @@ -11418,26 +12619,17 @@ paths: parameters: - name: q in: query - description: Searches the name property of IdPs for matching value - schema: - type: string - - name: after - in: query - description: Specifies the pagination cursor for the next page of IdPs + description: Searches the `name` property of IdPs for matching value schema: type: string - - name: limit - in: query - description: Specifies the number of IdP results in a page - schema: - type: integer - format: int32 - default: 20 + example: Example SAML + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' - name: type in: query - description: Filters IdPs by type + description: Filters IdPs by `type` schema: - type: string + $ref: '#/components/schemas/IdentityProviderType' responses: '200': description: Success @@ -11447,6 +12639,9 @@ paths: type: array items: $ref: '#/components/schemas/IdentityProvider' + examples: + MultipleIdPsResponse: + $ref: '#/components/examples/MultipleIdPsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -11462,14 +12657,55 @@ paths: isGenerallyAvailable: true post: summary: Create an Identity Provider - description: Creates a new identity provider integration + description: |- + Creates a new Identity Provider integration. + + #### SAML 2.0 Identity Provider + + You must first add the IdP's signature certificate to the IdP key store before you can add a SAML 2.0 IdP with a `kid` credential reference. + + Don't use `fromURI` to automatically redirect a user to a particular app after successfully authenticating with a third-party IdP. Instead, use SAML deep links. Using `fromURI` isn't tested or supported. For more information about using deep links when signing users in using an SP-initiated flow, see [Understanding SP-Initiated Login flow](https://developer.okta.com/docs/concepts/saml/#understanding-sp-initiated-login-flow). + + Use SAML deep links to automatically redirect the user to an app after successfully authenticating with a third-party IdP. To use deep links, assemble these three parts into a URL: + + * SP ACS URL
+ For example: `https://${yourOktaDomain}/sso/saml2/:idpId` + * The app to which the user is automatically redirected after successfully authenticating with the IdP
+ For example: `/app/:app-location/:appId/sso/saml` + * Optionally, if the app is an outbound SAML app, you can specify the `relayState` passed to it.
+ For example: `?RelayState=:anyUrlEncodedValue` + + The deep link for the above three parts is:
+ `https://${yourOktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue` + + #### Smart Card X509 Identity Provider + + You must first add the IdP's server certificate to the IdP key store before you can add a Smart Card `X509` IdP with a `kid` credential reference. + You need to upload the whole trust chain as a single key using the [Key Store API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderKeys/#tag/IdentityProviderKeys/operation/createIdentityProviderKey). + Depending on the information stored in the smart card, select the proper [template](https://developer.okta.com/docs/reference/okta-expression-language/#idp-user-profile) `idpuser.subjectAltNameEmail` or `idpuser.subjectAltNameUpn`. operationId: createIdentityProvider x-codegen-request-body-name: identityProvider requestBody: + description: IdP settings content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + CreateGenericOidcIdPRequest: + $ref: '#/components/examples/CreateGenericOidcIdPRequest' + CreateSamlIdPRequest: + $ref: '#/components/examples/CreateSamlIdPRequest' + CreateAppleIdPRequest: + $ref: '#/components/examples/CreateAppleIdPRequest' + CreateFacebookIdPRequest: + $ref: '#/components/examples/CreateFacebookIdPRequest' + CreateGoogleIdPRequest: + $ref: '#/components/examples/CreateGoogleIdPRequest' + CreateMicrosoftIdPRequest: + $ref: '#/components/examples/CreateMicrosoftIdPRequest' + CreateSmartCardIdPRequest: + $ref: '#/components/examples/CreateSmartCardIdPRequest' required: true responses: '200': @@ -11478,6 +12714,21 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + CreateGenericOidcIdpResponse: + $ref: '#/components/examples/GenericOidcIdpResponse' + CreateSamlIdPResponse: + $ref: '#/components/examples/SamlIdPResponse' + CreateAppleIdPResponse: + $ref: '#/components/examples/AppleIdPResponse' + CreateFacebookIdPResponse: + $ref: '#/components/examples/FacebookIdPResponse' + CreateGoogleIdPResponse: + $ref: '#/components/examples/GoogleIdPResponse' + CreateMicrosoftIdPResponse: + $ref: '#/components/examples/MicrosoftIdPResponse' + CreateSmartCardIdPResponse: + $ref: '#/components/examples/SmartCardIdPResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11495,22 +12746,12 @@ paths: isGenerallyAvailable: true /api/v1/idps/credentials/keys: get: - summary: List all Credential Keys - description: Lists all IdP key credentials + summary: List all IdP Key Credentials + description: Lists all IdP Key Credentials operationId: listIdentityProviderKeys parameters: - - name: after - in: query - description: Specifies the pagination cursor for the next page of keys - schema: - type: string - - name: limit - in: query - description: Specifies the number of key results in a page - schema: - type: integer - format: int32 - default: 20 + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success @@ -11519,7 +12760,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + ListIdPKeyCredentialsResponse: + $ref: '#/components/examples/MultipleIdPKeyCredentialsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -11529,20 +12773,22 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Create an X.509 Certificate Public Key - description: Creates a new X.509 certificate credential to the IdP key store. + summary: Create an IdP Key Credential + description: |- + Creates a new X.509 certificate credential in the IdP key store + > **Note:** RSA-based certificates are supported for all IdP types. Okta currently supports EC-based certificates only for the `X509` IdP type. For EC-based certificates we support only P-256, P-384, and P-521 curves. operationId: createIdentityProviderKey x-codegen-request-body-name: jsonWebKey requestBody: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPCertificateCredential' required: true responses: '200': @@ -11550,7 +12796,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11562,15 +12811,15 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/idps/credentials/keys/{idpKeyId}: + /api/v1/idps/credentials/keys/{kid}: parameters: - - $ref: '#/components/parameters/pathIdpKeyId' + - $ref: '#/components/parameters/pathKid' get: - summary: Retrieve an Credential Key + summary: Retrieve an IdP Key Credential description: Retrieves a specific IdP Key Credential by `kid` operationId: getIdentityProviderKey responses: @@ -11579,7 +12828,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11591,13 +12843,54 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an IdP Key Credential + description: Replaces an IdP Key Credential by `kid` + operationId: replaceIdentityProviderKey + requestBody: + description: Updated IdP Key Credential + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialRequest: + $ref: '#/components/examples/IdPKeyCredentialRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Delete a Signing Credential Key - description: Deletes a specific IdP Key Credential by `kid` if it is not currently being used by an Active or Inactive IdP + summary: Delete an IdP Key Credential + description: Deletes a specific IdP Key Credential by `kid` if it isn't currently being used by an active or inactive IdP operationId: deleteIdentityProviderKey responses: '204': @@ -11614,7 +12907,7 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11632,6 +12925,11 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + GenericOidcIdpResponse: + $ref: '#/components/examples/GenericOidcIdpResponse' + SamlIdPResponse: + $ref: '#/components/examples/SamlIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11653,10 +12951,14 @@ paths: operationId: replaceIdentityProvider x-codegen-request-body-name: identityProvider requestBody: + description: Updated configuration for the IdP content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + ReplaceIdPRequest: + $ref: '#/components/examples/ReplaceIdPRequestResponse' required: true responses: '200': @@ -11665,6 +12967,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + ReplaceIdPResponse: + $ref: '#/components/examples/ReplaceIdPRequestResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11684,7 +12989,10 @@ paths: isGenerallyAvailable: true delete: summary: Delete an Identity Provider - description: Deletes an identity provider integration by `idpId` + description: |- + Deletes an identity provider integration by `idpId` + * All existing IdP users are unlinked with the highest order profile source taking precedence for each IdP user. + * Unlinked users keep their existing authentication provider such as `FEDERATION` or `SOCIAL`. operationId: deleteIdentityProvider responses: '204': @@ -11720,7 +13028,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Csr' + $ref: '#/components/schemas/IdPCsr' + examples: + MultipleIdPCsrsResponse: + $ref: '#/components/examples/MultipleIdPCsrsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11732,13 +13043,15 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Generate a Certificate Signing Request - description: Generates a new key pair and returns a Certificate Signing Request for it + description: |- + Generates a new key pair and returns a Certificate Signing Request (CSR) for it + > **Note:** The private key isn't listed in the [Signing Key Credentials for IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderSigningKeys/#tag/IdentityProviderSigningKeys/operation/listIdentityProviderSigningKeys) until it's published. operationId: generateCsrForIdentityProvider x-codegen-request-body-name: metadata requestBody: @@ -11753,7 +13066,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Csr' + $ref: '#/components/schemas/IdPCsr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/CsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/IdPCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/CsrPkcs10Response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11767,7 +13089,7 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11777,7 +13099,7 @@ paths: - $ref: '#/components/parameters/pathIdpCsrId' get: summary: Retrieve a Certificate Signing Request - description: Retrieves a specific Certificate Signing Request model by id + description: Retrieves a specific Certificate Signing Request by `id` operationId: getCsrForIdentityProvider responses: '200': @@ -11785,7 +13107,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Csr' + $ref: '#/components/schemas/IdPCsr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/CsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/IdPCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/CsrPkcs10Response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11797,13 +13128,13 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a Certificate Signing Request - description: Revokes a certificate signing request and deletes the key pair from the IdP + description: Revokes a CSR and deletes the key pair from the IdP operationId: revokeCsrForIdentityProvider responses: '204': @@ -11820,7 +13151,7 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11830,25 +13161,39 @@ paths: - $ref: '#/components/parameters/pathIdpCsrId' post: summary: Publish a Certificate Signing Request - description: Publishes a certificate signing request with a signed X.509 certificate and adds it into the signing key credentials for the IdP + description: |- + Publishes the CSR with a signed X.509 certificate and adds it into the signing Key Credentials for the IdP + > **Notes:** + > * Publishing a certificate completes the lifecycle of the CSR, and it's no longer accessible. + > * If the validity period of the certificate is less than 90 days, a 400 error response is returned. operationId: publishCsrForIdentityProvider requestBody: required: true content: - application/x-x509-ca-cert: + application/pkix-cert: schema: type: string format: binary - x-okta-operationId: publishBinaryCerCertForIdentityProvider - application/pkix-cert: + description: |- + X.509 certificate in `DER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: MIIFgjCCA2qgAwIBAgICEAcwDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARPa3RhMQwwCgYDVQQLDANFbmcxDTALBgNVBAMMBFJvb3QwHhcNMTcwMzI3MjEyMDQ3WhcNMTgwNDA2MjEyMDQ3WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwKT2t0YSwgSW5jLjEQMA4GA1UECwwHSmFua3lDbzEVMBMGA1UEAwwMSWRQIElzc3VlciA3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmkC6yAJVvFwUlmM9gKjb2d+YK5qHFt+mXSsbjWKKs4EfNm+BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL/q7n0f/SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH+bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQIDAQABo4IBLjCCASowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVqJukDmyENw/2pTApbxc/HRKbngwgZAGA1UdIwSBiDCBhYAUFx245ZZXqWTTbARfMlFWN77L9EahYqRgMF4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEMMAoGA1UECwwDRW5nMQ0wCwYDVQQDDARSb290ggkAlIfpwZjO5o8wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQCcoBSRtY+9cJY00hLvq6AloYZcdn/kUQupfmyz4n3lKE3wV2FB0swKnK0QDi8iNuQJFdag/19vDHC4/LhoSuv1Q+KXM61pPZVRXXPyC1+e7Y6hj93tEI5HcqLPcDRH1AIG2l8tE7LBn+MQB5Vh6oxjG2IdoWxg6abMfISU+MauPWql4vMDUWo9iNShAo44Z5fd+nuz+hlAinU9Xn9Jf2QsfKvcbMRq7iuqgkabgdmObmWb9KK0Vm7TDkxCH0pB0onPr6epVUP8Obg/pT1Oj/1hOLbfR8CHHWdAWzUBGGvp2TIy2A8LUaEoFnwkxZfdL7Bnd0RH/ClBtAjzLOxmUo7NbZmEnYCcD5pZz7BdZI0db/eBXFqfOlA88rEe+9Sv+NndIq0/WNIIsJi2RgjJnxsxvB5MjhhzmItpFIUl5yqoO3C9jcCp6HDBJxtCGbvAr5ALPn5RCJeBIr67WpAiTd7L3Ebu9SQZlXnoHX8kP04EA6ylR3W0EFbh7KUtq8M2H2vo0wjMj7ysl/3tT7cEZ97s1ygO5iJx3GfMDyrDhtLXSBJ20uSxTJeptRw8SDiwTqunIh1WyKlcQz1WGauSbW4eXdj/r9KYMJ3qMMkdP/9THQUtTcOYx51r8RV9pdzqF2HPnZZNziBa+wXJZHEWp70NyoakNthgYwtypqiDHs2f3Q== + x-okta-operationId: publishBinaryDerCertForIdentityProvider + application/x-x509-ca-cert: schema: type: string format: binary - x-okta-operationId: publishBinaryDerCertForIdentityProvider + description: |- + X.509 certificate in `CER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: '@certificate.cer' + x-okta-operationId: publishBinaryCerCertForIdentityProvider application/x-pem-file: schema: type: string format: binary + description: X.509 certificate in `PEM` format + example: '@certificate.pem' x-okta-operationId: publishBinaryPemCertForIdentityProvider responses: '201': @@ -11856,7 +13201,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11870,7 +13215,7 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11878,8 +13223,8 @@ paths: parameters: - $ref: '#/components/parameters/pathIdpId' get: - summary: List all Signing Credential Keys - description: Lists all signing key credentials for an IdP + summary: List all signing Key Credentials for IdP + description: Lists all signing Key Credentials for an IdP operationId: listIdentityProviderSigningKeys responses: '200': @@ -11889,7 +13234,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + MultipleIdPSigningKeyCredentialsResponse: + $ref: '#/components/examples/MultipleIdPSigningKeyCredentialsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11901,7 +13249,7 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -11909,8 +13257,10 @@ paths: parameters: - $ref: '#/components/parameters/pathIdpId' post: - summary: Generate a new Signing Credential Key - description: Generates a new X.509 certificate for an IdP signing key credential to be used for signing assertions sent to the IdP + summary: Generate a new signing Key Credential for IdP + description: |- + Generates a new X.509 certificate for an IdP signing Key Credential to be used for signing assertions sent to the IdP. IdP signing keys are read-only. + > **Note:** To update an IdP with the newly generated Key Credential, [update your IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider) using the returned key's `kid` in the [signing credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/credentials/signing/kid&t=request). operationId: generateIdentityProviderSigningKey parameters: - name: validityYears @@ -11920,13 +13270,18 @@ paths: schema: type: integer format: int32 + minimum: 2 + maximum: 10 responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11938,16 +13293,16 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/idps/{idpId}/credentials/keys/{idpKeyId}: + /api/v1/idps/{idpId}/credentials/keys/{kid}: parameters: - $ref: '#/components/parameters/pathIdpId' - - $ref: '#/components/parameters/pathIdpKeyId' + - $ref: '#/components/parameters/pathKid' get: - summary: Retrieve a Signing Credential Key + summary: Retrieve a signing Key Credential for IdP description: Retrieves a specific IdP Key Credential by `kid` operationId: getIdentityProviderSigningKey responses: @@ -11956,7 +13311,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11968,22 +13326,27 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/idps/{idpId}/credentials/keys/{idpKeyId}/clone: + /api/v1/idps/{idpId}/credentials/keys/{kid}/clone: parameters: - $ref: '#/components/parameters/pathIdpId' - - $ref: '#/components/parameters/pathIdpKeyId' + - $ref: '#/components/parameters/pathKid' post: - summary: Clone a Signing Credential Key - description: Clones a X.509 certificate for an IdP signing key credential from a source IdP to target IdP + summary: Clone a signing Key Credential for IdP + description: |- + Clones an X.509 certificate for an IdP signing Key Credential from a source IdP to target IdP + > **Caution:** Sharing certificates isn't a recommended security practice. + + > **Note:** If the key is already present in the list of Key Credentials for the target IdP, you receive a 400 error response. operationId: cloneIdentityProviderKey parameters: - name: targetIdpId in: query required: true + description: '`id` of the target IdP' schema: type: string responses: @@ -11992,7 +13355,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12004,7 +13370,7 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -12022,6 +13388,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + ActivateIdPResponse: + $ref: '#/components/examples/ActivateIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12051,6 +13420,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + DeactivateIdPResponse: + $ref: '#/components/examples/DeactivateIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12070,32 +13442,19 @@ paths: parameters: - $ref: '#/components/parameters/pathIdpId' get: - summary: List all Users - description: Lists all users linked to the identity provider + summary: List all Users for IdP + description: Lists all the Users linked to an Identity Provider operationId: listIdentityProviderApplicationUsers parameters: - - name: q - in: query - description: Searches the name property of IdPs for matching value - schema: - type: string - - name: after - in: query - description: Specifies the pagination cursor for the next page of IdPs - schema: - type: string - - name: limit - in: query - description: Specifies the number of IdP results in a page - schema: - type: integer - format: int32 - default: 20 + - $ref: '#/components/parameters/queryFilter' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' - name: expand in: query description: Expand user data schema: type: string + example: user responses: '200': description: Success @@ -12105,6 +13464,9 @@ paths: type: array items: $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + ListIdPUsersResponse: + $ref: '#/components/examples/ListIdPUsersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12116,7 +13478,7 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -12125,8 +13487,8 @@ paths: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathUserId' get: - summary: Retrieve a User - description: Retrieves a linked IdP user by ID + summary: Retrieve a User for IdP + description: Retrieves a linked IdP User by ID operationId: getIdentityProviderApplicationUser responses: '200': @@ -12135,6 +13497,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + IdPAppUserResponse: + $ref: '#/components/examples/IdPAppUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12146,13 +13511,17 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Link a User to a Social IdP - description: Links an Okta user to an existing Social Identity Provider. This does not support the SAML2 Identity Provider Type + summary: Link a User to IdP + description: |- + Links an Okta User to an existing SAML or social Identity Provider. + + The SAML Identity Provider must have `honorPersistentNameId` set to `true` to use this API. + The [Name Identifier Format](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/settings&t=request) of the incoming assertion must be `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`. operationId: linkUserToIdentityProvider x-codegen-request-body-name: userIdentityProviderLinkRequest requestBody: @@ -12168,6 +13537,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + LinkIdPAppUserResponse: + $ref: '#/components/examples/LinkIdPAppUserResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -12181,13 +13553,13 @@ paths: - oauth2: - okta.users.manage tags: - - IdentityProvider + - IdentityProviderUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unlink a User from IdP - description: Unlinks the link between the Okta user and the IdP user + description: Unlinks the Okta User and the IdP User. The next time the User federates into Okta through this IdP, they have to re-link their account according to the account link policy. operationId: unlinkUserFromIdentityProvider responses: '204': @@ -12204,7 +13576,7 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -12213,8 +13585,11 @@ paths: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathUserId' get: - summary: List all Tokens from a OIDC Identity Provider - description: Lists the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth + summary: List all Tokens from OIDC IdP + description: |- + Lists the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth. + + Okta doesn't import all the User information from a social provider. If the app needs information that isn't imported, it can get the User token from this endpoint. Then the app can make an API call to the social provider with the token to request the additional information. operationId: listSocialAuthTokens responses: '200': @@ -12225,6 +13600,9 @@ paths: type: array items: $ref: '#/components/schemas/SocialAuthToken' + examples: + SocialAuthTokensResponse: + $ref: '#/components/examples/SocialAuthTokensResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12236,7 +13614,7 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -12800,41 +14178,57 @@ paths: /api/v1/logs: get: summary: List all System Log Events - description: Lists all system log events. The Okta System Log API provides read access to your organization’s system log. This API provides more functionality than the Events API + description: Lists all System Log Events operationId: listLogEvents parameters: - name: since + description: Filters the lower time bound of the log events `published` property for bounded queries or persistence time for polling queries in: query schema: type: string - format: date-time + format: ISO 8601 compliant timestamp + default: 7 days prior to until - name: until + description: Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries. + in: query + schema: + type: string + format: ISO 8601 compliant timestamp + default: current time + - name: after + description: Retrieves the next page of results. Okta returns a link in the HTTP Header (`rel=next`) that includes the after query parameter in: query schema: type: string - format: date-time + format: Opaque token - name: filter + description: Filter expression that filters the results. All operators except [ ] are supported. See [Filter](https://developer.okta.com/docs/api/#filter). in: query schema: type: string + format: SCIM Filter expression - name: q + description: Filters log events results by one or more case insensitive keywords. in: query schema: type: string + format: URL encoded string. Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding) - name: limit + description: Sets the number of results that are returned in the response in: query schema: type: integer + format: Integer between 0 and 1000 default: 100 - name: sortOrder + description: The order of the returned events that are sorted by the `published` property in: query schema: type: string + enum: + - ASCENDING + - DESCENDING default: ASCENDING - - name: after - in: query - schema: - type: string responses: '200': description: Success @@ -12844,6 +14238,11 @@ paths: type: array items: $ref: '#/components/schemas/LogEvent' + examples: + ListLogs: + $ref: '#/components/examples/ListLogs' + LogTargetChangeDetails: + $ref: '#/components/examples/LogTargetChangeDetails' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -13017,8 +14416,11 @@ paths: parameters: - $ref: '#/components/parameters/pathAppId' get: - summary: Retrieve the default Application User Schema for an Application - description: Retrieves the Schema for an App User + summary: Retrieve the default App User Schema for an App + description: |- + Retrieves the default Schema for an App User. + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same App User Schema. Therefore, unlike the User Schema operations, the App User Schema operations all specify `default` and don't accept a Schema ID. operationId: getApplicationUserSchema responses: '200': @@ -13043,8 +14445,11 @@ paths: lifecycle: GA isGenerallyAvailable: true post: - summary: Update the default Application User Schema for an Application - description: Partially updates on the User Profile properties of the Application User Schema + summary: Update the App User Profile Schema for an App + description: |- + Updates the App User Schema. This updates, adds, or removes one or more custom profile properties or the nullability of a base property in the App User Schema for an app. Changing a base property's nullability (for example, the value of its `required` field) is allowed only if it is nullable in the default predefined Schema for the App. + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same App User Schema. Therefore, unlike the User Schema operations, the App User Schema operations all specify `default` and don't accept a Schema ID. operationId: updateApplicationUserProfile x-codegen-request-body-name: body requestBody: @@ -13086,7 +14491,10 @@ paths: /api/v1/meta/schemas/group/default: get: summary: Retrieve the default Group Schema - description: Retrieves the group schema + description: |- + Retrieves the Group Schema + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same Group Schema. Unlike User Schema operations, Group Schema operations all specify `default` and don't accept a Schema ID. operationId: getGroupSchema parameters: [] responses: @@ -13113,8 +14521,13 @@ paths: lifecycle: GA isGenerallyAvailable: true post: - summary: Update the default Group Schema - description: Updates the default group schema. This updates, adds, or removes one or more custom Group Profile properties in the schema. + summary: Update the Group Profile Schema + description: |- + Updates the Group Profile schema. This updates, adds, or removes one or more custom profile properties in a Group Schema. Currently Okta does not support changing base Group Profile properties. + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same Group Schema. Unlike User Schema operations, Group Schema operations all specify `default` and don't accept a Schema ID. + + **Note:** Since POST is interpreted as a partial update, you must set properties explicitly to null to remove them from the Schema. operationId: updateGroupSchema requestBody: content: @@ -13152,7 +14565,7 @@ paths: /api/v1/meta/schemas/logStream: get: summary: List the Log Stream Schemas - description: Lists the schema for all log stream types visible for this org + description: Lists the Schema for all Log Stream types visible for this org operationId: listLogStreamSchemas responses: '200': @@ -13185,7 +14598,7 @@ paths: - $ref: '#/components/parameters/pathLogStreamType' get: summary: Retrieve the Log Stream Schema for the schema type - description: Retrieves the schema for a Log Stream type. The `logStreamType` element in the URL specifies the Log Stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal retrieve the Splunk Cloud type schema. + description: Retrieves the Schema for a Log Stream type. The `logStreamType` element in the URL specifies the Log Stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal retrieve the Splunk Cloud type schema. operationId: getLogStreamSchema responses: '200': @@ -13353,7 +14766,7 @@ paths: - $ref: '#/components/parameters/pathSchemaId' get: summary: Retrieve a User Schema - description: Retrieves the schema for a Schema Id + description: Retrieves the Schema for a User Type operationId: getUserSchema responses: '200': @@ -13382,7 +14795,10 @@ paths: isGenerallyAvailable: true post: summary: Update a User Schema - description: Partially updates on the User Profile properties of the user schema + description: |- + Updates a User Schema. This updates, adds, or removes one or more profile properties in a User Schema. + + Unlike custom User Profile properties, limited changes are allowed to base User Profile properties (permissions, nullability of the `firstName` and `lastName` properties, or pattern for `login`). A property cannot be removed from the default Schema if it is being referenced as a [matchAttribute](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/) in SAML2 IdPs. Currently, all validation of SAML assertions is only performed against the default user type. operationId: updateUserProfile x-codegen-request-body-name: userSchema requestBody: @@ -13462,7 +14878,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UserType' + $ref: '#/components/schemas/CreateUserTypeRequest' examples: CreateUserRequest: $ref: '#/components/examples/CreateUserRequest' @@ -13815,8 +15231,8 @@ paths: - Okta Identity Engine /api/v1/org: get: - summary: Retrieve the Org Settings - description: Retrieves the org settings + summary: Retrieve the Org General Settings + description: Retrieves the Org General Settings operationId: getOrgSettings parameters: [] responses: @@ -13826,6 +15242,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -13835,19 +15254,22 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingGeneral x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Update the Org Settings - description: Partially updates the org settings depending on provided fields + summary: Update the Org General Settings + description: Updates partial Org General Settings operationId: updateOrgSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/UpdateOrgSettingEx' responses: '200': description: Success @@ -13855,6 +15277,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -13866,13 +15291,13 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingGeneral x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: - summary: Replace the Org Settings - description: Replaces the settings of your organization + summary: Replace the Org General Settings + description: Replaces the Org General Settings for your Okta org operationId: replaceOrgSettings x-codegen-request-body-name: orgSetting requestBody: @@ -13880,6 +15305,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/UpdateOrgSettingEx' required: true responses: '200': @@ -13888,6 +15316,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -13899,7 +15330,7 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingGeneral x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -13907,7 +15338,7 @@ paths: get: summary: Retrieve the Org-wide CAPTCHA Settings description: |- - Retrieves the CAPTCHA settings object for your organization. + Retrieves the CAPTCHA settings object for your organization > **Note**: If the current organization hasn't configured CAPTCHA Settings, the request returns an empty object. operationId: getOrgCaptchaSettings responses: @@ -13940,7 +15371,7 @@ paths: put: summary: Replace the Org-wide CAPTCHA Settings description: |- - Replaces the CAPTCHA settings object for your organization. + Replaces the CAPTCHA settings object for your organization > **Note**: You can disable CAPTCHA for your organization by setting `captchaId` and `enabledPages` to `null`. operationId: replacesOrgCaptchaSettings requestBody: @@ -14017,9 +15448,9 @@ paths: - Okta Identity Engine /api/v1/org/contacts: get: - summary: Retrieve the Org Contact Types - description: Retrieves Contact Types of your organization - operationId: getOrgContactTypes + summary: List all Org Contact Types + description: Lists all Org Contact Types for your Okta org + operationId: listOrgContactTypes parameters: [] responses: '200': @@ -14030,6 +15461,9 @@ paths: items: $ref: '#/components/schemas/OrgContactTypeObj' type: array + examples: + orgContactTypeEx: + $ref: '#/components/examples/orgContactTypeResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14039,7 +15473,7 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingContact x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -14047,8 +15481,8 @@ paths: parameters: - $ref: '#/components/parameters/pathContactType' get: - summary: Retrieve the User of the Contact Type - description: Retrieves the URL of the User associated with the specified Contact Type + summary: Retrieve the Contact Type User + description: Retrieves the ID and the User resource associated with the specified Contact Type operationId: getOrgContactUser responses: '200': @@ -14057,6 +15491,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + $ref: '#/components/examples/orgContactUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -14068,12 +15505,12 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingContact x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: - summary: Replace the User of the Contact Type + summary: Replace the Contact Type User description: Replaces the User associated with the specified Contact Type operationId: replaceOrgContactUser x-codegen-request-body-name: orgContactUser @@ -14082,6 +15519,11 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + summary: Contact User + value: + userId: 00ux3u0ujW1r5AfZC1d7 required: true responses: '200': @@ -14090,6 +15532,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + $ref: '#/components/examples/orgContactUserResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -14103,14 +15548,20 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingContact x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/email/bounces/remove-list: post: - summary: Remove Emails from Email Provider Bounce List - description: Removes a list of email addresses to be removed from the set of email addresses that are bounced + summary: Remove Bounced Emails + description: | + Removes emails from an email service bounce list. + + The emails submitted in this operation are removed from the bounce list by an asynchronous job. + Any email address that passes validation is accepted for the removal process, even if there are other email addresses in the request that failed validation. + + > **Note:** If there are validation errors for all email addresses, a `200 OK` HTTP status is still returned. operationId: bulkRemoveEmailAddressBounces requestBody: content: @@ -14119,6 +15570,7 @@ paths: $ref: '#/components/schemas/BouncesRemoveListObj' examples: example-1: + summary: Request example value: emailAddresses: - name@company.com @@ -14126,13 +15578,14 @@ paths: - name@okta@com responses: '200': - description: Deletes the provided list of emails from the set of email addresses that are bounced so that the provider resumes sending emails to those addresses. + description: OK content: application/json: schema: $ref: '#/components/schemas/BouncesRemoveListResult' examples: example-1: + summary: Response example value: errors: - emailAddress: unknown.email@okta.com @@ -14150,25 +15603,207 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - EmailCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/factors/yubikey_token/tokens: + parameters: + - name: after + in: query + description: Specifies the pagination cursor for the next page of tokens + schema: + type: string + - name: expand + in: query + description: Embeds the [User](/openapi/okta-management/management/tag/User/) resource if the YubiKey Token is assigned to a user and `expand` is set to `user` + schema: + type: string + - name: filter + in: query + description: The expression used to filter tokens + schema: + type: string + enum: + - profile.email + - profile.serial + - activated + - user.id + - created + - status + - lastVerified + - name: forDownload + in: query + description: Returns tokens in a CSV to download instead of in the response. When you use this query parameter, the `limit` default changes to 1000. + schema: + type: boolean + default: false + - name: limit + in: query + description: Specifies the number of results per page + schema: + type: integer + default: 20 + maximum: 200 + - name: sortBy + in: query + description: The value of how the tokens are sorted + schema: + type: string + enum: + - profile.email + - profile.serial + - activated + - user.id + - created + - status + - lastVerified + - name: sortOrder + in: query + description: Specifies the sort order, either `ASC` or `DESC` + schema: + type: string + enum: + - ASC + - DESC + get: + summary: List all YubiKey OTP Tokens + description: Lists all YubiKey OTP Tokens + operationId: listYubikeyOtpTokens + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + ListYubikeyOptTokensResponse: + $ref: '#/components/examples/ListYubikeyOptTokensResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Upload a YubiKey OTP Seed + description: Uploads a seed for a user to enroll a YubiKey OTP + operationId: uploadYubikeyOtpTokenSeed + requestBody: + content: + application/json: + schema: + type: object + properties: + serialNumber: + type: string + description: The unique identifier assigned to each YubiKey device + publicId: + type: string + description: The Yubikey's public ID + privateId: + type: string + description: The Yubikey's private ID + aesKey: + type: string + description: The cryptographic key used in the AES algorithm to encrypt and decrypt YubiKey OTP + examples: + uploadYubikeyOtpSeedRequest: + $ref: '#/components/examples/UploadYubikeyTokenSeedRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + yubikeyToken: + $ref: '#/components/examples/UploadYubikeyTokenSeedResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/factors/yubikey_token/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/yubikeyTokenId' + get: + summary: Retrieve a YubiKey OTP Token + description: Retrieves the specified YubiKey OTP Token by `id` + operationId: getYubikeyOtpTokenById + parameters: + - name: tokenId + in: path + required: true + description: The YubikeyOTP token ID + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + Token: + $ref: '#/components/examples/GetYubikeyOptTokenResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/logo: post: summary: Upload the Org Logo - description: Uploads and replaces the logo for your organization. The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. + description: Uploads and replaces the logo for your organization operationId: uploadOrgLogo requestBody: content: multipart/form-data: schema: - description: The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. type: object properties: file: type: string format: binary + description: The file must be in PNG, JPG, or GIF format and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling. required: - file description: logo file @@ -14186,14 +15821,14 @@ paths: - oauth2: - okta.apps.manage tags: - - OrgSetting + - OrgSettingCustomization x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/orgSettings/thirdPartyAdminSetting: get: - summary: Retrieve the Org Third-Party Admin setting - description: Retrieves the Third-Party Admin setting + summary: Retrieve the Org Third-Party Admin Setting + description: Retrieves the Third-Party Admin Setting. See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation. operationId: getThirdPartyAdminSetting parameters: [] responses: @@ -14212,15 +15847,28 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Update the Org Third-Party Admin setting - description: Updates the Third-Party Admin setting + summary: Update the Org Third-Party Admin Setting + description: | + Updates the Third-Party Admin Setting. + This setting allows third-party admins to perform administrative actions in the Admin Console, but they can't do any of the following: + * Receive Okta admin email notifications + * Contact Okta support + * Sign in to the Okta Help Center + + See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation. operationId: updateThirdPartyAdminSetting parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + required: true responses: '200': description: Success @@ -14237,14 +15885,14 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/preferences: get: summary: Retrieve the Org Preferences - description: Retrieves preferences of your organization + description: Retrieves preferences of your Okta org operationId: getOrgPreferences parameters: [] responses: @@ -14254,6 +15902,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgPreferences' + examples: + retrieveOrgPrefEx: + $ref: '#/components/examples/orgShowFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14263,15 +15914,15 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingCustomization x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/preferences/hideEndUserFooter: post: - summary: Update the Preference to Hide the Okta Dashboard Footer - description: Updates the preference hide the Okta UI footer for all end users of your organization - operationId: updateOrgHideOktaUIFooter + summary: Set the Hide Dashboard Footer Preference + description: Sets the preference to hide the Okta UI footer for all end users of your org + operationId: setOrgHideOktaUIFooter parameters: [] responses: '200': @@ -14280,6 +15931,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgPreferences' + examples: + hideOrgPrefEx: + $ref: '#/components/examples/orgHideFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14289,15 +15943,15 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingCustomization x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/preferences/showEndUserFooter: post: - summary: Update the Preference to Show the Okta Dashboard Footer - description: Updates the preference to show the Okta UI footer for all end users of your organization - operationId: updateOrgShowOktaUIFooter + summary: Set the Show Dashboard Footer Preference + description: Sets the preference to show the Okta UI footer for all end users of your org + operationId: setOrgShowOktaUIFooter parameters: [] responses: '200': @@ -14306,6 +15960,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgPreferences' + examples: + showOrgPrefEx: + $ref: '#/components/examples/orgShowFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14315,14 +15972,157 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingCustomization x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true + /api/v1/org/privacy/aerial: + get: + summary: Retrieve Okta Aerial consent for your Org + description: Retrieves the Okta Aerial consent grant details for your Org. Returns a 404 Not Found error if no consent has been granted. + operationId: getAerialConsent + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentDetails' + examples: + example-read-grant-response: + $ref: '#/components/examples/AerialConsentDetails' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-no-already-present-response: + $ref: '#/components/examples/AerialGrantAlreadyPresentErrorResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Consent hasn't been given and there are no grants to any Aerial Accounts + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-no-grant-found-response: + $ref: '#/components/examples/AerialGrantNotFoundResponse' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/org/privacy/aerial/grant: + post: + summary: Grant Okta Aerial access to your Org + description: Grants an Okta Aerial account access to your Org. If the org is a child org, consent is taken from the parent org. Grant calls directly to the child are not allowed. + operationId: grantAerialConsent + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsent' + examples: + example-grant-call: + description: Request body to grant an Okta Aerial account access to your Org + value: + accountId: 0200bs0617vvhv2v675mch1cukp + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentDetails' + examples: + example-grant-success-response: + $ref: '#/components/examples/AerialConsentDetails' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-invalid-account-id: + $ref: '#/components/examples/AerialConsentInvalidAccountIdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/org/privacy/aerial/revoke: + post: + summary: Revoke Okta Aerial access to your Org + description: Revokes access of an Okta Aerial account to your Org. The revoke operation will fail if the org has already been added to an Aerial account. + operationId: revokeAerialConsent + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsent' + examples: + example-revoke-request: + description: Request body for revoking an Okta Aerial account + value: + accountId: 0200bs0617vvhv2v675mch1cukp + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentRevoked' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-org-is-linked: + $ref: '#/components/examples/AerialConsentOrgAlreadyLinkedResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] /api/v1/org/privacy/oktaCommunication: get: summary: Retrieve the Okta Communication Settings - description: Retrieves Okta Communication Settings of your organization + description: Retrieves Okta Communication Settings of your org operationId: getOktaCommunicationSettings parameters: [] responses: @@ -14332,6 +16132,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + retrieveOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptOutResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14341,14 +16144,14 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingCommunication x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optIn: post: - summary: Opt in all Users to Okta Communication emails - description: Opts in all users of this org to Okta Communication emails + summary: Opt in to Okta User Communication Emails + description: Opts in all users of this org to Okta communication emails operationId: optInUsersToOktaCommunicationEmails parameters: [] responses: @@ -14358,6 +16161,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + optInOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptInResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14367,14 +16173,14 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingCommunication x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optOut: post: - summary: Opt out all Users from Okta Communication emails - description: Opts out all users of this org from Okta Communication emails + summary: Opt out of Okta User Communication Emails + description: Opts out all users of this org from Okta communication emails operationId: optOutUsersFromOktaCommunicationEmails parameters: [] responses: @@ -14384,6 +16190,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + optOutOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptOutResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14393,14 +16202,14 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingCommunication x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport: get: summary: Retrieve the Okta Support Settings - description: Retrieves Okta Support Settings of your organization + description: Retrieves Okta Support Settings for your org operationId: getOrgOktaSupportSettings parameters: [] responses: @@ -14410,6 +16219,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + RetrieveOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14419,7 +16231,7 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -14436,6 +16248,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + ExtendOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14445,13 +16260,13 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/grant: post: - summary: Grant Okta Support Access to your Org + summary: Grant Okta Support Access description: Grants Okta Support temporary access your org as an administrator for eight hours operationId: grantOktaSupport parameters: [] @@ -14462,6 +16277,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + GrantOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14471,14 +16289,14 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/revoke: post: summary: Revoke Okta Support Access - description: Revokes Okta Support access to your organization + description: Revokes Okta Support access to your org operationId: revokeOktaSupport parameters: [] responses: @@ -14488,6 +16306,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + RevokeOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsRevokeResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14497,14 +16318,14 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/settings/clientPrivilegesSetting: get: - summary: Retrieve the Org settings to assign the Super Admin role - description: Retrieves the Org settings to assign the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) by default to a public client app + summary: Retrieve the Default Public Client App Role Setting + description: Retrieves the org setting to assign the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) to new public client apps operationId: getClientPrivilegesSetting parameters: [] responses: @@ -14523,13 +16344,13 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: - summary: Assign the Super Admin role to a public client app - description: Assigns the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) by default to a public client app + summary: Assign the Default Public Client App Role Setting + description: Assigns the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) as the default role for new public client apps operationId: assignClientPrivilegesSetting requestBody: content: @@ -14552,7 +16373,55 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/orgs: + post: + summary: Create an Org + description: |- + Creates an Org (child org) that has the same features as the current requesting org (parent org). + A child org inherits any new features added to the parent org, but new features added to the child org aren't propagated back to the parent org. + > **Notes:** + > * Some features associated with products, such as Atspoke, Workflows, and Okta Identity Governance, aren't propagated to the child Org. + > * Wait at least 30 seconds after a 201-Created response before you make API requests to the new child Org. + > * For rate limits, see [Org creation rate limits](https://developer.okta.com/docs/reference/rl-additional-limits/#org-creation-rate-limits). + operationId: createChildOrg + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ChildOrg' + examples: + CreateChildOrg: + $ref: '#/components/examples/CreateChildOrgRequestEx' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/ChildOrg' + examples: + CreateChildOrg: + $ref: '#/components/examples/CreateChildOrgResponseEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + '500': + $ref: '#/components/responses/ErrorInternalServer500' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgCreator x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -14574,16 +16443,21 @@ paths: - IDP_DISCOVERY - ACCESS_POLICY - PROFILE_ENROLLMENT - - CONTINUOUS_ACCESS (EA) - - ENTITY_RISK (EA) + - POST_AUTH_SESSION + - ENTITY_RISK description: |- - Specifies the type of policy to return. The following policy types are available only with the Okta Identity Engine - `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `CONTINUOUS_ACCESS`, and `ENTITY_RISK`. - The `CONTINUOUS_ACCESS` and `ENTITY_RISK` are in Early Access (EA). Contact your Okta account team to enable these features. + Specifies the type of policy to return. The following policy types are available only with the Okta Identity Engine - `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`. + The `POST_AUTH_SESSION` and `ENTITY_RISK` policy types are in . Contact your Okta account team to enable these features. - name: status in: query schema: type: string description: Refines the query by the `status` of the policy - `ACTIVE` or `INACTIVE` + - name: q + in: query + schema: + type: string + description: Refines the query by policy name prefix (startWith method) passed in as `q=string` - name: expand in: query schema: @@ -14599,6 +16473,11 @@ paths: schema: type: string description: Defines the number of policies returned, see [Pagination](https://developer.okta.com/docs/api/#pagination) + - name: resourceId + in: query + schema: + type: string + description: Reference to the associated authorization server - name: after in: query schema: @@ -14613,6 +16492,15 @@ paths: type: array items: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14628,7 +16516,7 @@ paths: isGenerallyAvailable: true post: summary: Create a Policy - description: Creates a policy + description: Creates a policy. There are many types of policies that you can create. See [Policies](https://developer.okta.com/docs/concepts/policies/) for an overview of the types of policies available and then links to more indepth information. operationId: createPolicy parameters: - name: activate @@ -14651,6 +16539,15 @@ paths: application/json: schema: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -14734,6 +16631,15 @@ paths: application/json: schema: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -14767,6 +16673,15 @@ paths: application/json: schema: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -14855,6 +16770,15 @@ paths: application/json: schema: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -14942,6 +16866,9 @@ paths: type: array items: $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-list-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -14974,6 +16901,9 @@ paths: application/json: schema: $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -15006,6 +16936,9 @@ paths: application/json: schema: $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -15047,6 +16980,7 @@ paths: /api/v1/policies/{policyId}/rules: parameters: - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/limitParameter' get: summary: List all Policy Rules description: Lists all policy rules @@ -15060,6 +16994,9 @@ paths: type: array items: $ref: '#/components/schemas/PolicyRule' + examples: + SignOnPolicy: + $ref: '#/components/examples/list-all-policy-rule-response-array' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -15077,7 +17014,10 @@ paths: isGenerallyAvailable: true post: summary: Create a Policy Rule - description: Creates a policy rule. **Note:** You can't create additional rules for the `PROFILE_ENROLLMENT` or `CONTINUOUS_ACCESS` policies. + description: |- + Creates a policy rule + + > **Note:** You can't create additional rules for the `PROFILE_ENROLLMENT` or `POST_AUTH_SESSION` policies. operationId: createPolicyRule parameters: - name: activate @@ -15099,6 +17039,8 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up' + EnableSsprOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP' Enable2FAPreciseAuth: $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing' EnableSpecificRoutingRule: @@ -15107,6 +17049,16 @@ paths: $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' CreateAuthPolicyRuleDevicePlatformCondition: $ref: '#/components/examples/create-auth-policy-rule-condition' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' + RadiusRule: + $ref: '#/components/examples/radius-rule' + CloudRule: + $ref: '#/components/examples/cloud-rule' + DenyRule: + $ref: '#/components/examples/deny-rule' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints' required: true @@ -15124,6 +17076,8 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up-response' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-response' + EnableSsprWithOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP-response' Enable2FAPreciseAuth: $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing-response' EnableSpecificRoutingRule: @@ -15132,6 +17086,16 @@ paths: $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' CreateAuthPolicyRuleDevicePlatformCondition: $ref: '#/components/examples/create-auth-policy-rule-condition-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' '400': @@ -15173,6 +17137,22 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up-update' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-update' + EnableSsprWithOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP-update' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' '403': @@ -15209,6 +17189,20 @@ paths: $ref: '#/components/examples/sspr-enabled-no-step-up-update' UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: $ref: '#/components/examples/update-auth-policy-rule-condition' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' + RadiusRule: + $ref: '#/components/examples/radius-rule' + CloudRule: + $ref: '#/components/examples/cloud-rule' + DenyRule: + $ref: '#/components/examples/deny-rule' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' required: true @@ -15228,6 +17222,20 @@ paths: $ref: '#/components/examples/sspr-enabled-no-step-up-response' UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: $ref: '#/components/examples/update-auth-policy-rule-condition-response' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' '400': @@ -16851,10 +18859,6 @@ paths: isGenerallyAvailable: true /api/v1/security-events-providers: get: - x-okta-lifecycle: - lifecycle: EA - isGenerallyAvailable: false - SKUs: [] summary: List all Security Events Providers description: Lists all Security Events Provider instances operationId: listSecurityEventsProviderInstances @@ -16882,11 +18886,12 @@ paths: - okta.securityEventsProviders.read tags: - SSFReceiver - post: x-okta-lifecycle: - lifecycle: EA + lifecycle: LIMITED_GA isGenerallyAvailable: false - SKUs: [] + SKUs: + - Okta Identity Engine + post: summary: Create a Security Events Provider description: Creates a Security Events Provider instance operationId: createSecurityEventsProviderInstance @@ -16928,14 +18933,15 @@ paths: - okta.securityEventsProviders.manage tags: - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/security-events-providers/{securityEventProviderId}: parameters: - $ref: '#/components/parameters/pathSecurityEventProviderId' get: - x-okta-lifecycle: - lifecycle: EA - isGenerallyAvailable: false - SKUs: [] summary: Retrieve the Security Events Provider description: Retrieves the Security Events Provider instance specified by `id` operationId: getSecurityEventsProviderInstance @@ -16963,11 +18969,12 @@ paths: - okta.securityEventsProviders.read tags: - SSFReceiver - put: x-okta-lifecycle: - lifecycle: EA + lifecycle: LIMITED_GA isGenerallyAvailable: false - SKUs: [] + SKUs: + - Okta Identity Engine + put: summary: Replace a Security Events Provider description: Replaces a Security Events Provider instance specified by `id` operationId: replaceSecurityEventsProviderInstance @@ -17011,11 +19018,12 @@ paths: - okta.securityEventsProviders.manage tags: - SSFReceiver - delete: x-okta-lifecycle: - lifecycle: EA + lifecycle: LIMITED_GA isGenerallyAvailable: false - SKUs: [] + SKUs: + - Okta Identity Engine + delete: summary: Delete a Security Events Provider description: Deletes a Security Events Provider instance specified by `id` operationId: deleteSecurityEventsProviderInstance @@ -17037,14 +19045,15 @@ paths: - okta.securityEventsProviders.manage tags: - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathSecurityEventProviderId' post: - x-okta-lifecycle: - lifecycle: EA - isGenerallyAvailable: false - SKUs: [] summary: Activate a Security Events Provider description: |- Activates a Security Events Provider instance by setting its status to `ACTIVE`. @@ -17074,14 +19083,15 @@ paths: - okta.securityEventsProviders.manage tags: - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathSecurityEventProviderId' post: - x-okta-lifecycle: - lifecycle: EA - isGenerallyAvailable: false - SKUs: [] summary: Deactivate a Security Events Provider description: |- Deactivates a Security Events Provider instance by setting its status to `INACTIVE`. @@ -17111,6 +19121,11 @@ paths: - okta.securityEventsProviders.manage tags: - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/sessions: post: summary: Create a Session with session token @@ -18110,12 +20125,21 @@ paths: /api/v1/users: get: summary: List all Users - description: Lists all users that do not have a status of 'DEPROVISIONED' (by default), up to the maximum (200 for most orgs), with pagination. A subset of users can be returned that match a supported filter expression or search criteria. + description: |- + Lists Users in your org, with pagination in most cases. + + A subset of Users can be returned that match a supported filter expression or search criteria. operationId: listUsers parameters: + - $ref: '#/components/parameters/OktaResponse' - name: q in: query - description: Finds a user that matches firstName, lastName, and email properties + description: |- + Finds users who match the specified query. This doesn't support pagination. + + This might not deliver optimal performance for large orgs, and is deprecated for such use cases. To ensure optimal performance, use a [`search` parameter](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!in=query&path=search&t=request) instead. + + Use the `q` parameter for a simple lookup of users by name, for example when creating a people picker. The value of `q` is matched against `firstName`, `lastName`, or `email`. This performs a `startsWith` match, but this is an implementation detail and can change without notice. You don't need to specify `firstName`, `lastName`, or `email`. schema: type: string - $ref: '#/components/parameters/queryAfter' @@ -18128,21 +20152,70 @@ paths: default: 200 - name: filter in: query - description: Filters users with a supported expression for a subset of properties + description: |- + Filters users with a supported expression for a subset of properties. + + This requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Filtering is case-sensitive for attribute names and query values, while attribute operators are case-insensitive. + + Filtering supports the following limited number of properties: `status`, `lastUpdated`, `id`, `profile.login`, `profile.email`, `profile.firstName`, and `profile.lastName`. Additionally, filtering supports only the equal `eq` operator from the standard Okta API filtering semantics, except in the case of the `lastUpdated` property. This property can also use the inequality operators (`gt`, `ge`, `lt`, and `le`). For logical operators, only the logical operators `and` and `or` are supported. The `not` operator isn't supported. schema: type: string + examples: + filterByStatus: + value: status eq "LOCKED_OUT" + summary: Filter users with status of `LOCKED_OUT` + filterByLogin: + value: profile.login eq "login@example.com" + summary: Filter Users with a specified `login` + filterByDateRange: + value: filter=lastUpdated gt "2013-06-01T00:00:00.000Z" and lastUpdated lt "2014-01-01T00:00:00.000Z" + summary: Filter users updated after 06/01/2013 but before 01/01/2014 + filterByTypeAndProfileLastUpdatedAfterDate: + value: lastUpdated gt "2013-06-01T00:00:00.000Z" and (status eq "LOCKED_OUT" or status eq "RECOVERY") + summary: Filter users updated after 06/01/2013 but with a status of `LOCKED_OUT` or `RECOVERY` - name: search in: query - description: Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. + description: |- + Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Use an ID lookup for records that you update to ensure your results contain the latest data. + + Property names in the search parameter are case sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac.brock` finds `Isaac.Brock`, but doesn't find a property whose value is `isáàc.bröck`. This operation requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `search=profile.department eq "Engineering"` is encoded as `search=profile.department%20eq%20%22Engineering%22`. + + > **Note:** If you use the special character `"` within a quoted string, it must also be escaped `\` and encoded. For example, `search=profile.lastName eq "bob"smith"` is encoded as `search=profile.lastName%20eq%20%22bob%5C%22smith%22`. + + This operation searches many properties: + * Any user profile property, including custom-defined properties + * The top-level properties `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated` + * The [User Type](https://developer.okta.com/docs/reference/api/user-types/) accessed as `type.id` + + You can also use `sortBy` and `sortOrder` parameters. The `ne` (not equal) operator isn't supported, but you can obtain the same result by using `lt ... or ... gt`. For example, to see all users except those that have a status of `STAGED`, use `(status lt "STAGED" or status gt "STAGED")`. + + You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the [SCIM Protocol Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter). schema: type: string + examples: + searchByStatus: + value: status eq "STAGED" + summary: Search for Users that have a status of `STAGED` + searchByLastUpdatedAfterDate: + value: lastUpdated gt "2014-01-01T00:00:00.000Z" + summary: Search for Users that have last updated after a specific timestamp + searchById: + value: id eq "00u1ero7vZFVEIYLWPBN" + summary: Search for Groups with the specified ID (`00gak46y5hydV6NdM0g4`) + searchByProfileDepartmentCreatedAndStatus: + value: profile.department eq "Engineering" and (created lt "2014-01-01T00:00:00.000Z" or status eq "ACTIVE") + summary: Search for users in the department of `Engineering` who were created before `01/01/2014` or have a status of `ACTIVE` + searchArrayAttributes: + value: profile.arrayAttr eq "arrayAttrVal1" + summary: Searches for properties that are arrays. Custom User attribute `arrayAttr` that contains values ["arrayAttrVal1", "arrayAttrVal2"...] - name: sortBy in: query + description: Specifies field to sort by (for search queries only). This can be any single property, for example `sortBy=profile.lastName`. Users with the same value for the `sortBy` property will be ordered by `id`. schema: type: string - name: sortOrder in: query - description: Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. + description: Specifies sort order asc or desc (for search queries only). Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. `sortOrder` is ignored if `sortBy` is not present. schema: type: string responses: @@ -18178,29 +20251,42 @@ paths: post: summary: Create a User description: |- - Creates a new user in your Okta organization with or without credentials
- > **Legal Disclaimer**
- After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, - you agreed not to use Okta's service/product to spam and/or send unsolicited messages. - Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all - liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. + Creates a new User in your Okta org with or without credentials.
+ > **Legal Disclaimer** + > + > After a User is added to the Okta directory, they receive an activation email. As part of signing up for this service, + > you agreed not to use Okta's service/product to spam and/or send unsolicited messages. + > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all + > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. + + All responses return the created User. Activation of a User is an asynchronous operation. The system performs group reconciliation during activation and assigns the User to all apps via direct or indirect relationships (group memberships). + * The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the User hasn't completed the asynchronous operation. + * The user's `status` is `ACTIVE` when the activation process is complete. + + The User is emailed a one-time activation token if activated without a password. + + > **Note:** If the User is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a User to sign in before these apps have been successfully provisioned for the User. + + > **Important:** Do not generate or send a one-time activation token when activating Users with an assigned password. Users should sign in with their assigned password. + + For more information about the various scenarios of creating a user listed in the examples, see User Scenario Creations section in the [Users API](/openapi/okta-management/management/tag/User) description. operationId: createUser parameters: - name: activate in: query - description: Executes activation lifecycle operation when creating the user + description: Executes an [activation lifecycle](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the User schema: type: boolean default: true - name: provider in: query - description: Indicates whether to create a user with a specified authentication provider + description: Indicates whether to create a User with a specified authentication provider schema: type: boolean default: false - name: nextLogin in: query - description: With activate=true, set nextLogin to "changePassword" to have the password be EXPIRED, so user must change it the next time they log in. + description: With `activate=true`, if `nextLogin=changePassword`, a User is created, activated, and the password is set to `EXPIRED`. The User must change it the next time they sign in. schema: $ref: '#/components/schemas/UserNextLogin' x-okta-added-version: 0.14.0 @@ -18210,6 +20296,25 @@ paths: application/json: schema: $ref: '#/components/schemas/CreateUserRequest' + examples: + Create User without credentials: + $ref: '#/components/examples/create-user-without-credentials-request' + Create User with recovery question: + $ref: '#/components/examples/create-user-with-recovery-question-request' + Create User with Password: + $ref: '#/components/examples/create-user-with-password-request' + Create User with imported hashed password: + $ref: '#/components/examples/create-user-with-imported-hashed-password-request' + Create User with password import inline hook: + $ref: '#/components/examples/create-user-with-password-import-inline-hook-request' + Create User with Password and Recovery Question: + $ref: '#/components/examples/create-user-with-password-and-recovery-question-request' + Create User with Authentication Provider: + $ref: '#/components/examples/create-user-with-authentication-provider-request' + Create User in Group: + $ref: '#/components/examples/create-user-in-group-request' + Create User with non-default User Type: + $ref: '#/components/examples/create-user-with-non-default-user-type-request' required: true responses: '200': @@ -18218,6 +20323,25 @@ paths: application/json: schema: $ref: '#/components/schemas/User' + examples: + Create User without credentials: + $ref: '#/components/examples/create-user-without-credentials-response' + Create User with recovery question: + $ref: '#/components/examples/create-user-with-recovery-question-response' + Create User with Password: + $ref: '#/components/examples/create-user-with-password-response' + Create User with imported hashed password: + $ref: '#/components/examples/create-user-with-imported-hashed-password-response' + Create User with password import inline hook: + $ref: '#/components/examples/create-user-with-password-import-inline-hook-response' + Create User with Password and Recovery Question: + $ref: '#/components/examples/create-user-with-password-and-recovery-question-response' + Create User with Authentication Provider: + $ref: '#/components/examples/create-user-with-authentication-provider-response' + Create User in Group: + $ref: '#/components/examples/create-user-in-group-response' + Create User with non-default User Type: + $ref: '#/components/examples/create-user-with-non-default-user-type-response' '400': description: Bad Request content: @@ -18225,11 +20349,11 @@ paths: schema: $ref: '#/components/schemas/Error' examples: - Create user with too many groups specified: + Create User with too many groups specified: $ref: '#/components/examples/ErrorCreateUserWithTooManyManyGroupsResponse' - Create user with expired password and activate set to `false`: + Create User with expired password and activate set to `false`: $ref: '#/components/examples/ErrorCreateUserWithExpiredPasswordWithoutActivation' - Create user with expired password and `null` password: + Create User with expired password and `null` password: $ref: '#/components/examples/ErrorCreateUserWithExpiredPasswordWithNullPassword' '403': description: Forbidden @@ -18249,88 +20373,21 @@ paths: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true - /api/v1/users/{userIdOrLogin}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: - parameters: - - $ref: '#/components/parameters/pathUserIdOrLogin' - - $ref: '#/components/parameters/pathPrimaryRelationshipName' - - $ref: '#/components/parameters/pathPrimaryUserId' - put: - summary: Replace the Linked Object value for `primary` - description: Replaces the first user as the `associated` and the second user as the `primary` for the specified relationship. If the first user is already associated with a different `primary` for this relationship, replaces the previous link. A Linked Object relationship can specify only one `primary` user for an `associated` user. - operationId: replaceLinkedObjectForUser - responses: - '204': - description: Success - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - oauth2: - - okta.users.manage - tags: - - User - x-okta-lifecycle: - isCorsEnabled: true - lifecycle: GA - isGenerallyAvailable: true - /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}: - parameters: - - $ref: '#/components/parameters/pathUserIdOrLogin' - - $ref: '#/components/parameters/pathRelationshipName' - get: - summary: List the primary or all of the associated Linked Object values - description: Lists either the self link for the `primary` user or all `associated` users in the relationship specified by `relationshipName`. If the specified user isn't associated in any relationship, an empty array is returned. - operationId: listLinkedObjectsForUser - parameters: - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: -1 + /api/v1/users/me/lifecycle/delete_sessions: + post: + summary: End a current User session + description: |- + Ends Okta sessions for the currently signed in User. By default, the current session remains active. Use this method in a browser-based app. + > **Note:** This operation requires a session cookie for the User. The API token isn't allowed for this operation. + operationId: endUserSessions + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeepCurrent' responses: '200': - description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/ResponseLinks' - examples: - GetUserLinkedObjectResponse: - $ref: '#/components/examples/GetUserLinkedObjectResponse' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.users.read - tags: - - User - x-okta-lifecycle: - isCorsEnabled: true - lifecycle: GA - isGenerallyAvailable: true - delete: - summary: Delete a Linked Object - description: Deletes linked objects for a user, relationshipName can be ONLY a primary relationship name - operationId: deleteLinkedObjectForUser - responses: - '204': - description: No Content + description: OK content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' @@ -18340,22 +20397,31 @@ paths: $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - - oauth2: - - okta.users.manage + - oauth2: [] tags: - - User + - UserSessions x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true - /api/v1/users/{userId}: + /api/v1/users/{id}: parameters: - - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathId' get: summary: Retrieve a User - description: Retrieves a user from your Okta organization + description: |- + Retrieves a User from your Okta org. + + > **Note:** You can substitute `me` for the `id` to fetch the current User linked to an API token or session cookie. + > * The request returns the User linked to the API token that is specified in the Authorization header, not the User linked to the active session. Details of the Admin User who granted the API token is returned. + > * When the end User has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current User without the Authorization header. + + > **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). + + > **Note:** When fetching a User by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. operationId: getUser parameters: + - $ref: '#/components/parameters/OktaResponse' - $ref: '#/components/parameters/queryUserExpand' responses: '200': @@ -18364,6 +20430,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserGetSingleton' + examples: + GetUserExample: + $ref: '#/components/examples/user-example' '403': description: Forbidden content: @@ -18390,19 +20459,40 @@ paths: isGenerallyAvailable: true post: summary: Update a User - description: Updates a user partially determined by the request parameters + description: |- + Updates a user's profile or credentials with partial update semantics. + + > **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`. + + `profile` and `credentials` can be updated independently or together with a single request. + > **Note**: Currently, the User Type of a User can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the User object, + the value must match the existing type of the User. Only admins are permitted to change the User type of a User; end users are not allowed to change their own User type. + + > **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked. + > + > A User can only update profile properties for which the User has write access. Within the profile, if the User tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification. + + If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the `Reset Password`, `Forgot Password`, and `Change Password` endpoints. operationId: updateUser parameters: - name: strict in: query schema: type: boolean + description: If true, validates against minimum age and history password policy x-codegen-request-body-name: user requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserRequest' + examples: + Update User Profile: + $ref: '#/components/examples/update-user-profile-request' + Update User Password: + $ref: '#/components/examples/update-user-set-password-request' + Set Recovery Question and Answer: + $ref: '#/components/examples/update-user-set-recovery-question-and-answer' required: true responses: '200': @@ -18411,6 +20501,9 @@ paths: application/json: schema: $ref: '#/components/schemas/User' + examples: + Update User Response: + $ref: '#/components/examples/user-example' '400': description: Bad Request content: @@ -18443,11 +20536,16 @@ paths: isGenerallyAvailable: true put: summary: Replace a User - description: Replaces a user's profile and/or credentials using strict-update semantics + description: |- + Replaces a User's profile, credentials, or both using strict-update semantics. + + All profile properties must be specified when updating a User's profile with a `PUT` method. Any property not specified in the request is deleted. + > **Important:** Don't use a `PUT` method for partial updates. operationId: replaceUser parameters: - name: strict in: query + description: If `true`, validates against minimum age and history password policy schema: type: boolean x-okta-added-version: 1.10.0 @@ -18456,7 +20554,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/UpdateUserRequest' + examples: + Replace User Request: + $ref: '#/components/examples/replace-user-request' required: true responses: '200': @@ -18465,6 +20566,9 @@ paths: application/json: schema: $ref: '#/components/schemas/User' + examples: + Replace User Response: + $ref: '#/components/examples/user-example' '400': description: Bad Request content: @@ -18497,15 +20601,29 @@ paths: isGenerallyAvailable: true delete: summary: Delete a User - description: Deletes a user permanently. This operation can only be performed on users that have a `DEPROVISIONED` status. **This action cannot be recovered!**. Calling this on an `ACTIVE` user will transition the user to `DEPROVISIONED`. + description: |- + Deletes a User permanently. This operation can only be performed on Users that have a `DEPROVISIONED` status. **This action can't be recovered!** + + This operation on a User that hasn't been deactivated causes that User to be deactivated. A second delete operation is required to delete the User. + + > **Note:** You can also perform user deletion asynchronously. To invoke asynchronous user deletion, pass an HTTP header `Prefer: respond-async` with the request. + This header is also supported by user deactivation, which is performed if the delete endpoint is invoked on a User that hasn't been deactivated. operationId: deleteUser parameters: - name: sendEmail in: query + description: Sends a deactivation email to the admin if `true` schema: type: boolean default: false x-okta-added-version: 1.5.0 + - name: Prefer + in: header + required: false + schema: + type: string + enum: + - respond-async responses: '204': description: No Content @@ -18540,12 +20658,156 @@ paths: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true + /api/v1/users/{id}/lifecycle/reactivate: + parameters: + - $ref: '#/components/parameters/pathId' + post: + summary: Reactivate a User + description: |- + Reactivates a user. + + This operation can only be performed on Users with a `PROVISIONED` or `RECOVERY` [status](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response). + This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser). + + Users that don't have a password must complete the flow by completing [Reset Password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) and MFA enrollment steps to transition the user to `ACTIVE` status. + + If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. + operationId: reactivateUser + parameters: + - name: sendEmail + in: query + description: Sends an activation email to the user if `true` + schema: + type: boolean + default: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserActivationToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userIdOrLogin}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: + parameters: + - $ref: '#/components/parameters/pathUserIdOrLogin' + - $ref: '#/components/parameters/pathPrimaryRelationshipName' + - $ref: '#/components/parameters/pathPrimaryUserId' + put: + summary: Assign a Linked Object value for primary + description: |- + Assigns the first User as the `associated` and the second User as the `primary` for the specified relationship. + + If the first User is already associated with a different `primary` for this relationship, the previous link is removed. A Linked Object relationship can specify only one primary User for an associated User. + operationId: assignLinkedObjectValueForPrimary + responses: + '204': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - okta.users.manage + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}: + parameters: + - $ref: '#/components/parameters/pathUserIdOrLogin' + - $ref: '#/components/parameters/pathRelationshipName' + get: + summary: List the primary or all of the associated Linked Object values + description: |- + Lists either the `self` link for the primary User or all associated Users in the relationship specified by `relationshipName`. If the specified User isn't associated in any relationship, an empty array is returned. + + Use `me` instead of `id` to specify the current session User. + operationId: listLinkedObjectsForUser + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/ResponseLinks' + examples: + GetPrimaryLinkedObjectResponse: + $ref: '#/components/examples/GetPrimaryLinkedObjectResponse' + GetAssociatedLinkedObjectResponse: + $ref: '#/components/examples/GetAssociatedLinkedObjectsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Linked Object value + description: |- + Deletes any existing relationship between the `associated` and `primary` user. For the `associated` User, this is specified by the ID. The `primary` name specifies the relationship. + + The operation is successful if the relationship is deleted or if the specified User isn't in the `associated` relationship for any instance of the specified `primary` and thus, no relationship is found. + operationId: deleteLinkedObjectForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/appLinks: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Assigned Application Links - description: Lists all appLinks for all direct or indirect (via group membership) assigned applications + summary: List all Assigned App Links + description: Lists all App Links for all direct or indirect (via group membership) assigned apps operationId: listAppLinks responses: '200': @@ -18556,6 +20818,9 @@ paths: type: array items: $ref: '#/components/schemas/AppLink' + examples: + List App Links: + $ref: '#/components/examples/ListAppLinks' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -18567,7 +20832,7 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserResources x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -18577,7 +20842,7 @@ paths: - $ref: '#/components/parameters/pathUserId' get: summary: List all User Blocks - description: Lists information about how the user is blocked from accessing their account + description: Lists information about how the User is blocked from accessing their account operationId: listUserBlocks responses: '200': @@ -18614,7 +20879,7 @@ paths: - $ref: '#/components/parameters/pathUserId' get: summary: List all Clients - description: Lists all client resources for which the specified user has grants or tokens + description: Lists all Client resources for which the specified User has grants or tokens operationId: listUserClients responses: '200': @@ -18625,6 +20890,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2Client' + examples: + List User Clients: + $ref: '#/components/examples/ListUserClients' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -18636,7 +20904,7 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserResources x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -18647,22 +20915,27 @@ paths: - $ref: '#/components/parameters/pathClientId' get: summary: List all Grants for a Client - description: Lists all grants for a specified user and client + description: Lists all Grants for a specified User and client operationId: listGrantsForUserAndClient parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string - name: after in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query + description: Specifies the number of tokens to return schema: type: integer format: int32 + minimum: 1 + maximum: 200 default: 20 responses: '200': @@ -18684,14 +20957,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke all Grants for a Client - description: Revokes all grants for the specified user and client + description: Revokes all Grants for the specified User and client operationId: revokeGrantsForUserAndClient responses: '204': @@ -18708,7 +20981,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -18719,22 +20992,28 @@ paths: - $ref: '#/components/parameters/pathClientId' get: summary: List all Refresh Tokens for a Client - description: Lists all refresh tokens issued for the specified User and Client + description: Lists all refresh Tokens issued for the specified User and client operationId: listRefreshTokensForUserAndClient parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string + example: scope - name: after in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query + description: Specifies the number of tokens to return schema: type: integer format: int32 + minimum: 1 + maximum: 200 default: 20 responses: '200': @@ -18756,14 +21035,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserOAuth x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke all Refresh Tokens for a Client - description: Revokes all refresh tokens issued for the specified User and Client + description: Revokes all refresh Tokens issued for the specified User and client operationId: revokeTokensForUserAndClient responses: '204': @@ -18780,7 +21059,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserOAuth x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -18792,22 +21071,15 @@ paths: - $ref: '#/components/parameters/pathTokenId' get: summary: Retrieve a Refresh Token for a Client - description: Retrieves a refresh token issued for the specified User and Client + description: Retrieves a refresh Token issued for the specified User and client operationId: getRefreshTokenForUserAndClient parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string - - name: limit - in: query - schema: - type: integer - default: 20 - - name: after - in: query - schema: - type: string + example: scope responses: '200': description: Success @@ -18826,14 +21098,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserOAuth x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a Token for a Client - description: Revokes the specified refresh token + description: Revokes the specified refresh Token operationId: revokeTokenForUserAndClient responses: '204': @@ -18850,7 +21122,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserOAuth x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -18859,14 +21131,23 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Change Password - description: Changes a user's password by validating the user's current password. This operation can only be performed on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid password credential + summary: Update Password + description: |- + Updates a User's password by validating the User's current Password. + + This operation provides an option to delete all the sessions of the specified User. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared. + + You can only perform this operation on Users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [Password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). + + The User transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status. operationId: changePassword parameters: - name: strict in: query + description: If true, validates against password minimum age policy schema: type: boolean + default: false x-okta-added-version: 1.10.0 x-codegen-request-body-name: changePasswordRequest requestBody: @@ -18874,6 +21155,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ChangePasswordRequest' + examples: + Change Password Request: + $ref: '#/components/examples/ChangePwdRequest' required: true responses: '200': @@ -18882,6 +21166,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Change Password Response: + $ref: '#/components/examples/ChangePwdResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -18895,7 +21182,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -18904,8 +21191,10 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Change Recovery Question - description: Changes a user's recovery question & answer credential by validating the user's current password. This operation can only be performed on users in **STAGED**, **ACTIVE** or **RECOVERY** `status` that have a valid password credential + summary: Update Recovery Question + description: |- + Updates a User's Recovery Question and answer credential by validating the User's current Password. + You can only perform this operation on Users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [Password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). operationId: changeRecoveryQuestion x-codegen-request-body-name: userCredentials requestBody: @@ -18913,6 +21202,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Update Recovery Question Request: + $ref: '#/components/examples/UpdateRecQuestionRequest' required: true responses: '200': @@ -18921,6 +21213,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Update Recovery Question Response: + $ref: '#/components/examples/UpdateRecQuestionResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -18934,7 +21229,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -18943,23 +21238,41 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Initiate Forgot Password - description: Initiates the forgot password flow. Generates a one-time token (OTT) that can be used to reset a user's password. + summary: Start forgot password flow + description: |- + Starts the forgot password flow. + + Generates a one-time token (OTT) that you can use to reset a User's Password. + + The User must validate their security question's answer when visiting the reset link. This operation can only be performed on Users with an ACTIVE status and + a valid [Recovery Question credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request). + + > **Note:** If you have migrated to Identity Engine, you can allow Users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr) + + If an email address is associated with multiple Users, keep in mind the following to ensure a successful password recovery lookup: + * Okta no longer includes deactivated Users in the lookup. + * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. + + If `sendEmail` is `false`, returns a link for the User to reset their Password. This operation doesn't affect the status of the User. operationId: forgotPassword parameters: - name: sendEmail in: query + description: Sends a forgot password email to the User if `true` required: false schema: type: boolean default: true responses: '200': - description: Reset url + description: Reset URL content: application/json: schema: $ref: '#/components/schemas/ForgotPasswordResponse' + examples: + Forgot Password Response: + $ref: '#/components/examples/ForgotPwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -18971,7 +21284,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -18981,7 +21294,9 @@ paths: - $ref: '#/components/parameters/pathUserId' post: summary: Reset Password with Recovery Question - description: Resets the user's password to the specified password if the provided answer to the recovery question is correct + description: |- + Resets the User's password to the specified password if the provided answer to the recovery question is correct. + You must include the Recovery Question answer with the submission. operationId: forgotPasswordSetNewPassword parameters: - name: sendEmail @@ -18996,6 +21311,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Forgot Password Recovery Question Request: + $ref: '#/components/examples/ForgotPwdRecoveryQuestionRequest' required: true responses: '200': @@ -19004,6 +21322,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Forgot Password Recovery Question Response: + $ref: '#/components/examples/ForgotPwdRecoveryQuestionResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -19017,7 +21338,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19038,6 +21359,9 @@ paths: type: array items: $ref: '#/components/schemas/UserFactor' + examples: + ListFactorsResponse: + $ref: '#/components/examples/ListFactorsResults' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19055,18 +21379,41 @@ paths: isGenerallyAvailable: true post: summary: Enroll a Factor - description: Enrolls a supported Factor for the specified user. Some Factor types require a seperate activation to complete the enrollment process. See [Activate a Factor](./#tag/UserFactor/operation/activateFactor). + description: |- + Enrolls a supported Factor for the specified user + + > **Note:** All responses return the enrolled Factor with a status of either `PENDING_ACTIVATION`` or `ACTIVE`. + + #### Additional SMS/Call Factor information + * **Rate limits**: Okta may return a `429 Too Many Requests` status code if you attempt to resend an SMS or a voice call challenge (OTP) within the same time window. The current [rate limit](https://developer.okta.com/docs/reference/rate-limits/) is one SMS/CALL challenge per phone number every 30 seconds. + * **Existing phone numbers**: Okta may return a `400 Bad Request` status code if a user attempts to enroll with a different phone number when the user has an existing mobile phone or has an existing phone with voice call capability. A user can enroll only one mobile phone for `sms` and enroll only one voice call capable phone for `call` factor. + + #### Additional WebAuthn Factor information + **Enroll WebAuthn response parameters** + * For detailed information on the Webauthn standard, including an up-to-date list of supported browsers, see [webauthn.me](https://a0.to/webauthnme-okta-docs). + + * In the enroll API response, the `response._embedded.activation` object contains properties used to help the client to create a new WebAuthn credential for use with Okta. See the [WebAuthn spec for PublicKeyCredentialCreationOptions](https://www.w3.org/TR/webauthn/#dictionary-makecredentialoptions). + + #### Additional Custom TOTP Factor information + + **Enroll Custom TOTP Factor** + * The enrollment process involves passing both the `factorProfileId` and `sharedSecret` properties for a token. + + * A Factor Profile represents a particular configuration of the Custom TOTP factor. It includes certain properties that match the hardware token that end users possess, such as the HMAC algorithm, passcode length, and time interval. There can be multiple Custom TOTP factor profiles per org, but users can only enroll in one Custom TOTP factor. Admins can [create Custom TOTP factor profiles](https://help.okta.com/okta_help.htm?id=ext-mfa-totp) in the Admin Console. Then, copy the `factorProfileId` from the Admin Console into the API request. + + * + For Custom TOTP enrollment, Okta automaticaly enrolls a user with a `token:software:totp` factor and the `push` factor if the user isn't currently enrolled with these factors. operationId: enrollFactor parameters: - name: updatePhone - description: If `true`, indicates you are replacing the currently registered phone number for the specified user. This parameter is ignored if the existing phone number is used by an activated Factor. + description: If `true`, indicates that you are replacing the currently registered phone number for the specified user. This parameter is ignored if the existing phone number is used by an activated Factor. in: query schema: type: boolean default: false - name: templateId in: query - description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). Only used by `sms` Factors. If the provided ID doesn't exist, the default template is used instead. + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. If the provided ID doesn't exist, the default template is used instead. schema: type: string example: cstk2flOtuCMDJK4b0g3 @@ -19081,14 +21428,14 @@ paths: default: 300 x-okta-added-version: 1.3.0 - name: activate - description: If `true`, the `sms` Factor is immediately activated as part of the enrollment. An activation text message isn't sent to the device. + description: If `true`, the factor is immediately activated as part of the enrollment. An activation process isn't required. Currently auto-activation is supported by `sms`, `call`, `email` and `token:hotp` (Custom TOTP) Factor. in: query schema: type: boolean default: false x-okta-added-version: 1.3.0 - name: Accept-Language - description: An ISO 639-1 two-letter language code that defines a localized message to send. Only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. + description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. in: header schema: type: string @@ -19100,6 +21447,33 @@ paths: application/json: schema: $ref: '#/components/schemas/UserFactor' + examples: + question: + $ref: '#/components/examples/EnrollFactorQuestionRequest' + sms: + $ref: '#/components/examples/EnrollFactorSmsRequest' + call: + $ref: '#/components/examples/EnrollFactorCallRequest' + token:software:totp: + $ref: '#/components/examples/EnrollFactorOVTotpRequest' + push: + $ref: '#/components/examples/EnrollFactorOVPushRequest' + google: + $ref: '#/components/examples/EnrollFactorGoogleRequest' + rsa_securId: + $ref: '#/components/examples/EnrollFactorRsaSecurIdRequest' + symantec_vip: + $ref: '#/components/examples/EnrollFactorSymantecVipRequest' + yubikey: + $ref: '#/components/examples/EnrollFactorYubikeyRequest' + email: + $ref: '#/components/examples/EnrollFactorEmailRequest' + u2f: + $ref: '#/components/examples/EnrollFactorU2fRequest' + webAuthn: + $ref: '#/components/examples/EnrollFactorWebauthnRequest' + customTotp: + $ref: '#/components/examples/EnrollFactorCustomTotpRequest' required: true responses: '200': @@ -19108,6 +21482,33 @@ paths: application/json: schema: $ref: '#/components/schemas/UserFactor' + examples: + question: + $ref: '#/components/examples/EnrollFactorQuestionResponse' + sms: + $ref: '#/components/examples/EnrollFactorSmsResponse' + call: + $ref: '#/components/examples/EnrollFactorCallResponse' + token:software:totp: + $ref: '#/components/examples/EnrollFactorOVTotpResponse' + push: + $ref: '#/components/examples/EnrollFactorOVPushResponse' + google: + $ref: '#/components/examples/EnrollFactorGoogleResponse' + rsa_securId: + $ref: '#/components/examples/EnrollFactorRsaSecurIdResponse' + symantec_vip: + $ref: '#/components/examples/EnrollFactorSymantecVipResponse' + yubikey: + $ref: '#/components/examples/EnrollFactorYubikeyResponse' + email: + $ref: '#/components/examples/EnrollFactorEmailResponse' + u2f: + $ref: '#/components/examples/EnrollFactorU2fResponse' + webAuthn: + $ref: '#/components/examples/EnrollFactorWebauthnResponse' + customTotp: + $ref: '#/components/examples/EnrollFactorCustomTotpResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -19141,6 +21542,9 @@ paths: type: array items: $ref: '#/components/schemas/UserFactorSupported' + examples: + SupportedFactorResponse: + $ref: '#/components/examples/SupportedFactorResults' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19204,11 +21608,7 @@ paths: operationId: getFactor responses: '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/responses/GetFactorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19233,7 +21633,7 @@ paths: operationId: unenrollFactor parameters: - name: removeRecoveryEnrollment - description: If `true`, removes the the phone number as both a recovery method and a Factor. Only used for `sms` and `call` Factors. + description: If `true`, removes the phone number as both a recovery method and a Factor. This parameter is only used for the `sms` and `call` Factors. in: query schema: type: boolean @@ -19266,8 +21666,9 @@ paths: description: |- Activates a Factor. Some Factors (`call`, `email`, `push`, `sms`, `token:software:totp`, `u2f`, and `webauthn`) require activation to complete the enrollment process. - Okta enforces a rate limit of five activation attempts within five minutes. - After a user exceeds the rate limit, Okta returns an error message. + Okta enforces a rate limit of five activation attempts within five minutes. After a user exceeds the rate limit, Okta returns an error message. + + > **Note**: If the user exceeds their SMS, call, or email factor activate rate limit, then an OTP resend request (`/api/v1/users/${userId}}/factors/${factorId}/resend`) isn't allowed for the same Factor. operationId: activateFactor x-codegen-request-body-name: body requestBody: @@ -19275,6 +21676,19 @@ paths: application/json: schema: $ref: '#/components/schemas/UserFactorActivateRequest' + examples: + token:software:totp: + $ref: '#/components/examples/FactorPasscodeRequest' + sms: + $ref: '#/components/examples/FactorPasscodeRequest' + call: + $ref: '#/components/examples/FactorPasscodeRequest' + email: + $ref: '#/components/examples/FactorPasscodeRequest' + u2f: + $ref: '#/components/examples/ActivateFactorU2fRequest' + webauthn: + $ref: '#/components/examples/ActivateFactorWebauthnRequest' required: false responses: '200': @@ -19282,7 +21696,22 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/UserFactorActivateResponse' + examples: + token:software:totp: + $ref: '#/components/examples/ActivateFactorTotpResponse' + sms: + $ref: '#/components/examples/ActivateFactorSmsResponse' + call: + $ref: '#/components/examples/ActivateFactorCallResponse' + push: + $ref: '#/components/examples/ActivateFactorPushResponse' + email: + $ref: '#/components/examples/ActivateFactorEmailResponse' + u2f: + $ref: '#/components/examples/ActivateFactorU2fResponse' + webauthn: + $ref: '#/components/examples/ActivateFactorWebauthnResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -19307,7 +21736,7 @@ paths: post: summary: Resend a Factor enrollment description: |- - Resends an `sms`, `call`, or `email` factor challenge as part of an enrollment flow. + Resends an `sms`, `call`, or `email` factor challenge as part of an enrollment flow For `call` and `sms` factors, Okta enforces a rate limit of one OTP challenge per device every 30 seconds. You can configure your `sms` and `call` factors to use a third-party telephony provider. See the [Telephony inline hook reference](https://developer.okta.com/docs/reference/telephony-hook/). Okta round-robins between SMS providers with every resend request to help ensure delivery of an SMS and Call OTPs across different carriers. @@ -19316,7 +21745,7 @@ paths: parameters: - name: templateId in: query - description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). Only used by `sms` Factors. + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. schema: example: cstk2flOtuCMDJK4b0g3 type: string @@ -19325,6 +21754,13 @@ paths: application/json: schema: $ref: '#/components/schemas/ResendUserFactor' + examples: + sms: + value: + factorType: sms + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 required: true responses: '200': @@ -19333,6 +21769,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ResendUserFactor' + examples: + sms: + $ref: '#/components/examples/EnrollFactorSmsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -19366,6 +21805,15 @@ paths: application/json: schema: $ref: '#/components/schemas/UserFactorPushTransaction' + examples: + WAITING: + $ref: '#/components/examples/UserFactorVerifyPushTransactionWaiting' + SUCCESS: + $ref: '#/components/examples/UserFactorVerifyPushTransactionApproved' + REJECTED: + $ref: '#/components/examples/UserFactorVerifyPushTransactionRejected' + TIMEOUT: + $ref: '#/components/examples/UserFactorVerifyPushTransactionTimeout' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19394,7 +21842,7 @@ paths: operationId: verifyFactor parameters: - name: templateId - description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). Only used by `sms` Factors. + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. in: query schema: type: string @@ -19422,7 +21870,7 @@ paths: type: string x-okta-added-version: 1.11.0 - name: Accept-Language - description: An ISO 639-1 two-letter language code that defines a localized message to send. Only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. + description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. in: header schema: type: string @@ -19434,6 +21882,25 @@ paths: application/json: schema: $ref: '#/components/schemas/UserFactorVerifyRequest' + examples: + sms verify: + $ref: '#/components/examples/FactorPasscodeRequest' + call verify: + $ref: '#/components/examples/FactorPasscodeRequest' + email verify: + $ref: '#/components/examples/FactorPasscodeRequest' + u2f verify: + $ref: '#/components/examples/UserFactorVerifyU2fRequest' + webAuthn verify: + $ref: '#/components/examples/UserFactorVerifyWebauthnRequest' + security question verify: + $ref: '#/components/examples/UserFactorVerifySecurityQuestionRequest' + totp verify: + $ref: '#/components/examples/FactorPasscodeRequest' + token verify: + $ref: '#/components/examples/FactorPasscodeRequest' + yubikey verify: + $ref: '#/components/examples/FactorPasscodeRequest' required: false responses: '200': @@ -19442,6 +21909,37 @@ paths: application/json: schema: $ref: '#/components/schemas/UserFactorVerifyResponse' + examples: + sms challenge: + $ref: '#/components/examples/UserFactorChallengeSmsResponse' + sms verify: + $ref: '#/components/examples/UserFactorVerifySuccessSmsResponse' + call challenge: + $ref: '#/components/examples/UserFactorChallengeCallResponse' + call verify: + $ref: '#/components/examples/UserFactorVerifyCallSuccessResponse' + push challenge: + $ref: '#/components/examples/UserFactorChallengePushResponse' + email challenge: + $ref: '#/components/examples/UserFactorChallengeEmailResponse' + email verify: + $ref: '#/components/examples/UserFactorVerifyEmailSuccessResponse' + u2f challenge: + $ref: '#/components/examples/UserFactorChallengeU2fResponse' + u2f verify: + $ref: '#/components/examples/UserFactorVerifyU2fResponse' + webAuthn challenge: + $ref: '#/components/examples/UserFactorChallengeWebauthnResponse' + webAuthn verify: + $ref: '#/components/examples/UserFactorVerifyWebauthnResponse' + security question verify: + $ref: '#/components/examples/UserFactorVerifySuccessSqResponse' + totp verify: + $ref: '#/components/examples/UserFactorVerifySuccessTotpResponse' + token verify: + $ref: '#/components/examples/UserFactorVerifySuccessTokenResponse' + yubikey verify: + $ref: '#/components/examples/UserFactorVerifySuccessYubikeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -19464,26 +21962,33 @@ paths: - $ref: '#/components/parameters/pathUserId' get: summary: List all User Grants - description: Lists all grants for the specified user + description: Lists all Grants for the specified user operationId: listUserGrants parameters: - name: scopeId in: query + description: The scope ID to filter on schema: type: string - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string + example: scope - name: after in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query + description: Specifies the number of grants to return schema: type: integer format: int32 + minimum: 1 + maximum: 200 default: 20 responses: '200': @@ -19505,14 +22010,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke all User Grants - description: Revokes all grants for a specified user + description: Revokes all Grants for a specified User operationId: revokeUserGrants responses: '204': @@ -19529,7 +22034,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19540,13 +22045,15 @@ paths: - $ref: '#/components/parameters/pathGrantId' get: summary: Retrieve a User Grant - description: Retrieves a grant for the specified user + description: Retrieves a Grant for the specified User operationId: getUserGrant parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string + example: scope responses: '200': description: Success @@ -19565,14 +22072,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a User Grant - description: Revokes one grant for a specified user + description: Revokes one Grant for a specified User operationId: revokeUserGrant responses: '204': @@ -19589,7 +22096,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19599,11 +22106,8 @@ paths: - $ref: '#/components/parameters/pathUserId' get: summary: List all Groups - description: Lists all groups of which the user is a member + description: Lists all Groups of which the User is a member operationId: listUserGroups - parameters: - - $ref: '#/components/parameters/queryAfter' - - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success @@ -19613,6 +22117,9 @@ paths: type: array items: $ref: '#/components/schemas/Group' + examples: + List User Groups: + $ref: '#/components/examples/ListUserGroups' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19624,7 +22131,7 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserResources x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19633,8 +22140,8 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Identity Providers - description: Lists the IdPs associated with the user + summary: List all Identity Providers for User + description: Lists the IdPs associated with the User operationId: listUserIdentityProviders responses: '200': @@ -19645,6 +22152,9 @@ paths: type: array items: $ref: '#/components/schemas/IdentityProvider' + examples: + MultipleIdPsResponse: + $ref: '#/components/examples/MultipleIdPsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19656,7 +22166,7 @@ paths: - oauth2: - okta.users.read tags: - - User + - IdentityProviderUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -19666,25 +22176,31 @@ paths: post: summary: Activate a User description: |- - Activates a user. This operation can only be performed on users with a `STAGED` or `DEPROVISIONED` status. - Activation of a user is an asynchronous operation. The user will have the `transitioningToStatus` - property with a value of `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation. - The user will have a status of `ACTIVE` when the activation process is complete. - > **Multibrand and User activation**
- If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand. - For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains). -

- > **Legal disclaimer**
- After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, - you agreed not to use Okta's service/product to spam and/or send unsolicited messages. - Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all - liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. + Activates a User. + + This operation can only be performed on Users with a `STAGED` or `DEPROVISIONED` status. Activation of a User is an asynchronous operation. + * The User will have the `transitioningToStatus` property with an `ACTIVE` value during activation to indicate that the user hasn't completed the asynchronous operation. + * The User will have an `ACTIVE` status when the activation process completes. + + Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status. + + > **Note:** If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand. + > For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains). + + > **Note:** If you have Optional Password enabled, visiting the activation link is optional for users who aren't required to enroll a password. + > See [Create user with Optional Password enabled](https://developer.okta.com/docs/reference/api/users/#create-user-with-optional-password-enabled). + + > **Legal disclaimer** + > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, + > you agreed not to use Okta's service/product to spam and/or send unsolicited messages. + > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all + > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. operationId: activateUser parameters: - name: sendEmail in: query - description: Sends an activation email to the user if true - required: true + description: Sends an activation email to the user if `true` + required: false schema: type: boolean default: true @@ -19706,7 +22222,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19716,15 +22232,34 @@ paths: - $ref: '#/components/parameters/pathUserId' post: summary: Deactivate a User - description: 'Deactivates a user. This operation can only be performed on users that do not have a `DEPROVISIONED` status. While the asynchronous operation (triggered by HTTP header `Prefer: respond-async`) is proceeding the user''s `transitioningToStatus` property is `DEPROVISIONED`. The user''s status is `DEPROVISIONED` when the deactivation process is complete.' + description: |- + Deactivates a User. + + This operation can only be performed on Users that do not have a `DEPROVISIONED` status. + * The User's `transitioningToStatus` property is `DEPROVISIONED` during deactivation to indicate that the user hasn't completed the asynchronous operation. + * The User's status is `DEPROVISIONED` when the deactivation process is complete. + + > **Important:** Deactivating a User is a **destructive** operation. The User is deprovisioned from all assigned apps, which might destroy their data such as email or files. + **This action cannot be recovered!** + + You can also perform user deactivation asynchronously. To invoke asynchronous user deactivation, pass an HTTP header `Prefer: respond-async` with the request. operationId: deactivateUser parameters: - name: sendEmail in: query + description: Sends a deactivation email to the admin if `true` schema: type: boolean default: false x-okta-added-version: 1.5.0 + - name: Prefer + in: header + required: false + schema: + type: string + enum: + - respond-async + description: Request asynchronous processing responses: '200': description: OK @@ -19740,7 +22275,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19750,7 +22285,12 @@ paths: - $ref: '#/components/parameters/pathUserId' post: summary: Expire Password - description: Expires a user's password and transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login + description: |- + Expires the password. This operation transitions the User status to `PASSWORD_EXPIRED` so that the User must change their password the next time that they sign in. +
+ If you have integrated Okta with your on-premises Active Directory (AD), then setting a User's Password as expired in Okta also expires the Password in AD. + When the User tries to sign in to Okta, delegated authentication finds the password-expired status in AD, + and the User is presented with the password-expired page where they can change their Password. operationId: expirePassword responses: '200': @@ -19759,6 +22299,9 @@ paths: application/json: schema: $ref: '#/components/schemas/User' + examples: + Expire Password Response: + $ref: '#/components/examples/ExpirePwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19770,7 +22313,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19779,13 +22322,20 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Expire Password and Set Temporary Password - description: Expires a user's password and transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login, and also sets the user's password to a temporary password returned in the response - operationId: expirePasswordAndGetTemporaryPassword + summary: Expire Password with temporary password + description: |- + Expires the password and resets the User's Password to a temporary password. This operation transitions the User status to `PASSWORD_EXPIRED` so that the User must change their password the next time that they sign in. + User's Password is reset to a temporary password that is returned, and then the User's Password is expired. + If `revokeSessions` is included in the request with a value of `true`, the User's current outstanding sessions are revoked and require re-authentication. +
+ If you have integrated Okta with your on-premises Active Directory (AD), then setting a User's Password as expired in Okta also expires the Password in AD. + When the User tries to sign in to Okta, delegated authentication finds the password-expired status in AD, + and the User is presented with the password-expired page where they can change their Password. + operationId: expirePasswordWithTempPassword parameters: - name: revokeSessions - description: When set to `true` (and the session is a user session), all user sessions are revoked except the current session. in: query + description: Revokes the User's existing sessions if `true` required: false schema: type: boolean @@ -19796,48 +22346,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/TempPassword' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.users.manage - tags: - - User - x-okta-lifecycle: - isCorsEnabled: true - lifecycle: GA - isGenerallyAvailable: true - /api/v1/users/{userId}/lifecycle/reactivate: - parameters: - - $ref: '#/components/parameters/pathUserId' - post: - summary: Reactivate a User - description: |- - Reactivates a user. This operation can only be performed on users with a `PROVISIONED` status. - This operation restarts the activation workflow if the user activation wasn't completed with the `activationToken` from [Activate a user](/openapi/okta-management/management/tag/User/#tag/User/operation/activateUser). - - > **Note:** A successful request to this endpoint records the same set of events as when a user is activated in System Logs, since it invokes the same activation workflow. - operationId: reactivateUser - parameters: - - name: sendEmail - in: query - description: Sends an activation email to the user if true - schema: - type: boolean - default: false - responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/UserActivationToken' + $ref: '#/components/schemas/User' + examples: + Expire Password with Temp Password Response: + $ref: '#/components/examples/ExpirePwdWithTempPwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19849,7 +22361,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19858,16 +22370,9 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Reset all Factors - description: Resets all factors for the specified user. All MFA factor enrollments returned to the unenrolled state. The user's status remains ACTIVE. This link is present only if the user is currently enrolled in one or more MFA factors. + summary: Reset Factors + description: Resets all factors for the specified User. All MFA factor enrollments return to the unenrolled state. The User's status remains `ACTIVE`. This link is present only if the User is currently enrolled in one or more MFA factors. operationId: resetFactors - parameters: - - name: removeRecoveryEnrollment - description: 'If `true`, removes the phone number as both a recovery method and a Factor. Supported Factors: `sms` and `call`' - in: query - schema: - type: boolean - default: false responses: '200': description: OK @@ -19883,7 +22388,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19892,9 +22397,21 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Generate a Reset Password Token - description: Generates a one-time token (OTT) that can be used to reset a user's password. The OTT link can be automatically emailed to the user or returned to the API caller and distributed using a custom flow. - operationId: generateResetPasswordToken + summary: Reset password + description: |- + Resets password. Generates a one-time token (OTT) that you can use to reset a User's password. You can automatically email the OTT link to the User or return the OTT to the API caller and distribute using a custom flow. + + This operation transitions the User to the `RECOVERY` status. The User is then not able to sign in or initiate a forgot password flow until they complete the reset flow. + + This operation provides an option to delete all the User's sessions. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared. + > **Note:** You can also use this API to convert a User with the Okta Credential Provider to use a Federated Provider. After this conversion, the User can't directly sign in with a password. + > To convert a federated User back to an Okta User, use the default API call. + + If an email address is associated with multiple Users, keep in mind the following to ensure a successful password recovery lookup: + * Okta no longer includes deactivated Users in the lookup. + * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. + If `sendEmail` is `false`, returns a link for the User to reset their password. + operationId: resetPassword parameters: - name: sendEmail in: query @@ -19902,7 +22419,7 @@ paths: schema: type: boolean - name: revokeSessions - description: When set to `true` (and the session is a user session), all user sessions are revoked except the current session. + description: Revokes all User sessions, except for the current session, if set to `true` in: query required: false schema: @@ -19915,6 +22432,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ResetPasswordToken' + examples: + Reset Password without Sending Email Response: + $ref: '#/components/examples/ResetPwdWithoutSendingEmailResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19926,7 +22446,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19936,12 +22456,17 @@ paths: - $ref: '#/components/parameters/pathUserId' post: summary: Suspend a User - description: Suspends a user. This operation can only be performed on users with an `ACTIVE` status. The user will have a status of `SUSPENDED` when the process is complete. + description: |- + Suspends a user. This operation can only be performed on Users with an `ACTIVE` status. The User has a `SUSPENDED` status when the process completes. + + Suspended users can't sign in to Okta. They can only be unsuspended or deactivated. Their group and app assignments are retained. operationId: suspendUser responses: '200': description: OK content: {} + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -19953,7 +22478,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19963,7 +22488,9 @@ paths: - $ref: '#/components/parameters/pathUserId' post: summary: Unlock a User - description: Unlocks a user with a `LOCKED_OUT` status or unlocks a user with an `ACTIVE` status that is blocked from unknown devices. Unlocked users have an `ACTIVE` status and can sign in with their current password. + description: |- + Unlocks a User with a `LOCKED_OUT` status or unlocks a User with an `ACTIVE` status that is blocked from unknown devices. Unlocked Users have an `ACTIVE` status and can sign in with their current password. + > **Note:** This operation works with Okta-sourced users. It doesn't support directory-sourced accounts such as Active Directory. operationId: unlockUser responses: '200': @@ -19980,7 +22507,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -19990,12 +22517,14 @@ paths: - $ref: '#/components/parameters/pathUserId' post: summary: Unsuspend a User - description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status. + description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status. operationId: unsuspendUser responses: '200': description: Success content: {} + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -20007,7 +22536,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -20016,14 +22545,11 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Roles assigned to a User - description: Lists all roles assigned to a user identified by `userId` + summary: List all User Role Assignments + description: Lists all roles assigned to a User (identified by `userId`) operationId: listAssignedRolesForUser parameters: - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/pathQueryRoleExpand' responses: '200': description: Success @@ -20032,7 +22558,16 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponse' + Custom Roles: + $ref: '#/components/examples/StandardAndCustomRolesListResponse' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -20044,26 +22579,37 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Assign a Role to a User - description: Assigns a role to a user identified by `userId` + summary: Assign a User Role + description: |- + Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a User. + + You can also assign a custom role to a User, but the preferred method to assign a custom role to a User is to create a binding between the Custom Role, the Resource Set, and the User. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. operationId: assignRoleToUser parameters: - name: disableNotifications - description: Setting this to `true` grants the user third-party admin status + description: Setting this to `true` grants the User third-party admin status in: query schema: type: boolean + default: false x-codegen-request-body-name: assignRoleRequest requestBody: content: application/json: schema: - $ref: '#/components/schemas/AssignRoleRequest' + type: object + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' required: true responses: '201': @@ -20071,7 +22617,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' + type: object + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRoleResponseUser' + Custom Roles: + $ref: '#/components/examples/CustomRoleResponseUser' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRoleResponseUser' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -20085,17 +22641,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment + - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/users/{userId}/roles/{roleId}: + /api/v1/users/{userId}/roles/{roleAssignmentId}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: Retrieve a Role assigned to a User - description: Retrieves a role identified by `roleId` assigned to a user identified by `userId` + summary: Retrieve a User Role Assignment + description: Retrieves a Role assigned to a User (identified by `userId`). The `roleAssignmentId` parameter is the unique identifier for either a standard Role Assignment object or a custom role Resource Set Binding object. operationId: getUserAssignedRole responses: '200': @@ -20103,7 +22659,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRoleResponseUser' + Custom Roles: + $ref: '#/components/examples/CustomRoleResponseUser' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRoleResponseUser' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -20115,13 +22680,13 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign a Role from a User - description: Unassigns a role identified by `roleId` from a user identified by `userId` + summary: Unassign a User Role + description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a User (identified by `userId`) operationId: unassignRoleFromUser responses: '204': @@ -20138,17 +22703,31 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment + - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps: + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGrantId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}/resources: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGrantId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Application Targets for Application Administrator Role - description: Lists all App targets for an `APP_ADMIN` Role assigned to a User. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID. + summary: List all Admin Role Application Targets + description: Lists all app targets for an `APP_ADMIN` Role Assigned to a User. The response is a list that includes OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app payload doesn't. operationId: listApplicationTargetsForApplicationAdministratorRoleForUser parameters: - name: after @@ -20181,7 +22760,7 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -20204,18 +22783,21 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}: + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' put: - summary: Assign an Application Target to Administrator Role - description: Assigns an application target to administrator role + summary: Assign an Admin Role Application Target + description: | + Assigns an OIN app target for an `APP_ADMIN` Role Assignment to an admin User. When you assign the first app target, you reduce the scope of the Role Assignment. + The Role no longer applies to all app targets, but applies only to the specified target. Assigning an OIN app target overrides any existing app instance targets of the OIN app. + For example, if a user was assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances. operationId: assignAppTargetToAdminRoleForUser responses: '204': @@ -20232,13 +22814,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign an Application Target from an Application Administrator Role - description: Unassigns an application target from application administrator role + summary: Unassign an Admin Role Application Target + description: | + Unassigns an OIN app target from an `APP_ADMIN` Role Assignment to an admin User. + + > **Note:** You can't remove the last OIN app target from a Role Assignment since this causes an exception. + > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment to the User and recreate a new one. operationId: unassignAppTargetFromAppAdminRoleForUser responses: '204': @@ -20255,19 +22841,24 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}/{appId}: + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathAppId' put: - summary: Assign an Application Instance Target to an Application Administrator Role - description: Assigns anapplication instance target to appplication administrator role + summary: Assign an Admin Role Application Instance Target + description: | + Assigns an app instance target to an `APP_ADMIN` Role Assignment to an admin User. When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment. + The Role no longer applies to all app targets, but applies only to the specified target. + + > **Note:** You can target a mixture of both OIN app and app instance targets, but can't assign permissions to manage all instances of an OIN app and then assign a subset of permission to the same OIN app. + > For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. operationId: assignAppInstanceTargetToAppAdminRoleForUser responses: '204': @@ -20284,13 +22875,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign an Application Instance Target from an Application Administrator Role - description: Unassigns an application instance target from an application administrator role + summary: Unassign an Admin Role Application Instance Target + description: |- + Unassigns an app instance target from an `APP_ADMIN` Role Assignment to an admin User. + + > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception. + > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. operationId: unassignAppInstanceTargetFromAdminRoleForUser responses: '204': @@ -20307,17 +22902,19 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/users/{userId}/roles/{roleId}/targets/groups: + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Group Targets for Role - description: Lists all group targets for role + summary: List all Admin Role Group Targets + description: | + Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to an admin User. + If the Role isn't scoped to specific Group targets, an empty array `[]` is returned. operationId: listGroupTargetsForRole parameters: - name: after @@ -20350,18 +22947,20 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true - /api/v1/users/{userId}/roles/{roleId}/targets/groups/{groupId}: + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathGroupId' put: - summary: Assign a Group Target to Role - description: Assigns a Group Target to Role + summary: Assign an Admin Role Group Target + description: | + Assigns a Group target for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to an admin User. + When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets but applies only to the specified target. operationId: assignGroupTargetToUserRole responses: '204': @@ -20378,13 +22977,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Unassign a Group Target from Role - description: Unassigns a Group Target from Role + summary: Unassign an Admin Role Group Target + description: | + Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to an admin User. + + > **Note:** You can't remove the last Group target from a Role Assignment since this causes an exception. + > If you need a Role Assignment that applies to all Groups, delete the Role Assignment to the User and recreate a new one. operationId: unassignGroupTargetFromUserAdminRole responses: '204': @@ -20401,7 +23004,7 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -20409,8 +23012,10 @@ paths: parameters: - $ref: '#/components/parameters/pathUserId' delete: - summary: Revoke all User Sessions - description: Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. + summary: Revoke all User sessions + description: |- + Revokes all active Identity Provider sessions of the User. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the User. + > **Note:** This operation doesn't clear the sessions created for web or native apps. operationId: revokeUserSessions parameters: - name: oauthTokens @@ -20434,7 +23039,7 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserSessions x-okta-lifecycle: isCorsEnabled: true lifecycle: GA @@ -20521,7 +23126,7 @@ paths: - $ref: '#/components/parameters/pathNotificationType' post: summary: Subscribe a User to a Specific Notification Type - description: Subscribes the current user to a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. + description: Subscribes the current User to a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. operationId: subscribeByNotificationTypeUser parameters: - in: path @@ -20555,7 +23160,7 @@ paths: - $ref: '#/components/parameters/pathNotificationType' post: summary: Unsubscribe a User from a Specific Notification Type - description: Unsubscribes the current user from a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. + description: Unsubscribes the current User from a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. operationId: unsubscribeByNotificationTypeUser parameters: - in: path @@ -21000,6 +23605,75 @@ paths: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true + /device-access/api/v1/desktop-mfa/recovery-pin-settings: + get: + summary: Retrieve the Desktop MFA Recovery PIN Org setting + description: Retrieves the status of the Desktop MFA Recovery PIN feature. That is, whether or not the feature is enabled for your org. + operationId: getDesktopMFARecoveryPinOrgSetting + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Desktop MFA Recovery PIN Org Setting + description: Replaces the Desktop MFA Recovery PIN feature for your org + operationId: replaceDesktopMFARecoveryPinOrgSetting + x-codegen-request-body-name: DesktopMFARecoveryPinOrgSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /integrations/api/v1/api-services: get: summary: List all API Service Integration instances @@ -21305,14 +23979,11 @@ paths: parameters: - $ref: '#/components/parameters/pathSubmissionId' /oauth2/v1/clients/{clientId}/roles: - x-okta-lifecycle: - lifecycle: GA - isGenerallyAvailable: true parameters: - $ref: '#/components/parameters/pathClientId' get: - summary: List all Roles for a Client - description: Lists all Roles by `clientId` + summary: List all Client Role Assignments + description: Lists all roles assigned to a Client Application identified by `clientId` operationId: listRolesForClient responses: '200': @@ -21320,10 +23991,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Client' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' examples: - All role assignments: - $ref: '#/components/examples/ListRoleAssignments' + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponseClient' + Custom Roles: + $ref: '#/components/examples/CustomRolesListResponseClient' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponseClient' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -21335,10 +24012,20 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Assign Role to Client - description: Assigns a Role to a Client + summary: Assign a Client Role + description: |- + Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a Client Application. + + You can also assign a custom role to a Client Application, but the preferred method to assign a custom role to a client is to create a binding between the Custom Role, the Resource Set, and the Client Application. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. operationId: assignRoleToClient requestBody: required: true @@ -21359,12 +24046,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Client' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' examples: Standard Role: - $ref: '#/components/examples/StandardRoleAssignmentResponse' + $ref: '#/components/examples/StandardRoleResponseClient' Custom Role Assignment: - $ref: '#/components/examples/CustomRoleAssignmentResponse' + $ref: '#/components/examples/CustomRoleResponseClient' + IAM-based Role Assignment: + $ref: '#/components/examples/IAMStandardRolesListResponseClient' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -21376,17 +24067,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment - /oauth2/v1/clients/{clientId}/roles/{roleId}: - x-okta-lifecycle: - lifecycle: GA - isGenerallyAvailable: true + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}: parameters: - $ref: '#/components/parameters/pathClientId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: Retrieve a Client Role - description: Retrieves a Client Role + description: Retrieves a Role Assignment (identified by `roleAssignmentId`) for a Client Application (identified by `clientId`) operationId: retrieveClientRole responses: '200': @@ -21394,12 +24085,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Client' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' examples: Standard Role: - $ref: '#/components/examples/StandardRoleAssignmentResponse' + $ref: '#/components/examples/StandardRoleResponseClient' Custom Role Assignment: - $ref: '#/components/examples/CustomRoleAssignmentResponse' + $ref: '#/components/examples/CustomRoleResponseClient' + IAM-based Standard Role Assignment: + $ref: '#/components/examples/IAMStandardRoleResponseClient' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -21411,10 +24106,13 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a Role from a Client - description: Unassigns a Role from a Client + summary: Unassign a Client Role + description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a Client Application (identified by `clientId`) operationId: deleteRoleFromClient responses: '204': @@ -21431,17 +24129,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment - /oauth2/v1/clients/{clientId}/roles/{roleId}/targets/catalog/apps: - x-okta-lifecycle: - lifecycle: GA - isGenerallyAvailable: true + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps: parameters: - $ref: '#/components/parameters/pathClientId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all App Targets assigned to a Client - description: Lists App Targets for Client and Role + summary: List all Client Role Application Targets + description: Lists all OIN app targets for an `APP_ADMIN` Role that's assigned to a client Application (by `clientId`). operationId: listAppTargetRoleToClient parameters: - $ref: '#/components/parameters/queryAfter' @@ -21452,10 +24150,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Client' - examples: - Application target: - $ref: '#/components/examples/ApplicationTargetResponse' + type: array + items: + $ref: '#/components/schemas/CatalogApplication' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -21467,18 +24164,23 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget - /oauth2/v1/clients/{clientId}/roles/{roleId}/targets/catalog/apps/{appName}: - x-okta-lifecycle: - lifecycle: GA - isGenerallyAvailable: true + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: parameters: - $ref: '#/components/parameters/pathClientId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' put: - summary: Assign an App Target to a Client - description: Assigns an Application Target to a Client + summary: Assign a Client Role Application Target + description: |- + Assigns an OIN app target for an `APP_ADMIN` Role Assignment to a client Application. When you assign an app target from the OIN catalog, you reduce the scope of the Role Assignment. + The Role applies to only app instances that are included in the specified OIN app target. + + An assigned OIN app target overrides any existing app instance targets. + For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances. operationId: assignAppTargetRoleToClient responses: '204': @@ -21495,10 +24197,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Remove an App Target from a Client - description: Removes an Application Target by `clientId` + summary: Unassign a Client Role Application Target + description: |- + Unassigns an OIN app target for a Role Assignment to a client Application + + > **Note:** You can't remove the last OIN app target from a Role Assignment since operation causes an exception. + > If you need a Role assignment that applies to all apps, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). operationId: removeAppTargetRoleFromClient responses: '204': @@ -21515,19 +24224,24 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget - /oauth2/v1/clients/{clientId}/roles/{roleId}/targets/catalog/apps/{appName}/{appInstanceId}: - x-okta-lifecycle: - lifecycle: GA - isGenerallyAvailable: true + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: parameters: - $ref: '#/components/parameters/pathClientId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' - - $ref: '#/components/parameters/pathAppInstanceId' + - $ref: '#/components/parameters/pathAppId' put: - summary: Replace an App Instance Target for a Client - description: Replaces an App Instance Target by `clientId` + summary: Assign a Client Role Application Instance Target + description: |- + Assigns an app instance target to an `APP_ADMIN` Role Assignment to a client Application. When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment. + The Role no longer applies to all app targets, but applies only to the specified target. + + > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. + For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage only specific configurations of the Salesforce app. operationId: assignAppTargetInstanceRoleForClient responses: '204': @@ -21544,10 +24258,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete an App Instance Target for a Client - description: Deletes an App Instance Target from a Client + summary: Unassign a Client Role Application Instance Target + description: |- + Unassigns an OIN app instance target from a Role Assignment to a client Application + + > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception. + > If you need a Role Assignment that applies to all the apps, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). operationId: removeAppTargetInstanceRoleForClient responses: '204': @@ -21564,17 +24285,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget - /oauth2/v1/clients/{clientId}/roles/{roleId}/targets/groups: - x-okta-lifecycle: - lifecycle: GA - isGenerallyAvailable: true + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups: parameters: - $ref: '#/components/parameters/pathClientId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Group Targets for a Client - description: Lists all Group Targets by `clientId` and `roleId` + summary: List all Client Role Group Targets + description: Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client. If the Role isn't scoped to specific Group targets, an empty array `[]` is returned. operationId: listGroupTargetRoleForClient parameters: - $ref: '#/components/parameters/queryAfter' @@ -21585,10 +24306,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Client' - examples: - Application target: - $ref: '#/components/examples/GroupTargetResponse' + type: array + items: + $ref: '#/components/schemas/Group' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -21600,18 +24320,18 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget - /oauth2/v1/clients/{clientId}/roles/{roleId}/targets/groups/{groupId}: - x-okta-lifecycle: - lifecycle: GA - isGenerallyAvailable: true + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathClientId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathGroupId' put: - summary: Assign a Group Target to a Client - description: Assigns a Group Target to a Client + summary: Assign a Client Role Group Target + description: Assigns a Group target to a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client Application. When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets, but applies only to the specified target. operationId: assignGroupTargetRoleForClient responses: '204': @@ -21628,10 +24348,16 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Group Target from a Client - description: Deletes a Group Target from a Client + summary: Unassign a Client Role Group Target + description: |- + Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client Application. + + > **Note:** You can't remove the last Group target from a Role Assignment, as it causes an exception. If you need a Role Assignment that applies to all Groups, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). operationId: removeGroupTargetRoleFromClient responses: '204': @@ -21648,13 +24374,24 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /privileged-access/api/v1/accounts/{id}: + parameters: + - $ref: '#/components/parameters/privilegedAccountId' + /privileged-access/api/v1/resources/{id}: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' + /privileged-access/api/v1/resources/{id}/claim: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' + /privileged-access/api/v1/resources/{id}/rotate-password: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' /security/api/v1/security-events: post: - x-okta-lifecycle: - lifecycle: EA - isGenerallyAvailable: false - SKUs: [] summary: Publish a Security Event Token description: Publishes a Security Event Token (SET) sent by a Security Events Provider. After the token is verified, Okta ingests the event and performs any appropriate action. operationId: publishSecurityEventTokens @@ -21684,17 +24421,249 @@ paths: security: [] tags: - SSFSecurityEventToken + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/activate: + post: + summary: Activate a Preregistered WebAuthn Factor + description: Activates a preregistered WebAuthn Factor. As part of this operation, Okta first decrypts and verifies the Factor PIN and enrollment data sent by the fulfillment provider. + operationId: activatePreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Activation Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredResponsesProcessingFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/enroll: + post: + summary: Enroll a Preregistered WebAuthn Factor + description: Enrolls a preregistered WebAuthn Factor. This WebAuthn Factor has a longer challenge timeout period to accommodate the fulfillment request process. As part of this operation, Okta generates EC key-pairs used to encrypt the Factor PIN and enrollment data sent by the fulfillment provider. + operationId: enrollPreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Initialization Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredRequestsGenerationFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/initiate-fulfillment-request: + post: + summary: Generate a Fulfillment Request + description: Generates a fulfillment request by sending a WebAuthn Preregistration event to start the flow. The Okta Workflows WebAuthn preregistration integration uses this to populate the fulfillment request. + operationId: generateFulfillmentRequest + x-codegen-request-body-name: body + requestBody: + description: Fulfillment Request + content: + application/json: + schema: + $ref: '#/components/schemas/FulfillmentRequest' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/send-pin: + post: + summary: Send a PIN to user + description: Sends the decoded PIN for the specified WebAuthn Preregistration Enrollment. PINs are sent to the user's email. To resend the PIN, call this operation again. + operationId: sendPin + x-codegen-request-body-name: body + requestBody: + description: Send PIN Request + content: + application/json: + schema: + $ref: '#/components/schemas/PinRequest' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /webauthn-registration/api/v1/users/{userId}/enrollments: parameters: - $ref: '#/components/parameters/pathUserId' + get: + summary: List all WebAuthn Preregistration Factors + description: Lists all WebAuthn Preregistration Factors for the specified user + operationId: listWebAuthnPreregistrationFactors + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/WebAuthnPreregistrationFactor' + example: + - id: fwf23789dfs9asdf782 + factorType: webauthn + provider: FIDO + vendorName: FIDO + fulfillmentProvider: yubico + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: YubiKey 5C + presetPinAvailable: true + _links: + self: + href: https://example.okta.com/webauthn-registration/api/v1/users/00u15s1KDETTQMQYABRL/enrollments/fwf23789dfs9asdf782 + hints: + allow: + - DELETE + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/authenticatorEnrollmentId' + delete: + summary: Delete a WebAuthn Preregistration Factor + description: Deletes a specific WebAuthn Preregistration Factor for a user + operationId: deleteWebAuthnPreregistrationFactor + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine x-webhooks: CreateTelephonyInlineHook: post: - summary: Create an Okta Telephony Inline Hook + summary: Create a Telephony Inline Hook description: |- Creates an Okta Telephony inline hook request. This is an automated request from Okta to your third-party service endpoint. @@ -21716,10 +24685,12 @@ x-webhooks: When you create a telephony inline hook, you must include the `authScheme` parameter. See [Create inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook) and the [authScheme object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook!path=channel/0/config/authScheme&t=request) - ### Timeout behavior + ### Time-out behavior If the provider response times out, Okta attempts to send the OTP using the Okta telephony providers. See [Troubleshoot](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook/#troubleshoot). + >**Note:** The failover mechanism that uses the Okta telephony providers is heavily rate-limited. + ### Troubleshoot This section explains several common causes of failure for telephony inline hooks. @@ -21766,6 +24737,379 @@ x-webhooks: - oauth2: [] tags: - InlineHook + CreatePasswordImportInlineHook: + post: + summary: Create a Password Import Inline Hook + description: |- + Creates a password import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, + and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, + which specify the Okta commands to execute. + + >**Note:** The size of your response payload must be less than 256 KB. + + The password import inline hook allows you to migrate users from another data store where you want the users to retain their current passwords. + Use this hook with the [Create User with password import inline hook](https://developer.okta.com/docs/reference/api/users/#create-user-with-password-import-inline-hook) flow that's provided by the [Users API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/). + + The password import inline hook is triggered when the user tries to sign in to Okta for the first time. Okta sends your external service the password that the user supplied. Your external service then needs to send a response to Okta indicating whether the password supplied by the end user is valid. + + If your service returns a response that indicates that the password is valid, Okta sets the password for the user. The password import inline hook won't need to call your service again. + However, if the Okta service is in read-only mode, it might not be possible to set the password. Okta then needs to call your service again the next time the user attempts to sign in. + See [Password inline hook and Okta read-only mode](#password-inline-hook-and-okta-read-only-mode) and [Removing password from existing user store](#password-removal-from-an-existing-user-store). + + >**Notes:** + > * Password policies don't apply to the password import inline hook. That is, if your external service validates the password, the password is imported even if it doesn't meet the Okta password policy requirements. + > * You can create only one password import inline hook per org. + + See also: + + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + * [Password import inline hook](https://developer.okta.com/docs/guides/password-import-inline-hook/nodejs/main/) for an example implementation of this inline hook + + ### Enable a password import inline hook + + To enable a password import inline hook, you first need to register your external service endpoint with Okta and configure it as an inline hook of type `com.okta.user.credential.password.import`. + You can enable the hook using the Admin Console, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) or through the [Inline Hooks management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/). + When creating a user with the Users API, you need to use the [Create User with password import inline hook](https://developer.okta.com/docs/reference/api/users/#create-user-with-password-import-inline-hook) use case. + This involves specifying a `credentials.password.hook` property in the request body. + + When the user that you have added attempts to sign in to Okta for the first time, the hook is triggered and Okta calls your external service. The call sends the credentials that the end user provided. Your service can check + the credentials and respond with a command to indicate whether the credentials are valid or not. + + ### Password inline hook and Okta read-only mode + + If your external service responds to Okta indicating that the credentials are valid, Okta saves the password and can authenticate the user independently from then on. However, if your Okta org is in a special [read-only mode](https://support.okta.com/help/s/article/What-is-Oktas-Readonly-Mode) + at the time the user signs in, then saving the password might not be possible. The next time the end user attempts to sign in, the password import inline hook needs to be called again. + + ### Password removal from an existing user store + + Because of the possibility of your org being in a special service mode, you shouldn't attempt to permanently delete user passwords from your existing user store until you can verify the success of the password import . An Okta System Log Event, `user.import.password`, is available for this purpose. An event of this type is created every time a password import inline hook is fired, with its `Event.Outcome` property providing a status of `FAILURE` or `SUCCESS` for the password import operation. + If the status is `SUCCESS`, Okta has successfully saved the end user's password, and it's safe to delete it from your previous user store. + + You can configure an [Event hook](https://developer.okta.com/docs/concepts/event-hooks/) to send this event type to you for use when triggering automated cleanup of end-user + passwords after successful migration. + operationId: createPasswordImportInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/PasswordImportRequest' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportPayloadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/PasswordImportResponse' + examples: + PasswordImportVerifiedResponse: + $ref: '#/components/examples/PasswordImportVerifiedResponse' + PasswordImportUnVerifiedResponse: + $ref: '#/components/examples/PasswordImportUnVerifiedResponse' + '204': + description: No content - Unverified user response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-registration-hook: + post: + summary: Create a Registration Inline Hook + description: |- + Creates a registration inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, + and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, + which specify the Okta commands to execute. + + The Okta registration inline hook allows you to integrate your own custom code into Okta's [Profile Enrollment](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-profile-enrollment) flow. The hook is triggered after Okta receives the registration or profile update request. Your custom code can: + - Allow or deny the registration attempt, based on your own validation of the information the user has submitted + - Set or override the values that are populated in attributes of the user's Okta profile + > **Note:** Profile Enrollment and self-service registration (SSR) inline hooks only work with the [Okta Sign-In Widget](https://developer.okta.com/code/javascript/okta_sign-in_widget/) version 4.5 or later. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + * [Registration inline hook](https://developer.okta.com/docs/guides/registration-inline-hook) for an example implementation of this inline hook + operationId: create-registration-hook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + examples: + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentRequest' + ProgressiveProfileRequest: + $ref: '#/components/examples/ProgressiveProfileRequest' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/RegistrationResponse' + examples: + ProfileEnrollmentResponse: + $ref: '#/components/examples/ProfileEnrollmentResponse' + ProgressiveProfileResponse: + $ref: '#/components/examples/ProgressiveProfileResponse' + ProfileEnrollmentResponseDeny: + $ref: '#/components/examples/ProfileEnrollmentResponseDeny' + ProgressiveProfileResponseDeny: + $ref: '#/components/examples/ProgressiveProfileResponseDeny' + '204': + description: No content - Allow registration to proceed without any update. + tags: + - InlineHook + security: + - apiToken: [] + - oauth2: [] + x-okta-no-scope-required: true + CreateUserImportInlineHook: + post: + summary: Create a User Import Inline Hook + description: |- + Creates a user import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. + This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include + in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. + + The user import inline hook enables you to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in user name or other profile attributes, + modify values of profile attributes, and control whether the imported user is treated as a match for an existing user or not. The hook is invoked for each user being imported, + at the point immediately after any applicable profile attribute mappings have been applied, and any potential matches with existing users have been found, but before the Okta user profile is created. + + >**Note:** If the external service times out after receiving an Okta request, the Okta process flow continues and the user is created. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + + >**Note:** The procedure for associating a user import inline hook with an app using the Admin Console can't be used with AD or LDAP. + operationId: createUserImportInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/UserImportRequest' + examples: + UserImportPayloadExample: + $ref: '#/components/examples/UserImportPayloadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/UserImportResponse' + examples: + UserImportChangeAppUserProfileExample: + $ref: '#/components/examples/UserImportChangeAppUserProfileExample' + UserImportChangeUserProfileExample: + $ref: '#/components/examples/UserImportChangeUserProfileExample' + UserImportCreateANewUserExample: + $ref: '#/components/examples/UserImportCreateANewUserExample' + UserImportMatchExample: + $ref: '#/components/examples/UserImportMatchExample' + UserImportErrorExample: + $ref: '#/components/examples/UserImportErrorExample' + '204': + description: No content - Use the default action + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-saml-hook: + post: + summary: Create a SAML Assertion Inline Hook + description: |- + Creates a SAML Assertion inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. + + This type of inline hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that will consume it, Okta calls out to your external service. Your external service can respond with commands to add attributes to the assertion or to modify its existing attributes. + + You can use this functionality to add data to assertions, which might be data that is sensitive, calculated at runtime, or complexly-structured and not appropriate for storing in Okta user profiles. Data added this way is never logged or stored by Okta. As an example, SAML assertions generated for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta. + + This inline hook works only when using custom SAML apps, not apps from the OIN. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * For a use case example of how to implement a SAML assertion inline hook, see [SAML assertion inline hook](https://developer.okta.com/docs/guides/saml-inline-hook) + * For steps to enable this inline hook, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook). + + ### Specify location within the assertion + + Specify the location within the assertion where you want to apply your operation using a slash-delimited path, which follows JSON Patch conventions. + + When you perform an `add` op to add a new attribute statement, begin with `/claims/` and follow that with the name of the new attribute that you're adding. + + When you modify an existing assertions statement, begin the path with `/subject/`, `/authentication/`, `/conditions/`, or `/claims/`, depending on which part of the assertion you want to modify. You then look deeper within the child elements using slash-delimited element names, for example, `/claims/array/attributeValues/1/value`. (The `/1/` in the path indicates the index of the array, using zero-based indexing.) + + ### URI claims + + Okta supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, encode the claim name within the command per the [JavaScript Object Notation (JSON) Pointer](https://tools.ietf.org/html/rfc6901) specification. Specifically, this replaces `~` with `~0` and `/` with `~1`. + + ### SessionNotOnOrAfter support + + In some scenarios, your service provider may require the `SessionNotOnOrAfter` attribute for the `` in the SAML assertion, which sets the provider session time correctly. Use `add` op with the path `/authentication/sessionLifetime` and a value for session lifetime in seconds to add this attribute. Okta calculates `SessionNotOnOrAfter` by adding the `/authentication/sessionLifetime` value to the `issueInstant` attribute and returns it in the SAML `data.assertion. + operationId: createSAMLAssertionInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/SAMLPayLoad' + examples: + SAMLPayloadExample: + $ref: '#/components/examples/SAMLPayLoadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/SAMLHookResponse' + examples: + SAMLHookResponseExample: + $ref: '#/components/examples/SAMLHookResponseExample' + SAMLHookResponseWithURIFormat: + $ref: '#/components/examples/SAMLHookResponseWithURIFormat' + '204': + description: No content - Use the default action + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-token-hook: + post: + summary: Create a Token inline hook + description: |- + Creates a Token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. + + This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims. + + Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta. + + In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid. + + This inline hook works only when using an [Okta custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/#create-an-authorization-server), not the built-in Okta org authorization server. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * For an example implementation of this inline hook, see [Token inline hook](https://developer.okta.com/docs/guides/token-inline-hook) + + ### Timeout behavior + After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned. + + ### Enabling a token inline hook + To activate the inline hook, you first need to register your external service endpoint with Okta using the [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook). + You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps: + 1. Go to **Security** > **API** > **Authorization Servers.** + 2. Select a custom authorization server from the list. + 3. Select **Access Policies** and select a policy to use with the hook. In most cases, pick the Default Policy. + 4. One of the policy's rules needs to trigger the inline hook. Click the pencil icon for a rule to edit it. If you only have one rule, edit the Default Policy Rule. + 5. Click the **Use this Inline Hook** dropdown menu. Any inline hooks that you have registered are listed. Select the hook that you would like to use. + 6. Click **Update Rule**. + + > **Note:** You can associate only one inline hook with each rule. + + ### Troubleshoot + This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails. + > **Note:** Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the [Troubleshooting](https://developer.okta.com/docs/concepts/inline-hooks/#troubleshooting) section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures. + - When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + - When the external service returns a response with any other HTTP status code besides `200`, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + - When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated. + + **Who can see this error?** Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client. + > **Note:** See the [error](https://developer.okta.com/docs/reference/token-hook/#error) section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token. + + - When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + The following actions result in an error: + - Using an invalid command. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`. + - Using an invalid operation + - Attempting to remove a system-specific claim + - Attempting to update a claim that doesn't exist + - Attempting to update an element within an array that doesn't exist or specifying an invalid index + - Attempting to remove a claim that doesn't exist + operationId: createTokenInlineHook + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/TokenRequest' + examples: + TokenPayLoadExample: + $ref: '#/components/examples/TokenPayLoadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/TokenHookResponse' + examples: + TokenHookResponse: + $ref: '#/components/examples/TokenHookResponse' + TokenHookResponseWithURIFormat: + $ref: '#/components/examples/TokenHookResponseWithURIFormat' + TokenHookResponseAppendArray: + $ref: '#/components/examples/TokenHookResponseAppendArray' + TokenHookReplaceExisting: + $ref: '#/components/examples/TokenHookReplaceExisting' + TokenHookReplaceInPath: + $ref: '#/components/examples/TokenHookReplaceInPath' + TokenHookModifyLifetime: + $ref: '#/components/examples/TokenHookModifyLifetime' + TokenHookRemoveClaim: + $ref: '#/components/examples/TokenHookRemoveClaim' + TokenHookRemoveFromArray: + $ref: '#/components/examples/TokenHookRemoveFromArray' + TokenHookRemoveFromObject: + $ref: '#/components/examples/TokenHookRemoveFromObject' + TokenHookErrorExample: + $ref: '#/components/examples/TokenHookErrorExample' + '204': + description: No content - Unverified user response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook components: examples: APIDevicesListAllResponse: @@ -22177,6 +25521,286 @@ components: logo: name: small href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + ActivateFactorCallResponse: + summary: call + value: + id: clf1o51EADOTFXHHBXBP + factorType: call + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-06T16:56:31.000Z' + lastUpdated: '2014-08-06T16:56:31.000Z' + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorEmailResponse: + summary: email + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: ACTIVE + profile: + email: changed@clouditude.net + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + ActivateFactorPushResponse: + summary: push + value: + id: opf3hkfocI4JTLAju0g4 + factorType: push + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2015-03-16T18:01:28.000Z' + lastUpdated: '2015-08-27T14:25:17.000Z' + profile: + credentialId: dade.murphy@example.com + deviceType: SmartPhone_IPhone + name: Gibson + platform: IOS + version: '9.0' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorSmsResponse: + summary: sms + value: + id: sms1o51EADOTFXHHBXBP + factorType: sms + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-06T16:56:31.000Z' + lastUpdated: '2014-08-06T16:56:31.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorTotpResponse: + summary: token:software:totp + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-08-06T00:31:07.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorU2fRequest: + summary: u2f + value: + registrationData: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + ActivateFactorU2fResponse: + summary: u2f + value: + id: fuf2rovRxogXJ0nDy0g4 + factorType: u2f + provider: FIDO + vendorName: FIDO + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: WVO-QyHEi0eWmTNqESqJynDtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + version: U2F_V2 + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorWebauthnRequest: + summary: webAuthn + value: + attestation: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== + clientData: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0= + ActivateFactorWebauthnResponse: + summary: webAuthn + value: + id: fwf2rovRxogXJ0nDy0g4 + factorType: webauthn + provider: FIDO + vendorName: FIDO + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateIdPResponse: + summary: Activate an Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-25T19:14:23.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST ActivateNetworkZone: summary: Activated Network Zone value: @@ -22207,6 +25831,22 @@ components: hints: allow: - POST + ActiveAuthorizationServerKey: + summary: Active Authorization Server Key + value: + status: ACTIVE + alg: RS256 + e: AQAB + 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET AddMappingBody: summary: Update an existing profile mapping by adding one or more properties value: @@ -22255,6 +25895,47 @@ components: value: sessionMaxLifetimeMinutes: 720 sessionIdleTimeoutMinutes: 15 + AerialConsentDetails: + description: Example response of consent details + value: + accountId: 0200bs0617vvhv2v675mch1cukp + grantDate: '2023-04-06T21:32:33.000Z' + grantedBy: 00uabcdefg1234567890 + AerialConsentInvalidAccountIdResponse: + description: Aerial account ID is invalid + value: + errorCode: E0000001 + errorSummary: 'API validation failed: account' + errorLink: E0000001 + errorId: oaewjePjfdBT7m71KkPz0Ipaw + errorCauses: + - errorSummary: Invalid aerial account ID. + AerialConsentOrgAlreadyLinkedResponse: + description: The revoke operation isn't possible when the org is already linked + value: + errorCode: E0000001 + errorSummary: 'API validation failed: account' + errorLink: E0000001 + errorId: oae_wheRkaxRT-EFAXwBmBKLg + errorCauses: + - errorSummary: The org is already linked to an Account. + AerialGrantAlreadyPresentErrorResponse: + description: Grant is already present + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: account' + errorLink: E0000001 + errorId: oaewjePjfdBT7m71KkPz0Ipaw + errorCauses: + - errorSummary: The org already has a consent grant added to Aerial. + AerialGrantNotFoundResponse: + description: No grant found for org + value: + errorCode: E0000007 + errorSummary: 'Not found: Resource not found: grant (String)' + errorLink: E0000007 + errorId: sampleFYH_dTSSTdpPYIAdHJw + errorCauses: [] AllAssignmentsOperationResponse: value: id: rre4mje4ez7B2a7B60g7 @@ -22341,6 +26022,28 @@ components: hints: allow: - GET + AppCsrJsonResponse: + summary: CSR object in JSON format + value: + id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + AppCsrPkcs10Response: + summary: CSR in DER format + value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 AppFeatureListResponseEx: summary: List app Feature response value: @@ -22428,6 +26131,36 @@ components: value: issuer: '{yourOktaDomain}' scopeId: okta.users.read + AppResponseBaseEx: + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate AppUserAssignProvRequest: summary: SSO and provisioning Application User request example value: @@ -22767,6 +26500,7 @@ components: properties: twitterUserName: title: Twitter username + externalName: twitterUserName description: User's username for twitter.com type: string required: false @@ -22800,6 +26534,7 @@ components: properties: twitterUserName: title: Twitter username + externalName: twitterUserName description: User's username for twitter.com type: string scope: NONE @@ -22825,37 +26560,70 @@ components: profile: name: Rae Mae Cloud middle_name: Mae - ApplicationTargetResponse: + AppleIdPResponse: + summary: Apple Identity Provider value: - - name: google - displayName: Google Workspace - description: Gmail, Google Drive, Google Calendar, and Google Sites - status: ACTIVE - lastUpdated: '2021-06-23T22:23:29.000Z' - category: COLLABORATION - verificationStatus: OKTA_VERIFIED - website: http://www.example.com/google-apps.html - signOnModes: - - SAML_2_0 - features: - - DOWNLOAD_USERS_FOR_ROGUE_REPORT - - EXCHANGE_ACTIVE_SYNC - - GROUP_PUSH - - IMPORT_NEW_USERS - - IMPORT_PROFILE_UPDATES - - IMPORT_USER_SCHEMA - - PROFILE_MASTERING - - PUSH_NEW_USERS - - PUSH_PASSWORD_UPDATES - - PUSH_PROFILE_UPDATES - - PUSH_USER_DEACTIVATION - - REACTIVATE_USERS - _links: - logo: - - name: medium, - - href: https://www.example.com/gfs3qpyglct9KMswo0g7 - self: - href: https://{yourOktaDomain}/api/v1/catalog/apps/google + id: 0oa18hsHsG3boVejU0g4 + type: APPLE + issuerMode: ORG_URL + name: Apple Identity Provider + status: ACTIVE + created: '2020-06-05T20:57:51.000Z' + lastUpdated: '2020-06-05T20:57:51.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://appleid.apple.com/auth/authorize + binding: HTTP-REDIRECT + token: + url: https://appleid.apple.com/auth/token + binding: HTTP-POST + scopes: + - openid + - email + - name + credentials: + client: + client_id: your-client-id + signing: + teamId: test team ID + privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + kid: test key ID + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa18hsHsG3boVejU0g4&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri=${redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST AssignGroupOwnerRequest: summary: Assign a group owner request example value: @@ -23247,6 +27015,426 @@ components: hints: allow: - POST + AuthorizationServerPolicy: + summary: Authorization Server Policy + value: + type: OAUTH_AUTHORIZATION_POLICY + id: 00palyaappA22DPkj0h7 + status: ACTIVE + name: Vendor2 Policy + description: Vendor2 policy description + priority: 1 + system: false + conditions: + clients: + include: + - ALL_CLIENTS + created: '2017-05-26T19:43:53.000Z' + lastUpdated: '2017-06-07T15:28:17.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate + hints: + allow: + - POST + rules: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules + hints: + allow: + - GET + AuthorizationServerPolicyRule: + summary: Authorization Server Policy Rule + value: + type: RESOURCE_ACCESS + id: 0prbsjfyl01zfSZ9K0h7 + status: ACTIVE + name: Default Policy Rule + priority: 1 + created: '2017-08-25T16:57:02.000Z' + lastUpdated: '2017-08-30T14:51:05.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: + - EVERYONE + exclude: [] + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate + hints: + allow: + - POST + AutoLoginAppResponseEx: + summary: AUTO_LOGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + customswaapp_link: true + name: customswaapp + label: Custom SWA App + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + signOn: + redirectUrl: http://swasecondaryredirecturl.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginEx: + summary: AUTO_LOGIN + value: + label: Custom SWA App + signOnMode: AUTO_LOGIN + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + settings: + signOn: + redirectUrl: http://swasecondaryredirecturl.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginPutEx: + summary: AUTO_LOGIN + value: + label: Custom SWA App updated + status: ACTIVE + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: ADMIN_SETS_CREDENTIALS + userNameTemplate: + template: ${source.email} + type: BUILT_IN + settings: + signOn: + redirectUrl: http://swasecondaryredirecturlupdated.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginPutResponseEx: + summary: AUTO_LOGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + customswaapp_link: true + name: customswaapp + label: Custom SWA App updated + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: ADMIN_SETS_CREDENTIALS + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + signOn: + redirectUrl: http://swasecondaryredirecturlupdated.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + BaseSignOnModeEx: + value: + status: ACTIVE + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + features: [] + BasicAuthEx: + summary: BASIC_AUTH + value: + name: template_basic_auth + label: Sample Basic Auth App + signOnMode: BASIC_AUTH + settings: + app: + url: https://example.com/login.html + authURL: https://example.com/auth.html + BasicAuthPutEx: + summary: BASIC_AUTH + value: + label: Sample Basic Auth App updated + signOnMode: BASIC_AUTH + settings: + app: + url: https://example.com/loginUpdated.html + authURL: https://example.com/auth.html + BasicAuthPutResponseEx: + summary: BASIC_AUTH + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_basic_auth + label: Sample Basic Auth App updated + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + url: https://example.com/loginUpdated.html + authURL: https://example.com/auth.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BasicAuthResponseEx: + summary: BASIC_AUTH + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_basic_auth + label: Sample Basic Auth App + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + url: https://example.com/login.html + authURL: https://example.com/auth.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null BehaviorRuleRequest: value: name: My Behavior Rule @@ -23270,6 +27458,479 @@ components: - POST - PUT - DELETE + BookmarkAppResponseEx: + summary: BOOKMARK + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: bookmark + label: Sample Bookmark App + features: [] + signOnMode: BOOKMARK + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: {} + settings: + app: + requestIntegration: false + url: https://example.com/bookmark.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BookmarkEx: + summary: BOOKMARK + value: + name: bookmark + label: Sample Bookmark App + signOnMode: BOOKMARK + settings: + app: + url: https://example.com/bookmark.html + BookmarkPutEx: + summary: BOOKMARK + value: + name: bookmark + label: Sample Bookmark App updated + signOnMode: BOOKMARK + settings: + app: + requestIntegration: true + url: https://example.com/bookmark.html + BookmarkPutResponseEx: + summary: BOOKMARK + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: bookmark + label: Sample Bookmark App updated + features: [] + signOnMode: BOOKMARK + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: {} + settings: + app: + requestIntegration: true + url: https://example.com/bookmark.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginEx: + summary: BROWSER_PLUGIN + value: + name: template_swa + label: Sample Plugin App + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + BrowserPluginPutEx: + summary: BROWSER_PLUGIN + value: + name: template_swa + label: Sample Plugin App updated + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example_updated.com/login.html + BrowserPluginPutResponseEx: + summary: BROWSER_PLUGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa + label: Sample Plugin App updated + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + usernameField: txtbox-username + buttonField: btn-login + passwordField: txtbox-password + url: https://example_updated.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginResponseEx: + summary: BROWSER_PLUGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa + label: Sample Plugin App + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + usernameField: txtbox-username + buttonField: btn-login + passwordField: txtbox-password + url: https://example.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginSwa3FieldEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + name: template_swa3field + label: Sample Plugin App + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonSelector: '#btn-login' + passwordSelector: '#txtbox-password' + userNameSelector: '#txtbox-username' + targetURL: https://example.com/login.html + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + BrowserPluginSwa3FieldPutEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + name: template_swa3field + label: Sample Plugin App updated + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonSelector: '#btn-login' + passwordSelector: '#txtbox-password' + userNameSelector: '#txtbox-username' + targetURL: https://exampleupdated.com/login.html + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + BrowserPluginSwa3FieldPutResponseEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa3field + label: Sample Plugin App updated + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + userNameSelector: '#txtbox-username' + passwordSelector: '#txtbox-password' + buttonSelector: '#btn-login' + targetURL: https://exampleupdated.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginSwa3FieldResponseEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa3field + label: Sample Plugin App + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + userNameSelector: '#txtbox-username' + passwordSelector: '#txtbox-password' + buttonSelector: '#btn-login' + targetURL: https://example.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null BundleEntitlementsResponse: summary: List of governance bundle entitlements value: @@ -23329,6 +27990,21 @@ components: - POST - PUT - DELETE + ChangePwdRequest: + value: + oldPassword: + value: tlpWENT2m + newPassword: + value: uTVM,TPw55 + revokeSessions: true + ChangePwdResponse: + value: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA CreateAnEventHook: summary: Create an event hook value: @@ -23373,6 +28049,41 @@ components: type: HEADER key: Authorization value: my-shared-secret + CreateAppleIdPRequest: + summary: Create Apple Identity Provider + value: + type: APPLE + name: Apple Identity Provider + protocol: + type: OIDC + scopes: + - openid + - email + - name + credentials: + client: + client_id: your-client-id + signing: + privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + kid: test key ID + teamId: test team ID + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + matchType: USERNAME CreateAssocAuthServerBody: summary: Create a trusted relationship between authorization servers value: @@ -23473,6 +28184,46 @@ components: hints: allow: - POST + CreateAuthorizationServerPolicyRequest: + summary: Create Authorization Server Policy + value: + type: OAUTH_AUTHORIZATION_POLICY + status: ACTIVE + name: Default Policy + description: Default policy description + priority: 1 + system: false + conditions: + clients": + include": + - ALL_CLIENTS + CreateAuthorizationServerPolicyRuleRequest: + summary: Create Authorization Server Policy Rule + value: + type: RESOURCE_ACCESS + name: Default Policy Rule + priority: 1 + conditions: + people: + groups: + include: + - EVERYONE + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 CreateBrandRequest: value: name: My Awesome Brand @@ -23502,6 +28253,84 @@ components: hints: allow: - GET + CreateChildOrgRequestEx: + summary: Create Org request + value: + subdomain: my-child-org-1 + name: My Child Org 1 + website: http://www.examplecorp.com + edition: SKU + admin: + profile: + firstName: First + lastName: Last + email: FirstLast@example.com + login: FirstLast@example.com + mobilePhone: null + credentials: + password: + value: XXXX + CreateChildOrgResponseEx: + summary: Create Org response + value: + id: 00o1n8sbwArJ7OQRw406 + subdomain: my-child-org-1 + name: My Child Org 1 + website: http://www.examplecorp.com + status: ACTIVE + edition: SKU + expiresAt: null + created: '2024-08-27T15:42:52.000Z' + lastUpdated: '2024-08-27T15:42:56.000Z' + licensing: + apps: [] + settings: + app: + errorRedirectUrl: null + interstitialUrl: null + interstitialMinWaitTime: 1200 + userAccount: + attributes: + secondaryEmail: true + secondaryImage: true + portal: + errorRedirectUrl: null + signOutUrl: null + logs: + level: INFO + token: XXXXXXXXXXXXX + tokenType: SSWS + _links: + administrator: + href: https://my-child-org-1.oktapreview.com/api/v1/users/00u1n8sheI1WBQlDV406 + uploadLogo: + href: https://my-child-org-1.oktapreview.com/api/v1/org/logo + organization: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1 + contacts: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/contacts + policy: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/policy + CreateCustomRoleResponseGroup: + value: + id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions CreateCustomTokenClaimBody: summary: Create a custom token Claim value: @@ -23606,8 +28435,140 @@ components: domain: example.com brandId: bnd100iSrkcN6aR680g1 validationSubdomain: mail + CreateFacebookIdPRequest: + summary: Create Facebook Identity Provider + value: + type: FACEBOOK + name: Facebook + protocol: + type: OAUTH2 + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateGenericOidcIdPRequest: + summary: Create Generic OpenID Connect Identity Provider + value: + type: OIDC + name: Example OpenID Connect IdP + protocol: + algorithms: + request: + signature: + algorithm: HS256 + scope: REQUEST + endpoints: + acs: + binding: HTTP-POST + type: INSTANCE + authorization: + binding: HTTP-REDIRECT + url: https://idp.example.com/authorize + token: + binding: HTTP-POST + url: https://idp.example.com/token + userInfo: + binding: HTTP-REDIRECT + url: https://idp.example.com/userinfo + jwks: + binding: HTTP-REDIRECT + url: https://idp.example.com/keys + scopes: + - openid + - profile + - email + type: OIDC + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + pkce_required: 'true' + issuer: + url: https://idp.example.com + policy: + accountLink: + action: AUTO + filter: null + provisioning: + action: AUTO + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + groups: + action: NONE + mapAMRClaims: false + maxClockSkew: 120000 + subject: + userNameTemplate: + template: idpuser.email + matchType: USERNAME + CreateGoogleIdPRequest: + summary: Create Google Identity Provider + value: + type: GOOGLE + name: Google + protocol: + type: OAUTH2 + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 CreateHookKeyResponse: summary: Create a key response example + description: |- + The response is a [Key object](https://developer.okta.com/docs/reference/api/hook-keys/#key-object) that represents the key that you create. The `id` property in the response serves as the unique ID for the key, which you can specify when invoking other CRUD operations. The `keyId` provided in the response is the alias of the public key that you can use to get details of the public key data in a separate call. + > **Note:** The keyId is the alias of the public key that you can use to retrieve the public key. value: id: HKY1p7jWLndGQV9M60g4 keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad @@ -23622,6 +28583,28 @@ components: use: 'null' e: AQAB 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + CreateIAMStandardRoleResponseGroup: + value: + id: irb1q92TFAHzySt3x0g4 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 CreateIPPolicyBlockListNetworkZone: summary: Create an IP Blocklist Network Zone value: @@ -23743,6 +28726,50 @@ components: _links: self: href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager + CreateMicrosoftIdPRequest: + summary: Create Microsoft Identity Provider + value: + type: MICROSOFT + name: Microsoft + protocol: + type: OIDC + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateOAuth2ScopeRequest: + summary: Example scope + value: + name: car:drive + description: Drive car + consent: REQUIRED + displayName: Saml Jackson CreateOrReplaceSMSTemplateRequest: value: name: Custom @@ -23764,6 +28791,56 @@ components: it: '${org.name}: il codice di verifica è ${code}' created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' + CreateSamlIdPRequest: + summary: Create SAML 2.0 Identity Provider + value: + type: SAML2 + name: Example SAML IdP + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + format: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + filter: (\S+@example\.com) + matchType: USERNAME CreateSessionBody: summary: Create a new Session with a valid session token value: @@ -23790,6 +28867,48 @@ components: allow: - DELETE href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + CreateSmartCardIdPRequest: + summary: Create SmartCard Identity Provider + value: + type: X509 + status: ACTIVE + name: Smart Card IDP Name + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + credentials: + trust: + revocation: CRL + revocationCacheLifetime: 2880 + issuer: your-issuer + kid: your-kid + policy: + provisioning: + action: DISABLED + mapAMRClaims: false + maxClockSkew: 120000 + subject: + matchType: EMAIL + matchAttribute: '' + userNameTemplate: + template: idpuser.subjectAltNameEmail + CreateStandardRoleAssignmentResponseGroup: + value: + id: grasraHPx7i79ajaJ0g3 + label: Organization Administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-27T14:56:55.000Z' + lastUpdated: '2019-02-27T14:56:55.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 CreateUISchemaBody: summary: UI Schema body request value: @@ -23885,14 +29004,19 @@ components: hints: allow: - POST - CreateUpdateIamRolePermissionRequestExample: + CreateUpdateIamRolePermissionRequestExampleWithExclude: + value: + conditions: + exclude: + okta:ResourceAttribute/User/Profile: + - zipCode + CreateUpdateIamRolePermissionRequestExampleWithInclude: value: conditions: include: okta:ResourceAttribute/User/Profile: - city - state - - zipCode CreateUserRequest: summary: Create a user type request value: @@ -23916,12 +29040,34 @@ components: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + CsrJsonResponse: + summary: CSR object in JSON format + value: + id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + CsrPkcs10Response: + summary: CSR in DER format + value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 CustomRoleAssignmentRequest: value: type: CUSTOM role: cr04cxy6yzSCtNciD0g7 resource-set: iam4cxy6z7hhaZCSk0g7 - CustomRoleAssignmentResponse: + CustomRoleResponseClient: value: id: irb4ey26fpFI3vQ8y0g7 label: view_minimal @@ -23943,6 +29089,132 @@ components: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 assignee: href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 + CustomRoleResponseUser: + value: + id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + CustomRolesListResponseClient: + value: + - id: irb4ey26fpFI3vQ8y0g7 + label: view_minimal + type: CUSTOM + status: ACTIVE + created: '2023-05-01T15:16:47.000Z' + lastUpdated: '2023-05-01T15:16:47.000Z' + assignmentType: CLIENT + resource-set: iam4cxy6z7hhaZCSk0g7 + role: cr04cxy6yzSCtNciD0g7 + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 + CustomRolesListResponseGroup: + value: + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + DeactivateIdPResponse: + summary: Deactivate an Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: INACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-25T19:16:53.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST DeactivateNetworkZone: summary: Deactivated Network Zone value: @@ -24877,6 +30149,64 @@ components: - DELETE - GET - PUT + DeviceChecksMacOSRequest: + summary: macOS request + value: + name: Device Check macOS + description: Query macOS devices to check if firewall is enabled + variableName: macOSFirewall + platform: MACOS + query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + DeviceChecksMacOSResponse: + summary: macOS response + value: + id: dch3m8o4rWhwReDeM1c5 + name: Device Check macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + description: Query macOS devices to check if firewall is enabled + variableName: macOSFirewall + query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + platform: MACOS + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceChecksWindowsRequest: + summary: Windows request + value: + name: Device Check Windows + description: Query Windows devices to check if firewall is enabled + variableName: windowsFirewall + platform: WINDOWS + query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles; + DeviceChecksWindowsResponse: + summary: Windows response + value: + id: dch3m8o4rWhwReDeM1c5 + name: Device Check Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + description: Query Windows devices to check if firewall is enabled + variableName: windowsFirewall + query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles; + platform: WINDOWS + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT DeviceResponse: value: id: guo8jx5vVoxfvJeLb0w4 @@ -25183,6 +30513,536 @@ components: value: - id: null lastUpdated: null + EnrollFactorCallRequest: + summary: call + value: + factorType: call + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + honeExtension: '1234' + EnrollFactorCallResponse: + summary: call + value: + id: clf1nz9JHJGHWRKMTLHP + factorType: call + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-08-05T20:59:49.000Z' + lastUpdated: '2014-08-06T03:59:49.000Z' + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/lifecycle/activate + hints: + allow: + - POST + resend: + - name: call + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/resend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorCustomTotpRequest: + summary: custom totp + value: + factorType: token:hotp + provider: CUSTOM + factorProfileId: fpr20l2mDyaUGWGCa0g4 + profile: + sharedSecret: 484f97be3213b117e3a20438e291540a + EnrollFactorCustomTotpResponse: + summary: custom totp + value: + id: chf20l33Ks8U2Zjba0g4 + factorType: token:hotp + provider: CUSTOM + vendorName: Entrust Datacard + status: ACTIVE + created: '2019-07-22T23:22:36.000Z' + lastUpdated: '2019-07-22T23:22:36.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3 + hints: + allow: + - GET + EnrollFactorEmailRequest: + summary: email + value: + factorType: email + provider: OKTA + profile: + email: test@gmail.com + EnrollFactorEmailResponse: + summary: email + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/lifecycle/activate + hints: + allow: + - POST + resend: + - name: email + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/resend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + EnrollFactorGoogleRequest: + summary: google token:software:totp + value: + factorType: token:software:totp + provider: GOOGLE + EnrollFactorGoogleResponse: + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: GOOGLE + vendorName: GOOGLE + status: PENDING_ACTIVATION + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-07-16T16:13:56.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: JBTWGV22G4ZGKV3N + encoding: base32 + keyLength: 16 + _links: + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 + type: image/png + EnrollFactorOVPushRequest: + summary: token:software:totp push + value: + factorType: push + provider: OKTA + EnrollFactorOVPushResponse: + summary: token:software:totp + value: + id: opfbtzzrjgwauUsxO0g4 + factorType: push + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2015-11-13T07:34:22.000Z' + lastUpdated: '2015-11-13T07:34:22.000Z' + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/poll + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + expiresAt: '2015-11-13T07:44:22.000Z' + factorResult: WAITING + _links: + send: + - name: email + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/email + hints: + allow: + - POST + - name: sms + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/sms + hints: + allow: + - POST + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/qr/00Ji8qVBNJD4LmjYy1WZO2VbNqvvPdaCVua-1qjypa + type: image/png + EnrollFactorOVTotpRequest: + summary: token:software:totp + value: + factorType: token:software:totp + provider: OKTA + EnrollFactorOVTotpResponse: + summary: token:software:totp + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-07-16T16:13:56.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: JBTWGV22G4ZGKV3N + encoding: base32 + keyLength: 6 + _links: + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 + type: image/png + EnrollFactorQuestionRequest: + summary: question + value: + question: + summary: question factor + value: + factorType: question + provider: OKTA + profile: + question: disliked_food + answer: mayonnaise + EnrollFactorQuestionResponse: + summary: question + value: + id: ufs1o01OTMGHLAJPVHDZ + factorType: question + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-05T22:58:49.000Z' + lastUpdated: '2014-08-05T22:58:49.000Z' + profile: + question: disliked_food + questionText: What is the food you least liked as a child? + _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs1o01OTMGHLAJPVHDZ + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorRsaSecurIdRequest: + summary: RSA SecurID + value: + factorType: token + provider: RSA + profile: + credentialId: dade.murphy@example.com + verify: + passCode: '5275875498' + EnrollFactorRsaSecurIdResponse: + summary: RSA SecurID + value: + id: rsabtznMn6cp94ez20g4 + factorType: token + provider: RSA + vendorName: RSA + status: ACTIVE + created: '2015-11-13T07:05:53.000Z' + lastUpdated: '2015-11-13T07:05:53.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorSmsRequest: + summary: sms + value: + factorType: sms + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + EnrollFactorSmsResponse: + summary: sms + value: + id: mbl1nz9JHJGHWRKMTLHP + factorType: sms + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-08-05T20:59:49.000Z' + lastUpdated: '2014-08-06T03:59:49.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/lifecycle/activate + hints: + allow: + - POST + resend: + - name: sms + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/resend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorSymantecVipRequest: + summary: Symantec VIP + value: + factorType: token + provider: SYMANTEC + profile: + credentialId: VSMT14393584 + verify: + passCode: '875498' + nextPassCode: '678195' + EnrollFactorSymantecVipResponse: + summary: Symantec VIP + value: + id: ufvbtzgkYaA7zTKdQ0g4 + factorType: token + provider: SYMANTEC + vendorName: SYMANTEC + status: ACTIVE + created: '2015-11-13T06:52:08.000Z' + lastUpdated: '2015-11-13T06:52:08.000Z' + profile: + credentialId: VSMT14393584 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorU2fRequest: + summary: u2f + value: + factorType: u2f + provider: FIDO + EnrollFactorU2fResponse: + summary: u2f + value: + id: fuf2rovRxogXJ0nDy0g4 + factorType: u2f + provider: FIDO + vendorName: FIDO + status: PENDING_ACTIVATION + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T20:43:19.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + version: U2F_V2 + nonce: 9DmGJDLvaU6KWxJbfrZ0 + timeoutSeconds: 20 + EnrollFactorWebauthnRequest: + summary: webAuthn + value: + factorType: webauthn + provider: FIDO + EnrollFactorWebauthnResponse: + summary: webAuthn + value: + id: fwf2rovRxogXJ0nDy0g4 + factorType: webauthn + provider: FIDO + vendorName: FIDO + status: PENDING_ACTIVATION + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T20:43:19.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + attestation: direct + authenticatorSelection: + userVerification: preferred + requireResidentKey: false + challenge: cdsZ1V10E0BGE4GcG3IK + excludeCredentials: [] + pubKeyCredParams: + - type: public-key + alg: -7 + - type: public-key + alg: -257 + rp: + name: Rain-Cloud59 + user: + displayName: First Last + name: first.last@gmail.com + id: 00u15s1KDETTQMQYABRL + EnrollFactorYubikeyRequest: + summary: yubikey + value: + factorType: token:hardware + provider: YUBICO + verify: + passCode: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji + EnrollFactorYubikeyResponse: + value: + id: ykfbty3BJeBgUi3750g4 + factorType: token:hardware + provider: YUBICO + vendorName: YUBICO + status: ACTIVE + created: '2015-11-13T05:27:49.000Z' + lastUpdated: '2015-11-13T05:27:49.000Z' + profile: + credentialId: '000004102994' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4/verify + hints: + allow: + - POST + self: + href: hhttps://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET EntitlementValuesResponse: summary: List of bundle entitlement values value: @@ -25273,6 +31133,83 @@ components: errorId: oae-hk3rssXQmOWDRsaFfxe8A errorCauses: errorSummary: 'captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.' + ErrorClientJsonWebKeyDuplicateKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: All keys in the 'jwks' must have a unique `kid`. + ErrorClientJsonWebKeyKidLengthTooShort: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: RSA key length in the 'jwks' is less than '2,048' bits for the given key. + ErrorClientJsonWebKeyNonUniqueKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Each key should have a unique kid when adding multiple keys. Use the Apps API to update the JWKS to add a kid for the existing key, or delete the existing key and re-add the key with a kid using the JWKS APIs. + ErrorClientJsonWebKeyTooManyKids: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't create a new key. You have reached the maximum number of keys allowed (50). To add another key, you must first delete an existing one. + ErrorClientSecretNonAscii: + summary: Client secret allows only ASCII error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''''client_secret'''' must only contain printable ASCII: [x20-x7E]+' + ErrorClientSecretTooLong: + summary: Client secret too long error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' can''t be more than ''100'' characters long.' + ErrorClientSecretTooShort: + summary: Client secret too short error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' must be at least ''14'' characters long.' + ErrorClientSecretTooShortWithClientSecretJWT: + summary: Client secret is too short for JWT error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' must be at least ''32'' characters long when ''token_endpoint_auth_method'' is ''client_secret_jwt''.' + ErrorClientSecretWithPrivateKeyJWT: + summary: Client secret can't be used for private key JWT error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: '''client_secret'' can''t be used when ''token_endpoint_auth_method'' is ''private_key_jwt''.' ErrorCreateBrandExists: value: errorCode: E0000202 @@ -25283,19 +31220,19 @@ components: ErrorCreateUserWithExpiredPasswordWithNullPassword: value: errorCode: E0000124 - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified + errorSummary: Could not create User. To create a User and expire their password immediately, a password must be specified. errorLink: E0000124 errorId: oaeXxuZgXBySvqi1FvtkwoYCA errorCauses: - - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified + - errorSummary: Could not create User. To create a User and expire their password immediately, a password must be specified. ErrorCreateUserWithExpiredPasswordWithoutActivation: value: errorCode: E0000125 - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true + errorSummary: Could not create User. To create a User and expire their password immediately, `activate` must be true. errorLink: E0000125 errorId: oaeDd77L9R-TJaD7j_rXsQ31w errorCauses: - - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true + - errorSummary: Could not create User. To create a User and expire their password immediately, `activate` must be true. ErrorCreateUserWithTooManyManyGroupsResponse: value: errorCode: E0000093 @@ -25303,7 +31240,47 @@ components: errorLink: E0000093 errorId: oaePVSLIYnIQsC0B-ptBIllVA errorCauses: - - errorSummary: The number of group targets is too large. + - errorSummary: The number of group targets is too large + ErrorDeactivateTheOnlyClientSecret: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't deactivate the only active client secret. + ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Can't deactivate the only active JSON Web Key when the value for `token_endpoint_auth_method` is `private_key_jwt`. + ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The `jwks` must contain at least one key with an algorithm matching the `request_object_signature_algorithm`. + ErrorDeleteActiveJsonWebKey: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't delete an active JSON Web key. Deactivate the key before deleting it. + ErrorDeleteActiveSecret: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't delete an active client secret. Deactivate the secret before deleting it. ErrorDeleteBrandAssociatedWithDomain: value: errorCode: E0000201 @@ -25319,11 +31296,17 @@ components: errorId: oaeAdRqprFuTyKokyYPbURJkA errorCauses: [] ErrorDeviceAssuranceInUse: - summary: Cannot delete device assurance policy in use by authentication policies + summary: Can't delete device assurance policy in use by authentication policies value: errorSummary: Device assurance is in use and cannot be deleted. errorId: oaenwA1ra80S9W-pvbh4m6haA errorCauses: [] + ErrorDeviceCheckInUse: + summary: Can't delete device check in use by device assurance policies + value: + errorSummary: Device check is in use and can't be deleted. + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] ErrorEmailCustomizationCannotClearDefault: value: errorCode: E0000185 @@ -25380,6 +31363,14 @@ components: errorLink: E0000218 errorId: oaeEdRqprFuTyKokyYPbURJkC errorCauses: [] + ErrorInternalServer: + summary: Internal Server Error + value: + errorCode: E0000009 + errorSummary: Internal Server Error + errorLink: E0000000 + errorId: sampleAlJ82XS2SDB_vaNIWgcA + errorCauses: [] ErrorInvalidEmailTemplateRecipients: value: errorCode: E0000189 @@ -25411,6 +31402,33 @@ components: errorLink: E0000011 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: [] + ErrorKeyCredentialCloneDuplicateKey: + summary: Duplicate key credential error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: cloneKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Key already exists in the list of key credentials for the target app. + ErrorKeyCredentialInvalidValidity: + summary: Key credential invalid year error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: generateKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Validity years out of range. It should be 2 - 10 years. + ErrorMaxNumberOfSecrets: + summary: Maximum client secrets reached error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You've reached the maximum number of client secrets per client. ErrorMissingRequiredParameter: summary: Missing Required Parameter value: @@ -25444,6 +31462,24 @@ components: errorId: oaehk3rssXQmOWDRsaFfxe8B errorCauses: errorSummary: There was a problem generating the pinResponse|credResponses. + ErrorPublishCSRCertDoesNotMatchCSR: + summary: Mismatch certificate and CSR error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: certificate' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The certificate doesn't match the CSR. + ErrorPublishCSRCertValidityLessThan90Days: + summary: Certificate valid for 90 days error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: certificate' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The certificate must be valid for more than 90 days. ErrorPushProviderUsedByCustomAppAuthenticator: value: errorCode: E0000187 @@ -25463,10 +31499,1052 @@ components: summary: Too Many Requests value: errorCode: E0000047 - errorSummary: You exceeded the maximum number of requests. Try again in a while. + errorSummary: API call exceeded rate limit due to too many requests. errorLink: E0000047 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: [] + ExampleOAuth2Scope: + summary: Example scope + value: + id: scp5yu8kLOnDzo7lh0g4 + name: car:drive + description: Drive car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: NO_CLIENTS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + ExampleOAuth2Scopes: + summary: All scopes + value: + - id: scp5yu8kLOnDzo7lh0g4 + name: car:drive + description: Drive car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: NO_CLIENTS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + ExpirePwdResponse: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: PASSWORD_EXPIRED + created: '2013-06-24T16:39:18.000Z' + activated: '2013-06-24T16:39:19.000Z' + statusChanged: '2013-06-24T16:39:19.000Z' + lastLogin: '2013-06-24T17:39:19.000Z' + lastUpdated: '2013-06-27T16:35:28.000Z' + passwordChanged: '2013-06-24T16:39:19.000Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + _links: + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_password + resetFactors: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_factors + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/expire_password + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/forgot_password + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_recovery_question + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/deactivate + changePassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_password + ExpirePwdWithTempPwdResponse: + value: + tempPassword: F46gy7X4 + ExpiredAuthorizationServerKey: + summary: Expired Authorization Server Key + value: + status: EXPIRED + alg: RS256 + e: AQAB + 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ + kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + hints: + allow: + - GET + FacebookIdPResponse: + summary: Facebook Identity Provider + value: + id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.facebook.com/dialog/oauth + binding: HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + FactorEmail: + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: ACTIVE + profile: + email: changed@clouditude.net + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + FactorPasscodeRequest: + value: + passCode: '123456' + FactorResponseSms: + value: + id: sms2gt8gzgEBPUWBIFHN + factorType: sms + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-06-27T20:27:26.000Z' + lastUpdated: '2014-06-27T20:27:26.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ForgotPwdRecoveryQuestionRequest: + value: + password: + value: uTVM,TPw55 + recovery_question: + answer: Annie Oakley + ForgotPwdRecoveryQuestionResponse: + value: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + ForgotPwdResponse: + value: + resetPasswordUrl: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO + GenericOidcIdpResponse: + summary: Generic OpenID Connect Identity Provider + value: + id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + algorithms: + request: + signature: + algorithm: HS256 + scope: REQUEST + scopes: + - openid + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + pkce_required: 'true' + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + GetApplicationsByGroupResponseEx: + summary: Retrieve apps assigned to a group + value: + - id: 0oa7vicdkRNrz59R80w6 + name: workday + label: hrportal2 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:50.000Z' + created: '2021-05-17T23:10:49.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate + - id: 0oa7vicvor8YSr9Hc0w6 + name: workday + label: hrportal1 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:22.000Z' + created: '2021-05-17T23:10:22.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate + - id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https:/example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + GetApplicationsByKeyResponseEx: + summary: Retrieve apps using a key + value: + - id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-03-21T23:31:35.000Z' + lastUpdated: '2014-03-21T23:31:35.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-03-21T23:31:35.000Z' + passwordChanged: null + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https://example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-06-10T15:16:01.000Z' + lastUpdated: '2014-06-10T15:17:38.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-06-10T15:16:01.000Z' + passwordChanged: '2014-06-10T15:17:38.000Z' + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + password: {} + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + GetApplicationsByNameResponseEx: + summary: Retrieve apps by name + value: + - id: 0oa7vicdkRNrz59R80w6 + name: workday + label: hrportal2 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:50.000Z' + created: '2021-05-17T23:10:49.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate + - id: 0oa7vicvor8YSr9Hc0w6 + name: workday + label: hrportal1 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:22.000Z' + created: '2021-05-17T23:10:22.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate + GetApplicationsByUserResponseEx: + summary: Retrieve apps assigned to a user + value: + - id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-03-21T23:31:35.000Z' + lastUpdated: '2014-03-21T23:31:35.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-03-21T23:31:35.000Z' + passwordChanged: null + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https://example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-06-10T15:16:01.000Z' + lastUpdated: '2014-06-10T15:17:38.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-06-10T15:16:01.000Z' + passwordChanged: '2014-06-10T15:17:38.000Z' + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + password: {} + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + GetApplicationsResponseEx: + summary: Retrieve an app + value: + id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + inlineHooks: + - id: cal3ughy17pylLxQB357 + _links: + self: + href: https://{yourOktaDomain}/api/v1/inlineHooks/cal3ughy17pylLxQB357 + hints: + allow: + - GET + - PUT + - DELETE + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + GetAssociatedLinkedObjectsResponse: + summary: Retrieve all associated Linked Object values response + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5zex6ztMbOZhF50h7 + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1tsf0nQKavLDUh0g5 GetBrandResponse: value: id: bnd114iNkrcN6aR680g4 @@ -25548,6 +32626,12 @@ components: hints: allow: - POST + GetPrimaryLinkedObjectResponse: + summary: Retrieve primary Linked Object value response + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 GetRealmAssignmentResponse: value: id: rul2jy7jLUlnO3ng00g4 @@ -25569,6 +32653,37 @@ components: rel: self href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 method: GET + GetRoleAssignmentGovernanceGrantResources: + value: + resources: + - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g114290ar1oCC5A0g5 + label: test-group-1 + - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5B0g5 + label: test-group-2 + _links: + next: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources?after=orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5A0g5 + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + GetRoleAssignmentGovernanceGrantResponse: + value: + type: ENTITLEMENT-BUNDLE + grantId: grai2556vZgWesWf10g4 + bundleId: enbhz2pAwtts9UBes0g4 + expirationDate: '2024-12-09 14:17:22.0' + _links: + resources: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4 + GetSessionResponse: + value: + id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' GetThemeResponse: value: id: thdul904tTZ6kWVhP0g3 @@ -25584,6 +32699,26 @@ components: errorPageTouchPointVariant: OKTA_DEFAULT emailTemplateTouchPointVariant: OKTA_DEFAULT loadingPageTouchPointVariant: OKTA_DEFAULT + GetUseRoleGovernanceResponse: + value: + grants: + - type: CUSTOM + grantId: grai24zWTjnDazeOI0g4 + _links: + resources: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai24zWTjnDazeOI0g4/resources + - type: ENTITLEMENT-BUNDLE + grantId: grai2556vZgWesWf10g4 + bundleId: enbhz2pAwtts9UBes0g4 + expirationDate: '2024-12-09 14:17:22.0' + _links: + resources: + href: https://{yourOktaDomain}//api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5" GetUserLinkedObjectResponse: summary: Retrieve User Linked Object value value: @@ -25607,6 +32742,95 @@ components: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + GetYubikeyOptTokenResponse: + summary: Get Yubikey OPT Token response + value: + id: ykkxdtCA1fKVxyu6R0g3 + created: '2020-06-09T23:42:05.000Z' + activated: '2020-06-09T23:47:29.000Z' + lastVerified: '2020-06-09T23:47:29.000Z' + lastUpdated: '2020-06-09T23:47:29.000Z' + status: ACTIVE + profile: + serial: '000009508427' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 + hints: + allow: + - DELETE + GoogleIdPResponse: + summary: Google Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST GovernanceBundle: summary: Governance Bundle value: @@ -25964,30 +33188,205 @@ components: - $ref: '#/definitions/base' title: Okta group type: object - GroupTargetResponse: + IAMStandardRoleResponseClient: value: - - id: 00g4cweckiXJaEqWl0g7 - created: '2023-01-20T08:28:32.000Z' - lastUpdated: '2023-01-20T08:28:32.000Z' - lastMembershipUpdated: '2023-01-20T08:54:49.000Z' - objectClass: - - okta:user_group - type: OKTA_GROUP - profile: - name: test_group - description: null + id: irb4jlodtdN4yJ88b0g7 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2023-07-06T21:52:48.000Z' + lastUpdated: '2023-07-06T21:52:48.000Z' + assignmentType: CLIENT + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/client/0oa5vymVNCe2cPEeZ0g4 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 + IAMStandardRoleResponseUser: + value: + id: irb1q92TFAHzySt3x0g4 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb1q92TFAHzySt3x0g4 + IAMStandardRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application Administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER _links: - logo: - - name: medium - href: https://www.example.com/okta-medium.png - type: image/png - - name: large - href: https://www.example.com/okta-large.png - type: image/png - users: - href: https://{yourOktaDomain}/api/v1/groups/00g4cweckiXJaEqWl0g7/users - apps: - href: https://{yourOktaDomain}/api/v1/groups/00g4cweckiXJaEqWl0g7/apps + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions + IAMStandardRolesListResponseClient: + value: + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: CLIENT + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/clients/0oa4ee9vgbIuqTUvd0g7 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissionsZ + IAMStandardRolesListResponseGroup: + value: + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: Group + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions + IdPAppUserResponse: + summary: IdP User + value: + id: 00u5t60iloOHN9pBi0h7 + externalId: externalId + created: '2017-12-19T17:30:16.000Z' + lastUpdated: '2017-12-19T17:30:16.000Z' + profile: + profileUrl: null + firstName: null + lastName: null + honorificSuffix: null + displayName: null + honorificPrefix: null + middleName: null + email: null + _links: + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7 + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7/users/00u5t60iloOHN9pBi0h7 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + IdPKeyCredentialRequest: + summary: Identity Provider Key Credential + value: + e: '65537' + 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + x5c: + - MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdPKeyCredentialResponse: + summary: Identity Provider Key Credential + value: + kid: your-key-id + created: '2016-01-03T18:15:47.000Z' + lastUpdated: '2016-01-03T18:15:47.000Z' + e: '65537' + 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + kty: RSA + use: sig + x5c: + - MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdPSigningKeyCredentialResponse: + summary: Identity Provider Signing Key Credential + value: + created: '2015-12-10T18:56:23.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + kid: akm5hvbbevE341ovl0h7 + kty: RSA + use: sig + x5c: + - MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE InlineHookTelephony: value: channel: @@ -26020,6 +33419,72 @@ components: hints: allow": - POST + InvalidRotateUse: + summary: Invalid Use + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: rotateKeys' + errorLink: E0000001 + errorId: oaeprak9qKHRlaWiclJ4oPJRQ + errorCauses: + - errorSummary: Invalid value specified for key 'use' parameter + KeyCredentialExample: + summary: Key Credential example + value: + created: '2015-12-10T18:56:23.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - MIIDqDCCApCgAwIBAgIGAVGNQFX5MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODU1MjJaFw0xNzEyMTAxODU2MjJaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJjrcnI6cXBiXNq9YDgfYrQe2O5qEHG4MXP8Ue0sMeefFkFEHYHnHUeZCq6WTAGqR+1LFgOl+Eq9We5V+qNlGIfkFkQ3iHGBrIALKqLCd0Et76HicDiegz7j9DtN+lo0hG/gfcw5783L5g5xeQ7zVmCQMkFwoUA0uA3bsfUSrmfORHJL+EMNQT8XIXD8NkG4g6u7ylHVRTLgXbe+W/p04m3EP6l41xl+MhIpBaPxDsyUvcKCNwkZN3aZIin1O9Y4YJuDHxrM64/VtLLp0sC05iawAmfsLunF7rdJAkWUpPn+xkviyNQ3UpvwAYuDr+jKLUdh2reRnm1PezxMIXzBVMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEARnFIjyitrCGbleFr3KeAwdOyeHiRmgeKupX5ZopgXtcseJoToUIinX5DVw2fVZPahqs0Q7/a0wcVnTRpw6946qZCwKd/PvZ1feVuVEA5Ui3+XvHuSH5xLp7NvYG1snNEvlbN3+NDUMlWj2NEbihowUBt9+UxTpQO3+N08q3aZk3hOZ+tHt+1Te7KEEL/4CM28GZ9MY7fSrS7MAgp1+ZXtn+kRlMrXnQ49qBda37brwDRqmSY9PwNMbev3r+9ZHwxr9W5wXW4Ev4C4xngA7RkVoyDbItSUho0I0M0u/LHuppclnXrw97xyO5Z883eIBvPVjfRcxsJxXJ8jx70ATDskw== + e: AQAB + 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + kty: RSA + use: sig + x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + LinkIdPAppUserResponse: + summary: Linked IdP User + value: + id: 00ub0oNGTSWTBKOLGLNR + externalId: '121749775026145' + created: '2017-03-30T02:19:51.000Z' + lastUpdated: '2017-03-30T02:19:51.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7/users/00ub0oNGTSWTBKOLGLNR + hints: + allow: + - GET + - DELETE + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7 + user: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + ListAllKeyCredentialsExample: + summary: List all Key Credentials example + value: + - created: '2015-12-10T18:56:23.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - MIIDqDCCApCgAwIBAgIGAVGNQFX5MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODU1MjJaFw0xNzEyMTAxODU2MjJaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJjrcnI6cXBiXNq9YDgfYrQe2O5qEHG4MXP8Ue0sMeefFkFEHYHnHUeZCq6WTAGqR+1LFgOl+Eq9We5V+qNlGIfkFkQ3iHGBrIALKqLCd0Et76HicDiegz7j9DtN+lo0hG/gfcw5783L5g5xeQ7zVmCQMkFwoUA0uA3bsfUSrmfORHJL+EMNQT8XIXD8NkG4g6u7ylHVRTLgXbe+W/p04m3EP6l41xl+MhIpBaPxDsyUvcKCNwkZN3aZIin1O9Y4YJuDHxrM64/VtLLp0sC05iawAmfsLunF7rdJAkWUpPn+xkviyNQ3UpvwAYuDr+jKLUdh2reRnm1PezxMIXzBVMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEARnFIjyitrCGbleFr3KeAwdOyeHiRmgeKupX5ZopgXtcseJoToUIinX5DVw2fVZPahqs0Q7/a0wcVnTRpw6946qZCwKd/PvZ1feVuVEA5Ui3+XvHuSH5xLp7NvYG1snNEvlbN3+NDUMlWj2NEbihowUBt9+UxTpQO3+N08q3aZk3hOZ+tHt+1Te7KEEL/4CM28GZ9MY7fSrS7MAgp1+ZXtn+kRlMrXnQ49qBda37brwDRqmSY9PwNMbev3r+9ZHwxr9W5wXW4Ev4C4xngA7RkVoyDbItSUho0I0M0u/LHuppclnXrw97xyO5Z883eIBvPVjfRcxsJxXJ8jx70ATDskw== + e: AQAB + 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + kty: RSA + use: sig + x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + - created: '2015-12-10T18:55:35.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2045-01-23T02:15:23.000Z' + x5c: + - MIIDqDCCApCgAwIBAgIGAUsUkouzMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTAxMjMwMjE0MjNaFw00NTAxMjMwMjE1MjNaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKhmkmKsu3FYeBiJg44aN6Ah3g9gof1cytXJVMnblDUWpLfe/FMUQCssh8Y8NCYRri5jni4efBgk6B3SkC7ymqsOXILIEHSwUYWnAaqDOTxO101mHzryowu1+0PldRNoyTthahpprvAPYlTin9zrDTqFT+WY/zwoaN8H+CfixlW1nM85qF18zYYekkW50MSoHPcfJKe2ywIhPXTYTSBEPcHh8dQEjBrZn7A4qOoDnfOXll8OL7j2O6EVyTtHA0tLJHVLpwI4gSPsXFwEnHltjN57odwYe9yds0BbM/YG9i+am1+3cmZ6Uyd16mLGclrr05o9BHcEZ4ZctV2hr6whbRsCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAnNlF27gRmhGTQ+GRAvbvYToFRgsIbBAPvRqB2LmEIiQ6UJd602w6uP1sv/zEzBYg4SnMLuVyWgOJ6d71dCvXdIO9mgAq6BaEPjlo0WhGyt+zGrpkMnIX5EwRa64kHydcPRHNA607wVYA96sJdyNJEMzBvjY9fJnfevzzDCN3NWpMS2T6rk6HP5IziI1VuFWY2OUC1kbCqLj1dUgp8koe3ftLL55ZpkAocnVMnrzBveNjgAOAiKTMcyS0bhESph9aVWvuHVZSfTnUjnTPb/4jA2YlB3ED+qaU3aqHwft1KXwZskNXBKXy7lyC+CMoeB3/ncFhSg/UllBooPPS3wYlNA== + e: AQAB + 'n': htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw + kid: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo + kty: RSA + use: sig + x5t#S256": 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ ListAllKeysResponse: summary: List All Keys response example value: @@ -26092,6 +33557,48 @@ components: client: href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} title: Client name + ListAppLinks: + value: + - id: 00ub0oNGTSWTBKOLGLNR + label: Google Apps Mail + linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/50 + logoUrl: https://{yourOktaDomain}/img/logos/google-mail.png + appName: google + appInstanceId: 0oa3omz2i9XRNSRIHBZO + appAssignmentId: 0ua3omz7weMMMQJERBKY + credentialsSetup: false + hidden: false + sortOrder: 0 + - id: 00ub0oNGTSWTBKOLGLNR + label: Google Apps Calendar + linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/54 + logoUrl: https://{yourOktaDomain}/img/logos/google-calendar.png + appName: google + appInstanceId: 0oa3omz2i9XRNSRIHBZO + appAssignmentId: 0ua3omz7weMMMQJERBKY + credentialsSetup: false + hidden: false + sortOrder: 1 + - id: 00ub0oNGTSWTBKOLGLNR + label: Box + linkUrl: https://{yourOktaDomain}/home/boxnet/0oa3ompioiQCSTOYXVBK/72 + logoUrl: https://{yourOktaDomain}/img/logos/box.png + appName: boxnet + appInstanceId: 0oa3ompioiQCSTOYXVBK + appAssignmentId: 0ua3omx46lYEZLPPRWBO + credentialsSetup: false + hidden: false + sortOrder: 3 + - id: 00ub0oNGTSWTBKOLGLNR + label: Salesforce.com + linkUrl: https://{yourOktaDomain}/home/salesforce/0oa12ecnxtBQMKOXJSMF/46 + logoUrl: https://{yourOktaDomain}/img/logos/salesforce_logo.png + appName: salesforce + appInstanceId: 0oa12ecnxtBQMKOXJSMF + appAssignmentId: 0ua173qgj5VAVOBQMCVB + credentialsSetup: true + hidden: false + sortOrder: 2 ListAssocAuthServerResponse: summary: List associated Authorization Servers value: @@ -26181,12 +33688,137 @@ components: hints: allow: - POST - ListBrandsResponse: + ListAuthorizationServerKeys: + summary: All Credential Keys value: - - id: bnd114iNkrcN6aR680g4 - name: Okta Default - isDefault: true - agreeToCustomPrivacyPolicy: false + - status: ACTIVE + alg: RS256 + e: AQAB + 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET + - status: NEXT + alg: RS256 + e: AQAB + 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET + - status: EXPIRED + alg: RS256 + e: AQAB + 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ + kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + hints: + allow: + - GET + ListAuthorizationServerPolicies: + summary: List Authorization Server Policies + value: + - type: OAUTH_AUTHORIZATION_POLICY + id: 00palyaappA22DPkj0h7 + status: ACTIVE + name: Vendor2 Policy + description: Vendor2 policy description + priority: 1 + system: false + conditions: + clients: + include: + - ALL_CLIENTS + created: '2017-05-26T19:43:53.000Z' + lastUpdated: '2017-06-07T15:28:17.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate + hints: + allow: + - POST + rules: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules + hints: + allow: + - GET + ListAuthorizationServerPolicyRules: + summary: List Authorization Server Policy Rules + value: + - type: RESOURCE_ACCESS + id: 0prbsjfyl01zfSZ9K0h7 + status: ACTIVE + name: Default Policy Rule + priority: 1 + created: '2017-08-25T16:57:02.000Z' + lastUpdated: '2017-08-30T14:51:05.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: + - EVERYONE + exclude: [] + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate + hints: + allow: + - POST + ListBrandsResponse: + value: + - id: bnd114iNkrcN6aR680g4 + name: Okta Default + isDefault: true + agreeToCustomPrivacyPolicy: false removePoweredByOkta: false customPrivacyPolicyUrl: null locale: en @@ -26334,6 +33966,92 @@ components: hints: allow: - POST + ListFactorsResults: + summary: All of the enrolled Factors for the specified User + value: + - id: ufs2bysphxKODSZKWVCT + factorType: question + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-04-15T18:10:06.000Z' + lastUpdated: '2014-04-15T18:10:06.000Z' + profile: + question: favorite_art_piece + questionText: What is your favorite piece of art? + _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs2bysphxKODSZKWVCT + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + - id: ostf2gsyictRQDSGTDZE + factorType: token:software:totp + provider: OKTA + status: PENDING_ACTIVATION + created: '2014-06-27T20:27:33.000Z' + lastUpdated: '2014-06-27T20:27:33.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + next: + name: activate + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: HE64TMLL2IUZW2ZLB + encoding: base32 + keyLength: 16 + - id: sms2gt8gzgEBPUWBIFHN + factorType: sms + provider: OKTA + status: ACTIVE + created: '2014-06-27T20:27:26.000Z' + lastUpdated: '2014-06-27T20:27:26.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET ListFeatureDependenciesResponse: summary: List all dependencies for a feature value: @@ -26397,6 +34115,31 @@ components: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents dependencies: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListIdPUsersResponse: + summary: List of linked IdP Users + value: + - id: 00u5cl9lo7nMjHjPr0h7 + externalId: '109912936038778' + created: '2015-11-03T19:10:11.000Z' + lastUpdated: '2015-11-03T19:11:49.000Z' + profile: + firstName: Carol + middleName: Lee + lastName: Johnson + email: carol_johnson@tfbnw.net + displayName: Carol Johnson + profile: https://www.facebook.com/app_scoped_user_id/109912936038778/ + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7/users/00u5cl9lo7nMjHjPr0h7 + hints: + allow: + - GET + - DELETE + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7 + user: + href: https://{yourOktaDomain}/api/v1/users/00u5cl9lo7nMjHjPr0h7 ListLinkedObjects: summary: List all Linked Object definitions value: @@ -26413,6 +34156,102 @@ components: _links: self: href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager + ListLogs: + summary: List all system logs + value: + - actor: + id: 00uttidj01jqL21aM1d6 + type: User + alternateId: john.doe@example.com + displayName: John Doe + detailEntry: null + client: + userAgent: + rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 + os: Mac OS X + browser: CHROME + zone: null + device: Computer + id: null + ipAddress: 10.0.0.1 + geographicalContext: + city: New York + state: New York + country: United States + postalCode: 10013 + geolocation: + lat: 40.3157 + lon: -74.01 + device: + id: guofdhyjex1feOgbN1d9 + name: Mac15,6 + os_platform: OSX + os_version: 14.6.0 + managed: false + registered: true + device_integrator: null + disk_encryption_type: ALL_INTERNAL_VOLUMES + screen_lock_type: BIOMETRIC + jailbreak: null + secure_hardware_present: true + authenticationContext: + authenticationProvider: null + credentialProvider: null + credentialType: null + issuer: null + interface: null + authenticationStep: 0 + rootSessionId: idxBager62CSveUkTxvgRtonA + externalSessionId: idxBager62CSveUkTxvgRtonA + displayMessage: User login to Okta + eventType: user.session.start + outcome: + result: SUCCESS + reason: null + published: '2024-08-13T15:58:20.353Z' + securityContext: + asNumber: 394089 + asOrg: ASN 0000 + isp: google + domain: null + isProxy: false + severity: INFO + debugContext: + debugData: + requestId: ab609228fe84ce59cdcbfa690bcce016 + requestUri: /idp/idx/authenticators/poll + url: /idp/idx/authenticators/poll + legacyEventType: core.user_auth.login_success + transaction: + type: WEB + id: ab609228fe84ce59cdcbfa690bgce016 + detail: null + uuid: dc9fd3c0-598c-11ef-8478-2b7584bf8d5a + version: 0 + request: + ipChain: + - ip: 10.0.0.1 + geographicalContext: + city: New York + state: New York + country: United States + postalCode: 10013 + geolocation: + lat: 40.3157 + lon: -74.01 + version: V4 + source: null + target: + - id: pfdfdhyjf0HMbkP2e1d7 + type: AuthenticatorEnrollment + alternateId: unknown + displayName: Okta Verify + detailEntry: null + - id: 0oatxlef9sQvvqInq5d6 + type: AppInstance + alternateId: Okta Admin Console + displayName: Okta Admin Console + detailEntry: null ListMappingsResponse: summary: List all Profile Mappings response value: @@ -26482,6 +34321,44 @@ components: hints: allow: - POST + ListPrivilegedAccounts: + summary: List Privileged Accounts with mixed account types + value: + - accountType: APP_ACCOUNT + description: This is for accessing AWS Prod-5 + id: a747a818-a4c4-4446-8a87-704216495a08 + name: AWS Prod-5 account + ownerGroupIds: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + - 00u11s48P9zGW8yqm0g5 + status: NO_ISSUES + statusDetail: ROTATED + created: '2023-04-04T15:56:05.000Z' + lastUpdated: '2023-05-05T18:15:44.000Z' + details: + credentials: + username: testuser@example.com + oktaApplicationId: aln1aqcs055ZRoizW0g8 + appInstanceName: AWS Prod-5 + appGlobalName: AWS Account Federation + - accountType: OKTA_USER_ACCOUNT + description: Shared admin account for managing AD integrations + id: d1b65a78-21ed-429b-8ea3-eec96f2748d6 + name: AD Integrations Admin + ownerGroupIds: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + - 00u11s48P9zGW8yqm0g5 + status: INFO + statusDetail: ROTATING + created: '2023-04-04T15:56:05.000Z' + lastUpdated: '2023-05-05T18:15:44.000Z' + details: + credentials: + username: shr-ad-admin-01@example.com + email: shr-ad-admin-01@example.com + oktaUserId: 00u11s48P9zGW8yqm0g5 ListRealmAssignmentsResponse: value: - id: rul2jy7jLUlnO3ng00g4 @@ -26633,73 +34510,33 @@ components: allow: - GET - PUT - ListRoleAssignments: - value: - - id: JBCUYUC7IRCVGS27IFCE2SKO - label: Help Desk Administrator - type: HELP_DESK_ADMIN - status: ACTIVE - created: '2023-05-01T14:24:54.000Z' - lastUpdated: '2023-05-01T14:24:54.000Z' - assignmentType: CLIENT - _links: - assignee: - href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles - - id: irb4ey26fpFI3vQ8y0g7 - label: view_minimal - type: CUSTOM - status: ACTIVE - created: '2023-05-01T15:16:47.000Z' - lastUpdated: '2023-05-01T15:16:47.000Z' - assignmentType: CLIENT - resource-set: iam4cxy6z7hhaZCSk0g7 - role: cr04cxy6yzSCtNciD0g7 - _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 - resource-set: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 - permissions: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions - member: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 - assignee: - href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 - ListSessionsResponse: - value: - - id: uij4ri8ZLk0ywyqxB0g1 - identitySourceId: 0oa3l6l6WK6h0R0QW0g4 - status: CREATED - importType: INCREMENTAL - created: '2022-04-04T15:56:05.000Z' - lastUpdated: '2022-05-05T16:15:44.000Z' ListSessionsResponseForGetSessions: value: - - id: uij4ri8ZLk0ywyqxB0g1 + - id: aps1qqonvr2SZv6o70h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: CREATED importType: INCREMENTAL created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T16:15:44.000Z' - - id: uij4ri8ZLk0ywyqxB0g2 + - id: aps1quck606ngubVq0h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: TRIGGERED importType: INCREMENTAL created: '2022-04-04T16:56:05.000Z' lastUpdated: '2022-05-05T17:15:44.000Z' - - id: uij4ri8ZLk0ywyqxB0g3 + - id: aps1qzy2acb5jDlUc0h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: IN_PROGRESS importType: INCREMENTAL created: '2022-04-04T17:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' - - id: uij4ri8ZLk0ywyqxB0g4 + - id: aps1qqne8c1JHkMdF0h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: EXPIRED importType: INCREMENTAL created: '2022-04-04T18:56:05.000Z' lastUpdated: '2022-05-05T19:15:44.000Z' - - id: uij4ri8ZLk0ywyqxB0g5 + - id: aps1qqonvr2SZv6o70h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: CLOSED importType: INCREMENTAL @@ -26831,6 +34668,27 @@ components: value: - type: DEVICE_BASED appliesTo: UNKNOWN_DEVICES + ListUserClients: + value: + - client_id: 0oabskvc6442nkvQO0h7 + client_name: My App + client_uri: null + logo_uri: null + _links: + grants: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants + tokens: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens + ListUserGroups: + value: + - id: 0gabcd1234 + profile: + name: Cloud App Users + description: Users can access cloud apps + - id: 0gefgh5678 + profile: + name: Internal App Users + description: Users can access internal apps ListUsersResponse: summary: List all Users value: @@ -26859,6 +34717,47 @@ components: _links: self: href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + ListYubikeyOptTokensResponse: + summary: List Yubikey OPT Token response + value: + - id: ykkwcx13nrDq8g4oy0g3 + created: '2020-01-14T21:53:09.000Z' + lastVerified: '2020-01-14T21:53:06.000Z' + lastUpdated: '2020-01-14T21:53:09.000Z' + status: UNASSIGNED + profile: + serial: '000003632071' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkwcx13nrDq8g4oy0g3 + hints: + allow: + - GET + - DELETE + - id: ykkxdtCA1fKVxyu6R0g3 + created: '2020-06-09T23:42:05.000Z' + activated: '2020-06-09T23:47:29.000Z' + lastVerified: '2020-06-09T23:47:29.000Z' + lastUpdated: '2020-06-09T23:47:29.000Z' + status: ACTIVE + profile: + serial: '000009508427' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 + hints: + allow: + - DELETE ListsAllUserTypes: summary: Lists all user types value: @@ -27177,7 +35076,7 @@ components: properties: name: Name can't exceed 100 characters. - $schema: https://json-schema.org/draft/2020-12/schema - $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming title: Splunk Cloud type: object properties: @@ -27218,7 +35117,7 @@ components: LogStreamSchemaSplunk: value: $schema: https://json-schema.org/draft/2020-12/schema - $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming title: Splunk Cloud type: object properties: @@ -27256,6 +35155,598 @@ components: errorMessage: properties: name: Name can't exceed 100 characters. + LogTargetChangeDetails: + summary: Example of the `changeDetails` property on the target + value: + from: + vpnLocationOptions: DISABLED + vpnSettingsZones: + include: null + exclude: null + to: + message: You must a use VPN to connect to this application + vpnLocationOptions: ZONE + vpnSettingsZones: + include: + - ALL_ZONES + exclude: null + MicrosoftIdPResponse: + summary: Microsoft Identity Provider + value: + id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + MultipleIdPCsrsResponse: + summary: Identity Provider CSRs + value: + - id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + - id: '-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg' + created: '2017-03-28T01:21:10.000Z' + csr: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg/lifecycle/publish + hints: + allow: + - POST + MultipleIdPKeyCredentialsResponse: + summary: Identity Provider Key Credentials + value: + - kid: your-key-id + created: '2016-01-03T18:15:47.000Z' + lastUpdated: '2016-01-03T18:15:47.000Z' + e: '65537' + 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + kty: RSA + use: sig + x5c: + - MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + - kty: EC + created: '2020-04-24T20:51:20.000Z' + lastUpdated: '2020-04-24T20:51:20.000Z' + expiresAt: '2040-03-01T20:22:29.000Z' + alg: EC + x5c: + - MIICqDCCAgqgAwIBAgIJAOkmCa/S8dHiMAoGCCqGSM49BAMCMG0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdKYW5reUNvMR8wHQYDVQQDDBZUZXN0IElkZW50aXR5IFByb3ZpZGVyMB4XDTIwMDMwNjIwMjIyOVoXDTQwMDMwMTIwMjIyOVowbTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoMB0phbmt5Q28xHzAdBgNVBAMMFlRlc3QgSWRlbnRpdHkgUHJvdmlkZXIwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABW/lGHl17mKDtCD4D7gcMYYOWgyWTGno8MTefDOABA8PddessTsbfrguF49Gli6lCzrZaAKhhvgINc3R6t/dYleAE3lY6LAocOoLe9xDkeggXNcSuP5fDc1x5R9GHTXl44vLoJOLSLsMbOXVMXIXoqbPDzTSYUy24aFdv4W4LZxW6ak6NQME4wHQYDVR0OBBYEFChTXNWvs4z1qjRVemPDD/hqlDQ4MB8GA1UdIwQYMBaAFChTXNWvs4z1qjRVemPDD/hqlDQ4MAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDgYsAMIGHAkIBuDhHMNLbBIsorbKtjxJzHJ2ItCSD2wAwqYv/6JBtA2ulKN5gRTSqdNCnqFsZ1/nYY7FFVXHEuQ2N3pPq7Ri8h84CQSgCq1UQyd0lFtb7+57JbiGb6LVaRqRm7vwx8zLRA+tVjIM1DlQ2Gbxkj3nlkzmM93j9wchiqGdQidyKnF6EBnfd + x: Vv5Rh5de5ig7Qg-A-4HDGGDloMlkxp6PDE3nwzgAQPD3XXrLE7G364LhePRpYupQs62WgCoYb4CDXN0erf3WJXg + 'y': ATeVjosChw6gt73EOR6CBc1xK4_l8NzXHlH0YdNeXji8ugk4tIuwxs5dUxcheips8PNNJhTLbhoV2_hbgtnFbpqT + crv: P-521 + kid: your-kid + use: sig + x5t#S256: TUx-AIwypm2pZURHNqafk7ZDxqQP_ypzIyUwDDnPOlw + MultipleIdPSigningKeyCredentialsResponse: + summary: Identity Provider Signing Key Credentials + value: + - created: '2015-12-10T18:56:23.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - MIIDqDCCApCgAwIBAgIGAVGNQFX5MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODU1MjJaFw0xNzEyMTAxODU2MjJaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJjrcnI6cXBiXNq9YDgfYrQe2O5qEHG4MXP8Ue0sMeefFkFEHYHnHUeZCq6WTAGqR+1LFgOl+Eq9We5V+qNlGIfkFkQ3iHGBrIALKqLCd0Et76HicDiegz7j9DtN+lo0hG/gfcw5783L5g5xeQ7zVmCQMkFwoUA0uA3bsfUSrmfORHJL+EMNQT8XIXD8NkG4g6u7ylHVRTLgXbe+W/p04m3EP6l41xl+MhIpBaPxDsyUvcKCNwkZN3aZIin1O9Y4YJuDHxrM64/VtLLp0sC05iawAmfsLunF7rdJAkWUpPn+xkviyNQ3UpvwAYuDr+jKLUdh2reRnm1PezxMIXzBVMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEARnFIjyitrCGbleFr3KeAwdOyeHiRmgeKupX5ZopgXtcseJoToUIinX5DVw2fVZPahqs0Q7/a0wcVnTRpw6946qZCwKd/PvZ1feVuVEA5Ui3+XvHuSH5xLp7NvYG1snNEvlbN3+NDUMlWj2NEbihowUBt9+UxTpQO3+N08q3aZk3hOZ+tHt+1Te7KEEL/4CM28GZ9MY7fSrS7MAgp1+ZXtn+kRlMrXnQ49qBda37brwDRqmSY9PwNMbev3r+9ZHwxr9W5wXW4Ev4C4xngA7RkVoyDbItSUho0I0M0u/LHuppclnXrw97xyO5Z883eIBvPVjfRcxsJxXJ8jx70ATDskw== + kid: akm5hvbbevE341ovl0h7 + kty: RSA + use: sig + x5t#S256: 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + - created: '2015-12-10T18:55:35.000Z' + expiresAt: '2045-01-23T02:15:23.000Z' + x5c: + - MIIDqDCCApCgAwIBAgIGAVGNQFX5MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODU1MjJaFw0xNzEyMTAxODU2MjJaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJjrcnI6cXBiXNq9YDgfYrQe2O5qEHG4MXP8Ue0sMeefFkFEHYHnHUeZCq6WTAGqR+1LFgOl+Eq9We5V+qNlGIfkFkQ3iHGBrIALKqLCd0Et76HicDiegz7j9DtN+lo0hG/gfcw5783L5g5xeQ7zVmCQMkFwoUA0uA3bsfUSrmfORHJL+EMNQT8XIXD8NkG4g6u7ylHVRTLgXbe+W/p04m3EP6l41xl+MhIpBaPxDsyUvcKCNwkZN3aZIin1O9Y4YJuDHxrM64/VtLLp0sC05iawAmfsLunF7rdJAkWUpPn+xkviyNQ3UpvwAYuDr+jKLUdh2reRnm1PezxMIXzBVMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEARnFIjyitrCGbleFr3KeAwdOyeHiRmgeKupX5ZopgXtcseJoToUIinX5DVw2fVZPahqs0Q7/a0wcVnTRpw6946qZCwKd/PvZ1feVuVEA5Ui3+XvHuSH5xLp7NvYG1snNEvlbN3+NDUMlWj2NEbihowUBt9+UxTpQO3+N08q3aZk3hOZ+tHt+1Te7KEEL/4CM28GZ9MY7fSrS7MAgp1+ZXtn+kRlMrXnQ49qBda37brwDRqmSY9PwNMbev3r+9ZHwxr9W5wXW4Ev4C4xngA7RkVoyDbItSUho0I0M0u/LHuppclnXrw97xyO5Z883eIBvPVjfRcxsJxXJ8jx70ATDskw== + kid: akm5hvbn1vojA9Fsa0h7 + kty: RSA + use: sig + x5t#S256: 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ + MultipleIdPsResponse: + summary: Multiple Identity Providers + value: + - id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.facebook.com/dialog/oauth + binding: HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate + hints: + allow: + - POST + - id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bfdjnK55Z5x80h7 + type: LINKEDIN + name: LinkedIn + status: ACTIVE + created: '2016-03-24T23:23:59.000Z' + lastUpdated: '2016-03-24T23:23:59.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.linkedin.com/uas/oauth2/authorization + binding: HTTP-REDIRECT + token: + url: https://www.linkedin.com/uas/oauth2/accessToken + binding: HTTP-POST + scopes: + - r_basicprofile + - r_emailaddress + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdjnK55Z5x80h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + scopes: + - openid + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: '2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + deactivate: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users + hints: + allow: + - GET + keys: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc + hints: + allow: + - GET + NextAuthorizationServerKey: + summary: Next Authorization Server Key + value: + status: NEXT + alg: RS256 + e: AQAB + 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET NzErrorApiValidationFailed: summary: API Validation Failed value: @@ -27374,6 +35865,214 @@ components: authorizationServer: href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 title: Example Authorization Server + OpenidConnectEx: + summary: OPENID_CONNECT + value: + name: oidc_client + label: Sample Client profile + signOnMode: OPENID_CONNECT + credentials: + oauthClient: + token_endpoint_auth_method: client_secret_post + profile: + label: oauth2 client app 1 + settings: + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + participate_slo: false + OpenidConnectPutEx: + summary: OPENID_CONNECT + value: + name: oidc_client + label: Sample Client profile updated + signOnMode: OPENID_CONNECT + OpenidConnectPutResponseEx: + summary: OPENID_CONNECT + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: true + web: true + appLinks: + oidc_client_link: true + name: oidc_client + label: Sample Client profile updated + features: [] + signOnMode: OPENID_CONNECT + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc + oauthClient: + autoKeyRotation: true + client_id: 0oahonkqCRR6TSNlg4 + client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 + token_endpoint_auth_method: client_secret_post + pkce_required: true + settings: + app: {} + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + issuer_mode: DYNAMIC + idp_initiated_login: + mode: DISABLED + default_scope: [] + wildcard_redirect: DISABLED + dpop_bound_access_tokens: false + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + OpenidConnectResponseEx: + summary: OPENID_CONNECT + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: true + web: true + appLinks: + oidc_client_link: true + name: oidc_client + label: Sample Client profile + features: [] + signOnMode: OPENID_CONNECT + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc + oauthClient: + autoKeyRotation: true + client_id: 0oahonkqCRR6TSNlg4 + client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 + token_endpoint_auth_method: client_secret_post + pkce_required: true + settings: + app: {} + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + issuer_mode: DYNAMIC + idp_initiated_login: + mode: DISABLED + default_scope: [] + wildcard_redirect: DISABLED + dpop_bound_access_tokens: false + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + profile: + label: oauth2 client app 1 OperationResponse: value: id: rre4mje4ez6B2a7B60g7 @@ -27485,6 +36184,41 @@ components: - POST - PUT - DELETE + OrgSettingResponse: + summary: Org setting response + value: + address1: 100 1st St + address2: 6th floor + city: San Fransico + companyName: okta + country: United States + endUserSupportHelpURL: support.okta.com + phoneNumber: '+18887227871' + postalCode: '94105' + state: California + supportPhoneNumber: '+18887227871' + website: www.okta.com + id: 00o3qqiw0vSCIwu8I0g7 + created: '2024-01-24T14:15:22Z' + lastUpdated: '2024-07-21T14:15:22Z' + expiresAt: '2024-12-24T14:15:22Z' + status: ACTIVE + subdomain: okta + _links: + preferences: + href: https://{yourOktaDomain}/v1/org/preferences + uploadLogo: + href: https://{yourOktaDomain}/api/v1/org/logo + hints: + allow: + - POST + oktaCommunication: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication + logo: null + oktaSupport: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport + contacts: + href: https://vantest.oktapreview.com/api/v1/org/contacts PasswordImportPayloadExample: summary: An example password import inline hook request body value: @@ -27576,6 +36310,12 @@ components: - label: okta.users.read created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode _links: role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 @@ -27659,6 +36399,51 @@ components: createdBy: user1234 lastUpdate: '2022-05-20T21:13:07.410Z' lastUpdatedBy: user4321 + PrivilegedResourceClaimAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceClaimOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' PrivilegedResourceCreateAppAccountRequest: value: resourceType: APP_ACCOUNT @@ -27666,10 +36451,110 @@ components: containerId: 0oa103099SBEb3Z2b0g4 credentials: userName: testuser@example.com - PrivilegedResourceCreateOktaAccountRequest: + PrivilegedResourceCreateAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: INACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceCreateOktaAccountRequestConvert: value: resourceType: OKTA_USER_ACCOUNT resourceId: 00u100xTfFs4MasRf0g4 + PrivilegedResourceCreateOktaAccountRequestNew: + value: + resourceType: OKTA_USER_ACCOUNT + credentials: + userName: username + profile: + email: testuser@example.com + PrivilegedResourceCreateOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: INACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceRotatePasswordAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '' + syncState: SYNCING + errorCode: '' + errorReason: '' + PrivilegedResourceRotatePasswordOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-11T11:11:01.000Z' + syncState: SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourcesAppAccountUpdateRequest: + value: + username: username PrivilegedResourcesGetAppAccountResponse: value: id: opa100xTfFs4MasRf0g4 @@ -27691,8 +36576,12 @@ components: created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE - credentialChanged: '2024-06-10T11:30:01.000Z' - credentialSyncState: SYNCED + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:30:01.000Z' + syncState: SYNC_FAILED + errorCode: UNKNOWN_ERROR + errorReason: Password update failed PrivilegedResourcesGetOktaAccountResponse: value: id: opa100xTfFs4MasRf0g4 @@ -27705,8 +36594,121 @@ components: created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE - credentialChanged: '2024-06-10T11:30:01.000Z' - credentialSyncState: SYNCED + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:30:01.000Z' + syncState: SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourcesOktaUserAccountUpdateRequest: + value: + username: username + profile: + email: testuser@example.com + ProfileEnrollmentRequest: + summary: An example Profile Enrollment (SSR) inline hook request body + value: + eventId: 04Dmt8BcT_aEgM + eventTime: '2022-04-25T17:35:27.000Z' + eventType: com.okta.user.pre-registration + eventTypeVersion: 1 + contentType: application/json + cloudEventVersion: 0.1 + source: regt4qeBKU29vSoPz0g3 + requestType: self.service.registration + data: + context: + request: + method: POST + ipAddress: 127.0.0.1 + id: 123testId456 + url: + value: /idp/idx/enroll/new + userProfile: + firstName: Rosario + lastName: Jones + login: rosario.jones@example.com + email: rosario.jones@example.com + action: ALLOW + ProfileEnrollmentResponse: + summary: An example Profile Enrollment (SSR) inline hook response + value: + commands: + - type: com.action.update + value: + registration: ALLOW + ProfileEnrollmentResponseDeny: + summary: An example Profile Enrollment (SSR) inline hook Deny response + value: + commands: + - type: com.action.update + value: + registration: DENY + error: + errorSummary: Incorrect email address. Please contact your admin. + errorCauses: + - errorSummary: Only example.com emails can register. + reason: INVALID_EMAIL_DOMAIN + locationType: body + location: data.userProfile.email + domain: end-user + ProgressiveProfileRequest: + summary: An example Progressive Profile inline hook request + value: + eventId: vzYp_zMwQu2htIWRbNJdfw + eventTime: '2022-04-25T04:04:41.000Z' + eventType: com.okta.user.pre-registration + eventTypeVersion: 1 + contentType: application/json + cloudEventVersion: 0.1 + source: regt4qeBKU29vS + requestType: progressive.profile + data: + context: + request: + method: POST + ipAddress: 127.0.0.1 + id: 123dummyId456 + url: + value: /idp/idx/enroll/update + user: + passwordChanged: '2022-01-01T00:00:00.000Z' + _links: + groups: + href: /api/v1/users/00u48gwcu01WxvNol0g7/groups + factors: + href: /api/v1/users/00u48gwcu01WxvNol0g7/factors + profile: + firstName: Rosario + lastName: Jones" + timeZone: America/Los_Angeles + login: rosario.jones@example.com + locale: en_US + id: 00u48gwcu01WxvNo + action: ALLOW + userProfileUpdate: + employeeNumber: 1234 + ProgressiveProfileResponse: + summary: An example Progressive Profile inline hook response + value: + commands: + - type: com.okta.user.progressive.profile.update' + value: request.body.data.userProfileUpdate['employeeNumber'] + ProgressiveProfileResponseDeny: + summary: An example Progressive Profile inline hook Deny response + value: + commands: + - type: com.action.update + value: + registration: DENY + error: + errorSummary: Incorrect employee number. Enter an employee number with 4 digits. + errorCauses: + - errorSummary: Only employee numbers with 4 digits can register. + reason: INVALID_EMPLOYEE_NUMBER + locationType: body + location: data.userProfile.employeeNumber + domain: end-user ProvisioningConnectionOauthO365RequestEx: summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app value: @@ -28112,6 +37114,85 @@ components: - GET - PUT - DELETE + ReplaceIdPRequestResponse: + summary: Replace an Identity Provider + value: + id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: INACTIVE + created: null + lastUpdated: '2016-03-29T21:23:45.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com/saml2/sso + binding: HTTP-REDIRECT + destination: https://idp.example.com/saml2/sso + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.subjectNameId + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 120000 + _links: + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + activate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/activate + hints: + allow: + - POST ReplaceKeyResponse: summary: Replace a key response example value: @@ -28203,6 +37284,14 @@ components: hints: allow: - POST + ReplaceResourceSetRequest: + value: + label: SF-IT-People + description: People in the IT department of San Francisco + ReplaceRoleRequest: + value: + label: UserCreator + description: Create users ReplaceUserTypePutRequest: summary: Replace user type request value: @@ -28226,6 +37315,10 @@ components: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ResetPwdWithoutSendingEmailResponse: + value: + summary: Reset password without sending email + resetPasswordUrl: https://{yourOktaDomain}/reset_password/XE6wE17zmphl3KqAPFxO ResourceSelectorCreateRequestExample: value: name: All applications except Workday applications @@ -28376,29 +37469,80 @@ components: additions: - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + ResourceSetResourcePostRequestExample: + summary: Resource Set with conditions request + value: + resourceOrnOrUrl: https://{yourOktaDomain}/api/v1/apps + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + ResourceSetResourcePutRequestExample: + value: + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + ResourceSetResourceResponse: + summary: Resource Set response + value: + id: ire106sQKoHoXXsAe0g4 + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 ResourceSetResourcesResponse: value: resources: - id: ire106sQKoHoXXsAe0g4 + orn: orn:{partition}:directory:{yourOrgId}:groups:00guaxWZ0AOa5NFAj0g3 created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 - id: ire106riDrTYl4qA70g4 + orn: orn:{partition}:directory:{yourOrgId}:groups:00gu67DU2qNCjNZYO0g3:contained_resources created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g2 - id: irezvo4AwE2ngpMw40g3 + orn: orn:{partition}:directory:{yourOrgId}:users created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: + self: + href: https://{yourOktaDomain}/api/v1/users users: href: https://{yourOktaDomain}/api/v1/users + - id: ire2j4iDnxHhUFaZN0g4 + orn: orn:{partition}:directory:{yourOrgId}:groups + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups groups: href: https://{yourOktaDomain}/api/v1/groups + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g3 _links: next: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3 @@ -28994,7 +38138,7 @@ components: dependencies: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies RetrieveKeyResponse: - summary: Retrieve a key by hookKeyId response example + summary: Retrieve a key by id response example value: id: HKY1p7jWLndGQV9M60g4 keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad @@ -29350,6 +38494,163 @@ components: _links: next: href: https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1 + SAMLHookResponseExample: + summary: A sample response for a SAML inline hook + value: + commands: + - type: com.okta.assertion.patch + value: + - op: replace + path: /claims/array/attributeValues/1/value + value: replacementValue + - op: replace + path: /authentication/authnContext + value: + authnContextClassRef: replacementValue + - op: add + path: /claims/extPatientId + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + attributeValues: + - attributes: + xsi:type: xs:string + value: '4321' + - op: add + path: /authentication/sessionLifetime + value: 300 + - type: com.okta.assertion.patch + value: + - op: replace + path: /authentication/sessionIndex + value: exampleSession + SAMLHookResponseWithURIFormat: + summary: An example with `replace` and `add` operations with the URI formatted claim encoded + value: + commands: + - type: com.okta.assertion.patch + value: + - op: replace + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributeValues/0/value + value: replacementValue + - op: replace + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributes + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + - op: add + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1bar + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + attributeValues: + - attributes: + xsi:type: xs:string + value: bearer + SAMLPayLoadExample: + summary: An example SAML assertion inline hook request body + value: + source: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml + eventId: XMFoHCM1S4Wi_SGWzL8T9A + eventTime: '2019-03-28T19:15:23.000Z' + data: + context: + request: + id: reqqXypjzYJRSu2j1G1imUovA + method: GET + url: + value: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml + ipAddress: 127.0.0.1 + protocol: + type: SAML2.0 + issuer: + id: 0oath92zlO60urQOP0g3 + name: SAML 2.0 App + uri: http://www.okta.com/exkth8lMzFm0HZOTU0g3 + session: + id: 102LN9Bnuc4S_ewfc9BYwageA + userId: 00uq8tMo3zV0OfJON0g3 + login: user@example.com + createdAt: '2019-03-28T16:45:55.000Z' + expiresAt: '2019-03-28T21:15:23.000Z' + status: ACTIVE + lastPasswordVerification: '2019-03-28T16:45:55.000Z' + amr: + - PASSWORD + idp: + id: 00oq6kcVwvrDY2YsS0g3 + type: OKTA + mfaActive: false + user: + id: 00uq8tMo3zV0OfJON0g3 + passwordChanged: '2018-09-11T23:19:12.000Z' + profile: + login: user@example.com + firstName: Admin + lastName: Last + locale: en + timeZone: America/Los_Angeles + _links: + groups: + href: https://${yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups + factors: + href: https://${yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors + assertion: + subject: + nameId: user@example.com + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + confirmation: + method: urn:oasis:names:tc:SAML:2.0:cm:bearer + data: + recipient: http://www.example.com:7070/saml/sso + authentication: + sessionIndex: id1553800523546.312669168 + authnContext: + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + conditions: + audienceRestriction: + - urn:example:sp + claims: + extPatientId: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:integer + value: '4321' + array: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: Array 1 + - attributes: + xsi:type: xs:string + value: Array2 + - attributes: + xsi:type: xs:string + value: Array3 + middle: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: admin + firstAndLast: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: 7d6a50c8-4d7e-4058-9c5b-2cc98cecd294 + lifetime: + expiration: 300 + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + eventType: com.okta.saml.tokens.transform + contentType: application/json SMSTemplateEditablePropertyValues: value: name: Custom @@ -29383,6 +38684,555 @@ components: it: '${org.name}: il codice di verifica è ${code}' created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' + Saml2.0Ex: + summary: SAML_2_0 + value: + label: Example Custom SAML 2.0 App + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + signOnMode: SAML_2_0 + settings: + signOn: + defaultRelayState: '' + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: true + acsEndpoints: + - url: http://testorgone.okta + index: 0 + - url: http://testorgone.okta/1 + index: 1 + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + Saml2.0PutEx: + summary: SAML_2_0 + value: + label: Example Custom SAML 2.0 App updated + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + signOnMode: SAML_2_0 + settings: + signOn: + defaultRelayState: '' + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n..." + requestCompressed: false + allowMultipleAcsEndpoints: true + acsEndpoints: + - url: http://testorgone.okta + index: 0 + - url: http://testorgone.okta/1 + index: 1 + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + Saml2.0PutResponseEx: + summary: SAML_2_0 + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_examplecustomsaml20app_1_link: true + name: testorgone_examplecustomsaml20app_1 + label: Example Custom SAML 2.0 App updated + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q + settings: + app: {} + signOn: + defaultRelayState: null + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + spIssuer: https://testorgone.okta.com + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + samlSignedRequestEnabled: false + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + inlineHooks: [] + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + Saml2.0ResponseEx: + summary: SAML_2_0 + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_examplecustomsaml20app_1_link: true + name: testorgone_examplecustomsaml20app_1 + label: Example Custom SAML 2.0 App + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q + settings: + app: {} + signOn: + defaultRelayState: null + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + spIssuer: https://testorgone.okta.com + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + samlSignedRequestEnabled: false + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + inlineHooks: [] + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + SamlIdPResponse: + summary: SAML 2.0 Identity Provider + value: + id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate + hints: + allow: + - POST + SecurePasswordStoreEx: + summary: SECURE_PASSWORD_STORE + value: + name: template_sps + label: Example SWA App + signOnMode: SECURE_PASSWORD_STORE + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue + SecurePasswordStorePutEx: + summary: SECURE_PASSWORD_STORE + value: + name: template_sps + label: Example SWA App updated + signOnMode: SECURE_PASSWORD_STORE + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue_updated + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue_updated + SecurePasswordStorePutResponseEx: + summary: SECURE_PASSWORD_STORE + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_sps + label: Example SWA App updated + features: [] + signOnMode: SECURE_PASSWORD_STORE + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue_updated + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue_updated + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + SecurePasswordStoreResponseEx: + summary: SECURE_PASSWORD_STORE + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_sps + label: Example SWA App + features: [] + signOnMode: SECURE_PASSWORD_STORE + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null SecurityEventsProviderRequestIssuerAndJwksUrl: summary: Provider with issuer and JWKS value: @@ -29458,15 +39308,135 @@ components: ids: - 00g4eralvekR5RLuS0g7 - 00g4eralvekR5RLuS0g8 - risk: - level: LOW - zones: - ids: - - nzo4eralxcRnbIHYJ0g7 - device: - platform: IOS - registered: true - managed: true + risk: + level: LOW + zones: + ids: + - nzo4eralxcRnbIHYJ0g7 + device: + platform: IOS + registered: true + managed: true + SimulatePolicyElExpressionBody: + summary: Simulate policy request body with EL context + description: Simulate policy request body with EL context + value: + appInstance: 0oa4fdudGhhB5FNKR0g4 + policyContext: + user: + id: 00u10wvS3zms2JVaO0g4 + status: ACTIVE + created: '2024-04-29T18:05:24.000Z' + lastUpdated: '2024-04-29T18:05:24.000Z' + passwordChanged: '2024-04-29T18:05:24.000Z' + lastLogin: '2024-04-29T18:05:24.000Z' + profile: + city: string + costCenter: string + countryCode: st + department: string + displayName: string + division: string + email: user@example.com + employeeNumber: string + firstName: string + honorificPrefix: string + honorificSuffix: string + lastName: string + locale: string + login: string + manager: string + managerId: string + middleName: string + mobilePhone: string + nickName: string + organization: string + postalAddress: string + preferredLanguage: string + primaryPhone: string + profileUrl: string + secondEmail: user@example.com + state: string + streetAddress: string + timezone: string + title: string + userType: string + zipCode: string + SimulatePolicyElExpressionResponse: + summary: Simulate policy response body with EL Context + description: Simulate policy response body with EL Context + value: + evaluation: + - status: null + policyType: OKTA_SIGN_ON + result: + policies: + - id: 00p4eromwukk6qUku0g7 + name: test policy + status: MATCH + conditions: [] + rules: + - id: 0pr4erof85nGcyC7Y0g7 + name: test rule + status: MATCH + conditions: + - type: people.groups.include + status: MATCH + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: MFA_ENROLL + result: + policies: + - id: 00p4eram2kw1aLcrx0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: 0pr4eram2lMQT5FZF0g7 + name: null + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: ACCESS_POLICY + result: + policies: + - id: rst4eram06ZKZewEe0g7 + name: Any two factors + status: MATCH + conditions: [] + rules: + - id: rul4eram07VsWgybo0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: PROFILE_ENROLLMENT + result: + policies: + - id: rst4eram08ZSjPTOl0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: rul4eram094PrQ2BX0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] SimulatePolicyResponse: summary: Simulate policy response body description: Simulate policy response body @@ -29542,10 +39512,163 @@ components: policies: [] evaluated: policies: [] + SmartCardIdPResponse: + summary: SmartCard Identity Provider + value: + id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: '2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 120000 + _links: + deactivate: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users + hints: + allow: + - GET + keys: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc + hints: + allow: + - GET + SocialAuthTokensResponse: + summary: Social Authentication Tokens + value: + - id: + token: JBTWGV22G4ZGKV3N + tokenType: urn:ietf:params:oauth:token-type:access_token + tokenAuthScheme: Bearer + expiresAt: '2014-08-06T16:56:31.000Z' + scopes: + - openid + - foo + - id: + token: JBTWGV22G4ZJBRXJ + tokenType: urn:ietf:params:oauth:token-type:id_token + tokenAuthScheme: null + StandardAndCustomRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application Administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: ra125eqBFpETrMwu80g4 + label: Organization Administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: gra25fapn1prGTBKV0g4 + label: API Access Management Administrator + type: API_ACCESS_MANAGEMENT_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + - id: irb5e92YgBazyyQ3x1q5 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoakjsdQaJxGIr03int1o + _links: + assignee: + href: https://{ yourOktaDomain }/api/v1/groups/00g1ousb3XCr9Dkr20g4 + resource-set: + href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoakjsdQaJxGIr03int1o + member: + href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{ yourOktaDomain }/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{ yourOktaDomain }/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions StandardRoleAssignmentRequest: value: - type: HELP_DESK_ADMIN, - StandardRoleAssignmentResponse: + type: HELP_DESK_ADMIN + StandardRoleResponseClient: value: id: JBCUYUC7IRCVGS27IFCE2SKO label: Help Desk Administrator @@ -29557,6 +39680,84 @@ components: _links: assignee: href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles + StandardRoleResponseUser: + value: + id: ra1b8anIk7rx7em7L0g4 + label: Super Organization Administrator + type: SUPER_ADMIN + status: ACTIVE + created: '2015-09-06T15:28:47.000Z' + lastUpdated: '2015-09-06T15:28:47.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + StandardRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application Administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: ra125eqBFpETrMwu80g4 + label: Organization Administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: gra25fapn1prGTBKV0g4 + label: API Access Management Administrator + type: API_ACCESS_MANAGEMENT_ADMIN + status: ACTIVE + created": '2019-02-06T16:20:57.000Z' + lastUpdated": '2019-02-06T16:20:57.000Z' + assignmentType": GROUP + _links": + assignee": + href": https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 + StandardRolesListResponseClient: + value: + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2023-05-01T14:24:54.000Z' + lastUpdated: '2023-05-01T14:24:54.000Z' + assignmentType: CLIENT + _links: + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles + StandardRolesListResponseGroup: + value: + - id: IFIFAX2BIRGUSTQ + label: Application Administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 SubmissionOidcRequest: summary: Submission OIDC request example value: @@ -29607,6 +39808,12 @@ components: acs: - url: https://${org.subdomain}.example.com/saml/login entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups doc: https://example.com/strawberry/help/samlSetup config: - name: subdomain @@ -29623,6 +39830,12 @@ components: acs: - url: https://${org.subdomain}.example.com/saml/login entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups doc: https://example.com/strawberry/help/samlSetup config: - name: subdomain @@ -29643,6 +39856,12 @@ components: acs: - url: https://${org.subdomain}.example.com/saml/login entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups doc: https://example.com/strawberry/help/samlSetup config: - name: subdomain @@ -29651,6 +39870,77 @@ components: lastUpdated: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR lastPublished: '2023-09-01T13:23:45.000Z' + SupportedFactorResults: + value: + - factorType: question + provider: OKTA + vendorName: OKTA + _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token:software:totp + provider: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token:software:totp + provider: GOOGLE + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: sms + provider: OKTA + vendorName: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + _embedded: + phones: + - id: mblldntFJevYKbyQQ0g3 + profile: + phoneNumber: '+14081234567' + status: ACTIVE + - factorType: call + provider: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token + provider: RSA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token + provider: SYMANTEC + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST TelephonyFailureResponse: summary: A sample response for external webservice returning failure value: @@ -29793,9 +40083,220 @@ components: allow: - GET - POST + TokenHookErrorExample: + summary: Error response + value: + error: + errorSummary: Human-readable summary of the error + TokenHookModifyLifetime: + summary: Modify token lifetime + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /token/lifetime/expiration + value: 36000 + - type: com.okta.access.patch + value: + - op: replace + path: /token/lifetime/expiration + value: 36000 + TokenHookRemoveClaim: + summary: Remove claim + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/birthdate + value: null + - type: com.okta.access.patch + value: + - op: remove + path: /claims/external_guid + TokenHookRemoveFromArray: + summary: Remove from array + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/preferred_airports/1 + TokenHookRemoveFromObject: + summary: Remove from JSON object + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/employee_profile/email + TokenHookReplaceExisting: + summary: Replace an existing claim + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /claims/extPatientId + value: '1234' + - op: replace + path: /claims/external_guid + value: F0384685-F87D-474B-848D-2058AC5655A7 + TokenHookReplaceInPath: + summary: Replace within JSON object + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /claims/employee_profile/email + value: anna@company.com + TokenHookResponse: + summary: Add a claim + value: + commands: + - type: com.okta.assertion.patch + value: + - op: add + path: /claims/extPatientId + value: '1234' + - type: com.okta.assertion.patch + value: + - op: add + path: /claims/external_guid + value: F0384685-F87D-474B-848D-2058AC5655A7 + TokenHookResponseAppendArray: + summary: Append to array + value: + commands: + - type: com.okta.identity.patch + value: + - op: add + path: /claims/preferred_airports/3 + value: lax + TokenHookResponseWithURIFormat: + summary: Add new members to existing JSON objects + value: + commands: + - type: com.okta.identity.patch + value: + - op: add + path: /claims/employee_profile/department_id + value: '4947' + TokenPayLoadExample: + summary: Example token inline hook request body + description: An example token inline hook request body + value: + source: https://{yourOktaDomain}/oauth2/default/v1/authorize + eventId: 3OWo4oo-QQ-rBWfRyTmQYw + eventTime: '2019-01-15T23:20:47.000Z' + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + contentType: application/json + eventType: com.okta.oauth2.tokens.transform + data: null + context: + request: + id: reqv66CbCaCStGEFc8AdfS0ng + method: GET + url: + value: https://{yourOktaDomain}/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=token+id_token&redirect_uri=https%3A%2F%2Fhttpbin.org%2Fget&state=foobareere&nonce=asf&client_id=customClientIdNative + ipAddress: 127.0.0.1 + protocol: + type: OAUTH2.0 + request: + scope: openid profile email + state: foobareere + redirect_uri: https://httpbin.org/get + response_mode: fragment + response_type: token id_token + client_id: customClientIdNative + issuer: + uri: https://{yourOktaDomain}/oauth2/default + client: + id: customClientIdNative + name: Native client + type: PUBLIC + session: + id: 102Qoe7t5PcRnSxr8j3I8I6pA + userId: 00uq8tMo3zV0OfJON0g3 + login: administrator1@clouditude.net + createdAt: '2019-01-15T23:17:09.000Z' + expiresAt: '2019-01-16T01:20:46.000Z' + status: ACTIVE + lastPasswordVerification: '2019-01-15T23:17:09.000Z' + amr: + - PASSWORD + idp: + id: 00oq6kcVwvrDY2YsS0g3 + type: OKTA + mfaActive: false + user: + id: 00uq8tMo3zV0OfJON0g3 + passwordChanged: '2018-09-11T23:19:12.000Z' + profile: + login: administrator1@clouditude.net + firstName: Add-Min + lastName: O'Cloudy Tud + locale: en + timeZone: America/Los_Angeles + _links: + groups: + href: https://{yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups + factors: + href: https://{yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors + policy: + id: 00pq8lGaLlI8APuqY0g3 + rule: + id: 0prq8mLKuKAmavOvq0g3 + identity: + claims: + sub: 00uq8tMo3zV0OfJON0g3 + name: Add-Min O'Cloudy Tud + email: administrator1@clouditude.net + ver: 1 + iss: https://{yourOktaDomain}/oauth2/default + aud: customClientIdNative + jti: ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0 + amr: + - pwd + idp: 00oq6kcVwvrDY2YsS0g3 + nonce: asf + preferred_username: administrator1@clouditude.net + auth_time: 1547594229 + token: + lifetime: + expiration: 3600 + access: + claims: + ver: 1 + jti: AT.W-rrB-z-kkZQmHW0e6VS3Or--QfEN_YvoWJa46A7HAA + iss: https://{yourOktaDomain}/oauth2/default + aud: api://default + cid: customClientIdNative + uid: 00uq8tMo3zV0OfJON0g3 + sub: administrator1@clouditude.net + firstName: Add-Min + preferred_username: administrator1@clouditude.net + token: + lifetime: + expiration: 3600 + scopes: + openid: + id: scpq7bW1cp6dcvrz80g3 + action: GRANT + profile: + id: scpq7cWJ81CIP5Qkr0g3 + action: GRANT + email: + id: scpq7dxsoz6LQlRj00g3 + action: GRANT + refresh_token: + jti: oarob4a0tckCkGcyo1d6 TriggerSessionResponse: value: - - id: uij4ri8ZLk0ywyqxB0g4 + - id: aps1qqonvr2SZv6o70h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: TRIGGERED importType: INCREMENTAL @@ -30176,6 +40677,48 @@ components: allow: - GET - PUT + UpdateAuthorizationServerPolicyRequest: + summary: Update Authorization Server Policy + value: + id: 00p5m9xrrBffPd9ah0g4 + type: OAUTH_AUTHORIZATION_POLICY + status: ACTIVE + name: Default Policy + description: Default policy description + priority: 1 + system: false + conditions: + clients": + include": + - ALL_CLIENTS + UpdateAuthorizationServerPolicyRuleRequest: + summary: Update Authorization Server Policy Rule + value: + type: RESOURCE_ACCESS + name: Default Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + groups: + include: + - EVERYONE + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 UpdateBrandRequest: value: customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy @@ -30347,6 +40890,41 @@ components: _links: self: href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + UpdateOAuth2ScopeRequest: + summary: Example scope + value: + description: Order car + name: car:order + metadataPublish: ALL_CLIENTS + UpdateOrgSettingEx: + summary: Org setting request + value: + address1: 100 1st St + address2: 6th floor + city: San Fransico + companyName: okta + country: United States + endUserSupportHelpURL: support.okta.com + phoneNumber: '+18887227871' + postalCode: '94105' + state: California + supportPhoneNumber: '+18887227871' + website: www.okta.com + UpdateRecQuestionRequest: + value: + password: + value: tlpWENT2m + recovery_question: + question: How many roads must a man walk down? + answer: forty two + UpdateRecQuestionResponse: + value: + password: {} + recovery_question: + question: How many roads must a man walk down? + provider: + type: OKTA + name: OKTA UpdateSMSTemplateRequest: value: translations: @@ -30432,6 +41010,429 @@ components: - recordType: CNAME fqdn: t022._domainkey.example.com verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + UpdatedOAuth2ScopeResponse: + summary: Updated scope + value: + id: scp5yu8kLOnDzo7lh0g4 + name: car:order + description: Order car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: ALL_CLIENTS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + UploadYubikeyTokenSeedRequest: + summary: Yubikey OTP Seed + value: + serialNumber: '7886622' + publicId: ccccccijgibu + privateId: b74be6169486 + aesKey: 1fcc6d8ce39bf1604e0b17f3e0a11067 + UploadYubikeyTokenSeedResponse: + value: + id: ykkut4G6ti62DD8Dy0g3 + created: '2020-01-10T23:04:10.000Z' + lastVerified: '2020-01-10T23:04:10.000Z' + lastUpdated: '2020-01-10T23:04:10.000Z' + status: UNASSIGNED + profile: + serial: '000007886622' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkut4G6ti62DD8Dy0g3 + hints: + allow: + - GET + - DELETE + UserFactorChallengeCallResponse: + summary: call challenge + value: + factorResult: CHALLENGE + profile: + phoneNumber: '+12532236986' + phoneExtension: '1234' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV + hints: + allow: + - GET + - DELETE + UserFactorChallengeEmailResponse: + summary: email challenge + value: + factorResult: CHALLENGE + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + UserFactorChallengePushResponse: + summary: push challenge + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - GET + cancel: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - DELETE + UserFactorChallengeSmsResponse: + summary: sms challenge + value: + factorResult: CHALLENGE + profile: + phoneNumber: '+12532236986' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3 + hints: + allow: + - GET + - DELETE + UserFactorChallengeU2fResponse: + summary: u2f challenge + value: + factorResult: CHALLENGE + profile: + credentialId: GAiiLsVab2m3-zL1Fi3bVtNrM9G6_MntUITHKjxkV24ktGKjLSCRnz72wCEdHCe18IvC69Aia0sE4UpsO0HpFQ + version: U2F_V2 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + _embedded: + challenge: + nonce: vQFwTt6zKzMV7HFPzjS2 + timeoutSeconds: 20 + UserFactorChallengeWebauthnResponse: + summary: webAuthn challenge + value: + factorResult: CHALLENGE + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + _embedded: + challenge: + challenge: vQFwTt6zKzMV7HFPzjS2 + extensions: {} + UserFactorVerifyCallSuccessResponse: + summary: call verify + value: + factorResult: SUCCESS + UserFactorVerifyEmailSuccessResponse: + summary: email verify + value: + factorResult: SUCCESS + UserFactorVerifyPushRejectedResponse: + summary: push verification rejected + value: + factorResult: REJECTED + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionApproved: + summary: SUCCESS + value: + factorResult: SUCCESS + UserFactorVerifyPushTransactionRejected: + summary: REJECTED + value: + factorResult: REJECTED + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionTimeout: + summary: TIMEOUT + value: + factorResult: TIMEOUT + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionWaiting: + summary: WAITING + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + profile: + credentialId: jane.doe@example.com + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - GET + cancel: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - DELETE + UserFactorVerifySecurityQuestionRequest: + summary: security question verify + value: + answer: mayonnaise + UserFactorVerifySuccessSmsResponse: + summary: sms verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessSqResponse: + summary: security question verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessTokenResponse: + summary: token verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessTotpResponse: + summary: totp verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessYubikeyResponse: + summary: yubikey verify + value: + factorResult: SUCCESS + UserFactorVerifyU2fRequest: + summary: u2f verify + value: + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 + signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc + UserFactorVerifyU2fResponse: + summary: u2f verify response + value: + factorResult: SUCCESS + profile: + credentialId: h1bFwJFU9wnelYkexJuQfoUHZ5lX3CgQMTZk4H3I8kM9Nn6XALiQ-BIab4P5EE0GQrA7VD-kAwgnG950aXkhBw + version: U2F_V2 + UserFactorVerifyWebauthnRequest: + summary: WebAuthn verify challenge (posts a signed assertion using the challenge `nonce`) + value: + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 + authenticatorData: SBv04caJ+NLZ0bTeotGq9esMhHJ8YC5z4bMXXPbT95UFXbDsOg== + signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc + UserFactorVerifyWebauthnResponse: + summary: WebAuthn verify + value: + factorResult: SUCCESS + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + UserImportChangeAppUserProfileExample: + summary: Update an app user's profile response + value: + commands: + - type: com.okta.appUser.profile.update + value: + firstName: Stan + UserImportChangeUserProfileExample: + summary: Update an Okta user's profile response + value: + commands: + - type: com.okta.user.profile.update + value: + firstName: Stan + UserImportCreateANewUserExample: + summary: Create a new Okta user profile response + value: + commands: + - type: com.okta.action.update + value: + result: CREATE_USER + UserImportErrorExample: + summary: Return an error object + value: + error: + errorSummary: Error at third-party service. Please contact your admin. + UserImportMatchExample: + summary: Match an existing Okta user response + value: + commands: + - type: com.okta.action.update + value: + result: LINK_USER + - type: com.okta.user.update + value: + id: 00garwpuyxHaWOkdV0g3 + UserImportPayloadExample: + summary: A sample Okta user import request + value: + source: cal7eyxOsnb20oWbZ0g4 + eventId: JUGOUiYZTaKPmH6db0nDag + eventTime: '2019-02-27T20:59:04.000Z' + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + eventType: com.okta.import.transform + contentType: application/json + data: + context: + conflicts: + - login + application: + name: test_app + id: 0oa7ey7aLRuBvcYUD0g4 + label: Test App + status: ACTIVE + job: + id: ij17ez2AWtMZRfCZ60g4 + type: import:users + matches: [] + policy: + - EMAIL + - FIRST_AND_LAST_NAME + action: + result: CREATE_USER + appUser: + profile: + firstName: Sally2 + lastName: Admin2 + mobilePhone: null + accountType: PRO + secondEmail: null + failProvisioning: null + failDeprovisioning: null + externalId: user221 + groups: + - everyone@examplee.net + - tech@example.net + userName: administrator2 + email: sally.admin@example.net + user: + profile: + lastName: Admin2 + zipCode: null + city: null + secondEmail: null + postAddress: null + login: sally.admin@example.net + firstName: Sally2 + primaryPhone: null + mobilePhone: null + streetAddress: null + countryCode: null + typeId: null + state: null + email: sally.admin@example.net + UserRiskNoneResponse: + summary: Example User Risk with NONE risk level response + value: + riskLevel: NONE + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/{userId}/risk + hints: + allow: + - GET + - PUT + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + hints: + allow: + - GET + UserRiskRequest: + summary: Example upsert the risk for a user request + value: + riskLevel: HIGH + UserRiskResponse: + summary: Example User Risk response + value: + riskLevel: HIGH + reason: Admin override risk + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/{userId}/risk + hints: + allow: + - GET + - PUT + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + hints: + allow: + - GET UserSchemaAddRequest: value: definitions: @@ -30545,6 +41546,188 @@ components: - recordType: CNAME fqdn: t022._domainkey.example.com verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + WSFederationEx: + summary: WS_FEDERATION + value: + name: template_wsfed + label: Sample WS-Fed App + signOnMode: WS_FEDERATION + settings: + app: + audienceRestriction: urn:example:app + groupValueFormat: windowsDomainQualifiedName + wReplyURL: https://example.com/ + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + siteURL: https://example.com + usernameAttribute: username + WSFederationPutEx: + summary: WS_FEDERATION + value: + name: template_wsfed + label: Sample WS-Fed App updated + signOnMode: WS_FEDERATION + settings: + app: + audienceRestriction: urn:exampleupdated:app + groupValueFormat: windowsDomainQualifiedName + wReplyURL: https://example.com/ + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + siteURL: https://example.com + usernameAttribute: username + WSFederationPutResponseEx: + summary: WS_FEDERATION + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_wsfed + label: Sample WS-Fed App updated + features: [] + signOnMode: WS_FEDERATION + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU + settings: + app: + groupFilter: null + siteURL: https://example.com + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + wReplyOverride: false + digestAlgorithm: SHA1 + usernameAttribute: username + signatureAlgorithm: RSA_SHA1 + audienceRestriction: urn:exampleupdated:app + wReplyURL: https://example.com/ + groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role + attributeStatements: null + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 + groupValueFormat: windowsDomainQualifiedName + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + WSFederationResponseEx: + summary: WS_FEDERATION + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_wsfed + label: Sample WS-Fed App + features: [] + signOnMode: WS_FEDERATION + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU + settings: + app: + groupFilter: null + siteURL: https://example.com + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + wReplyOverride: false + digestAlgorithm: SHA1 + usernameAttribute: username + signatureAlgorithm: RSA_SHA1 + audienceRestriction: urn:example:app + wReplyURL: https://example.com/ + groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role + attributeStatements: null + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 + groupValueFormat: windowsDomainQualifiedName + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null WellKnownAppAuthenticatorConfigurationCustomApp: value: - authenticatorId: aut22f6xzargnJZYE3l7 @@ -30581,14 +41764,29 @@ components: id: 00o47wwoytgsDqEtz0g7 _links: organization: - href: https://{{yourSubdomain}}.okta.com + href: https://{yourSubdomain}.okta.com alternate: - href: https://{{yourCustomDomain}} + href: https://{yourCustomDomain} pipeline: idx settings: analyticsCollectionEnabled: false bugReportingEnabled: true omEnabled: false + activateOAuth2ClientSecretResponse: + summary: Activate Secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST activeAPIServiceIntegrationInstanceSecretResponse: summary: Activate Secret response example value: @@ -30604,6 +41802,114 @@ components: hints: allow: - POST + bulkDeletePayload: + value: + entityType: USERS + profiles: + - externalId: EXT123456784C2IF + - externalId: EXT123456784C3IF + - externalId: EXT123456784C4IF + bulkUpsertPayload: + value: + entityType: USERS + profiles: + - externalId: EXT123456784C2IF + profile: + userName: isaac.brock@example.com + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + secondEmail: isaac2.brock@example.com + mobilePhone: 123-456-7890 + homeAddress: Kirkland, WA + cloud-rule: + summary: Global session policy - Challenge cloud users + description: This global session policy uses a rule to challenge cloud users + value: + type: SIGN_ON + name: Challenge Cloud Users + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: [] + exclude: [] + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + actions: + signon: + access: ALLOW + requireFactor: true + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + cloud-rule-response: + summary: Global session policy - Challenge cloud users + description: The response body from the creation of a global session policy that uses a rule to challenge cloud users + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Challenge Cloud Users + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: [] + exclude: [] + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: true + primaryFactor: PASSWORD_IDP_ANY_FACTOR + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE create-auth-policy-rule-condition: summary: Authentication policy - Create rule with conditions description: Creates an authentication policy rule with a conditions object. @@ -30612,191 +41918,1827 @@ components: type: ACCESS_POLICY name: Rule with conditions conditions: - userType: - include: [] - exclude: - - otyezu4m0xN6w5JEa1d7 + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + network: + connection: ZONE + exclude: + - 00u7yq5goxNFTiMjW1d7 + riskScore: + level: ANY + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + include: [] + groups: + include: + - 00g9i12jictsYdZdi1d7 + exclude: [] + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + reauthenticateIn: PT2H + constraints: + - knowledge: + reauthenticateIn: PT2H + types: + - password + type: ASSURANCE + create-auth-policy-rule-condition-response: + summary: Authentication policy - Policy rule with conditions + description: The response body from the creation of an authentication policy rule with conditions. + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + name: Rule with conditions + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + groups: + include: + - 00g9i12jictsYdZdi1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + exclude: [] + riskScore: + level: ANY + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + required: true + types: + - password + reauthenticateIn: PT2H + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + create-group-rule-request-example: + summary: Create group rule request example + value: + type: group_rule + name: Engineering group rule + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + create-user-in-group-request: + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + groupIds: + - 00g1emaKYZTWRYYRRTSK + - 00garwpuyxHaWOkdV0g4 + create-user-in-group-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-authentication-provider-request: + description: Set `activate` parameter to `true` + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: FEDERATION + name: FEDERATION + create-user-with-authentication-provider-response: + value: + id: 00uijntSwJjSHtDY70g3 + status: ACTIVE + created: '2016-01-19T22:02:08.000Z' + activated: '2016-01-19T22:02:08.000Z' + statusChanged: '2016-01-19T22:02:08.000Z' + lastLogin: null + lastUpdated: '2016-01-19T22:02:08.000Z' + passwordChanged: null + profile: + login: isaac.brock@example.com + firstName: Isaac + lastName: Brock + mobilePhone: 555-415-1337 + email: isaac.brock@example.com + secondEmail: null + credentials: + provider: + type: FEDERATION + name: FEDERATION + _links: + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/reset_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/credentials/change_recovery_question + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/deactivate + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-imported-hashed-password-request: + description: Set `activate` parameter to `true` + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + hash: + algorithm: BCRYPT + workFactor: 10 + salt: rwh3vH166HCH/NT9XV5FYu + value: qaMqvAPULkbiQzkTCWo5XDcvzpk8Tna + create-user-with-imported-hashed-password-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: IMPORT + name: IMPORT + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-non-default-user-type-request: + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + type: + id: otyfnjfba4ye7pgjB0g4 + create-user-with-non-default-user-type-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + type: + id: otyfnjfba4ye7pgjB0g4 + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscfnjfba4ye7pgjB0g4 + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otyfnjfba4ye7pgjB0g4 + create-user-with-password-and-recovery-question-request: + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + value: tlpWENT2m + recovery_question: + question: Who is a major player in the cowboy scene? + answer: Annie Oakley + create-user-with-password-and-recovery-question-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-import-inline-hook-request: + description: Set `activate` parameter to `true` + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + hook: + type: default + create-user-with-password-import-inline-hook-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: IMPORT + name: IMPORT + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-request: + description: Set `activate` parameter to `true` + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + value: tlpWENT2m + create-user-with-password-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-recovery-question-request: + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + recovery_question: + question: Who is a major player in the cowboy scene? + answer: Annie Oakley + create-user-with-recovery-question-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-without-credentials-request: + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + create-user-without-credentials-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + createOAuth2ClientSecretCustomRequestBody: + summary: Add a user provided client secret + value: + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + status: ACTIVE + createOAuth2ClientSecretSystemGeneratedRequestBody: + summary: Add a system-generated client secret + value: {} + deactivateOAuth2ClientJsonWebKeyResponse: + summary: Deactivate JSON Web Key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: INACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate + hints: + allow: + - POST + deactivateOAuth2ClientSecretResponse: + summary: Deactivate Secret response example + value: + id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + deny-rule: + summary: Global session policy - Deny users + description: This global session policy uses a rule to deny users + value: + type: SIGN_ON + name: Deny users + conditions: + network: + connection: ANYWHERE + authContext: + authType: ANY + actions: + signon: + access: DENY + requireFactor: false + deny-rule-response: + summary: Global session policy - Deny users + description: The response body from the creation of a global session policy that uses a rule to deny users + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Deny + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + authContext: + authType: ANY + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: DENY + requireFactor: false + primaryFactor: PASSWORD_IDP + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 120 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + editFeatureExample: + summary: Enable Okta Personal admin settings + value: + enableExportApps: true + enableEnduserEntryPoints: true + getBlockListExample: + summary: List of blocked email domains + value: + domains: + - yahoo.com + - google.com + group-example: + summary: Group example + description: Example of a Group + value: + id: 00g1emaKYZTWRYYRRTSK + created: '2015-02-06T10:11:28.000Z' + lastUpdated: '2015-10-05T19:16:43.000Z' + lastMembershipUpdated: '2015-11-28T19:15:32.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: West Coast Users + description: All Users West of The Rockies + _links: + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/okta-large.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps + group-rule-example: + summary: Group rule example + description: Example of a group rule + value: + type: group_rule + id: 0pr3f7zMZZHPgUoWO0g4 + status: INACTIVE + name: Engineering group rule + created: '2016-12-01T14:40:04.000Z' + lastUpdated: '2016-12-01T14:40:04.000Z' + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + idp-discovery-dynamic-routing-rule: + summary: IdP discovery policy - Dynamic routing rule + description: This routing rule uses a dynamic Identity Provider. + value: + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-dynamic-routing-rule-response: + summary: IdP discovery policy - Dynamic routing rule + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-policy-response: + summary: IDP_DISCOVERY + value: + type: IDP_DISCOVERY + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + idp-discovery-specific-routing-rule: + summary: IdP discovery policy - Specific routing rule + description: This routing rule uses a specific Identity Provider. + value: + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + idp-discovery-specific-routing-rule-response: + summary: IdP discovery policy - Specific routing rule + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + inactiveAPIServiceIntegrationInstanceSecretResponse: + summary: Deactivate Secret response example + value: + id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + list-all-policy-rule-response-array: + summary: List all policy rules response (Sign-on policy) + description: List all policy rules response (Sign-on policy) + value: + - id: 0prh1sd28q5sXGW08697 + status: ACTIVE + name: Test Sign-on policy + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + primaryFactor: PASSWORD_IDP_ANY_FACTOR + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - POST + type: SIGN_ON + list-apps-example: + summary: List apps example + description: List all apps example + value: + - id: 0oafwvZDWJKVLDCUWUAC + name: template_basic_auth + label: Sample Basic Auth App + status: ACTIVE + lastUpdated: '2013-09-30T00:56:52.000Z' + created: '2013-09-30T00:56:52.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + url: https://example.com/login.html + authURL: https://example.com/auth.html + _links: + appLinks: + - href: https://{yourOktaDomain}/home/template_basic_auth/0oafwvZDWJKVLDCUWUAC/1438 + name: login + type: text/html + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/lifecycle/deactivate + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/groups + list-group-rules-example: + summary: List Group rules example + description: List all group rules example + value: + - type: group_rule + id: 0pr3f7zMZZHPgUoWO0g4 + status: INACTIVE + name: Engineering group rule + created: '2016-12-01T14:40:04.000Z' + lastUpdated: '2016-12-01T14:40:04.000Z' + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + list-groups-examples: + summary: List all groups example + description: Lists an example of an OKTA_GROUP and an APP_GROUP + value: + - id: 00g1emaKYZTWRYYRRTSK + created: '2015-02-06T10:11:28.000Z' + lastUpdated: '2015-10-05T19:16:43.000Z' + lastMembershipUpdated: '2015-11-28T19:15:32.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: West Coast Users + description: All Users West of The Rockies + _links: + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/okta-large.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps + - id: 00garwpuyxHaWOkdV0g4 + created: '2015-08-15T19:15:17.000Z' + lastUpdated: '2015-11-18T04:02:19.000Z' + lastMembershipUpdated: '2015-08-15T19:15:17.000Z' + objectClass: + - okta:windows_security_principal + type: APP_GROUP + profile: + name: Engineering Users + description: corp.example.com/Engineering/Engineering Users + groupType: Security + samAccountName: Engineering Users + objectSid: S-1-5-21-717838489-685202119-709183397-1177 + groupScope: Global + dn: CN=Engineering Users,OU=Engineering,DC=corp,DC=example,DC=com + windowsDomainQualifiedName: CORP\Engineering Users + externalId: OZJdWdONCU6h7WjQKp+LPA== + source: + id: 0oa2v0el0gP90aqjJ0g7 + _links: + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/active_directory-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/active_directory-large.png + type: image/png + source: + href: https://{yourOktaDomain}/api/v1/apps/0oa2v0el0gP90aqjJ0g7 + users: + href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/apps + list-user-example: + value: + - id: 00u1f96ECLNVOKVMUSEA + status: ACTIVE + created: '2013-12-12T16:14:22.000Z' + activated: '2013-12-12T16:14:22.000Z' + statusChanged: '2013-12-12T22:14:22.000Z' + lastLogin: '2013-12-12T22:14:22.000Z' + lastUpdated: '2015-11-15T19:23:32.000Z' + passwordChanged: '2013-12-12T22:14:22.000Z' + profile: + firstName: Easy + lastName: E + email: easy-e@example.com + login: easy-e@example.com + mobilePhone: null + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA + listStreamConfigurationExample: + summary: List of SSF Stream configurations example + value: + - aud: https://example.com + delivery: + method: urn:ietf:rfc:8935 + endpoint_url: https://example.com + events_delivered: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + format: iss_sub + iss: https://{yourOktaDomain} + min_verification_interval: 0 + stream_id: esc1k235GIIztAuGK0g5 + mfa-enroll-policy-response: + summary: MFA_ENROLL + value: + type: MFA_ENROLL + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + settings: + factors: + okta_otp: + enroll: + self: OPTIONAL + consent: + type: NONE + okta_push: + enroll: + self: OPTIONAL + consent: + type: NONE + okta_password: + enroll: + self: OPTIONAL + consent: + type: NONE + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + newAPIServiceIntegrationInstanceSecretResponse: + summary: New secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuth2ClientSecretResponse: + summary: Client secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonWebKey: + summary: JSON Web Key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonWebKeyListResponse: + summary: JSON Web Key list response example + value: + jwks: + keys: + - id: pks2f4zrZbs8nUa7p0g4 + kid: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU= + status: INACTIVE + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonWebKeyRequest: + summary: JSON Web Key Request example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + oAuthClientSecretListResponse: + summary: Secrets list response example + value: + - id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: HAGDTYU9XbLnS......3xasFDDwecdZuFs5B + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oamp-id-proofing-policy-rule: + summary: Account Management Policy - Account management policy rule with ID proofing enabled + description: This account management policy rule enables ID proofing for enrollment processes + value: + id: ruleId + name: Account Management Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + appSignOn: + access: ALLOW + verificationMethod: + id: entity_id + type: ID_PROOFING + oamp-id-proofing-policy-rule-response: + summary: Account Management Policy - Account management policy rule with ID proofing enabled + description: This account management policy rule response enables ID proofing for enrollment processes + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Account Management Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + appSignOn: + access: ALLOW + verificationMethod: + id: entity_id + type: ID_PROOFING + orgCommunicationOptInResponse: + summary: Opt in to communication emails + value: + optOutEmailUsers: false + _links: + optOut: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optOut + hints: + allow: + - POST + orgCommunicationOptOutResponse: + summary: Opt out of communication emails + value: + optOutEmailUsers: true + _links: + optIn: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optIn + hints: + allow: + - POST + orgContactTypeResponse: + summary: Org Contact Types + value: + - contactType: BILLING + _links: + billing: + href: https://{yourOktaDomain}/api/v1/org/contacts/billing + - contactType: TECHNICAL + _links: + technical: + href: https://{yourOktaDomain}/api/v1/org/contacts/technical + orgContactUserResponse: + summary: Contact User + value: + userId: 00ux3u0ujW1r5AfZC1d7 + _links: + user: + href: https://{yourOktaDomain}/api/v1/users/00ux3u0ujW1r5AfZC1d7 + orgHideFooterPrefResponse: + summary: Hide footer response + value: + showEndUserFooter: false + _links: + showEndUserFooter: + href: https://{yourOktaDomain}/api/v1/org/preferences/showEndUserFooter + hints: + allow: + - POST + orgShowFooterPrefResponse: + summary: Show footer response + value: + showEndUserFooter: true + _links: + hideEndUserFooter: + href: https://{yourOktaDomain}/api/v1/org/preferences/hideEndUserFooter + hints: + allow: + - POST + orgSupportSettingsResponse: + summary: Org Support Settings + value: + support: ENABLED + expiration: '2024-01-24T11:13:14.000Z' + _links: + extend: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/extend + hints: + allow: + - POST + revoke: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/revoke + hints: + allow: + - POST + orgSupportSettingsRevokeResponse: + summary: Revoked Org Support + value: + support: DISABLED + expiration: null + _links: + grant: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/grant + hints: + allow: + - POST + password-policy-response: + summary: PASSWORD + value: + type: PASSWORD + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + authProvider: + provider: provider + settings: + password: + complexity: + minLength: 8 + minLowerCase: 1 + minUpperCase: 1 + minNumber: null + minSymbol: 0 + excludeUsername: true + dictionary: + common: + exclude: false + excludeAttributes: [] + age: + maxAgeDays: 0 + expireWarnDays: 0 + minAgeMinutes: 0 + historyCount: 4 + lockout: + maxAttempts: 0 + autoUnlockMinutes: 0 + userLockoutNotificationChannels: [] + showLockoutFailures: false + recovery: + factors: + recovery_question: + status: ACTIVE + properties: + complexity: + complexity: 4 + okta_email: + status: ACTIVE + properties: + recoveryToken: + tokenLifetimeMinutes: 10080 + okta_sms: + status: INACTIVE + okta_call: + status: INACTIVE + delegation: + options: + skipUnlock: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + policy-mapping-list-response: + summary: List all Mappings for a policy + value: + - id: policyId + _links: + application: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + hints: + allow: + - GET + - PUT + - DELETE + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} + hints: + allow: + - GET + - PUT + - DELETE + policy: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + policy-mapping-response: + summary: Policy Mapping for a Policy + value: + id: policyId + _links: + application: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + hints: + allow: + - GET + - PUT + - DELETE + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} + hints: + allow: + - GET + - PUT + - DELETE + policy: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + postAPIServiceIntegrationRequest: + value: + type: my_app_cie + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + postAPIServiceIntegrationResponse: + summary: Post response example + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + profile-enrollment-policy-response: + summary: PROFILE_ENROLLMENT + value: + type: PROFILE_ENROLLMENT + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + radius-rule: + summary: Global session policy - Challenge VPN users with Radius + description: This global session policy uses a rule to challenge VPN users with Radius + value: + type: SIGN_ON + status: ACTIVE + name: Challenge VPN users + conditions: network: - connection: ZONE - exclude: - - 00u7yq5goxNFTiMjW1d7 - riskScore: - level: ANY + connection: ANYWHERE + authContext: + authType: RADIUS people: users: - exclude: - - 00u7yq5goxNFTiMjW1d7 - include: [] - groups: - include: - - 00g9i12jictsYdZdi1d7 exclude: [] - platform: - include: - - type: MOBILE - os: - type: IOS - - type: MOBILE - os: - type: ANDROID - - type: DESKTOP - os: - type: MACOS - elCondition: null + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY actions: - appSignOn: + signon: access: ALLOW - verificationMethod: - factorMode: 2FA - reauthenticateIn: PT2H - constraints: - - knowledge: - reauthenticateIn: PT2H - types: - - password - type: ASSURANCE - create-auth-policy-rule-condition-response: - summary: Authentication policy - Policy rule with conditions - description: The response body from the creation of an authentication policy rule with conditions. + requireFactor: true + primaryFactor: PASSWORD_IDP_ANY_FACTOR + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + radius-rule-response: + summary: Global session policy - Challenge VPN users with Radius + description: The response body from the creation of a global session policy that uses a rule to challenge VPN users with Radius value: id: rule8jjozjGMGbHyC1d6 status: ACTIVE - name: Rule with conditions + type: SIGN_ON + name: Challenge VPN users priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: - people: - users: - exclude: - - 00u7yq5goxNFTiMjW1d7 - groups: - include: - - 00g9i12jictsYdZdi1d7 - network: - connection: ZONE - exclude: - - nzo9o4rctwQCJNE6y1d7 - platform: - platform: - include: - - type: MOBILE - os: - type: IOS - - type: MOBILE - os: - type: ANDROID - - type: DESKTOP - os: - type: MACOS - exclude: [] - riskScore: - level: ANY - userType: - include: [] - exclude: - - otyezu4m0xN6w5JEa1d7 + network: + connection: ANYWHERE + authContext: + authType: RADIUS actions: - appSignOn: + signon: access: ALLOW - verificationMethod: - factorMode: 2FA - type: ASSURANCE - reauthenticateIn: PT2H - constraints: - knowledge: - required: true - types: - - password - reauthenticateIn: PT2H - type: ACCESS_POLICY + requireFactor: true + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 _links: self: - href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: - href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE - idp-discovery-dynamic-routing-rule: - summary: IdP discovery policy - Dynamic routing rule - description: This routing rule uses a dynamic Identity Provider. + replace-user-request: value: - name: Dynamic routing rule - priority: 1 - status: ACTIVE + credentials: + password: + value: tlpWENT2m + recovery_question: + question: Who's a major player in the cowboy scene? + answer: Annie Oakley + provider: + type: OKTA + name: OKTA + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + settingsResponseBaseEx: + value: + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + sign-on-policy-rule: + summary: Sign-on policy - Rule with factor mode always + description: Sign-on policy rule with a factor mode always + value: + type: SIGN_ON + name: Test Sign On conditions: network: connection: ANYWHERE + riskScore: + level: ANY + identityProvider: + provider: ANY + authContext: + authType: ANY actions: - idp: - providers: [] - idpSelectionType: DYNAMIC - matchCriteria: - - providerExpression: login.identifier.substringAfter('@') - propertyName: name - system: false - type: IDP_DISCOVERY - idp-discovery-dynamic-routing-rule-response: - summary: IdP discovery policy - Dynamic routing rule + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + sign-on-policy-rule-response: + summary: Sign-on policy - Rule with factor mode always + description: Sign-on policy rule with a factor mode always value: - id: ruleId + type: SIGN_ON + name: Test Sign On + id: 0prh1sd28q5sXGW08697 + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + status: ACTIVE + conditions: + network: + connection: ANYWHERE + riskScore: + level: ANY + identityProvider: + provider: ANY + authContext: + authType: ANY + people: + users: + exclude: [] + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR _links: self: - href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: - href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - - POST - name: Dynamic routing rule - priority: 1 + - GET + - PUT + - DELETE + skip-factor-challenge-on-prem-rule: + summary: Global session policy - Skip factor challenge for on-prem sign-in use + description: This global session policy uses a rule to skip factor challenge for on-prem sign-in use + value: + type: SIGN_ON status: ACTIVE + name: Skip Factor Challenge when On-Prem conditions: network: - connection: ANYWHERE + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY actions: - idp: - providers: [] - idpSelectionType: DYNAMIC - matchCriteria: - - providerExpression: login.identifier.substringAfter('@') - propertyName: name + signon: + access: ALLOW + requireFactor: false + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + skip-factor-challenge-on-prem-rule-response: + summary: Global session policy - Skip factor challenge for on-prem sign-in use + description: The response body from the creation of a global session policy that uses a rule to skip the factor challenge for on-prem sign-in use + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + name: Skip Factor Challenge when On-Prem + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' system: false - type: IDP_DISCOVERY - idp-discovery-specific-routing-rule: - summary: IdP discovery policy - Specific routing rule - description: This routing rule uses a specific Identity Provider. + conditions: + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + people: + users: + exclude: [] + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + type: SIGN_ON + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + sspr-enabled-OAMP: + summary: Password policy - SSPR with Okta account management policy + description: This policy defers to the Okta account management policy to define SSPR authentication requirements. value: - name: Specific routing rule + name: SSPR Rule priority: 1 status: ACTIVE conditions: + people: + users: + exclude: [] network: connection: ANYWHERE actions: - idp: - providers: - - type: GOOGLE - id: 0oa5ks3WmHLRh8Ivr0g4 - idpSelectionType: SPECIFIC + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW system: false - type: IDP_DISCOVERY - idp-discovery-specific-routing-rule-response: - summary: IdP discovery policy - Specific routing rule + type: PASSWORD + sspr-enabled-OAMP-response: + summary: Password policy - SSPR with access control set to Okta account management policy value: id: ruleId _links: @@ -30812,111 +43754,63 @@ components: hints: allow: - POST - name: Specific routing rule + name: SSPR Rule priority: 1 status: ACTIVE conditions: + people: + users: + exclude: [] network: connection: ANYWHERE actions: - idp: - providers: - - type: GOOGLE - id: 0oa5ks3WmHLRh8Ivr0g4 - idpSelectionType: SPECIFIC + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW system: false - type: IDP_DISCOVERY - inactiveAPIServiceIntegrationInstanceSecretResponse: - summary: Deactivate Secret response example - value: - id: ocs2f4zrZbs8nUa7p0g4 - status: INACTIVE - client_secret: '***DhOW' - secret_hash: yk4SVx4sUWVJVbHt6M-UPA - created: '2023-02-21T20:08:24.000Z' - lastUpdated: '2023-02-21T20:08:24.000Z' - _links: - activate: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate - hints: - allow: - - POST - delete: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 - hints: - allow: - - DELETE - listStreamConfigurationExample: - summary: List of SSF Stream configurations example - value: - - aud: https://example.com - delivery: - method: urn:ietf:rfc:8935 - endpoint_url: https://example.com - events_delivered: - - https://schemas.openid.net/secevent/caep/event-type/session-revoked - - https://schemas.openid.net/secevent/caep/event-type/credential-change - events_requested: - - https://schemas.openid.net/secevent/caep/event-type/session-revoked - - https://schemas.openid.net/secevent/caep/event-type/credential-change - events_supported: - - https://schemas.openid.net/secevent/caep/event-type/session-revoked - - https://schemas.openid.net/secevent/caep/event-type/credential-change - format: iss_sub - iss: https://{yourOktaDomain} - min_verification_interval: 0 - stream_id: esc1k235GIIztAuGK0g5 - newAPIServiceIntegrationInstanceSecretResponse: - summary: New secret response example + type: PASSWORD + sspr-enabled-OAMP-update: + summary: Password policy - SSPR with Okta account management policy + description: This policy defers to the Okta account management policy to define SSPR authentication requirements. value: - id: ocs2f50kZB0cITmYU0g4 + id: ruleId + name: SSPR Rule + priority: 1 status: ACTIVE - client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B - secret_hash: FpCwXwSjTRQNtEI11I00-g - created: '2023-04-06T21:32:33.000Z' - lastUpdated: '2023-04-06T21:32:33.000Z' - _links: - deactivate: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate - hints: - allow: - - POST - postAPIServiceIntegrationRequest: - value: - type: my_app_cie - grantedScopes: - - okta.logs.read - - okta.groups.read - - okta.users.read - postAPIServiceIntegrationResponse: - summary: Post response example - value: - id: 0oa72lrepvp4WqEET1d9 - type: my_app_cie - name: My App Cloud Identity Engine - createdAt: '2023-02-21T20:08:24.000Z' - createdBy: 00uu3u0ujW1P6AfZC2d5 - clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg - configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide - grantedScopes: - - okta.logs.read - - okta.groups.read - - okta.users.read - _links: - self: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 - hints: - allow: - - GET - - DELETE - client: - href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 - hints: - allow: - - GET - logo: - name: small - href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-no-step-up: summary: Password policy - SSPR with no step up description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required. @@ -31267,14 +44161,14 @@ components: id: ruleId _links: self: - href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: - href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST @@ -31419,6 +44313,123 @@ components: allow: - GET - PUT + twofa-enabled-post-auth-kmsi-disabled: + summary: Authentication policy - 2FA with granular authentication (KMSI disabled) + description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication. + value: + name: 2FA with Post Auth KMSI prompt disabled + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + keepMeSignedIn: + postAuth: NOT_ALLOWED + type: ACCESS_POLICY + twofa-enabled-post-auth-kmsi-disabled-response: + summary: Authentication policy - 2FA with granular authentication (KMSI disabled) + description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication. + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: 2FA with Post Auth KMSI prompt disabled + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: true + keepMeSignedIn: + postAuth: NOT_ALLOWED + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + twofa-enabled-post-auth-kmsi-enabled: + summary: Authentication policy - 2FA with granular authentication (KMSI enabled) + description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication. + value: + name: 2FA with Post Auth KMSI prompt enabled + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + keepMeSignedIn: + postAuth: ALLOWED + postAuthPromptFrequency: P30D + twofa-enabled-post-auth-kmsi-enabled-response: + summary: Authentication policy - 2FA with granular authentication (KMSI enabled) + description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication. + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: 2FA with Post Auth KMSI prompt enabled + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: true + keepMeSignedIn: + postAuth: ALLOWED + postAuthPromptFrequency: PT720H + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST update-auth-policy-rule-condition: summary: Authentication policy - Update rule with conditions description: Updates the conditions object on the request body of an authentication policy rule. @@ -31457,7 +44468,8 @@ components: - type: DESKTOP os: type: MACOS - elCondition: null + elCondition: + condition: security.risk.level == 'HIGH' update-auth-policy-rule-condition-response: summary: Authentication policy - Update rule with conditions description: The response body from an updated conditions object of an authentication policy rule. @@ -31476,42 +44488,43 @@ components: groups: exclude: - 00u7yq5goxNFTiMjW1d7 - network: - connection: ZONE - exclude: - - nzo9o4rctwQCJNE6y1d7 - platform: - platform: - include: - - type: MOBILE - os: - type: IOS - - type: MOBILE - os: - type: ANDROID - - type: DESKTOP - os: - type: MACOS - exclude: [] - riskScore: - level: ANY - userType: - include: [] - exclude: - - otyezu4m0xN6w5JEa1d7 - actions: - appSignOn: - access: ALLOW - verificationMethod: - factorMode: 2FA - type: ASSURANCE - reauthenticateIn: PT2H - constraints: - knowledge: - required: true - types: - - password - reauthenticateIn: PT2H + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + exclude: [] + riskScore: + level: ANY + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + required: true + types: + - password + reauthenticateIn: PT2H type: ACCESS_POLICY _links: self: @@ -31528,6 +44541,73 @@ components: - GET - PUT - DELETE + update-user-profile-request: + value: + profile: + firstName: Isaac + email: isaac.brock@update.example.com + mobilePhone: 555-415-1337 + update-user-set-password-request: + value: + credentials: + password: + value: uTVM,TPw55 + update-user-set-recovery-question-and-answer: + value: + credentials: + recovery_question: + question: How many roads must a man walk down? + answer: forty two + user-example: + summary: User example + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-06-24T16:39:18.000Z' + activated: '2013-06-24T16:39:19.000Z' + statusChanged: '2013-06-24T16:39:19.000Z' + lastLogin: '2013-06-24T17:39:19.000Z' + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + login: isaac.brock@example.com + firstName: Isaac + lastName: Brock + nickName: issac + displayName: Isaac Brock + email: isaac.brock@example.com + secondEmail: isaac@example.org + profileUrl: http://www.example.com/profile + preferredLanguage: en-US + userType: Employee + organization: Okta + title: Director + division: R&D + department: Engineering + costCenter: '10' + employeeNumber: '187' + mobilePhone: +1-555-415-1337 + primaryPhone: +1-555-514-1337 + streetAddress: 301 Brannan St. + city: San Francisco + state: CA + zipCode: '94107' + countryCode: US + credentials: + password: {} + recovery_question: + question: What's my childhood elementary school? + provider: + type: OKTA + name: OKTA + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA + userNameTemplateResponseBaseEx: + value: + userNameTemplate: + template: ${source.email} + type: BUILT_IN wellKnownSSFMetadataExample: summary: Well-Known SSF Metadata example value: @@ -31538,6 +44618,28 @@ components: issuer: https://{yourOktaDomain} jwks_uri: https://{yourOktaDomain}/oauth2/v1/keys parameters: + OktaResponse: + name: Content-Type + in: header + description: |- + Specifies the media type of the resource. Optional `okta-response` value can be included for performance optimization. + + Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. + + Enum values for `okta-response`: + * `omitCredentials`: Omits the credentials subobject from the response. + * `omitCredentialsLinks`: Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock. + * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response. + required: false + schema: + type: string + examples: + Omit credentials subobject and credentials links: + value: application/json; okta-response=omitCredentials,omitCredentialsLinks + summary: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization. + Omit credentials, credentials links, and `transitioningToStatus` field: + value: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus" + summary: Omits the credentials, credentials links, and `transitioningToStatus` field from the response. Applies performance optimization. UISchemaId: name: id description: The unique ID of the UI Schema @@ -31568,6 +44670,19 @@ components: description: ID for a WebAuthn Preregistration Factor in Okta schema: type: string + domain: + name: domain + in: path + description: The okta domain name of your org or one of your custom domains + required: true + schema: + type: string + limitParameter: + name: limit + in: query + schema: + type: string + description: Defines the number of policy rules returned. See [Pagination](https://developer.okta.com/docs/api/#pagination). pathApiServiceId: name: apiServiceId in: path @@ -31592,13 +44707,6 @@ components: schema: type: string example: 0oafxqCAJWWGELFTYASJ - pathAppInstanceId: - name: appInstanceId - in: path - schema: - type: string - description: '`id` of the application instance' - required: true pathAppName: name: appName description: Application name for the app type @@ -31685,12 +44793,25 @@ components: schema: type: string example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD + pathClientSecretId: + name: secretId + in: path + schema: + type: string + required: true + description: Unique `id` of the OAuth 2.0 Client Secret + example: ocs2f4zrZbs8nUa7p0g4 pathContactType: name: contactType in: path required: true schema: type: string + description: Type of contact + enum: + - BILLING + - TECHNICAL + example: BILLING pathCredentialKeyId: name: keyId description: '`id` of the certificate key' @@ -31721,6 +44842,13 @@ components: description: Id of the Device Assurance Policy schema: type: string + pathDeviceCheckId: + in: path + name: deviceCheckId + required: true + description: Id of the Device Check + schema: + type: string pathDeviceId: name: deviceId in: path @@ -31826,23 +44954,34 @@ components: type: string example: 0pr3f7zMZZHPgUoWO0g4 pathHookKeyId: - name: hookKeyId - description: '`id` of the Hook Key' + name: id + description: ID of the Hook Key in: path required: true schema: type: string example: XreKU5laGwBkjOTehusG + pathId: + name: id + description: '`id`, `login`, or `login shortname` (as long as it is unambiguous) of user' + in: path + required: true + schema: + type: string pathIdentitySourceId: name: identitySourceId in: path required: true + description: The ID of the Identity Source for which the session is created + example: 0oa3l6l6WK6h0R0QW0g4 schema: type: string pathIdentitySourceSessionId: name: sessionId in: path required: true + description: The ID of the Identity Source Session + example: aps1qqonvr2SZv6o70h8 schema: type: string pathIdpCsrId: @@ -31860,15 +44999,7 @@ components: required: true schema: type: string - example: SVHoAOh0l8cPQkVX1LRl - pathIdpKeyId: - name: idpKeyId - description: '`id` of IdP Key' - in: path - required: true - schema: - type: string - example: KmMo85SSsU7TZzOShcGb + example: 0oa62bfdjnK55Z5x80h7 pathInlineHookId: name: inlineHookId description: '`id` of the Inline Hook' @@ -31877,6 +45008,14 @@ components: schema: type: string example: Y7Rzrd4g4xj6WdKzrBHH + pathJsonWebKeyId: + name: keyId + in: path + schema: + type: string + required: true + description: Unique `id` of the OAuth 2.0 Client JSON Web Key + example: pks2f4zrZbs8nUa7p0g4 pathKeyId: name: keyId description: ID of the Key Credential for the application @@ -31885,6 +45024,14 @@ components: schema: type: string example: sjP9eiETijYz110VkhHN + pathKid: + name: kid + description: Unique `id` of the IdP Key Credential + in: path + required: true + schema: + type: string + example: KmMo85SSsU7TZzOShcGb pathLifecycle: name: lifecycle description: Whether to `ENABLE` or `DISABLE` the feature @@ -31928,7 +45075,7 @@ components: type: string example: irb1qe6PGuMc7Oh8N0g4 required: true - description: '`id` of a member' + description: '`id` of the Member' pathMethodType: name: methodType description: Type of authenticator method @@ -32000,6 +45147,7 @@ components: required: true schema: type: string + example: manager pathPrimaryUserId: name: primaryUserId description: User ID to be assigned to the `primary` relationship for the `associated` user @@ -32007,7 +45155,6 @@ components: required: true schema: type: string - example: ctxeQ5JnAVdGFBB7Zr7W pathPrincipalRateLimitId: name: principalRateLimitId in: path @@ -32017,8 +45164,8 @@ components: required: true description: id of the Principal Rate Limit pathPublicKeyId: - name: publicKeyId - description: '`id` of the Public Key' + name: keyId + description: id" of the Public Key in: path required: true schema: @@ -32031,6 +45178,20 @@ components: description: Id of the push provider schema: type: string + pathQueryRoleExpand: + name: expand + description: 'An optional parameter used to return targets configured for the standard Role Assignment in the `embedded` property. Supported values: `targets/groups` or `targets/catalog/apps`' + in: query + required: false + schema: + type: string + examples: + groupTarget: + value: targets/groups + summary: Return Group targets + appTarget: + value: targets/catalog/apps + summary: Return App targets pathRealmId: name: realmId description: '`id` of the Realm' @@ -32046,6 +45207,13 @@ components: required: true schema: type: string + examples: + manager: + value: manager + summary: Example of a `primary` name + subordinate: + value: subordinate + summary: Example of an `associated` name pathResourceId: name: resourceId in: path @@ -32053,7 +45221,7 @@ components: type: string example: ire106sQKoHoXXsAe0g4 required: true - description: '`id` of a resource' + description: '`id` of the Resource' pathResourceSelectorId: name: resourceSelectorId in: path @@ -32062,14 +45230,14 @@ components: example: rsl1hx31gVEa6x10v0g5 required: true description: '`id` of a Resource Selector' - pathResourceSetId: - name: resourceSetId + pathResourceSetIdOrLabel: + name: resourceSetIdOrLabel in: path schema: type: string example: iamoJDFKaJxGIr0oamd9g required: true - description: '`id` of a Resource Set' + description: '`id` or `label` the Resource Set' pathRiskProviderId: name: riskProviderId in: path @@ -32078,6 +45246,14 @@ components: example: 00rp12r4skkjkjgsn required: true description: '`id` of the Risk Provider object' + pathRoleAssignmentId: + name: roleAssignmentId + description: The `id` of the Role Assignment + in: path + required: true + schema: + type: string + example: JBCUYUC7IRCVGS27IFCE2SKO pathRoleId: name: roleId description: '`id` of the Role' @@ -32093,7 +45269,7 @@ components: type: string example: cr0Yq6IJxGIr0ouum0g3 required: true - description: '`id` or `label` of the role' + description: '`id` or `label` of the Role' pathRoleRef: name: roleRef in: path @@ -32240,13 +45416,24 @@ components: required: true schema: type: string + example: 00ub0oNGTSWTBKOLGLNR pathUserIdOrLogin: name: userIdOrLogin - description: User ID or login value of the user assigned the `associated` relationship + description: |- + If for the `self` link, the ID of the User for whom you want to get the primary User ID. If for the `associated` relation, the User ID or login value of the User assigned the associated relationship. + + This can be `me` to represent the current session User. in: path required: true schema: type: string + examples: + manager: + value: 00u5zex6ztMbOZhF50h7 + summary: Example ID of `primary` + subordinate: + value: 00u5zex6ztMbOZhF50h7 + summary: Example ID of `associated` pathZoneId: name: zoneId in: path @@ -32255,6 +45442,13 @@ components: required: true description: '`id` of the Network Zone' example: nzowc1U5Jh5xuAK0o0g3 + privilegedAccountId: + name: id + in: path + description: ID of an existing Privileged Account + required: true + schema: + type: string privilegedResourceId: name: id in: path @@ -32267,7 +45461,7 @@ components: in: query schema: type: string - description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination). + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). queryAppAfter: name: after in: query @@ -32324,7 +45518,13 @@ components: Returns the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. schema: type: string - example: user/{userId} + example: user/0oa1gjh63g214q0Hq0g4 + queryExpand: + name: expand + in: query + schema: + type: string + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' queryExpandBrand: name: expand in: query @@ -32492,11 +45692,19 @@ components: example: blocks simulateParameter: name: expand - description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition was (not) matched. + description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition wasn't matched. in: query schema: type: string - example: expand=EVALUATED&expand=RULE + example: EVALUATED + yubikeyTokenId: + name: tokenId + description: ID of a Yubikey token + in: path + required: true + schema: + type: string + example: ykkxdtCA1fKVxyu6R0g3 requestBodies: AuthenticatorRequestBody: content: @@ -32630,6 +45838,64 @@ components: examples: AgentTimeOut: $ref: '#/components/examples/ErrorNoConnectedAgents' + DRStatusResponse: + description: OK + content: + application/json: + schema: + description: List of domains and their disaster recovery status + type: array + items: + $ref: '#/components/schemas/DRStatusItem' + headers: + Link: + description: A link to the next page of responses + schema: + type: string + ErrorResponse: + description: | + 400 - When request validation fails
+ 401 - When the user is not authenticated or the feature is not enabled
+ 403 - When the user is not authorized
+ 429 - When rate limits are exceeded
+ 500 - When an internal server error is encountred
+ 501 - When the operation is not supported
+ content: + application/json: + schema: + $ref: '#/components/schemas/ErrorResponse' + GetFactorResponse: + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactor' + examples: + SMS: + $ref: '#/components/examples/FactorResponseSms' + Email: + $ref: '#/components/examples/FactorEmail' + Error-FF-NotEnabled-Response-401: + description: Unauthorized + content: + application/json: + examples: + Unauthorized: + value: + errorCode: E0000015 + errorSummary: You do not have permission to access the feature you are requesting + errorLink: E0000015 + errorId: oaeStOuPPxDRUm3PJhf-tL7bQ + errorCauses: [] + ErrorInternalServer500: + description: Internal Server Error + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InternalServerError: + $ref: '#/components/examples/ErrorInternalServer' NzErrorApiValidationFailed400: description: Bad Request content: @@ -32805,7 +46071,10 @@ components: - type: object properties: conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + type: string + description: Policy conditions aren't supported. Conditions are applied at the rule level for this policy type. + default: null + nullable: true AccessPolicyConstraint: type: object properties: @@ -32863,6 +46132,10 @@ components: $ref: '#/components/schemas/KnowledgeConstraint' possession: $ref: '#/components/schemas/PossessionConstraint' + AccessPolicyLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app access policy resource AccessPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' @@ -32883,24 +46156,39 @@ components: type: object properties: access: - type: string + $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOnAccess' verificationMethod: $ref: '#/components/schemas/VerificationMethod' + AccessPolicyRuleApplicationSignOnAccess: + type: string + enum: + - ALLOW + - DENY AccessPolicyRuleConditions: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - type: object properties: device: $ref: '#/components/schemas/DeviceAccessPolicyRuleCondition' elCondition: $ref: '#/components/schemas/AccessPolicyRuleCustomCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + platform: + $ref: '#/components/schemas/PlatformPolicyRuleCondition' + riskScore: + $ref: '#/components/schemas/RiskScorePolicyRuleCondition' userType: $ref: '#/components/schemas/UserTypeCondition' AccessPolicyRuleCustomCondition: properties: condition: type: string + description: expression to match + required: + - condition AcsEndpoint: description: An array of ACS endpoints. You can configure a maximum of 100 endpoints. type: object @@ -32977,7 +46265,6 @@ components: type: string description: ID of the AD group to update parameters: - type: object $ref: '#/components/schemas/Parameters' AgentPool: description: An AgentPool is a collection of agents that serve a common purpose. An AgentPool has a unique ID within an org, and contains a collection of agents disjoint to every other AgentPool (i.e. no two AgentPools share an Agent). @@ -33180,25 +46467,33 @@ components: type: string description: The application name readOnly: true + example: google containerId: type: string description: The application ID associated with the privileged account + example: 0oa103099SBEb3Z2b0g4 displayName: type: string description: Human-readable name of the container that owns the privileged resource readOnly: true + example: Google App1 globalAppId: type: string description: The application global ID readOnly: true + example: 964b82aa-85b4-5645-b790-83312c473480 passwordPushSupported: type: boolean description: Indicates if the application supports password push readOnly: true + example: true provisioningEnabled: type: boolean description: Indicates if provisioning is enabled for this application readOnly: true + example: true + status: + $ref: '#/components/schemas/AppInstanceContainerStatus' _links: $ref: '#/components/schemas/appLink' required: @@ -33220,10 +46515,12 @@ components: properties: exclude: type: array + description: The list of applications to exclude items: $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' include: type: array + description: The list of apps or app instances to match on items: $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' AppAndInstanceType: @@ -33232,6 +46529,10 @@ components: enum: - APP - APP_TYPE + AppCsrPkcs10: + description: Base64URL-encoded CSR in DER format + format: base64 + type: string AppCustomHrefObject: type: object properties: @@ -33255,6 +46556,14 @@ components: required: - href readOnly: true + AppInstanceContainerStatus: + description: Current status of the application instance + type: string + enum: + - ACTIVE + - DELETED + - INACTIVE + readOnly: true AppInstancePolicyRuleCondition: type: object properties: @@ -33299,6 +46608,17 @@ components: sortOrder: type: integer readOnly: true + AppResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: + type: string + description: Link name + example: My App AppUser: title: Application User description: The Application User object defines a user's app-specific profile and credentials for an app @@ -33384,7 +46704,12 @@ components: $ref: '#/components/schemas/AppUserPasswordCredential' userName: type: string - description: The user's username in the app + description: |- + The user's username in the app + + > **Note:** The [userNameTemplate](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/userNameTemplate&t=request) in the Application object defines the default username generated when a user is assigned to that app. + > If you attempt to assign a username or password to an app with an incompatible [authentication scheme](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/scheme&t=request), the following error is returned: + > "Credentials should not be set on this resource based on the scheme." minLength: 1 maxLength: 100 example: testuser@example.com @@ -33479,6 +46804,27 @@ components: oneOf: - $ref: '#/components/schemas/AppUserCredentialsRequestPayload' - $ref: '#/components/schemas/AppUserProfileRequestPayload' + AppleClientSigning: + description: |- + Information used to generate the secret JSON Web Token for the token requests to Apple IdP + > **Note:** The `privateKey` property is required for a CREATE request. For an UPDATE request, it can be null and keeps the existing value if it's null. The `privateKey` property isn't returned for LIST and GET requests or UPDATE requests if it's null. + type: object + properties: + kid: + type: string + description: The Key ID that you obtained from Apple when you created the private key for the client + maxLength: 1024 + example: test key id + privateKey: + type: string + description: The PKCS \#8 encoded private key that you created for the client and downloaded from Apple + maxLength: 1024 + example: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + teamId: + type: string + description: The Team ID associated with your Apple developer account + maxLength: 1024 + example: test team id Application: type: object properties: @@ -33491,9 +46837,97 @@ components: description: Timestamp when the Application object was created features: type: array - description: Enabled app features + description: | + Enabled app features + > **Note:** Some apps can support optional provisioning features. See [Application Features](/openapi/okta-management/management/tag/ApplicationFeatures/) items: type: string + enum: + - GROUP_PUSH + - IMPORT_NEW_USERS + - IMPORT_PROFILE_UPDATES + - IMPORT_USER_SCHEMA + - PROFILE_MASTERING + - PUSH_NEW_USERS + - PUSH_PASSWORD_UPDATES + - PUSH_PROFILE_UPDATES + - PUSH_USER_DEACTIVATION + - REACTIVATE_USERS + - OUTBOUND_DEL_AUTH + - DESKTOP_SSO + - FEDERATED_PROFILE + - SUPPRESS_ACTIVATION_EMAIL + - PUSH_PENDING_USERS + - MFA + - UPDATE_EXISTING_USERNAME + - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH + - EXCHANGE_ACTIVE_SYNC + - IMPORT_SYNC + - IMPORT_SYNC_CONTACTS + - DEVICE_COMPLIANCE + - VPN_CONFIG + - IMPORT_SCHEMA_ENUM_VALUES + - SCIM_PROVISIONING + - DEVICE_FILTER_IN_SIGN_ON_RULES + - PROFILE_TEMPLATE_UPGRADE + - DEFAULT_PUSH_STATUS_TO_PUSH + - REAL_TIME_SYNC + - SSO + - AUTHN_CONTEXT + - JIT_PROVISIONING + - GROUP_SYNC + - OPP_SCIM_INCREMENTAL_IMPORTS + - IN_MEMORY_APP_USER + - LOG_STREAMING + - OAUTH_INTEGRATION + - IDP + - PUSH_NEW_USERS_WITHOUT_PASSWORD + - SKYHOOK_SERVICE + - ENTITLEMENT_MANAGEMENT + - PUSH_NEW_USERS_WITH_HASHED_PASSWORD + x-enumDescriptions: + GROUP_PUSH: Creates or links a group in the app when a mapping is defined for a group in Okta. Okta is the source for group memberships and all group members in Okta who are also assigned to the app are synced as group members to the app. + IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app + IMPORT_PROFILE_UPDATES: Updates a linked user's app profile during manual or scheduled imports + IMPORT_USER_SCHEMA: Discovers the profile schema for a user from the app automatically + PROFILE_MASTERING: Designates the app as the identity lifecycle and profile attribute authority for linked users. The user's profile in Okta is read-only. + PUSH_NEW_USERS: Creates or links a user account in the app when assigning the app to a user in Okta + PUSH_PASSWORD_UPDATES: Updates the user's app password when their password changes in Okta + PUSH_PROFILE_UPDATES: Updates a user's profile in the app when the user's profile changes in Okta (the profile source) + PUSH_USER_DEACTIVATION: Deactivates a user's account in the app when unassigned from the app in Okta or deactivated + REACTIVATE_USERS: Reactivates an existing inactive user when provisioning a user to the app + OUTBOUND_DEL_AUTH: Okta user authentication requests are delegated to a third-party app + DESKTOP_SSO: Okta user authentication requests are handled by desktop SSO negotiation (if possible) + FEDERATED_PROFILE: App User profiles are synchronized at sign-in and profile-view instances instead of during bulk imports + SUPPRESS_ACTIVATION_EMAIL: Activation emails aren't sent to users sourced by AD and orgs with DelAuth enabled + PUSH_PENDING_USERS: Users are in PENDING state in Okta and are created but not active in the sourced app user + MFA: App can verify credentials as a second factor + UPDATE_EXISTING_USERNAME: App can update the user name for existing users + EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push + EXCHANGE_ACTIVE_SYNC: App supports synchronizing credentials with OMM enrolled devices + IMPORT_SYNC: Synchronize import events + IMPORT_SYNC_CONTACTS: Synchronize contacts + DEVICE_COMPLIANCE: Apps support device compliance rules + VPN_CONFIG: App supports pushing VPN configuration to OMM enrolled devices + IMPORT_SCHEMA_ENUM_VALUES: App supports downloading schema enum values. You can download custom objects and integrating them with UD without being tied to the type metadata system. + SCIM_PROVISIONING: App supports generic SCIM client provisioning and can leverage SCIM standard for provisioning and push custom attributes to a third-party app + DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules + PROFILE_TEMPLATE_UPGRADE: App supports profile template upgrades. This is primarily to help roll out the profile template upgrade feature for individual apps + DEFAULT_PUSH_STATUS_TO_PUSH: App defaults Push status to `PUSH`. This feature is for apps, such as SharePoint, that want to receive App User profile updates even though they didn't implement traditional PUSH_PROFILE_UPDATES in the client API. + REAL_TIME_SYNC: Apps support real-time synchronization + SSO: Apps support establishing a subject based on claims from an IdP + AUTHN_CONTEXT: Apps support establishing an authentication context based on claims from an IdP + JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP + GROUP_SYNC: Apps support syncing group information based on claims from an IdP + OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances + IN_MEMORY_APP_USER: Apps support in-memory App Users. This feature is used as an alternative to Implicit App Assignment for a non-persisted App User. + LOG_STREAMING: Apps support Log Streaming + OAUTH_INTEGRATION: App is an OAuth 2.0 Integration + IDP: Apps support IdP functionalities + PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users + SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations + ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled + PUSH_NEW_USERS_WITH_HASHED_PASSWORD: Send hashed password for new users. This feature is only used for CIS to CIC migration. id: type: string readOnly: true @@ -33507,9 +46941,19 @@ components: description: Timestamp when the Application object was last updated licensing: $ref: '#/components/schemas/ApplicationLicensing' + orn: + type: string + readOnly: true + description: The Okta resource name (ORN) for the current app instance profile: type: object - description: Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps) + description: |- + Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps). + For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function. + + > **Notes:** + > * `profile` isn't encrypted, so don't store sensitive data in it. + > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance. additionalProperties: true signOnMode: $ref: '#/components/schemas/ApplicationSignOnMode' @@ -33519,9 +46963,14 @@ components: $ref: '#/components/schemas/ApplicationVisibility' _embedded: type: object - additionalProperties: - type: object - properties: {} + description: Embedded resources related to the app using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=user/{userId}` query parameter is specified, then the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) is embedded. + properties: + user: + type: object + description: The specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) assigned to the app + additionalProperties: + type: object + properties: {} readOnly: true _links: $ref: '#/components/schemas/ApplicationLinks' @@ -33549,7 +46998,9 @@ components: description: Custom error page URL for the app loginRedirectUrl: type: string - description: Custom login page URL for the app + description: |- + Custom login page URL for the app + > **Note:** The `loginRedirectUrl` property is deprecated in Identity Engine. This property is used with the custom app login feature. Orgs that actively use this feature can continue to do so. See [Okta-hosted sign-in (redirect authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) or [configure IdP routing rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) to redirect users to the appropriate sign-in app for orgs that don't use the custom app login feature. selfService: type: boolean description: Represents whether the app can be self-assignable by users @@ -33566,16 +47017,37 @@ components: properties: autoKeyRotation: type: boolean + description: Requested key rotation mode + default: true client_id: type: string + maxLength: 100 + minLength: 6 + description: |- + Unique identifier for the OAuth 2.0 client app + + > **Notes:** + > * If you don't specify the `client_id`, this immutable property is populated with the [Application instance ID](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=4/id&t=response). + > * The `client_id` must consist of alphanumeric characters or the following special characters: `$-_.+!*'(),`. + > * You can't use the reserved word `ALL_CLIENTS`. client_secret: type: string + maxLength: 100 + minLength: 14 + description: |- + OAuth 2.0 client secret string (used for confidential clients) + + > **Notes:** If a `client_secret` isn't provided on creation, and the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client app. + > The `client_secret` is only shown when an OAuth 2.0 client app is created or updated (and only if the `token_endpoint_auth_method` requires a client secret). pkce_required: type: boolean - description: Require Proof Key for Code Exchange (PKCE) for additional verification + description: Requires Proof Key for Code Exchange (PKCE) for additional verification. If `token_endpoint_auth_method` is `none`, then `pkce_required` must be `true`. The default is `true` for browser and native app types. + default: true token_endpoint_auth_method: $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod' ApplicationCredentialsScheme: + description: | + Apps with `BASIC_AUTH`, `BROWSER_PLUGIN`, or `SECURE_PASSWORD_STORE` sign-on modes have credentials vaulted by Okta and can be configured with the following schemes. type: string enum: - ADMIN_SETS_CREDENTIALS @@ -33583,47 +47055,95 @@ components: - EDIT_USERNAME_AND_PASSWORD - EXTERNAL_PASSWORD_SYNC - SHARED_USERNAME_AND_PASSWORD + x-enumDescriptions: + ADMIN_SETS_CREDENTIALS: Admin sets username and password + EDIT_PASSWORD_ONLY: Admin sets username, user sets password + EDIT_USERNAME_AND_PASSWORD: User sets username and password + EXTERNAL_PASSWORD_SYNC: Admin sets username, password is the same as user's Okta password + SHARED_USERNAME_AND_PASSWORD: Users share a single username and password set by the admin ApplicationCredentialsSigning: + description: | + App signing key properties + > **Note:** Only apps with SAML_2_0, SAML_1_1, WS_FEDERATION, or OPENID_CONNECT `signOnMode` support the key rotation feature. type: object properties: kid: type: string + description: |- + Key identifier used for signing assertions + > **Note:** Currently, only the X.509 JWK format is supported for apps with SAML_2_0 `signOnMode`. lastRotated: type: string + description: Timestamp when the signing key was last rotated format: date-time readOnly: true nextRotation: type: string + description: The scheduled time for the next signing key rotation format: date-time readOnly: true rotationMode: type: string + description: The mode of key rotation use: $ref: '#/components/schemas/ApplicationCredentialsSigningUse' ApplicationCredentialsSigningUse: + description: Specifies the intended use of the key type: string enum: - sig ApplicationCredentialsUsernameTemplate: + description: The template used to generate the username when the app is assigned through a group or directly to a user type: object properties: pushStatus: type: string + description: Determines if the username is pushed to the app on updates for CUSTOM `type` + enum: + - PUSH + - DONT_PUSH + - NOT_CONFIGURED template: type: string + description: |- + Mapping expression used to generate usernames. + + The following are supported mapping expressions that are used with the `BUILT_IN` template type: + + | Name | Template Expression | + | ------------------------------- | ---------------------------------------------- | + | AD Employee ID | `${source.employeeID}` | + | AD SAM Account Name | `${source.samAccountName}` | + | AD SAM Account Name (lowercase) | `${fn:toLowerCase(source.samAccountName)}` | + | AD User Principal Name | `${source.userName}` | + | AD User Principal Name prefix | `${fn:substringBefore(source.userName, "@")}` | + | Email | `${source.email}` | + | Email (lowercase) | `${fn:toLowerCase(source.email)}` | + | Email prefix | `${fn:substringBefore(source.email, "@")}` | + | LDAP UID + custom suffix | `${source.userName}${instance.userSuffix}` | + | Okta username | `${source.login}` | + | Okta username prefix | `${fn:substringBefore(source.login, "@")}` | + default: ${source.login} type: type: string + description: Type of mapping expression. Empty string is allowed. + enum: + - NONE + - BUILT_IN + - CUSTOM + default: BUILT_IN userSuffix: type: string + description: An optional suffix appended to usernames for `BUILT_IN` mapping expressions ApplicationFeature: description: | - The Feature object is used to configure application feature settings. + The Feature object is used to configure app feature settings. type: object properties: description: type: string description: Description of the feature - example: Settings for provisioning users from Okta to a downstream application + example: Settings for provisioning users from Okta to a downstream app readOnly: true name: $ref: '#/components/schemas/ApplicationFeatureType' @@ -33645,21 +47165,20 @@ components: INBOUND_PROVISIONING: '#/components/schemas/InboundProvisioningApplicationFeature' ApplicationFeatureType: description: | - Identifying name of the feature + Key name of the feature - | Value | Description | + | Feature name | Description | | --------- | ------------- | - | USER_PROVISIONING | Represents the **To App** provisioning feature setting in the Admin Console | - | INBOUND_PROVISIONING | Represents the **To Okta** provisioning feature setting in the Admin Console | + | USER_PROVISIONING | User profiles are pushed from Okta to the third-party app. Represents the **To App** provisioning feature setting in the Admin Console. | + | INBOUND_PROVISIONING | User profiles are imported from the third-party app into Okta. This feature represents the **To Okta** provisioning feature setting in the Admin Console. | + + Select the feature: example: USER_PROVISIONING type: string enum: - USER_PROVISIONING - USER_PROVISIONING - INBOUND_PROVISIONING - x-enumDescriptions: - USER_PROVISIONING: Represents the **To App** provisioning feature setting in the Admin Console - INBOUND_PROVISIONING: Represents the **To Okta** provisioning feature setting in the Admin Console ApplicationGroupAssignment: title: Application Group Assignment description: The Application Group object that defines a group of users' app-specific profile and credentials for an app @@ -33755,6 +47274,7 @@ components: $ref: '#/components/schemas/HrefObject' type: array ApplicationLicensing: + description: Licenses for the app type: object properties: seatCount: @@ -33772,73 +47292,126 @@ components: description: Discoverable resources related to the app properties: accessPolicy: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/AccessPolicyLink' activate: $ref: '#/components/schemas/HrefObjectActivateLink' + appLinks: + type: array + description: List of app link resources + items: + $ref: '#/components/schemas/HrefObject' deactivate: $ref: '#/components/schemas/HrefObjectDeactivateLink' groups: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/GroupsLink' + help: + $ref: '#/components/schemas/HelpLink' logo: type: array + description: List of app logo resources items: $ref: '#/components/schemas/HrefObject' metadata: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/MetadataLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' users: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/UsersLink' + readOnly: true ApplicationSettings: description: App settings type: object properties: identityStoreId: type: string + description: Identifies an additional identity store app, if your app supports it. The `identityStoreId` value must be a valid identity store app ID. This identity store app must be created in the same org as your app. implicitAssignment: type: boolean + description: Controls whether Okta automatically assigns users to the app based on the user's role or group membership. inlineHookId: type: string + description: Identifier of an inline hook. Inline hooks are outbound calls from Okta to your own custom code, triggered at specific points in Okta process flows. They allow you to integrate custom functionality into those flows. See [Inline hooks](/openapi/okta-management/management/tag/InlineHook/). notes: $ref: '#/components/schemas/ApplicationSettingsNotes' notifications: $ref: '#/components/schemas/ApplicationSettingsNotifications' + signOn: + $ref: '#/components/schemas/AutoLoginApplicationSettingsSignOn' ApplicationSettingsNotes: + description: App notes visible to either the admin or end user type: object properties: admin: type: string + description: An app message that's visible to admins enduser: type: string + description: A message that's visible in the End-User Dashboard ApplicationSettingsNotifications: + description: Specifies notifications settings for the app type: object properties: vpn: $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn' ApplicationSettingsNotificationsVpn: + description: Sends customizable messages with conditions to end users when a VPN connection is required type: object properties: helpUrl: type: string + description: An optional URL to a help page to assist your end users in signing in to your company VPN message: type: string + description: A VPN requirement message that's displayed to users network: $ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork' + required: + - network ApplicationSettingsNotificationsVpnNetwork: + description: Defines network zones for VPN notification type: object properties: connection: type: string + description: Specifies the VPN connection details required to access the app + enum: + - DISABLED + - ANYWHERE + - ON_NETWORK + - OFF_NETWORK + - ZONE + x-enumDescriptions: + DISABLED: The default state. Retain this setting for apps that don't require a VPN connection. + ANYWHERE: Displays VPN connection information regardless of the browser's client IP. The notification appears before the end user can access the app. + ON_NETWORK: Displays VPN connection information only when a browser's client IP matches the configured Public Gateway IPs. The notification appears before the end user can access the app. + OFF_NETWORK: Displays VPN connection information only when the browser's client IP doesn't match the configured Public Gateway IPs. The notification appears before the end user can access the app. exclude: type: array + description: Defines the IP addresses or network ranges that are excluded from the VPN requirement items: type: string include: type: array + description: Defines the IP addresses or network ranges that are required to use the VPN items: type: string ApplicationSignOnMode: - description: Authentication mode for the app + description: | + Authentication mode for the app + + | signOnMode | Description | + | ---------- | ----------- | + | AUTO_LOGIN | Secure Web Authentication (SWA) | + | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | + | BOOKMARK | Just a bookmark (no-authentication) | + | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin | + | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | + | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) | + | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | + | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) | + | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile | + + Select the `signOnMode` for your custom app: type: string enum: - AUTO_LOGIN @@ -33859,11 +47432,12 @@ components: - service - web ApplicationVisibility: + description: Specifies visibility settings for the app type: object properties: appLinks: type: object - description: Links or icons that appear on the End-User Dashboard when they're assigned to the app + description: Links or icons that appear on the End-User Dashboard if they're set to `true`. additionalProperties: type: boolean autoLaunch: @@ -33880,8 +47454,14 @@ components: properties: iOS: type: boolean + description: Okta Mobile for iOS or Android (pre-dates Android) + default: false + example: false web: type: boolean + description: Okta End-User Dashboard on a web browser + default: false + example: true AssignGroupOwnerRequestBody: type: object properties: @@ -33908,6 +47488,28 @@ components: description: A list of the authorization server IDs items: type: string + AssuranceMethod: + allOf: + - $ref: '#/components/schemas/VerificationMethod' + - type: object + properties: + constraints: + items: + $ref: '#/components/schemas/AccessPolicyConstraints' + type: array + factorMode: + $ref: '#/components/schemas/AssuranceMethodFactorMode' + inactivityPeriod: + type: string + description: The inactivity duration after which the user must re-authenticate. Use the ISO 8601 period format (for example, PT2H). + reauthenticateIn: + type: string + description: The duration after which the user must re-authenticate, regardless of user activity. Keep in mind that the re-authentication intervals for constraints take precedent over this value. Use the ISO 8601 period format for recurring time intervals (for example, PT2H, PT0S, PT43800H, and so on). + AssuranceMethodFactorMode: + type: string + enum: + - 1FA + - 2FA AttackProtectionAuthenticatorSettings: type: object properties: @@ -33944,6 +47546,77 @@ components: allOf: - description: Link to the authorization server scopes - $ref: '#/components/schemas/HrefObject' + AuthenticationMethod: + type: object + properties: + hardwareProtection: + type: string + description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + id: + type: string + description: An ID that identifies the authenticator + key: + type: string + description: A label that identifies the authenticator + method: + type: string + description: Specifies the method used for the authenticator + phishingResistant: + type: string + description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + userVerification: + type: string + description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + required: + - key + - method + AuthenticationMethodChain: + type: object + properties: + authenticationMethods: + items: + $ref: '#/components/schemas/AuthenticationMethod' + type: array + next: + type: array + description: The next steps of the authentication method chain. This is an array of `AuthenticationMethodChain`. Only supports one item in the array. + items: + type: object + reauthenticateIn: + type: string + description: |- + Specifies how often the user should be prompted for authentication using duration format for the time period. + For example, `PT2H30M` for two and a half hours. This parameter can't be set at the same time as the `reauthenticateIn` property on the `verificationMethod`. + AuthenticationMethodChainMethod: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + allOf: + - $ref: '#/components/schemas/VerificationMethod' + - type: object + properties: + chains: + items: + $ref: '#/components/schemas/AuthenticationMethodChain' + type: array + description: Authentication method chains. Only supports 5 items in the array. Each chain can support maximum 3 steps. + reauthenticateIn: + description: |- + Specifies how often the user should be prompted for authentication using duration format for the time period. + For example, `PT2H30M` for two and a half hours. Don't set this parameter if you're setting the `reauthenticateIn` parameter in `chains`. + type: string AuthenticationMethodObject: type: object properties: @@ -33953,18 +47626,22 @@ components: method: type: string description: Specifies the method used for the authenticator + required: + - key AuthenticationProvider: description: |- - Specifies the authentication provider that validates the user's password credential. The user's current provider - is managed by the Delegated Authentication settings for your organization. The provider object is read-only. + Specifies the authentication provider that validates the User's password credential. The User's current provider + is managed by the Delegated Authentication settings for your organization. The provider object is **read-only**. type: object properties: name: type: string description: The name of the authentication provider readOnly: true + example: OKTA type: $ref: '#/components/schemas/AuthenticationProviderType' + readOnly: true AuthenticationProviderType: description: The type of authentication provider type: string @@ -34031,6 +47708,154 @@ components: smart_card_idp: '#/components/schemas/AuthenticatorKeySmartCard' webauthn: '#/components/schemas/AuthenticatorKeyWebauthn' yubikey_token: '#/components/schemas/AuthenticatorKeyYubikey' + AuthenticatorEnrollmentPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyConditions' + settings: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettings' + AuthenticatorEnrollmentPolicyAuthenticatorSettings: + type: object + properties: + constraints: + description: Constraints for the authenticator + nullable: true + minimum: 0 + type: object + properties: + aaguidGroups: + type: array + description: The list of FIDO2 WebAuthn authenticator groups allowed for enrollment + items: + type: string + uniqueItems: true + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + enroll: + type: object + description: Enrollment requirements for the authenticator + properties: + self: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorStatus' + key: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorType' + AuthenticatorEnrollmentPolicyAuthenticatorStatus: + description: Requirements for the user-initiated enrollment + default: NOT_ALLOWED + type: string + enum: + - NOT_ALLOWED + - OPTIONAL + - REQUIRED + AuthenticatorEnrollmentPolicyAuthenticatorType: + description: A label that identifies the authenticator + type: string + enum: + - custom_app + - custom_otp + - duo + - external_idp + - google_otp + - okta_email + - okta_password + - okta_verify + - onprem_mfa + - phone_number + - rsa_token + - security_question + - symantec_vip + - webauthn + - yubikey_token + AuthenticatorEnrollmentPolicyConditions: + allOf: + - type: object + properties: + people: + type: object + description: Identifies Users and Groups that are used together + properties: + groups: + type: object + description: Specifies a set of Groups whose Users are to be included or excluded + properties: + include: + type: array + description: Groups to be included + items: + type: string + AuthenticatorEnrollmentPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActions' + conditions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleConditions' + AuthenticatorEnrollmentPolicyRuleActionEnroll: + description: Specifies whether the User is to be enrolled the first time they `LOGIN`, the next time they are in the `CHALLENGE` process, or `NEVER` + type: object + properties: + self: + type: string + enum: + - CHALLENGE + - LOGIN + - NEVER + AuthenticatorEnrollmentPolicyRuleActions: + allOf: + - $ref: '#/components/schemas/PolicyRuleActions' + - type: object + properties: + enroll: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActionEnroll' + AuthenticatorEnrollmentPolicyRuleConditions: + type: object + properties: + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + type: object + description: Identifies Users and Groups that are used together + properties: + users: + type: object + description: Specifies a set of Users to be included or excluded + properties: + exclude: + type: array + description: Users to be excluded + items: + type: string + AuthenticatorEnrollmentPolicySettings: + description: '**Note:** In Identity Engine, the Multifactor (MFA) Enrollment Policy name has changed to authenticator enrollment policy. The policy type of `MFA_ENROLL` remains unchanged. However, the `settings` data is updated for authenticators. Policy `settings` are included only for those authenticators that are enabled.' + type: object + properties: + authenticators: + description: | + List of authenticator policy settings + + For orgs with the Authenticator enrollment policy feature enabled, the new default authenticator enrollment policy created by Okta contains the `authenticators` property in the policy settings. Existing default authenticator enrollment policies from a migrated Classic Engine org remain unchanged. The policies still use the `factors` property in their settings. The `authenticators` parameter allows you to configure all available authenticators, including authentication and recovery. The `factors` parameter only allows you to configure multifactor authentication. + items: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorSettings' + type: array + type: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettingsType' + AuthenticatorEnrollmentPolicySettingsType: + description: | + Type of policy configuration object + + The `type` property in the policy `settings` is only applicable to the authenticator enrollment policy available in Identity Engine. + default: FACTORS + type: string + enum: + - AUTHENTICATORS + - FACTORS AuthenticatorIdentity: description: Represents a particular authenticator serving as a constraint on a method type: object @@ -34532,8 +48357,53 @@ components: allOf: - type: object properties: + id: + type: string + description: ID of the Policy + type: + type: string + description: Indicates that the Policy is an authorization server Policy + enum: + - OAUTH_AUTHORIZATION_POLICY + name: + type: string + description: Name of the Policy conditions: $ref: '#/components/schemas/AuthorizationServerPolicyConditions' + description: + type: string + description: Description of the Policy + priority: + type: integer + description: Specifies the order in which this Policy is evaluated in relation to the other Policies in a custom authorization server + status: + type: string + description: Specifies whether requests have access to this Policy + enum: + - ACTIVE + - INACTIVE + system: + type: boolean + description: Specifies whether Okta created this Policy + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the Policy was created + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the Policy was last updated + _links: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + rules: + allOf: + - description: Link to the authorization server policy's rules + - $ref: '#/components/schemas/HrefObject' AuthorizationServerPolicyConditions: type: object properties: @@ -34548,14 +48418,49 @@ components: users: $ref: '#/components/schemas/AuthorizationServerPolicyRuleUserCondition' AuthorizationServerPolicyRule: - allOf: - - $ref: '#/components/schemas/PolicyRule' - - type: object - properties: - actions: - $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' - conditions: - $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' + type: object + properties: + actions: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' + conditions: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the rule was created + id: + type: string + description: Identifier of the rule + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the rule was last modified + name: + type: string + description: Name of the rule + priority: + type: integer + description: Priority of the rule + status: + type: string + description: Status of the rule + enum: + - ACTIVE + - INACTIVE + system: + type: boolean + description: Set to `true` for system rules. You can't delete system rules. + type: + type: string + description: Rule type + enum: + - RESOURCE_ACCESS + _links: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' AuthorizationServerPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' @@ -34581,6 +48486,14 @@ components: description: Groups to be included items: type: string + AuthorizationServerPolicyRuleRequest: + allOf: + - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + - type: object + required: + - name + - conditions + - type AuthorizationServerPolicyRuleUserCondition: description: Specifies a set of Users to be included type: object @@ -34590,12 +48503,24 @@ components: type: array items: type: string + AuthorizationServerResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: + type: string + description: Link name + example: Example Authorization Server AutoAssignAdminAppSetting: description: The org setting that automatically assigns the Okta Admin Console when an admin role is assigned type: object properties: autoAssignAdminAppSetting: type: boolean + description: Automatically assigns the Okta Admin Console to the user when an admin role is assigned AutoLoginApplication: allOf: - $ref: '#/components/schemas/Application' @@ -34625,6 +48550,8 @@ components: redirectUrl: type: string description: Secondary URL of the sign-in page for this app + required: + - loginUrl AutoUpdateSchedule: description: The schedule of auto-update configured by admin. type: object @@ -34677,6 +48604,110 @@ components: - us-east-2 - us-west-1 - us-west-2 + BaseContext: + description: This object contains a number of sub-objects, each of which provide some type of contextual information. + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + session: + description: Details of the user session + type: object + properties: + id: + description: The unique identifier for the user's session + type: string + example: 102LN9Bnuc4S_ewfc9BYwageA + userId: + description: The unique identifier for the user + type: string + example: 00uq8tMo3zV0OfJON0g3 + login: + description: The username used to identify the user. This is often the user's email address. + type: string + example: user@example.com + createdAt: + description: Timestamp of when the session was created + type: string + format: date-time + example: '2019-03-28T16:45:55.000Z' + expiresAt: + description: Timestamp of when the session expires + type: string + format: date-time + example: '2019-03-28T21:15:23.000Z' + status: + description: Represents the current status of the user's session + type: string + example: ACTIVE + lastPasswordVerification: + description: Timestamp of when the user was last authenticated + type: string + format: date-time + example: '2019-03-28T16:45:55.000Z' + amr: + description: The authentication method reference + type: array + items: + type: string + example: + - PASSWORD + idp: + $ref: '#/components/schemas/SessionIdentityProvider' + mfaActive: + description: Describes whether multifactor authentication was enabled + type: boolean + example: false + user: + description: Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile + type: object + properties: + id: + description: The unique identifier for the user + type: string + example: 00uq8tMo3zV0OfJON0g3 + passwordChanged: + description: The timestamp when the user's password was last updated + type: string + format: date-time + example: '2018-09-11T23:19:12.000Z' + profile: + type: object + properties: + login: + description: The username used to identify the user. This is often the user's email address. + type: string + example: user@example.com + firstName: + description: The first name of the user + type: string + example: John + lastName: + description: The last name of the user + type: string + example: Smith + locale: + description: |- + The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. + A locale value is a concatenation of the [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes) two-letter language code, an underscore, and the [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) two-letter country code. For example, `en_US` specifies the language English and country US. This value is `en_US` by default. + type: string + example: en_US + timeZone: + description: The user's timezone + type: string + example: America/Los_Angeles + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled. + type: object + properties: + groups: + description: URL to retrieve the individual user's group memberships + allOf: + - $ref: '#/components/schemas/HrefObject' + factors: + description: URL to retrieve individual user's factor enrollments + allOf: + - $ref: '#/components/schemas/HrefObject' BaseEmailDomain: type: object properties: @@ -34709,6 +48740,19 @@ components: type: string description: Username used to access your SMTP server example: aUser + BaseToken: + type: object + properties: + claims: + description: Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#claims). + type: object + lifetime: + description: Lifetime of the token + type: object + properties: + expiration: + description: Time in seconds until the token expires + type: integer BasicApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' @@ -34721,8 +48765,13 @@ components: properties: authURL: type: string + description: The URL of the authenticating site for this app url: type: string + description: The URL of the sign-in page for this app + required: + - authURL + - url BasicAuthApplication: x-okta-defined-as: name: template_basic_auth @@ -34734,8 +48783,9 @@ components: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string - description: '`template_basic_auth` is the key name for a basic authentication scheme app instance' - default: template_basic_auth + description: '`template_basic_auth` is the key name for a Basic Authentication scheme app instance' + enum: + - template_basic_auth settings: $ref: '#/components/schemas/BasicApplicationSettings' required: @@ -34892,7 +48942,8 @@ components: name: type: string description: '`bookmark` is the key name for a Bookmark app' - default: bookmark + enum: + - bookmark settings: $ref: '#/components/schemas/BookmarkApplicationSettings' required: @@ -34910,27 +48961,37 @@ components: properties: requestIntegration: type: boolean + description: Would you like Okta to add an integration for this app? + default: false url: type: string + description: The URL of the launch page for this app + required: + - url BouncesRemoveListError: type: object properties: emailAddress: type: string + description: An email address with a validation error reason: type: string + description: Validation error reason BouncesRemoveListObj: type: object properties: emailAddresses: type: array + description: A list of email addresses to remove from the email-service bounce list items: type: string + description: Email address BouncesRemoveListResult: type: object properties: errors: type: array + description: A list of emails that wasn't added to the email-bounced remove list and the error reason items: $ref: '#/components/schemas/BouncesRemoveListError' Brand: @@ -35030,6 +49091,12 @@ components: name: type: string description: The key name for the app definition + enum: + - template_swa + - template_swa3field + x-enumDescriptions: + template_swa: The key name for a SWA app instance that requires a browser plugin + template_swa3field: The key name for a SWA app instance that requires a browser plugin and supports three CSS selectors settings: $ref: '#/components/schemas/SwaApplicationSettings' required: @@ -35088,12 +49155,29 @@ components: items: $ref: '#/components/schemas/BundleEntitlement' _links: - allOf: - - $ref: '#/components/schemas/LinksSelf' - - $ref: '#/components/schemas/LinksNext' - - properties: - bundle: - $ref: '#/components/schemas/HrefObject' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the next resource + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + bundle: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the bundle resource + ByDateTimeExpiry: + allOf: + - $ref: '#/components/schemas/DateTime' + ByDurationExpiry: + allOf: + - $ref: '#/components/schemas/TimeDuration' + description: |- + A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). + Must be between 1 and 180 days inclusive. CAPTCHAInstance: title: CAPTCHAInstance description: '' @@ -35123,6 +49207,14 @@ components: enum: - HCAPTCHA - RECAPTCHA_V2 + CSRLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of a CSR object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + properties: + publish: + $ref: '#/components/schemas/HrefCsrPublishLink' + self: + $ref: '#/components/schemas/HrefCsrSelfLink' + readOnly: true CaepDeviceComplianceChangeEvent: description: The subject's device compliance was revoked type: object @@ -35163,12 +49255,11 @@ components: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. - subjects: - type: object + subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - - subjects + - subject - current_status - previous_status CaepSecurityEvent: @@ -35197,12 +49288,11 @@ components: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. - subjects: - type: object + subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - - subjects + - subject CaepSessionRevokedEvent: description: The session of the subject was revoked type: object @@ -35246,17 +49336,16 @@ components: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. - subjects: - type: object + subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - - subjects + - subject CapabilitiesCreateObject: description: | - Determines whether Okta assigns a new application account to each user managed by Okta. + Determines whether Okta assigns a new app account to each user managed by Okta. - Okta doesn't create a new account if it detects that the username specified in Okta already exists in the application. + Okta doesn't create a new account if it detects that the username specified in Okta already exists in the app. The user's Okta username is assigned by default. type: object properties: @@ -35326,7 +49415,7 @@ components: update: $ref: '#/components/schemas/CapabilitiesUpdateObject' CapabilitiesUpdateObject: - description: Determines whether updates to a user's profile are pushed to the application + description: Determines whether updates to a user's profile are pushed to the app type: object properties: lifecycleDeactivate: @@ -35380,7 +49469,7 @@ components: - http://auth0.com/oauth/grant-type/mfa-oob - http://auth0.com/oauth/grant-type/mfa-otp ChangeEnum: - description: Determines whether a change in a user's password also updates the user's password in the application + description: Determines whether a change in a user's password also updates the user's password in the app default: KEEP_EXISTING example: CHANGE type: string @@ -35396,6 +49485,8 @@ components: $ref: '#/components/schemas/PasswordCredential' revokeSessions: type: boolean + description: When set to `true`, revokes all User sessions, except for the current session + default: false Channel: description: The out-of-band channel for use with authentication. Required for all `/oob-authenticate` requests and any `/challenge` request with an out-of-band authenticator. type: string @@ -35412,6 +49503,90 @@ components: type: string enum: - NUMBER_CHALLENGE + ChildOrg: + type: object + properties: + admin: + $ref: '#/components/schemas/OrgCreationAdmin' + created: + description: Timestamp when the Org was created + type: string + format: date-time + readOnly: true + example: '2022-08-25T00:05:00.000Z' + edition: + description: Edition for the Org. `SKU` is the only supported value. + type: string + enum: + - SKU + example: SKU + id: + type: string + description: Org ID + readOnly: true + example: 00o1n8sbwArJ7OQRw406 + lastUpdated: + description: Timestamp when the Org was last updated + type: string + format: date-time + readOnly: true + example: '2022-08-25T00:05:00.000Z' + name: + description: |- + Unique name of the Org. + This name appears in the HTML `` tag of the new Org sign-in page. + Only less than 4-width UTF-8 encoded characters are allowed. + type: string + format: utf-8 + minimum: 1 + maximum: 100 + example: My Child Org 1 + settings: + description: Settings associated with the created Org + readOnly: true + type: object + additionalProperties: true + status: + description: Status of the Org. `ACTIVE` is returned after the Org is created. + type: string + readOnly: true + enum: + - ACTIVE + subdomain: + description: Subdomain of the Org. Must be unique and include no spaces. + type: string + minimum: 1 + maximum: 57 + example: my-child-org-1 + token: + description: |- + API token associated with the child Org super admin account. + Use this API token to provision resources (such as policies, apps, and groups) on the newly created child Org. + This token is revoked if the super admin account is deactivated. + > **Note:** If this API token expires, sign in to the Admin Console as the super admin user and create a new API token. See [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/). + type: string + readOnly: true + tokenType: + description: Type of returned `token`. See [Okta API tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/#okta-api-tokens). + type: string + readOnly: true + example: SSWS + enum: + - SSWS + website: + description: Default website for the Org + type: string + example: https://www.okta.com + _links: + description: Specifies available link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + type: object + additionalProperties: true + required: + - admin + - edition + - name + - subdomain ChromeBrowserVersion: description: Current version of the Chrome Browser type: object @@ -35514,6 +49689,8 @@ components: properties: clientPrivilegesSetting: type: boolean + description: If true, assigns the super admin role by default to new public client apps + example: true CodeChallengeMethod: type: string enum: @@ -35551,89 +49728,6 @@ components: properties: expression: type: string - ContinuousAccessFailureActionsObject: - type: object - properties: - action: - type: string - enum: - - RUN_WORKFLOW - - TERMINATE_SESSION - discriminator: - propertyName: action - mapping: - RUN_WORKFLOW: '#/components/schemas/ContinuousAccessPolicyRuleRunWorkflow' - TERMINATE_SESSION: '#/components/schemas/ContinuousAccessPolicyRuleTerminateSession' - ContinuousAccessPolicy: - allOf: - - $ref: '#/components/schemas/Policy' - - type: object - properties: - conditions: - type: string - description: Policy conditions aren't supported for this policy type. - default: null - nullable: true - ContinuousAccessPolicyRule: - allOf: - - $ref: '#/components/schemas/PolicyRule' - - type: object - properties: - actions: - type: object - description: The action to take in response to a failure of the reevaluated global session policy or authentication polices. - properties: - continuousAccess: - type: object - description: This object contains a `failureActions` array that defines the specific action to take when Continuous Access evaluation detects a failure. - properties: - failureActions: - type: array - description: An array of objects that define the action. It can be empty or contain two `action` value pairs. - items: - $ref: '#/components/schemas/ContinuousAccessFailureActionsObject' - conditions: - type: object - properties: - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - ContinuousAccessPolicyRuleRunWorkflow: - type: object - properties: - action: - type: string - enum: - - RUN_WORKFLOW - workflow: - type: object - description: This action runs a workflow - properties: - id: - type: integer - description: The `id` of the workflow that runs. - ContinuousAccessPolicyRuleTerminateSession: - type: object - properties: - action: - type: string - description: The action to take when Continuous Access evaluation detects a failure. - enum: - - TERMINATE_SESSION - slo: - type: object - properties: - appSelectionMode: - description: This property defines the session to terminate - everyone, no one, or a specific app instance. - type: string - enum: - - SPECIFIC - - ALL - - NONE - appInstanceIds: - type: array - description: This property defines the app instance access to terminate. Only include this property when `appSelectionMode` is set to `SPECIFIC`. - items: - type: string CreateBrandRequest: title: CreateBrandRequest type: object @@ -35643,6 +49737,22 @@ components: description: The name of the Brand required: - name + CreateGroupRuleRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/GroupRuleAction' + conditions: + $ref: '#/components/schemas/GroupRuleConditions' + name: + type: string + description: Name of the Group rule + minLength: 1 + maxLength: 50 + type: + type: string + enum: + - group_rule CreateIamRoleRequest: type: object properties: @@ -35654,7 +49764,7 @@ components: description: Unique label for the role permissions: type: array - description: Array of permissions that the role will grant. See [Permissions](/openapi/okta-management/guides/roles/#permission). + description: Array of permissions that the Role grants. See [Permissions](/openapi/okta-management/guides/roles/#permissions). items: $ref: '#/components/schemas/RolePermissionType' required: @@ -35692,6 +49802,10 @@ components: maximum: 1000 items: type: string + required: + - description + - label + - resources CreateSessionRequest: type: object properties: @@ -35722,16 +49836,68 @@ components: $ref: '#/components/schemas/UserProfile' realmId: type: string - description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the Realm in which the user is residing + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the Realm in which the User is residing example: guo1bfiNtSnZYILxO0g4 x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] type: - $ref: '#/components/schemas/UserType' + type: object + description: |- + The ID of the User type. Add this value if you want to create a User with a non-default [User Type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). + The User Type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a User has been created, the User can + only be assigned a different User Type by an administrator through a full replacement (`PUT`) operation. + properties: + id: + type: string + description: The ID of the User Type required: - profile + CreateUserTypeRequest: + type: object + properties: + name: + type: string + description: The updated human-readable name for the User Type + displayName: + type: string + description: The updated human-readable display name for the User Type + description: + type: string + description: The updated human-readable description of the User Type + Created: + format: date-time + description: Timestamp when the object was created + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + CredentialSyncInfo: + type: object + properties: + errorCode: + type: string + description: The error code for the type of error + readOnly: true + errorReason: + type: string + description: A short description of the error + readOnly: true + secretVersionId: + type: string + description: The version ID of the password secret from the OPA vault. + minLength: 1 + maxLength: 36 + example: 9f8400-e29b-41d4-a716-926655440034 + syncState: + $ref: '#/components/schemas/CredentialSyncState' + example: NOT_SYNCED + syncTime: + type: string + description: Timestamp when the credential was changed + format: date-time + readOnly: true + example: '2024-06-10T11:30:01.000Z' CredentialSyncState: description: Current credential sync status of the privileged resource type: string @@ -35754,12 +49920,19 @@ components: csr: type: string readOnly: true + example: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= id: type: string readOnly: true + example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 kty: type: string readOnly: true + example: RSA + _links: + $ref: '#/components/schemas/CSRLinks' + readOnly: true + nullable: false CsrMetadata: type: object properties: @@ -35772,30 +49945,109 @@ components: properties: commonName: type: string + description: Common name of the subject + example: SP Issuer countryName: type: string + description: Country name or code + example: US localityName: type: string + description: Locality (city) name + example: San Francisco organizationalUnitName: type: string + description: Name of the smaller organization, for example, the department or the division + example: Dev organizationName: type: string + description: Large organization name + example: Okta, Inc. stateOrProvinceName: type: string + description: State or province name + example: California CsrMetadataSubjectAltNames: type: object properties: dnsNames: + type: array + description: DNS names of the subject + items: + type: string + example: dev.okta.com + CsrPublishHrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + type: string + enum: + - POST + CsrSelfHrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: type: array items: type: string + enum: + - GET + - DELETE CustomAppUserVerificationEnum: description: User verification setting type: string enum: - PREFERRED - REQUIRED + CustomRole: + title: Custom Role Assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Binding Object ID + readOnly: true + label: + type: string + description: Label for the custom role assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + resource-set: + type: string + description: Resource Set ID + readOnly: true + role: + type: string + description: Custom Role ID + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the Custom Role Assignment + type: + type: string + description: CUSTOM for a custom role + enum: + - CUSTOM + _links: + $ref: '#/components/schemas/LinksCustomRoleResponse' CustomRoleAssignmentSchema: + title: Custom Role type: object properties: resource-set: @@ -35806,7 +50058,7 @@ components: description: Custom Role ID type: type: string - description: Standard role type + description: The type of role. Specify `CUSTOM` for a custom role. enum: - CUSTOM CustomizablePage: @@ -35841,6 +50093,17 @@ components: enum: - CNAME - TXT + DRStatusItem: + description: Provides the status whether a domain has been failed over or not + type: object + properties: + domain: + type: string + description: domain + isFailedOver: + type: boolean + description: Indicates if the domain has been failed over + nullable: false DTCChromeOS: description: Google Chrome Device Trust Connector provider type: object @@ -35979,6 +50242,11 @@ components: windowsUserDomain: description: Windows domain for the current OS user type: string + DateTime: + description: An [ISO-8601](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations) formatted date and time. + format: date-time + example: '2024-12-01T00:00:00Z' + type: string DefaultApp: type: object properties: @@ -35991,6 +50259,62 @@ components: classicApplicationUri: type: string description: Application URI for classic Orgs + DesktopMFAEnforceNumberMatchingChallengeOrgSetting: + type: object + properties: + desktopMFAEnforceNumberMatchingChallengeEnabled: + type: boolean + description: Indicates whether or not the Desktop MFA Enforce Number Matching Challenge push notifications feature is enabled + default: false + DesktopMFARecoveryPinOrgSetting: + type: object + properties: + desktopMFARecoveryPinEnabled: + type: boolean + description: Indicates whether or not the Desktop MFA Recovery PIN feature is enabled + default: false + DetailedHookKeyInstance: + title: DetailedHookKeyInstance + description: A key object with public key details + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the key was created + readOnly: true + nullable: true + id: + type: string + description: The unique Okta ID of this key record + readOnly: true + nullable: false + isUsed: + type: string + format: boolean + description: Whether this key is currently in use by other applications + nullable: false + readOnly: true + keyId: + type: string + description: The alias of the public key + nullable: false + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the key was updated + readOnly: true + nullable: true + name: + type: string + description: Display name of the key + readOnly: false + nullable: false + minLength: 1 + maxLength: 255 + _embedded: + $ref: '#/components/schemas/_embedded' DetectedRiskEvents: type: string enum: @@ -36039,16 +50363,19 @@ components: _links: $ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle' DeviceAccessPolicyRuleCondition: - allOf: - - $ref: '#/components/schemas/DevicePolicyRuleCondition' - - type: object - properties: - assurance: - $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance' - managed: - type: boolean - registered: - type: boolean + description: <x-lifecycle class="oie"></x-lifecycle> Specifies the device condition to match on + type: object + properties: + assurance: + $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance' + managed: + type: boolean + description: Indicates if the device is managed. A device is considered managed if it's part of a device management system. + registered: + type: boolean + description: | + Indicates if the device is registered. A device is registered if the User enrolls with Okta Verify that's installed on the device. + When the `managed` property is passed, you must also include the `registered` property and set it to `true`. DeviceAssurance: title: DeviceAssurance type: object @@ -36223,6 +50550,60 @@ components: properties: dtc: $ref: '#/components/schemas/DTCWindows' + DeviceCheck: + title: DeviceCheck + type: object + properties: + createdBy: + type: string + readOnly: true + description: User who created the Device Check + example: 00u217pyf72CdUrBt1c5 + createdDate: + type: string + readOnly: true + description: Time the Device Check was created + example: '2019-10-02T18:03:07.000Z' + description: + type: string + description: Description of the Device Check + example: Query macOS devices to check if firewall is enabled + id: + type: string + readOnly: true + description: The ID of the Device Check + example: dch3m8o4rWhwReDeM1c5 + lastUpdate: + type: string + readOnly: true + description: Time the Device Check was updated + example: '2019-10-02T18:03:07.000Z' + lastUpdatedBy: + type: string + readOnly: true + description: User who updated the Device Check + example: 00u217pyf72CdUrBt1c5 + name: + type: string + description: Display name of the Device Check + example: Device Check macOS + platform: + $ref: '#/components/schemas/DeviceChecksPlatform' + query: + type: string + description: OSQuery for the Device Check + example: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + variableName: + type: string + description: Unique name of the Device Check + example: macOSFirewall + _links: + $ref: '#/components/schemas/LinksSelf' + DeviceChecksPlatform: + type: string + enum: + - MACOS + - WINDOWS DeviceDisplayName: description: Display name of the device type: object @@ -37093,14 +51474,16 @@ components: value: type: string _links: - allOf: - - properties: - group: - $ref: '#/components/schemas/HrefObject' - app: - $ref: '#/components/schemas/HrefObject' - resource-set: - $ref: '#/components/schemas/HrefObject' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + group: + $ref: '#/components/schemas/HrefObjectGroupLink' + app: + $ref: '#/components/schemas/HrefObjectAppLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' EntitlementValuesResponse: type: object properties: @@ -37109,7 +51492,7 @@ components: items: $ref: '#/components/schemas/EntitlementValue' _links: - allOf: + anyOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksNext' - properties: @@ -37124,7 +51507,7 @@ components: properties: conditions: type: string - description: Policy conditions aren't supported for this policy types. + description: Policy conditions aren't supported for this policy type. default: null nullable: true EntityRiskPolicyRule: @@ -37146,35 +51529,7 @@ components: items: $ref: '#/components/schemas/EntityRiskPolicyRuleActionsObject' conditions: - type: object - properties: - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - riskDetectionTypes: - type: object - description: An object that references detected risk events. This object can have an `include` parameter or an `exclude` parameter, but not both. - properties: - exclude: - type: array - description: An array of detected risk events to exclude in the entity policy rule - items: - $ref: '#/components/schemas/DetectedRiskEvents' - include: - type: array - description: An array of detected risk events to include in the entity policy rule - items: - $ref: '#/components/schemas/DetectedRiskEvents' - EntityRisk: - type: object - description: The risk score level of the entity risk policy rule - properties: - level: - type: string - enum: - - ANY - - LOW - - MEDIUM - - HIGH + $ref: '#/components/schemas/EntityRiskPolicyRuleConditions' EntityRiskPolicyRuleActionRunWorkflow: type: object properties: @@ -37210,6 +51565,29 @@ components: mapping: RUN_WORKFLOW: '#/components/schemas/EntityRiskPolicyRuleActionRunWorkflow' TERMINATE_ALL_SESSIONS: '#/components/schemas/EntityRiskPolicyRuleActionTerminateAllSessions' + EntityRiskPolicyRuleConditions: + allOf: + - type: object + properties: + entityRisk: + $ref: '#/components/schemas/EntityRiskScorePolicyRuleCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + riskDetectionTypes: + $ref: '#/components/schemas/RiskDetectionTypesPolicyRuleCondition' + EntityRiskScorePolicyRuleCondition: + description: <x-lifecycle class="oie"></x-lifecycle> The risk score level of the entity risk policy rule + type: object + properties: + level: + type: string + enum: + - ANY + - LOW + - MEDIUM + - HIGH + required: + - level Error: title: Error type: object @@ -37255,6 +51633,30 @@ components: BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the error page. OKTA_DEFAULT: Uses the Okta logo, favicon, and background color + ErrorResponse: + type: object + properties: + errorCause: + type: string + description: The reason or cause for the error in the org domain for the dr operation + nullable: true + errorCode: + type: string + description: An error code unique to the error + errorId: + type: string + description: The unique identifier of this error + nullable: true + errorLink: + type: string + description: An indicator where to look out to troubleshoot the error + nullable: true + errorSummary: + type: string + description: An error code description, detailing the error + required: + - errorCode + - errorSummary EventHook: type: object properties: @@ -37350,8 +51752,7 @@ components: To use Basic Auth for authentication, set `type` to `HEADER`, `key` to `Authorization`, and `value` to the Base64-encoded string of "username:password". Ensure that you include - the scheme (including space) as part of the `value` parameter. For example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`. See - [HTTP Basic Authentication](/books/api-security/authn/api-authentication-options/#http-basic-authentication). + the scheme (including space) as part of the `value` parameter. For example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`. type: object properties: key: @@ -37428,7 +51829,7 @@ components: description: |- The subscribed event types that trigger the event hook. When you register an event hook you need to specify which events you want to subscribe to. To see the list of event types - currently eligible for use in event hooks, use the [Event Types catalog](/docs/reference/api/event-types/#catalog) + currently eligible for use in event hooks, use the [Event Types catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog) and search with the parameter `event-hook-eligible`. items: type: string @@ -37457,6 +51858,12 @@ components: required: - type - items + ExpiresAt: + format: date-time + description: Timestamp when the object expires + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true Expression: type: object properties: @@ -37482,6 +51889,26 @@ components: properties: configuration: $ref: '#/components/schemas/FCMConfiguration' + FailbackRequestSchema: + description: List of domains to failback + items: + type: string + description: Okta or custom domain to failback + example: yourOktaDomain.okta.com + type: array + FailbackResponseSchema: + description: successful failback message + type: string + FailoverRequestSchema: + description: List of domains to failover + items: + type: string + description: Okta or custom domain to failover + example: yourOktaDomain.okta.com + type: array + FailoverResponseSchema: + description: successful failover message + type: string Feature: description: Specifies feature release cycle information type: object @@ -37614,7 +52041,7 @@ components: description: | Schema for the Google Workspace app (key name: `google`) - To create a Google Workspace app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + To create a Google Workspace app, use the [Create an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. > **Note:** The Google Workspace app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. allOf: - $ref: '#/components/schemas/OINApplication' @@ -37706,9 +52133,15 @@ components: items: $ref: '#/components/schemas/GovernanceBundle' _links: - allOf: + anyOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksNext' + GovernanceSourceType: + description: The grant type + type: string + enum: + - CUSTOM + - ENTITLEMENT-BUNDLE GrantOrTokenStatus: description: Status example: ACTIVE @@ -37717,6 +52150,13 @@ components: - ACTIVE - REVOKED readOnly: true + GrantResourcesHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants GrantType: description: Determines the mechanism Okta uses to authorize the creation of the tokens. type: string @@ -37752,20 +52192,26 @@ components: type: string format: date-time readOnly: true + description: Timestamp when the Group was created id: type: string readOnly: true + example: 0gabcd1234 + description: Unique ID for the Group lastMembershipUpdated: type: string format: date-time readOnly: true + description: Timestamp when the Groups memberships were last updated lastUpdated: type: string format: date-time readOnly: true + description: Timestamp when the Group's Profile was last updated objectClass: type: array readOnly: true + description: Determines the Group's `profile` items: type: string profile: @@ -37774,11 +52220,13 @@ components: $ref: '#/components/schemas/GroupType' _embedded: type: object + description: Embedded resources related to the Group additionalProperties: type: object properties: {} readOnly: true _links: + description: '[Discoverable resources](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) related to the Group' allOf: - $ref: '#/components/schemas/LinksSelf' - properties: @@ -37812,16 +52260,9 @@ components: description: Groups to be included items: type: string - GroupMember: - allOf: - - $ref: '#/components/schemas/User' - type: object - properties: - groupRuleId: - type: string - description: The group rule ID - example: guo56h6ux7ibCPl2G0g7 - readOnly: true + required: + - exclude + - include GroupOwner: type: object properties: @@ -37874,14 +52315,15 @@ components: items: type: string GroupProfile: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - x-okta-extensible: true + description: |- + Specifies required and optional properties for a Group. The `objectClass` of a Group determines which additional properties are available. + + You can extend Group Profiles with custom properties, but you must first add the properties to the Group Profile schema before you can reference them. Use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)to manage schema extensions. + + Custom properties can contain HTML tags. It is the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. + anyOf: + - $ref: '#/components/schemas/OktaUserGroupProfile' + - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile' GroupRule: type: object properties: @@ -37893,25 +52335,34 @@ components: type: string format: date-time readOnly: true + description: Creation date for group rule id: type: string readOnly: true + description: ID of the group rule lastUpdated: type: string format: date-time readOnly: true + description: Date group rule was last updated name: type: string + description: Name of the Group rule + minLength: 1 + maxLength: 50 status: $ref: '#/components/schemas/GroupRuleStatus' type: type: string + description: Type to indicate a Group rule operation. Only `group_rule` is allowed. GroupRuleAction: + description: Defines which users and groups to assign type: object properties: assignUserToGroups: $ref: '#/components/schemas/GroupRuleGroupAssignment' GroupRuleConditions: + description: Defines group rule conditions type: object properties: expression: @@ -37919,31 +52370,36 @@ components: people: $ref: '#/components/schemas/GroupRulePeopleCondition' GroupRuleExpression: + description: Defines Okta specific [group-rules expression](https://developer.okta.com/docs/reference/okta-expression-language/#expressions-in-group-rules) type: object properties: type: type: string + description: Expression type. Only valid value is '`urn:okta:expression:1.0`'. value: type: string + description: Okta expression that would result in a Boolean value + example: user.role==\"Engineer\" GroupRuleGroupAssignment: + description: Contains the `groupIds` array type: object properties: groupIds: + description: Array of `groupIds` to which Users are added type: array items: type: string GroupRuleGroupCondition: + description: Currently not supported type: object properties: exclude: type: array - items: - type: string - include: - type: array + description: Currently not supported items: type: string GroupRulePeopleCondition: + description: Defines conditions for `people` in a group rule type: object properties: groups: @@ -37951,20 +52407,19 @@ components: users: $ref: '#/components/schemas/GroupRuleUserCondition' GroupRuleStatus: + description: Status of group rule type: string enum: - ACTIVE - INACTIVE - INVALID GroupRuleUserCondition: + description: Defines conditions specific to user exclusion type: object properties: exclude: type: array - items: - type: string - include: - type: array + description: Excluded `userIds` when processing rules items: type: string GroupSchema: @@ -37973,29 +52428,38 @@ components: $schema: readOnly: true type: string + description: JSON Schema version identifier created: readOnly: true type: string + description: Timestamp when the Schema was created definitions: $ref: '#/components/schemas/GroupSchemaDefinitions' description: type: string + description: Description for the Schema id: readOnly: true type: string + description: URI of Group Schema lastUpdated: readOnly: true type: string + description: Timestamp when the Schema was last updated name: readOnly: true type: string + description: Name of the Schema properties: $ref: '#/components/schemas/UserSchemaProperties' + description: Group object properties title: type: string + description: User-defined display name for the Schema type: readOnly: true type: string + description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) _links: $ref: '#/components/schemas/LinksSelf' x-okta-allow-null-property-value-for-updates: true @@ -38004,81 +52468,160 @@ components: properties: description: type: string + description: Description of the property enum: items: - type: string + anyOf: + - type: string + - type: integer type: array + nullable: true + description: |- + Enumerated value of the property. + + The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. externalName: type: string + description: Name of the property as it exists in an external application externalNamespace: type: string + description: Namespace from the external application + format: + description: Identifies the type of data represented by the string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeFormat' items: $ref: '#/components/schemas/UserSchemaAttributeItems' + nullable: true master: - $ref: '#/components/schemas/UserSchemaAttributeMaster' + description: Identifies where the property is mastered + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMaster' maxLength: type: integer + nullable: true + description: Maximum character length of a string property minLength: type: integer + nullable: true + description: Minimum character length of a string property mutability: - type: string + description: Defines the mutability of the property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' oneOf: items: $ref: '#/components/schemas/UserSchemaAttributeEnum' type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + + When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order. + + ``` + {"enum": ["S","M","L","XL"], + "oneOf": [ + {"const": "S", "title": "Small"}, + {"const": "M", "title": "Medium"}, + {"const": "L", "title": "Large"}, + {"const": "XL", "title": "Extra Large"} + ] + } + ```json + + The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value. permissions: + description: Access control permissions for the property items: $ref: '#/components/schemas/UserSchemaAttributePermission' type: array + nullable: true required: type: boolean + nullable: true + description: Determines whether the property is required scope: - $ref: '#/components/schemas/UserSchemaAttributeScope' + description: Determines whether a group attribute can be set at the individual or group level + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeScope' title: type: string + minLength: 1 + description: User-defined display name for the property type: - $ref: '#/components/schemas/UserSchemaAttributeType' - union: - $ref: '#/components/schemas/UserSchemaAttributeUnion' + description: Type of property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' unique: - type: string + description: Determines whether property values must be unique + type: boolean + nullable: true GroupSchemaBase: type: object properties: id: readOnly: true type: string + description: The subschema name properties: - $ref: '#/components/schemas/GroupSchemaBaseProperties' + description: The `#base` object properties + allOf: + - $ref: '#/components/schemas/GroupSchemaBaseProperties' required: items: type: string type: array + description: A collection indicating required property names + readOnly: true type: + description: The object type type: string + readOnly: true GroupSchemaBaseProperties: + description: All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. These properties can't be removed or edited, regardless of any attempt to do so. type: object properties: description: - $ref: '#/components/schemas/GroupSchemaAttribute' + description: Human readable description of the Group + allOf: + - $ref: '#/components/schemas/GroupSchemaAttribute' name: - $ref: '#/components/schemas/GroupSchemaAttribute' + description: Unique identifier for the Group + allOf: + - $ref: '#/components/schemas/GroupSchemaAttribute' GroupSchemaCustom: + description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom` type: object properties: id: readOnly: true type: string + description: The subschema name properties: additionalProperties: $ref: '#/components/schemas/GroupSchemaAttribute' type: object + description: The `#custom` object properties required: items: type: string type: array + description: A collection indicating required property names + readOnly: true type: type: string + description: The object type + readOnly: true GroupSchemaDefinitions: type: object properties: @@ -38087,42 +52630,67 @@ components: custom: $ref: '#/components/schemas/GroupSchemaCustom' GroupType: + description: Determines how a Group's Profile and memberships are managed type: string enum: - APP_GROUP - BUILT_IN - OKTA_GROUP + x-enumDescriptions: + APP_GROUP: Group Profile and memberships are imported and must be managed within the app (such as Active Directory or LDAP) that imported the Group + BUILT_IN: Group Profile and memberships are managed by Okta and can't be modified + OKTA_GROUP: Group Profile and memberships are directly managed in Okta via static assignments or indirectly through Group rules + GroupsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Application Groups](/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) resource + HelpLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app help resource HookKey: + title: HookKeyInstance + description: |- + The `id` property in the response as `id` serves as the unique ID for the key, which you can specify when invoking other CRUD operations. + + The `keyId` provided in the response is the alias of the public key that you can use to get details of the public key data in a separate call. type: object properties: created: type: string format: date-time - description: Timestamp when the key was created. + description: Timestamp when the key was created readOnly: true + nullable: true id: type: string - description: The unique identifier for the key. + description: The unique identifier for the key readOnly: true + nullable: false isUsed: type: string format: boolean - description: Whether this key is currently in use by other hooks. + description: Whether this key is currently in use by other applications + nullable: false + readOnly: true keyId: type: string - description: The alias of the public key. + description: The alias of the public key + nullable: false readOnly: true lastUpdated: type: string format: date-time - description: Timestamp when the key was updated. + description: Timestamp when the key was updated readOnly: true + nullable: true name: type: string - description: Display name of the key. + description: Display name of the key readOnly: false - _embedded: - $ref: '#/components/schemas/JsonWebKey' + nullable: false + minLength: 1 + maxLength: 255 HostedPage: type: object properties: @@ -38137,6 +52705,34 @@ components: enum: - EXTERNALLY_HOSTED - OKTA_DEFAULT + HrefCsrPublishLink: + title: Link Object + description: Link to publish CSR + type: object + properties: + hints: + $ref: '#/components/schemas/CsrPublishHrefHints' + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + required: + - href + readOnly: true + HrefCsrSelfLink: + title: Link Object + description: Link to the resource (self) + type: object + properties: + hints: + $ref: '#/components/schemas/CsrSelfHrefHints' + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + required: + - href + readOnly: true HrefHints: description: Describes allowed HTTP verbs for the `href` type: object @@ -38187,6 +52783,10 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the app resource + HrefObjectAssigneeLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the assignee resource HrefObjectAuthorizeLink: x-okta-lifecycle: lifecycle: GA @@ -38214,6 +52814,14 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to delete the resource + HrefObjectGovernanceResourcesLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resources + HrefObjectGrantAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to grant Okta Aerial access to your Org HrefObjectGroupLink: allOf: - $ref: '#/components/schemas/HrefObject' @@ -38226,6 +52834,30 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the mappings resource + HrefObjectMemberLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the member resource + HrefObjectPermissionsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the permissions resource + HrefObjectResourceSetLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource-set resource + HrefObjectRetrieveAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to retrieve Okta Aerial consent for your Org + HrefObjectRevokeAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to revoke Okta Aerial consent for your Org + HrefObjectRoleLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the role resource HrefObjectRulesLink: allOf: - $ref: '#/components/schemas/HrefObject' @@ -38350,25 +52982,103 @@ components: $ref: '#/components/schemas/IamRole' _links: $ref: '#/components/schemas/LinksNext' - IdentityProvider: + IdPCertificateCredential: + type: object + properties: + x5c: + $ref: '#/components/schemas/X5c' + required: + - x5c + IdPCsr: + description: Defines a CSR for a signature or decryption credential for an IdP type: object properties: created: + $ref: '#/components/schemas/Created' + csr: + description: Base64-encoded CSR in DER format type: string - format: date-time readOnly: true - nullable: true + example: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= id: + description: Unique identifier for the CSR type: string readOnly: true - issuerMode: - $ref: '#/components/schemas/IssuerMode' + example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + kty: + description: Cryptographic algorithm family for the CSR's keypair + type: string + example: RSA + _links: + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + publish: + description: Publish the CSR + allOf: + - $ref: '#/components/schemas/HrefObject' + IdPCsrPkcs10: + description: Base64URL-encoded CSR in DER format + format: base64 + type: string + IdPKeyCredential: + description: A [JSON Web Key](https://tools.ietf.org/html/rfc7517) for a signature or encryption credential for an IdP + additionalProperties: true + type: object + properties: + created: + $ref: '#/components/schemas/Created' + e: + description: The exponent value for the RSA public key + type: string + example: AQAB + expiresAt: + $ref: '#/components/schemas/ExpiresAt' + kid: + description: Unique identifier for the key + type: string + example: your-key-id + kty: + description: 'Identifies the cryptographic algorithm family used with the key (Supported value: `RSA`)' + type: string + example: RSA lastUpdated: + $ref: '#/components/schemas/LastUpdated' + 'n': + description: The modulus value for the RSA public key + type: string + example: '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + use: + description: 'Intended use of the public key (Supported value: `sig`)' + type: string + example: sig + x5c: + $ref: '#/components/schemas/X5c' + x5t#S256: + description: Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate + type: string + example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdentityProvider: + type: object + properties: + created: + $ref: '#/components/schemas/Created' + id: type: string - format: date-time readOnly: true + description: Unique key for the IdP + example: 0oaWma58liwx40w6boYD + issuerMode: + $ref: '#/components/schemas/IdentityProviderIssuerMode' + lastUpdated: + $ref: '#/components/schemas/LastUpdated' name: type: string + maxLength: 100 + description: Unique name for the IdP + example: Sample Identity Provider policy: $ref: '#/components/schemas/IdentityProviderPolicy' properties: @@ -38421,27 +53131,70 @@ components: type: object properties: created: - type: string + $ref: '#/components/schemas/Created' externalId: type: string + description: Unique IdP-specific identifier for the User + readOnly: true + maxLength: 512 + example: saml.jackson@example.com id: type: string + description: Unique key of the User readOnly: true lastUpdated: - type: string + $ref: '#/components/schemas/LastUpdated' profile: type: object + description: |- + IdP-specific profile for the User. + + Identity Provider User profiles are IdP-specific but may be customized by the Profile Editor in the Admin Console. + + > **Note:** Okta variable names have reserved characters that may conflict with the name of an IdP assertion attribute. You can use the **External name** to define the attribute name as defined in an IdP assertion such as a SAML attribute name. additionalProperties: type: object properties: {} + example: + lastName: Jackson + subjectNameQualifier: example.com + subjectSpNameQualifier: urn:federation:example + authnContextClassRef: null + subjectNameId: saml.jackson@example.com + subjectConfirmationAddress: null + displayName: Saml Jackson + mobilePhone: +1-415-555-5141 + email: saml.jackson@example.com + subjectNameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + firstName: Saml + subjectSpProvidedId: null + subjectConfirmationMethod: null _embedded: type: object + description: Embedded resources related to the IdP User additionalProperties: type: object properties: {} readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + - properties: + idp: + description: The IdP instance + example: + href: https://{yourOktaDomain}/api/v1/idps/0oa1k5d68qR2954hb0g4 + allOf: + - $ref: '#/components/schemas/HrefObject' + user: + description: The linked Okta User + example: + href: https://{yourOktaDomain}/api/v1/users/00ulwodIu7wCfdiVR0g3 + allOf: + - $ref: '#/components/schemas/HrefObject' IdentityProviderCredentials: type: object properties: @@ -38485,23 +53238,36 @@ components: - CRL - DELTA_CRL - OCSP + IdentityProviderIssuerMode: + description: Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP + default: DYNAMIC + type: string + enum: + - CUSTOM_URL + - DYNAMIC + - ORG_URL + x-enumDescriptions: + ORG_URL: In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (`https://${yourOktaDomain}`) as the domain in the `redirect_uri`. + CUSTOM_URL: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri`. You can set `issuerMode` to `CUSTOM_URL` only if you have a custom URL domain configured. + DYNAMIC: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri` if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain. IdentityProviderPolicy: + description: |- + Policy settings for the IdP. + The following provisioning and account linking actions are supported by each IdP provider: + | IdP type | User provisioning actions | Group provisioning actions | Account link actions | Account link filters | + | ----------------------------------------------------------------- | ------------------------- | ------------------------------------- | -------------------- | -------------------- | + | `SAML2` | `AUTO` or `DISABLED` | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | `AUTO`, `DISABLED` | `groups` | + | `X509` | `DISABLED` | No support for JIT provisioning | | | + | All social IdP types (any IdP type that isn't `SAML2` or `X509`) | `AUTO`, `DISABLED` | `NONE` or `ASSIGN` | `AUTO`, `DISABLED` | `groups` | allOf: - type: object properties: accountLink: $ref: '#/components/schemas/PolicyAccountLink' - mapAMRClaims: - type: boolean - description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>Enable mapping AMR from IdP to Okta to downstream apps - default: false - x-okta-lifecycle: - lifecycle: EA - isGenerallyAvailable: false - SKUs: - - Okta Identity Engine maxClockSkew: type: integer + description: Maximum allowable clock skew when processing messages from the IdP + example: 120000 provisioning: $ref: '#/components/schemas/Provisioning' subject: @@ -38523,45 +53289,113 @@ components: $ref: '#/components/schemas/IdentityProviderPolicyProvider' IdentityProviderProperties: nullable: true + description: The properties in the Identity Provider Properties object vary depending on the IdP type type: object properties: + aalValue: + type: string + nullable: true + description: |- + The [authentication assurance level](https://developers.login.gov/oidc/#aal-values) (AAL) value for the Login.gov IdP. + See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. additionalAmr: type: array + description: The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to `X509` IdP type. nullable: true items: type: string + enum: + - sc + - hwk + - pin + - mfa + x-enumDescriptions: + sc: Smart card + hwk: Hardware-secured key + pin: Personal identification number + mfa: Multifactor authentication + ialValue: + type: string + nullable: true + description: |- + The [type of identity verification](https://developers.login.gov/oidc/#ial-values) (IAL) value for the Login.gov IdP. + See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. IdentityProviderType: + description: |- + The Identity Provider object's `type` property identifies the social or enterprise Identity Provider used for authentication. + Each Identity Provider uses a specific protocol, therefore the `protocol` property must correspond with the IdP `type`. + If the protocol is OAuth 2.0-based, the Protocol object's `scopes` property must also correspond with the scopes supported by the IdP `type`. + For policy actions supported by each IdP type, see [IdP type policy actions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy&t=request). + + | Type | Description | Corresponding protocol | Corresponding protocol scopes | + | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -------------------------------------------------------------------- | + | `AMAZON` | [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/) as the Identity Provider | OpenID Connect | `profile`, `profile:user_id` | + | `APPLE` | [Apple](https://developer.apple.com/sign-in-with-apple/) as the Identity Provider | OpenID Connect | `names`, `email`, `openid` | + | `DISCORD` | [Discord](https://discord.com/login) as the Identity Provider | OAuth 2.0 | `identify`, `email` | + | `FACEBOOK` | [Facebook](https://developers.facebook.com) as the Identity Provider | OAuth 2.0 | `public_profile`, `email` | + | `GITHUB` | [GitHub](https://github.com/join) as the Identity Provider | OAuth 2.0 | `user` | + | `GITLAB` | [GitLab](https://gitlab.com/users/sign_in) as the Identity Provider | OpenID Connect | `openid`, `read_user`, `profile`, `email` | + | `GOOGLE` | [Google](https://accounts.google.com/signup) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `LINKEDIN` | [LinkedIn](https://developer.linkedin.com/) as the Identity Provider | OAuth 2.0 | `r_emailaddress`, `r_liteprofile` | + | `LOGINGOV` | [Login.gov](https://developers.login.gov/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` | + | `LOGINGOV_SANDBOX` | [Login.gov's identity sandbox](https://developers.login.gov/testing/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` | + | `MICROSOFT` | [Microsoft Enterprise SSO](https://azure.microsoft.com/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile`, `https://graph.microsoft.com/User.Read` | + | `OIDC` | IdP provider that supports [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) | OpenID Connect | `openid`, `email`, `profile` | + | `PAYPAL` | [Paypal](https://www.paypal.com/signin) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `PAYPAL_SANDBOX` | [Paypal Sandbox](https://developer.paypal.com/tools/sandbox/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `SALESFORCE` | [SalesForce](https://login.salesforce.com/) as the Identity Provider | OAuth 2.0 | `id`, `email`, `profile` | + | `SAML2` | Enterprise IdP provider that supports the [SAML 2.0 Web Browser SSO Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) | SAML 2.0 | | + | `SPOTIFY` | [Spotify](https://developer.spotify.com/) as the Identity Provider | OpenID Connect | `user-read-email`, `user-read-private` | + | `X509` | [Smart Card IdP](https://tools.ietf.org/html/rfc5280) | Mutual TLS | | + | `XERO` | [Xero](https://www.xero.com/us/signup/api/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | + | `YAHOO` | [Yahoo](https://login.yahoo.com/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | + | `YAHOOJP` | [Yahoo Japan](https://login.yahoo.co.jp/config/login) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | type: string enum: + - AMAZON - APPLE - - AgentlessDSSO + - DISCORD - FACEBOOK + - GITHUB + - GITLAB - GOOGLE - - IWA - LINKEDIN + - LOGINGOV + - LOGINGOV_SANDBOX - MICROSOFT - OIDC - - OKTA + - PAYPAL + - PAYPAL_SANDBOX + - SALESFORCE - SAML2 + - SPOTIFY - X509 + - XERO + - YAHOO + - YAHOOJP IdentitySourceSession: type: object properties: created: type: string + description: The timestamp when the Identity Source Session was created format: date-time readOnly: true id: type: string + description: The ID of the Identity Source Session readOnly: true identitySourceId: type: string + description: The ID of the custom Identity Source for which the session is created readOnly: true importType: type: string + description: The type of import. All imports are `INCREMENTAL` imports. readOnly: true lastUpdated: type: string + description: The timestamp when the Identity Source Session was created format: date-time readOnly: true status: @@ -38576,46 +53410,61 @@ components: - EXPIRED - IN_PROGRESS - TRIGGERED + x-enumDescriptions: + CREATED: This is a new Identity Source Session that hasn't been processed. You can upload bulk data in this stage. + IN_PROGRESS: The bulk data is being uploaded to Okta. + TRIGGERED: Okta is processing the import data in this session. You can't load bulk data in this stage. + COMPLETED: The bulk data was processed and imported into Okta. + CLOSED: The Identity Source Session was canceled and isn't available for further activity. + EXPIRED: This Identity Source Session had the `CREATED` status and timed-out after 24 hours of inactivity. + ERROR: The processing of import data in the session encountered an error. You need to open a new session to upload the data again. IdentitySourceUserProfileForDelete: type: object properties: externalId: type: string + description: The external ID of the entity that needs to be deleted in Okta maxLength: 512 IdentitySourceUserProfileForUpsert: - additionalProperties: {} type: object properties: email: type: string format: email + description: Email address of the user minLength: 5 maxLength: 100 firstName: type: string + description: First name of the user minLength: 1 maxLength: 50 nullable: true homeAddress: type: string + description: Home address of the user maxLength: 4096 nullable: true lastName: type: string + description: Last name of the user minLength: 1 maxLength: 50 nullable: true mobilePhone: type: string + description: Mobile phone number of the user maxLength: 100 nullable: true secondEmail: type: string + description: Alternative email address of the user format: email minLength: 5 maxLength: 100 userName: type: string + description: Username of the user maxLength: 100 IdpDiscoveryPolicy: allOf: @@ -38623,7 +53472,9 @@ components: - type: object properties: conditions: - type: object + type: string + description: Policy conditions aren't supported for this policy type. + default: null nullable: true IdpDiscoveryPolicyRule: allOf: @@ -38687,6 +53538,7 @@ components: type: $ref: '#/components/schemas/IdentityProviderType' IdpSelectionType: + description: Determines whether the rule should use expression language or a specific IdP type: string enum: - DYNAMIC @@ -38915,28 +53767,25 @@ components: type: object x-okta-extensible: true InlineHookRequestObject: + description: The API request that triggered the inline hook type: object properties: - request: + id: + type: string + description: The unique identifier that Okta assigned to the API request + ipAddress: + type: string + description: The IP address of the client that made the API request + method: + type: string + description: The HTTP request method of the API request + url: type: object - description: The API request that triggered the inline hook + description: The URL of the API endpoint properties: - id: - type: string - description: The unique identifier that Okta assigned to the API request - method: - type: string - description: The HTTP request method of the API request - url: - type: object - description: The URL of the API endpoint - properties: - value: - type: string - description: The URL value of the API endpoint - ipAddress: + value: type: string - description: The IP address of the client that made the API request + description: The URL value of the API endpoint InlineHookResponse: type: object properties: @@ -38997,9 +53846,6 @@ components: JsonWebKey: type: object properties: - alg: - description: 'The algorithm used with the Key. Valid value: `RS256`' - type: string created: $ref: '#/components/schemas/createdProperty' e: @@ -39011,11 +53857,6 @@ components: type: string format: date-time readOnly: true - key_ops: - description: Identifies the operation(s) for which the key is intended to be used - type: array - items: - type: string kid: description: Unique identifier for the certificate type: string @@ -39031,12 +53872,6 @@ components: 'n': description: RSA modulus value that is used by both the public and private keys and provides a link between them type: string - status: - description: |- - An `ACTIVE` Key is used to sign tokens issued by the authorization server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`<br> - A `NEXT` Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The `NEXT` Key might not be listed if it hasn't been generated yet. - An `EXPIRED` Key is the previous Key that the authorization server used to sign tokens. The `EXPIRED` Key might not be listed if no Key has expired or the expired Key was deleted. - type: string use: description: 'Acceptable use of the certificate. Valid value: `sig`' type: string @@ -39047,34 +53882,51 @@ components: items: type: string readOnly: true - x5t: - description: X.509 certificate SHA-1 thumbprint, which is the base64url-encoded SHA-1 thumbprint (digest) of the DER encoding of an X.509 certificate - type: string - readOnly: true x5t#S256: description: X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate type: string readOnly: true - x5u: - description: A URI that refers to a resource for the X.509 public key certificate or certificate chain corresponding to the key used to digitally sign the JWS (JSON Web Signature) - type: string - readOnly: true - _links: - $ref: '#/components/schemas/LinksSelf' JwkUse: type: object properties: use: $ref: '#/components/schemas/JwkUseType' JwkUseType: + description: Purpose of the certificate. The only supported value is `sig`. type: string enum: - sig + KeepCurrent: + type: object + properties: + keepCurrent: + description: Skip deleting the user's current session when set to `true` + type: boolean + default: true + KeepMeSignedIn: + type: object + properties: + postAuth: + description: Whether the post-authentication Keep Me Signed In flow is allowed + type: string + enum: + - ALLOWED + - NOT_ALLOWED + postAuthPromptFrequency: + description: If allowed, how often to display the post-authentication Keep Me Signed In prompt + default: P30D + $ref: '#/components/schemas/TimeDuration' KeyRequest: type: object properties: name: + description: Display name for the key type: string + uniqueItems: true + readOnly: false + minLength: 1 + maxLength: 255 + nullable: false KeyTrustLevelBrowserKey: description: Represents the attestation strength used by the Chrome Verified Access API example: CHROME_BROWSER_HW_KEY @@ -39101,8 +53953,14 @@ components: Language: description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646) type: string + LastUpdated: + format: date-time + description: Timestamp when the object was last updated + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true LifecycleCreateSettingObject: - description: Determines whether to update a user in the application when a user in Okta is updated + description: Determines whether to update a user in the app when a user in Okta is updated type: object properties: status: @@ -39161,7 +54019,7 @@ components: description: Description of the `primary` or the `associated` relationship name: type: string - description: API name of the `primary` or the `associated` link + description: 'API name of the `primary` or the `associated` link. The `name` parameter can''t start with a number and can only contain the following characters: `a-z`, `A-Z`,` 0-9`, and `_`.' title: type: string description: Display name of the `primary` or the `associated` link @@ -39189,9 +54047,22 @@ components: properties: activate: allOf: - - description: Activates an enrolled Factor. See [Activate a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor) + - description: Activates an enrolled Factor. See [Activate a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor). - $ref: '#/components/schemas/HrefObject' readOnly: true + LinksAerialConsentGranted: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + revoke: + $ref: '#/components/schemas/HrefObjectRevokeAerialConsent' + LinksAerialConsentRevoked: + allOf: + - type: object + properties: + grant: + $ref: '#/components/schemas/HrefObjectGrantAerialConsent' LinksAppAndUser: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the Application User. type: object @@ -39203,20 +54074,40 @@ components: user: $ref: '#/components/schemas/HrefObjectUserLink' readOnly: true + LinksAssignee: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' LinksCancel: type: object properties: cancel: allOf: - - description: Cancels a `push` factor challenge with a `WAITING` status. + - description: Cancels a `push` factor challenge with a `WAITING` status - $ref: '#/components/schemas/HrefObject' readOnly: true + LinksCustomRoleResponse: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + member: + $ref: '#/components/schemas/HrefObjectMemberLink' + permissions: + $ref: '#/components/schemas/HrefObjectPermissionsLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + role: + $ref: '#/components/schemas/HrefObjectRoleLink' LinksDeactivate: type: object properties: deactivate: allOf: - - description: Deactivates the Factor. See [Unenroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor) + - description: Deactivates the Factor. See [Unenroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor). - $ref: '#/components/schemas/HrefObject' readOnly: true LinksEnroll: @@ -39224,7 +54115,7 @@ components: properties: enroll: allOf: - - description: Enrolls a supported Factor. See [Enroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor) + - description: Enrolls a supported Factor. See [Enroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor). - $ref: '#/components/schemas/HrefObject' readOnly: true LinksFactor: @@ -39235,6 +54126,22 @@ components: - description: Link to the Factor resource - $ref: '#/components/schemas/HrefObject' readOnly: true + LinksGovernanceResources: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the resources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + resources: + $ref: '#/components/schemas/HrefObjectGovernanceResourcesLink' + readOnly: true + LinksGovernanceSources: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the sources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectUserLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true LinksNext: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. Use the `LinksNext` object for dynamic discovery of related resources and lifecycle operations. type: object @@ -39242,6 +54149,15 @@ components: next: $ref: '#/components/schemas/HrefObject' readOnly: true + LinksNextForRoleAssignments: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The next page of results if [pagination](#pagination) is required + readOnly: true LinksPoll: type: object properties: @@ -39263,7 +54179,7 @@ components: properties: question: allOf: - - description: Lists all supported security questions. See [List all Supported Security Questions](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions) + - description: Lists all supported security questions. See [List all Supported Security Questions](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions). - $ref: '#/components/schemas/HrefObject' readOnly: true LinksResend: @@ -39271,11 +54187,11 @@ components: properties: resend: allOf: - - description: Resends the factor enrollment challenge. See [Resend a Factor enrollment](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor) + - description: Resends the factor enrollment challenge. See [Resend a Factor enrollment](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor). - $ref: '#/components/schemas/HrefObject' readOnly: true LinksSelf: - description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. type: object properties: self: @@ -39309,7 +54225,13 @@ components: - type: object properties: roles: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/HrefObjectRoleLink' + LinksSelfForRoleAssignment: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' LinksSelfLifecycleAndAuthorize: allOf: - $ref: '#/components/schemas/LinksSelfAndLifecycle' @@ -39333,12 +54255,17 @@ components: - description: Returns information on the specified user - $ref: '#/components/schemas/HrefObject' readOnly: true + LinksUserRef: + type: object + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' LinksVerify: type: object properties: verify: allOf: - - description: Verifies the Factor resource. See [Verify a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor) + - description: Verifies the Factor resource. See [Verify a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor). - $ref: '#/components/schemas/HrefObject' readOnly: true ListProfileMappings: @@ -39377,32 +54304,55 @@ components: - LAT_LONG - SUBDIVISION LogActor: + description: Describes the user, app, client, or other entity (actor) who performs an action on a target. The actor is dependent on the action that is performed. All events have actors. type: object properties: alternateId: + description: Alternative ID of the actor type: string readOnly: true detailEntry: + description: Further details about the actor type: object - additionalProperties: - type: object - properties: {} + additionalProperties: true readOnly: true displayName: + description: Display name of the actor type: string readOnly: true id: + description: ID of the actor type: string readOnly: true type: + description: Type of actor type: string readOnly: true LogAuthenticationContext: + description: |- + All authentication relies on validating one or more credentials that prove the authenticity of the actor's identity. Credentials are sometimes provided by the actor, as is the case with passwords, and at other times provided by a third party, and validated by the authentication provider. + + The authenticationContext contains metadata about how the actor is authenticated. For example, an authenticationContext for an event, where a user authenticates with Integrated Windows Authentication (IWA), looks like the following: + ``` + { + "authenticationProvider": "ACTIVE_DIRECTORY", + "authenticationStep": 0, + "credentialProvider": null, + "credentialType": "IWA", + "externalSessionId": "102N1EKyPFERROGvK9wizMAPQ", + "interface": null, + "issuer": null + } + ``` + In this case, the user enters an IWA credential to authenticate against an Active Directory instance. All of the user's future-generated events in this sign-in session are going to share the same `externalSessionId`. + + Among other operations, this response object can be used to scan for suspicious sign-in activity or perform analytics on user authentication habits (for example, how often authentication scheme X is used versus authentication scheme Y). type: object properties: authenticationProvider: $ref: '#/components/schemas/LogAuthenticationProvider' authenticationStep: + description: The zero-based step number in the authentication pipeline. Currently unused and always set to `0`. type: integer readOnly: true credentialProvider: @@ -39410,14 +54360,17 @@ components: credentialType: $ref: '#/components/schemas/LogCredentialType' externalSessionId: + description: A proxy for the actor's [session ID](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) type: string readOnly: true interface: + description: The third-party user interface that the actor authenticates through, if any. type: string readOnly: true issuer: $ref: '#/components/schemas/LogIssuer' LogAuthenticationProvider: + description: The system that proves the identity of an actor using the credentials provided to it type: string enum: - ACTIVE_DIRECTORY @@ -39427,25 +54380,31 @@ components: - OKTA_AUTHENTICATION_PROVIDER - SOCIAL LogClient: + description: When an event is triggered by an HTTP request, the `client` object describes the [client](https://datatracker.ietf.org/doc/html/rfc2616) that issues the HTTP request. For instance, the web browser is the client when a user accesses Okta. When this request is received and processed, a sign-in event is fired. When the event isn't sourced to an HTTP request, such as an automatic update, the `client` object field is blank. type: object properties: device: + description: Type of device that the client operates from (for example, computer) type: string readOnly: true geographicalContext: $ref: '#/components/schemas/LogGeographicalContext' id: + description: For OAuth requests, this is the ID of the OAuth [client](https://datatracker.ietf.org/doc/html/rfc6749#section-1.1) making the request. For SSWS token requests, this is the ID of the agent making the request. type: string readOnly: true ipAddress: + description: IP address that the client is making its request from type: string readOnly: true userAgent: $ref: '#/components/schemas/LogUserAgent' zone: + description: The `name` of the [Zone](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/NetworkZone/#tag/NetworkZone/operation/getNetworkZone) that the client's location is mapped to type: string readOnly: true LogCredentialProvider: + description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs through credentials provided by a credential provider, the credential provider is recorded here. type: string enum: - DUO @@ -39456,25 +54415,98 @@ components: - SYMANTEC - YUBIKEY LogCredentialType: + description: The underlying technology/scheme used in the credential type: string enum: - ASSERTION + - CERTIFICATE + - DEVICE_UDID - EMAIL - IWA - JWT - OAuth 2.0 + - OKTA_CLIENT_SESSION - OTP - PASSWORD + - PRE_SHARED_SYMMETRIC_KEY - SMS LogDebugContext: + description: |- + For some kinds of events (for example, OLM provisioning, sign-in request, second factor SMS, and so on), the fields that are provided in other response objects aren't sufficient to adequately describe the operations that the event has performed. In such cases, the `debugContext` object provides a way to store additional information. + + For example, an event where a second factor SMS token is sent to a user may have a `debugContext` that looks like the following: + ``` + { + "debugData": { + "requestUri": "/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify", + "smsProvider": "TELESIGN", + "transactionId": "268632458E3C100F5F5F594C6DC689D4" + } + } + ``` + By inspecting the debugData field, you can find the URI that is used to trigger the second factor SMS (`/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify`), the SMS provider (`TELESIGN`), and the ID used by Telesign to identify this transaction (`268632458E3C100F5F5F594C6DC689D4`). + + If for some reason the information that is needed to implement a feature isn't provided in other response objects, you should scan the `debugContext.debugData` field for potentially useful fields. + > **Important:** The information contained in `debugContext.debugData` is intended to add context when troubleshooting customer platform issues. Both key names and values may change from release to release and aren't guaranteed to be stable. Therefore, they shouldn't be viewed as a data contract but as a debugging aid instead. type: object properties: debugData: type: object - additionalProperties: - type: object - properties: {} + description: A dynamic field that contains miscellaneous information that is dependent on the event type. + additionalProperties: true + readOnly: true + LogDevice: + description: The entity that describes a device enrolled with passwordless authentication using Okta Verify. + example: + LogDeviceObject: + $ref: '#/components/examples/LogDeviceObject' + type: object + properties: + device_integrator: + description: The integration platform or software used with the device + type: object + readOnly: true + disk_encryption_type: + $ref: '#/components/schemas/LogDiskEncryptionType' + id: + description: ID of the device + type: string + readOnly: true + jailbreak: + description: If the device has removed software restrictions + type: boolean + readOnly: true + managed: + description: Indicates if the device is configured for device management and is registered with Okta + type: boolean + readOnly: true + name: + type: string + readOnly: true + os_platform: + type: string + readOnly: true + os_version: + type: string readOnly: true + registered: + description: Indicates if the device is registered with an Okta org and is bound to an Okta Verify instance on the device + type: boolean + readOnly: true + screen_lock_type: + $ref: '#/components/schemas/LogScreenLockType' + secure_hardware_present: + description: The availability of hardware security on the device + type: boolean + readOnly: true + LogDiskEncryptionType: + type: string + enum: + - ALL_INTERNAL_VALUES + - FULL + - NONE + - SYSTEM_VOLUME + - USER LogEvent: type: object properties: @@ -39487,17 +54519,21 @@ components: debugContext: $ref: '#/components/schemas/LogDebugContext' displayMessage: + description: The display message for an event type: string readOnly: true eventType: + description: Type of event that is published type: string readOnly: true legacyEventType: + description: Associated Events API Action `objectType` attribute value type: string readOnly: true outcome: $ref: '#/components/schemas/LogOutcome' published: + description: Timestamp when the event is published type: string format: date-time readOnly: true @@ -39515,36 +54551,46 @@ components: transaction: $ref: '#/components/schemas/LogTransaction' uuid: + description: Unique identifier for an individual event type: string readOnly: true version: + description: Versioning indicator type: string readOnly: true LogGeographicalContext: + description: Geographical context describes a set of geographic coordinates. In addition to containing latitude and longitude data, the `GeographicalContext` object also contains address data of postal code-level granularity. Within the `Client` object, the geographical context refers to the physical location of the client when it sends the request that triggers this event. All `Transaction` events with `type` equal to `WEB` have a geographical context set. `Transaction` events with `type` equal to `JOB` don't have a geographical context set. The geographical context data can be missing if the geographical data for a request can't be resolved. type: object properties: city: + description: The city that encompasses the area that contains the geolocation coordinates, if available (for example, Seattle, San Francisco) type: string readOnly: true country: + description: Full name of the country that encompasses the area that contains the geolocation coordinates (for example, France, Uganda) type: string readOnly: true geolocation: $ref: '#/components/schemas/LogGeolocation' postalCode: + description: Postal code of the area that encompasses the geolocation coordinates type: string readOnly: true state: + description: Full name of the state or province that encompasses the area that contains the geolocation coordinates (for example, Montana, Ontario) type: string readOnly: true LogGeolocation: + description: The latitude and longitude of the geolocation where an action was performed. The object is formatted according to the [ISO-6709](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en) standard. type: object properties: lat: + description: Latitude which uses two digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Latitude) type: number format: double readOnly: true lon: + description: Longitude which uses three digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Longitude) type: number format: double readOnly: true @@ -39554,59 +54600,92 @@ components: geographicalContext: $ref: '#/components/schemas/LogGeographicalContext' ip: + description: IP address type: string readOnly: true source: + description: Details regarding the source type: string readOnly: true version: + description: IP address version type: string readOnly: true LogIssuer: + description: Describes the issuer of the authorization server when the authentication is performed through OAuth. This is the location where well-known resources regarding the details of the authorization servers are published. type: object properties: id: + description: Varies depending on the type of authentication. If authentication is SAML 2.0, `id` is the issuer in the SAML assertion. For social login, `id` is the issuer of the token. type: string readOnly: true type: + description: Information on the `issuer` and source of the SAML assertion or token type: string readOnly: true LogOutcome: type: object properties: reason: + description: Reason for the result, for example, `INVALID_CREDENTIALS` type: string readOnly: true + minLength: 1 + maxLength: 255 result: + description: Result of the action type: string readOnly: true + enum: + - SUCCESS + - FAILURE + - SKIPPED + - ALLOW + - DENY + - CHALLENGE + - UNKNOWN LogRequest: + description: The `Request` object describes details that are related to the HTTP request that triggers this event, if available. When the event isn't sourced to an HTTP request, such as an automatic update on the Okta servers, the `Request` object still exists, but the `ipChain` field is empty. type: object properties: ipChain: + description: If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format of clientIp, proxy1, proxy2, and so on. This field is useful when working with trusted proxies. type: array readOnly: true items: $ref: '#/components/schemas/LogIpAddress' + LogScreenLockType: + type: string + enum: + - BIOMETRIC + - NONE + - PASSCODE LogSecurityContext: + description: The `securityContext` object provides security information that is directly related to the evaluation of the event's IP reputation. IP reputation is a trustworthiness rating that evaluates how likely a sender is to be malicious and is based on the sender's IP address. As the name implies, the `securityContext` object is useful for security applications-flagging and inspecting suspicious events. type: object properties: asNumber: + description: The [Autonomous system](https://docs.telemetry.mozilla.org/datasets/other/asn_aggregates/reference) number that's associated with the autonomous system the event request was sourced to type: integer readOnly: true asOrg: + description: The organization that is associated with the autonomous system that the event request is sourced to type: string readOnly: true domain: + description: The domain name that's associated with the IP address of the inbound event request type: string readOnly: true isp: + description: The Internet service provider that's used to send the event's request type: string readOnly: true isProxy: + description: Specifies whether an event's request is from a known proxy type: boolean readOnly: true LogSeverity: + description: Indicates how severe the event is type: string enum: - DEBUG @@ -39739,31 +54818,48 @@ components: $schema: type: string readOnly: true - created: - type: string - readOnly: true + description: JSON Schema version identifier errorMessage: type: object + description: A collection of error messages for individual properties in the schema. Okta implements a subset of [ajv-errors](https://github.com/ajv-validator/ajv-errors). id: type: string readOnly: true - lastUpdated: - type: string - readOnly: true - name: + description: URI of Log Stream Schema + oneOf: + items: + $ref: '#/components/schemas/UserSchemaAttributeEnum' + type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + pattern: type: string - readOnly: true + description: For `string` Log Stream Schema property type, specifies the regular expression used to validate the property properties: type: object + description: Log Stream Schema properties object required: type: array items: type: string + description: Required properties for this Log Stream Schema object title: type: string + description: Name of the Log Streaming integration type: type: string readOnly: true + description: Type of Log Stream Schema property _links: $ref: '#/components/schemas/LinksSelf' LogStreamSelfLink: @@ -39850,30 +54946,27 @@ components: readOnly: true changeDetails: type: object + example: + LogTargetChangeDetails: + $ref: '#/components/examples/LogTargetChangeDetails' description: |- Details on the target's changes. Not all event types support the `changeDetails` property, and not all - target objects contain the `changeDetails` property.You must include a property within the object. When - querying on this property, you can't search on the `to` or `from` objects alone. You must include a - property within the object. + `target` objects contain the `changeDetails` property. You must include a property within the object. + + > **Note:** When querying the `changeDetails` property, you can't search on the `to` or `from` objects alone. You must include a property within the object. properties: from: type: object description: The original properties of the target - additionalProperties: - type: object - properties: {} + additionalProperties: true to: type: object description: The updated properties of the target - additionalProperties: - type: object - properties: {} + additionalProperties: true detailEntry: type: object description: Further details on the target - additionalProperties: - type: object - properties: {} + additionalProperties: true readOnly: true displayName: type: string @@ -39888,30 +54981,62 @@ components: description: The type of target readOnly: true LogTransaction: + description: |- + A `transaction` object comprises contextual information associated with its respective event. + This information is useful for understanding sequences of correlated events. + For example, a `transaction` object such as the following: + ``` + { + "id": "Wn4f-0RQ8D8lTSLkAmkKdQAADqo", + "type": "WEB", + "detail": null + } + ``` + indicates that a `WEB` request with `id` `Wn4f-0RQ8D8lTSLkAmkKdQAADqo` has created this event. + + A `transaction` object with a `requestApiTokenId` in the `detail` object, for example : + ``` + { + "id": "YjSlblAAqnKY7CdyCkXNBgAAAIU", + "type": "WEB", + "detail": { + "requestApiTokenId": "00T94e3cn9kSEO3c51s5" + } + } + ``` + indicates that this event was the result of an action performed through an API using the token identified by 00T94e3cn9kSEO3c51s5. The token ID is visible in the Admin Console, **Security** > **API**. See [API token management](https://help.okta.com/okta_help.htm?id=Security_API). For more information on API tokens, see [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/). type: object properties: detail: + description: Details for this transaction. type: object - additionalProperties: - type: object - properties: {} + additionalProperties: true readOnly: true id: + description: Unique identifier for this transaction. type: string readOnly: true type: + description: Describes the kind of transaction. `WEB` indicates a web request. `JOB` indicates an asynchronous task. type: string readOnly: true LogUserAgent: + description: | + "A user agent is software (a software agent) that is acting on behalf of a user." ([Definition of User Agent](https://developer.mozilla.org/en-US/docs/Glossary/User_agent)) + + In the Okta event data object, the `UserAgent` object provides specifications about the client software that makes event-triggering HTTP requests. User agent identification is often useful for identifying interoperability problems between servers and clients, and also for browser and operating system usage analytics. type: object properties: browser: + description: If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX) type: string readOnly: true os: + description: The operating system that the client runs on (for example, Windows 10) type: string readOnly: true rawUserAgent: + description: A raw string representation of the user agent that is formatted according to [section 5.5.3 of HTTP/1.1 Semantics and Content](https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.3). Both the `browser` and the `OS` fields can be derived from this field. type: string readOnly: true MDMEnrollmentPolicyEnrollment: @@ -39926,76 +55051,58 @@ components: type: boolean enrollment: $ref: '#/components/schemas/MDMEnrollmentPolicyEnrollment' - MultifactorEnrollmentPolicy: + MetadataLink: allOf: - - $ref: '#/components/schemas/Policy' - - type: object - properties: - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - settings: - $ref: '#/components/schemas/MultifactorEnrollmentPolicySettings' - MultifactorEnrollmentPolicyAuthenticatorSettings: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [SAML metadata](/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) for SSO + MtlsCredentials: + description: Certificate chain description for verifying assertions from the Smart Card type: object properties: - constraints: - nullable: true - minimum: 0 - type: object - properties: - aaguidGroups: - type: array - items: - type: string - uniqueItems: true - x-okta-lifecycle: - lifecycle: GA - isGenerallyAvailable: false - SKUs: [] - enroll: - type: object - properties: - self: - $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorStatus' - key: - $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorType' - MultifactorEnrollmentPolicyAuthenticatorStatus: - type: string - enum: - - NOT_ALLOWED - - OPTIONAL - - REQUIRED - MultifactorEnrollmentPolicyAuthenticatorType: - type: string - enum: - - custom_app - - custom_otp - - duo - - external_idp - - google_otp - - okta_email - - okta_password - - okta_verify - - onprem_mfa - - phone_number - - rsa_token - - security_question - - symantec_vip - - webauthn - - yubikey_token - MultifactorEnrollmentPolicySettings: + trust: + $ref: '#/components/schemas/MtlsTrustCredentials' + MtlsEndpoints: type: object properties: - authenticators: - items: - $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorSettings' - type: array - type: - $ref: '#/components/schemas/MultifactorEnrollmentPolicySettingsType' - MultifactorEnrollmentPolicySettingsType: + sso: + $ref: '#/components/schemas/MtlsSsoEndpoint' + MtlsSsoEndpoint: + description: The Single Sign-On (SSO) endpoint is the IdP's `SingleSignOnService` endpoint + type: object + properties: + url: + type: string + maxLength: 1014 + example: https://{yourOktaDomain}.okta.com/login/cert + MtlsTrustCredentials: + type: object + properties: + audience: + type: string + description: Not used + example: null + issuer: + type: string + description: Description of the certificate issuer + maxLength: 1024 + example: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + revocation: + $ref: '#/components/schemas/MtlsTrustCredentialsRevocation' + revocationCacheLifetime: + type: number + description: Time in minutes to cache the certificate revocation information + maximum: 4320 + example: 2880 + MtlsTrustCredentialsRevocation: + description: Mechanism to validate the certificate + example: CRL type: string enum: - - AUTHENTICATORS + - CRL + - DELTA_CRL + - OCSP NetworkZone: type: object properties: @@ -40030,7 +55137,7 @@ components: The Okta org provides the following default system Network Zones: * `LegacyIpZone` * `BlockedIpZone` - * <x-lifecycle class="ea"></x-lifecycle> `DefaultEnhancedDynamicZone` + * `DefaultEnhancedDynamicZone` Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries. type: @@ -40150,6 +55257,7 @@ components: type: string description: User ID readOnly: true + example: 00u5t60iloOHN9pBi0h7 type: type: string description: Type of user @@ -40229,22 +55337,201 @@ components: type: object properties: client_id: - description: Unique key for the client application. The `client_id` is immutable + description: Unique key for the client application. The `client_id` is immutable. type: string readOnly: true + example: 0oabskvc6442nkvQO0h7 client_name: description: Human-readable string name of the client application type: string readOnly: true + example: My App client_uri: type: string readOnly: true + example: https://www.example.com logo_uri: description: URL string that references a logo for the client consent dialog (not the sign-in dialog) type: string readOnly: true + example: https://www.example.com/logo.png _links: - $ref: '#/components/schemas/LinksSelf' + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + grants: + description: Link to the grant resources + allOf: + - $ref: '#/components/schemas/GrantResourcesHrefObject' + tokens: + description: Link to the token resources + allOf: + - $ref: '#/components/schemas/TokenResourcesHrefObject' + OAuth2ClientJsonWebKey: + type: object + properties: + alg: + type: string + description: Algorithm used in the key + example: RS256 + nullable: false + created: + type: string + description: Timestamp when the OAuth Client 2.0 JSON Web Key was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + id: + type: string + description: The unique ID of the OAuth Client JSON Web Key + example: pks2f4zrZbs8nUa7p0g4 + readOnly: true + nullable: false + kid: + type: string + description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + lastUpdated: + type: string + description: Timestamp when the OAuth Client 2.0 JSON Web Key was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + 'n': + type: string + description: RSA key value (modulus) for key binding + example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client JSON Web Key + example: ACTIVE + nullable: false + default: ACTIVE + use: + type: string + description: Acceptable use of the JSON Web Key + example: sig + nullable: false + _links: + $ref: '#/components/schemas/OAuthClientSecretLinks' + readOnly: true + nullable: false + OAuth2ClientJsonWebKeyRequestBody: + type: object + properties: + alg: + type: string + description: Algorithm used in the key + example: RS256 + nullable: false + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + kid: + type: string + description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + 'n': + type: string + description: RSA key value (modulus) for key binding + example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client JSON Web Key + example: ACTIVE + use: + type: string + description: Acceptable use of the JSON Web Key + example: sig + nullable: false + OAuth2ClientSecret: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string + example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + readOnly: true + nullable: false + created: + type: string + description: Timestamp when the OAuth Client 2.0 Secret was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + id: + type: string + description: The unique ID of the OAuth Client Secret + example: ocs2f4zrZbs8nUa7p0g4 + readOnly: true + nullable: false + lastUpdated: + type: string + description: Timestamp when the OAuth Client 2.0 Secret was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + secret_hash: + type: string + description: OAuth 2.0 client secret string hash + example: yk4SVx4sUWVJVbHt6M-UPA + readOnly: true + nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client Secret + example: ACTIVE + nullable: false + default: ACTIVE + _links: + $ref: '#/components/schemas/OAuthClientSecretLinks' + readOnly: true + nullable: false + OAuth2ClientSecretRequestBody: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string + example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client Secret + example: ACTIVE OAuth2RefreshToken: type: object properties: @@ -40262,9 +55549,11 @@ components: type: string description: ID of the Token object readOnly: true + example: oar579Mcp7OUsNTlo0g3 issuer: type: string description: The complete URL of the authorization server that issued the Token + example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 lastUpdated: $ref: '#/components/schemas/lastUpdatedProperty' scopes: @@ -40272,11 +55561,13 @@ components: description: The scope names attached to the Token items: type: string + example: offline_access status: $ref: '#/components/schemas/GrantOrTokenStatus' userId: type: string description: The ID of the user associated with the Token + example: 00u5t60iloOHN9pBi0h7 _embedded: type: object description: The embedded resources related to the object if the `expand` query parameter is specified @@ -40295,11 +55586,11 @@ components: app: description: Link to the app resource allOf: - - $ref: '#/components/schemas/AppCustomHrefObject' + - $ref: '#/components/schemas/AppResourceHrefObject' revoke: description: Link to revoke the refresh Token allOf: - - $ref: '#/components/schemas/AppCustomHrefObject' + - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject' - properties: hints: properties: @@ -40311,21 +55602,22 @@ components: client: description: Link to the client resource allOf: - - $ref: '#/components/schemas/AppCustomHrefObject' + - $ref: '#/components/schemas/AppResourceHrefObject' user: description: Link to the user resource allOf: - - $ref: '#/components/schemas/AppCustomHrefObject' + - $ref: '#/components/schemas/UserResourceHrefObject' authorizationServer: description: Link to the Token authorization server resource allOf: - - $ref: '#/components/schemas/AppCustomHrefObject' + - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject' OAuth2RefreshTokenScope: type: object properties: description: type: string description: Description of the Scope + example: Requests a refresh token by default, used to obtain more access tokens without re-prompting the user for authentication displayName: type: string description: Name of the end user displayed in a consent dialog @@ -40333,9 +55625,11 @@ components: type: string description: Scope object ID readOnly: true + example: scppb56cIl4GvGxy70g3 name: type: string description: Scope name + example: offline_access _links: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. type: object @@ -40343,7 +55637,7 @@ components: scope: description: Link to Scope resource allOf: - - $ref: '#/components/schemas/AppCustomHrefObject' + - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject' OAuth2Scope: type: object properties: @@ -40352,6 +55646,7 @@ components: default: type: boolean description: Indicates if this Scope is a default scope + default: false description: type: string description: Description of the Scope @@ -40369,9 +55664,16 @@ components: description: Scope name optional: type: boolean + description: Indicates whether the Scope is optional. When set to `true`, the user can skip consent for the scope. + default: false system: type: boolean description: Indicates if Okta created the Scope + default: false + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - name OAuth2ScopeConsentGrant: description: Grant object that represents an app consent scope grant type: object @@ -40380,6 +55682,7 @@ components: type: string description: Client ID of the app integration readOnly: true + example: oag3ih1zrm1cBFOiq0h6 created: $ref: '#/components/schemas/createdProperty' createdBy: @@ -40388,6 +55691,7 @@ components: type: string description: ID of the Grant object readOnly: true + example: oag3ih1zrm1cBFOiq0h6 issuer: type: string description: The issuer of your org authorization server. This is typically your Okta domain. @@ -40406,6 +55710,7 @@ components: type: string description: User ID that granted consent (if `source` is `END_USER`) readOnly: true + example: 00u5t60iloOHN9pBi0h7 _embedded: type: object description: Embedded resources related to the Grant @@ -40426,11 +55731,23 @@ components: app: description: Link to the app resource allOf: - - $ref: '#/components/schemas/AppCustomHrefObject' + - $ref: '#/components/schemas/AppResourceHrefObject' client: description: Link to the client resource allOf: - - $ref: '#/components/schemas/AppCustomHrefObject' + - $ref: '#/components/schemas/AppResourceHrefObject' + scope: + description: Link to the scope resource + allOf: + - $ref: '#/components/schemas/ScopeResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the authorization server resource + allOf: + - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject' - readOnly: true required: - issuer @@ -40448,7 +55765,6 @@ components: default: IMPLICIT type: string enum: - - ADMIN - FLEXIBLE - IMPLICIT - REQUIRED @@ -40516,7 +55832,61 @@ components: properties: oauthClient: $ref: '#/components/schemas/ApplicationCredentialsOAuthClient' + OAuthAuthorizationEndpoint: + description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) authorization endpoint + example: https://idp.example.com/authorize + OAuthClientSecretLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + delete: + $ref: '#/components/schemas/HrefObjectDeleteLink' + readOnly: true + OAuthCredentials: + description: Client authentication credentials for an [OAuth 2.0 Authorization Server](https://tools.ietf.org/html/rfc6749#section-2.3) + type: object + properties: + client: + $ref: '#/components/schemas/OAuthCredentialsClient' + signing: + $ref: '#/components/schemas/AppleClientSigning' + OAuthCredentialsClient: + description: |- + OAuth 2.0 and OpenID Connect Client object + > **Note:** You must complete client registration with the IdP Authorization Server for your Okta IdP instance to obtain client credentials. + type: object + properties: + client_id: + type: string + description: The [Unique identifier](https://tools.ietf.org/html/rfc6749#section-2.2) issued by the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-id + client_secret: + type: string + description: The [Client secret](https://tools.ietf.org/html/rfc6749#section-2.3.1) issued by the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-secret + pkce_required: + type: boolean + description: Require Proof Key for Code Exchange (PKCE) for additional verification + token_endpoint_auth_method: + type: string + description: Client authentication methods supported by the token endpoint + enum: + - private_key_jwt OAuthEndpointAuthenticationMethod: + description: Requested authentication method for the token endpoint + default: client_secret_basic type: string enum: - client_secret_basic @@ -40524,7 +55894,23 @@ components: - client_secret_post - none - private_key_jwt + OAuthEndpoints: + description: |- + The `OAUTH2` and `OIDC` protocols support the `authorization` and `token` endpoints. Also, the `OIDC` protocol supports the `userInfo` and `jwks` endpoints. + + The IdP Authorization Server (AS) endpoints are currently defined as part of the [IdP provider]((https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request)) and are read-only. + type: object + properties: + authorization: + $ref: '#/components/schemas/OAuthAuthorizationEndpoint' + jwks: + $ref: '#/components/schemas/OidcJwksEndpoint' + token: + $ref: '#/components/schemas/OAuthTokenEndpoint' + userInfo: + $ref: '#/components/schemas/OidcUserInfoEndpoint' OAuthGrantType: + description: Array of OAuth 2.0 grant type strings type: string enum: - authorization_code @@ -40537,6 +55923,7 @@ components: - urn:ietf:params:oauth:grant-type:jwt-bearer - urn:ietf:params:oauth:grant-type:saml2-bearer - urn:ietf:params:oauth:grant-type:token-exchange + - urn:openid:params:grant-type:ciba OAuthMetadata: type: object properties: @@ -40670,11 +56057,22 @@ components: - slack - zoomus OAuthResponseType: + description: Array of OAuth 2.0 response type strings type: string enum: - code - id_token - token + OAuthTokenEndpoint: + description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) token endpoint + example: https://idp.example.com/token OINApplication: type: object properties: @@ -40931,6 +56329,17 @@ components: required: - adminUsername - adminPassword + OfflineAccessScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: + type: string + description: Link name + example: offline_access Oidc: description: OIDC configuration details type: object @@ -40965,6 +56374,87 @@ components: required: - redirectUris - doc + OidcAlgorithms: + type: object + properties: + request: + $ref: '#/components/schemas/OidcRequestAlgorithm' + OidcJwksEndpoint: + description: Endpoint for the JSON Web Key Set (JWKS) document. This document contains signing keys that are used to validate the signatures from the provider. For more information on JWKS, see [JSON Web Key](https://tools.ietf.org/html/rfc7517). + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the endpoint to the JWK Set + example: https://idp.example.com/keys + OidcRequestAlgorithm: + description: Algorithm settings used to sign an authorization request + type: object + properties: + signature: + $ref: '#/components/schemas/OidcRequestSignatureAlgorithm' + OidcRequestSignatureAlgorithm: + description: |- + Signature Algorithm settings for signing authorization requests sent to the IdP + > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`). + type: object + properties: + algorithm: + $ref: '#/components/schemas/OidcSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + OidcSigningAlgorithm: + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + OidcUserInfoEndpoint: + description: Endpoint for getting identity information about the User. For more information on the `/userinfo` endpoint, see [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the resource server's `/userinfo` endpoint + example: https://idp.example.com/userinfo + OktaActiveDirectoryGroupProfile: + description: |- + Profile for a Group that is imported from Active Directory. + + The `objectClass` for such groups is `okta:windows_security_principal`. + type: object + properties: + description: + type: string + example: example.com/West Coast/West Coast Users + description: Description of the Windows Group + dn: + type: string + example: CN=West Coast Users,OU=West Coast,DC=example,DC=com + description: The distinguished name of the Windows Group + externalId: + type: string + example: VKzYZ1C+IkSZxIWlrW5ITg== + description: Base-64 encoded GUID (`objectGUID`) of the Windows Group + name: + type: string + example: West Coast Users + description: Name of the Windows Group + samAccountName: + type: string + example: West Coast Users + description: Pre-Windows 2000 name of the Windows Group + windowsDomainQualifiedName: + type: string + example: EXAMPLE\\West Coast Users + description: Fully qualified name of the Windows Group OktaDeviceRiskChangeEvent: description: The device risk level changed type: object @@ -41012,12 +56502,11 @@ components: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. - subjects: - type: object + subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - - subjects + - subject - current_level - previous_level OktaIpChangeEvent: @@ -41055,14 +56544,23 @@ components: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. - subjects: - type: object + subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - - subjects + - subject - current_ip_address - previous_ip_address + OktaPersonalAdminFeatureSettings: + description: Defines a list of Okta Personal settings that can be enabled or disabled for the org + type: object + properties: + enableEnduserEntryPoints: + type: boolean + description: Allow entry points for an Okta Personal account in a Workforce org + enableExportApps: + type: boolean + description: Allow users to migrate apps from a Workforce account to an Okta Personal account OktaSignOnPolicy: allOf: - $ref: '#/components/schemas/Policy' @@ -41078,6 +56576,10 @@ components: people: $ref: '#/components/schemas/PolicyPeopleCondition' OktaSignOnPolicyFactorPromptMode: + description: | + Indicates if the User should be challenged for a second factor (MFA) based on the device being used, a Factor session lifetime, or on every sign-in attempt + + **Note:** Required only if `requireFactor` is set to `true`. type: string enum: - ALWAYS @@ -41101,7 +56603,6 @@ components: $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' OktaSignOnPolicyRuleConditions: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - type: object properties: authContext: @@ -41110,33 +56611,78 @@ components: $ref: '#/components/schemas/PolicyNetworkCondition' people: $ref: '#/components/schemas/PolicyPeopleCondition' + identityProvider: + $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' OktaSignOnPolicyRuleSignonActions: type: object properties: access: - $ref: '#/components/schemas/PolicyAccess' + type: string + enum: + - ALLOW + - DENY factorLifetime: type: integer + description: | + Interval of time that must elapse before the User is challenged for MFA, if the Factor prompt mode is set to `SESSION` + + **Note:** Required only if `requireFactor` is `true`. factorPromptMode: $ref: '#/components/schemas/OktaSignOnPolicyFactorPromptMode' + primaryFactor: + $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonPrimaryFactor' rememberDeviceByDefault: type: boolean + description: Indicates if Okta should automatically remember the device default: false requireFactor: type: boolean default: false + description: Indicates if multifactor authentication is required session: $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions' + OktaSignOnPolicyRuleSignonPrimaryFactor: + description: |- + <x-lifecycle class="oie"></x-lifecycle> Indicates the primary factor used to establish a session for the org. Supported values: `PASSWORD_IDP_ANY_FACTOR` (users can use any factor required by the app authentication policy to establish a session), `PASSWORD_IDP` (users must always use a password to establish a session). + + **Note:** Required only if `access` is set to `ALLOW`. + type: string + enum: + - PASSWORD_IDP + - PASSWORD_IDP_ANY_FACTOR OktaSignOnPolicyRuleSignonSessionActions: + description: Properties governing the User's session lifetime type: object properties: maxSessionIdleMinutes: + description: Maximum number of minutes that a User session can be idle before the session is ended type: integer + default: 120 maxSessionLifetimeMinutes: + description: Maximum number of minutes from User sign in that a user's session is active. Set this to force Users to sign in again after the number of specified minutes. Disable by setting to `0`. This property is read-only for the default rule of the default global session policy. type: integer + default: 0 usePersistentCookie: + description: If set to `false`, user session cookies only last the length of a browser session. If set to `true`, user session cookies last across browser sessions. This setting doesn't impact administrators who can never have persistent session cookies. This property is read-only for the default rule of the default global session policy. type: boolean default: false + OktaUserGroupProfile: + description: |- + Profile for any Group that is not imported from Active Directory. Specifies the standard + and custom profile properties for a Group. + + The `objectClass` for these groups is `okta:user_group`. + type: object + properties: + description: + type: string + example: All Users West of The Rockies + description: Description of the Group + name: + type: string + example: West Coast Users + description: Name of the Group + x-okta-extensible: true OktaUserRiskChangeEvent: description: The user risk level changed type: object @@ -41184,12 +56730,11 @@ components: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. - subjects: - type: object + subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - - subjects + - subject - current_level - previous_level OpenIdConnectApplication: @@ -41203,7 +56748,7 @@ components: $ref: '#/components/schemas/OAuthApplicationCredentials' name: type: string - default: oidc_client + description: '`oidc_client` is the key name for an OAuth 2.0 client app instance' settings: $ref: '#/components/schemas/OpenIdConnectApplicationSettings' required: @@ -41211,25 +56756,70 @@ components: - settings - credentials OpenIdConnectApplicationConsentMethod: + description: | + Indicates whether user consent is required or implicit. + A consent dialog appears for the end user depending on the values of three elements: + + * [prompt](/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/authorize!in=query&path=prompt&t=request): A query parameter that is used in requests to `/authorize` + * `consent_method` (this property) + * [consent](/openapi/okta-management/management/tag/AuthorizationServerScopes/#tag/AuthorizationServerScopes/operation/createOAuth2Scope!path=consent&t=request): A [Scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServerScopes/) property that allows you to enable or disable user consent for an individual scope + + | `prompt` | `consent_method` | `consent` | Result + | ---------- | ----------- | ---------- | ----------- | + | CONSENT | TRUSTED or REQUIRED | REQUIRED | Prompted | + | CONSENT | TRUSTED or REQUIRED | FLEXIBLE | Prompted | + | CONSENT | TRUSTED | IMPLICIT | Not prompted | + | NONE | TRUSTED | FLEXIBLE, IMPLICIT, or REQUIRED | Not prompted | + | NONE | REQUIRED | FLEXIBLE or REQUIRED | Prompted | + | NONE | REQUIRED | IMPLICIT | Not prompted | + + > **Notes:** + > * If you request a scope that requires consent while using the `client_credentials` flow, an error is returned because the flow doesn't support user consent. + > * If the `prompt` value is set to `NONE`, but the `consent_method` and the consent values are set to `REQUIRED`, then an error occurs. + > * When a scope is requested during a Client Credentials grant flow and `consent` is set to `FLEXIBLE`, the scope is granted in the access token with no consent prompt. This occurs because there is no user involved in a two-legged OAuth 2.0 [Client Credentials](https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/) grant flow. + default: TRUSTED type: string enum: - REQUIRED - TRUSTED + x-enumDescriptions: + TRUSTED: The client is fully trusted (for example, a first-party app). The default consent method for app instances created with a [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request + REQUIRED: The client requires consent (for example, a third-party app). The default consent method for app instances created with a [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient) request OpenIdConnectApplicationIdpInitiatedLogin: + description: The type of IdP-initiated sign-in flow that the client supports type: object properties: default_scope: type: array + description: The scopes to use for the request when `mode` is `OKTA` items: type: string mode: type: string + description: | + The mode to use for the IdP-initiated sign-in flow. For `OKTA` or `SPEC` modes, the client must have an `initiate_login_uri` registered. + > **Note:** For web and SPA apps, if the mode is `SPEC` or `OKTA`, you must set `grant_types` to `authorization_code`, `implicit`, or `interaction_code`. + enum: + - DISABLED + - SPEC + - OKTA + x-enumDescriptions: + DISABLED: The client doesn't support the IdP-initiated sign-in flow. + SPEC: The client is redirected to the Relying Party's `initiate_login_uri`. + OKTA: Tokens are directly sent to the Relying Party. This corresponds to the **Okta Simplified** option in the Admin Console. + required: + - mode OpenIdConnectApplicationIssuerMode: + description: Indicates whether the Okta authorization server uses the original Okta org domain URL or a custom domain URL as the issuer of the ID token for this client type: string enum: - CUSTOM_URL - DYNAMIC - ORG_URL + x-enumDescriptions: + CUSTOM_URL: The issuer is returned in the appropriate OIDC token response. This is the default `issuer_mode` when you configured a custom domain for your org. + DYNAMIC: A request for the ID token made from the custom domain has the custom URL as the issuer. A request for the ID token made from an Okta org has the Org URL as the issuer. You can only set `issuer_mode` as DYNAMIC if the Dynamic Issuer Mode feature is enabled. Contact Okta Support to enable this feature. + ORG_URL: The issuer is returned based on the URL of your Okta organization. This is useful when you are using Okta’s default domain and do not have a custom domain configured. OpenIdConnectApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' @@ -41242,23 +56832,69 @@ components: properties: application_type: $ref: '#/components/schemas/OpenIdConnectApplicationType' + backchannel_authentication_request_signing_alg: + description: | + The signing algorithm for Client-Initiated Backchannel Authentication (CIBA) signed requests using JWT. If this value isn't set and a JWT-signed request is sent, the request fails. + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + - ES256 + - ES384 + - ES512 + backchannel_custom_authenticator_id: + description: | + The ID of the custom authenticator that authenticates the user + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + type: string + maxLength: 20 + minLength: 20 + backchannel_token_delivery_mode: + description: | + The delivery mode for Client-Initiated Backchannel Authentication (CIBA). Currently, only `poll` is supported. + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + enum: + - poll + - ping + - push + type: string client_uri: type: string + description: URL string of a web page providing information about the client + maxLength: 1024 consent_method: $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod' dpop_bound_access_tokens: type: boolean - description: Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. + description: | + Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. + > **Note:** If `dpop_bound_access_tokens` is true, then `client_credentials` and `implicit` aren't allowed in `grant_types`. default: false x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true frontchannel_logout_session_required: - description: Include user session details. + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>Determines whether Okta sends `sid` and `iss` in the logout request type: boolean + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine frontchannel_logout_uri: - description: URL where Okta sends the logout request. + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>URL where Okta sends the logout request type: string + maxLength: 1024 + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine grant_types: type: array items: @@ -41267,39 +56903,96 @@ components: $ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin' initiate_login_uri: type: string + description: URL string that a third party can use to initiate the sign-in flow by the client issuer_mode: $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode' jwks: $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys' jwks_uri: - description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta. + description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta type: string logo_uri: type: string + description: The URL string that references a logo for the client. This logo appears on the client tile in the End-User Dashboard. It also appears on the client consent dialog during the client consent flow. + maxLength: 1024 participate_slo: - description: Allows the app to participate in front-channel single logout. + description: | + <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>Allows the app to participate in front-channel Single Logout + + > **Note:** You can only enable `participate_slo` for `web` and `browser` application types (`application_type`). type: boolean + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine policy_uri: type: string + description: URL string of a web page providing the client's policy document post_logout_redirect_uris: type: array + description: Array of redirection URI strings for relying party-initiated logouts items: type: string redirect_uris: type: array + description: |- + Array of redirection URI strings for use in redirect-based flows. + > **Note:** At least one `redirect_uris` and `response_types` are required for all client types, with exceptions: if the client uses the [Resource Owner Password ](https://tools.ietf.org/html/rfc6749#section-4.3)flow (`grant_types` contains `password`) or [Client Credentials](https://tools.ietf.org/html/rfc6749#section-4.4)flow (`grant_types` contains `client_credentials`), then no `redirect_uris` or `response_types` is necessary. In these cases, you can pass either null or an empty array for these attributes. items: type: string refresh_token: $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken' + request_object_signing_alg: + description: The type of JSON Web Key Set (JWKS) algorithm that must be used for signing request objects + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + - ES256 + - ES384 + - ES512 response_types: type: array + description: Array of OAuth 2.0 response type strings items: $ref: '#/components/schemas/OAuthResponseType' + sector_identifier_uri: + type: string + description: The sector identifier used for pairwise `subject_type`. See [OIDC Pairwise Identifier Algorithm](https://openid.net/specs/openid-connect-messages-1_0-20.html#idtype.pairwise.alg) + maxLength: 1024 + subject_type: + description: Type of the subject + type: string + enum: + - public + - pairwise tos_uri: type: string + description: URL string of a web page providing the client's terms of service document wildcard_redirect: type: string + description: Indicates if the client is allowed to use wildcard matching of `redirect_uris` + enum: + - DISABLED + - SUBDOMAIN + x-enumDescriptions: + DISABLED: All redirect URIs must be absolute URIs and not include a fragment component. + SUBDOMAIN: | + Any configured redirect URIs may contain a single `*` character in the lowest-level domain (for example, `https://redirect-*-domain.example.com/oidc/redirect`) to act as a wildcard. + The wildcard subdomain must have at least one subdomain between it and the top level domain. + The wildcard can match any valid hostname characters, but can't span more than one domain. + For example, if `https://redirect-*-domain.example.com/oidc/redirect` is configured as a redirect URI, then `https://redirect-1-domain.example.com/oidc/redirect` and `https://redirect-sub-domain.example.com/oidc/redirect` match, but `https://redirect-1.sub-domain.example.com/oidc/redirect` doesn't match. + Only the `https` URI scheme can use wildcard redirect URIs. + > **Note:** The use of wildcard subdomains is discouraged as an insecure practice, since it may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages. Exercise caution if you decide to include a wildcard redirect URI in your configuration. + required: + - grant_types OpenIdConnectApplicationSettingsClientKeys: + description: A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta type: object properties: keys: @@ -41330,12 +57023,20 @@ components: required: - rotation_type OpenIdConnectApplicationType: + description: |- + The type of client app + Specific `grant_types` are valid for each `application_type`. See [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient). type: string enum: - browser - native - service - web + x-enumDescriptions: + browser: Single-Page app (SPA) + native: Native app + service: API service app + web: Web app OpenIdConnectRefreshTokenRotationType: description: The refresh token rotation mode for the OAuth 2.0 client example: STATIC @@ -41434,6 +57135,137 @@ components: - properties: optInStatus: $ref: '#/components/schemas/HrefObject' + Org2OrgApplication: + title: Org2Org + x-tags: + - Application + x-okta-defined-as: + name: okta_org2org + example: + name: okta_org2org + label: Okta Org2Org + signOnMode: SAML_2_0 + settings: + app: + acsUrl: https://example.okta.com/sso/saml2/exampleid + audRestriction: https://www.okta.com/saml2/service-provider/exampleid + baseUrl: https://example.okta.com + description: | + Schema for the Okta Org2Org app (key name: `okta_org2org`) + + To create an Org2Org app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Notes:** + > * The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. + > * The Okta Org2Org app supports `SAML_2_0` and `AUTO_LOGIN` sign-on modes. + allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - okta_org2org + example: okta_org2org + signOnMode: + default: SAML_2_0 + enum: + - SAML_2_0 + - AUTO_LOGIN + x-enumDescriptions: + SAML_2_0: Federated Authentication with SAML 2.0 WebSSO + AUTO_LOGIN: Secure Web Authentication (SWA) + settings: + $ref: '#/components/schemas/Org2OrgApplicationSettings' + Org2OrgApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/Org2OrgApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + Org2OrgApplicationSettingsApplication: + description: Org2Org app instance properties + type: object + properties: + acsUrl: + type: string + description: The Assertion Consumer Service (ACS) URL of the source org (for `SAML_2_0` sign-on mode) + audRestriction: + type: string + description: The entity ID of the SP (for `SAML_2_0` sign-on mode) + example: https://www.okta.com/saml2/service-provider/exampleid + baseUrl: + type: string + description: The base URL of the target Okta org (for `SAML_2_0` sign-on mode) + creationState: + type: string + description: Used to track and manage the state of the app's creation or the provisioning process between two Okta orgs + preferUsernameOverEmail: + type: boolean + description: Indicates that you don't want to use an email address as the username + token: + type: string + description: An API token from the target org that's used to secure the connection between the orgs + tokenEncrypted: + type: string + description: Encrypted token to enhance security + required: + - baseUrl + OrgAerialConsent: + type: object + properties: + accountId: + description: The unique ID of the Aerial account + type: string + required: + - accountId + OrgAerialConsentDetails: + type: object + properties: + accountId: + description: The unique ID of the Aerial account + type: string + grantedBy: + type: string + description: Principal ID of the user who granted the permission + example: 00u23ej02I2RLFxS5406 + grantedDate: + type: string + description: Date when grant was created + example: '2024-07-24T16:01:13.000Z' + _links: + $ref: '#/components/schemas/LinksAerialConsentGranted' + required: + - accountId + OrgAerialConsentRevoked: + type: object + properties: + _links: + $ref: '#/components/schemas/LinksAerialConsentRevoked' + OrgAerialGrantNotFound: + type: object + properties: + accountId: + description: The unique ID of the Aerial account + type: string + grantedBy: + type: string + description: Principal ID of the user who granted the permission + example: 00u23ej02I2RLFxS5406 + grantedDate: + type: string + description: Date when grant was created + example: '2024-07-24T16:01:13.000Z' + _links: + $ref: '#/components/schemas/LinksAerialConsentGranted' OrgCAPTCHASettings: title: OrgCAPTCHASettings description: '' @@ -41455,33 +57287,121 @@ components: $ref: '#/components/schemas/HrefObject' readOnly: true OrgContactType: + description: Type of contact type: string enum: - BILLING - TECHNICAL OrgContactTypeObj: + anyOf: + - $ref: '#/components/schemas/orgBillingContactType' + - $ref: '#/components/schemas/orgTechnicalContactType' type: object properties: contactType: $ref: '#/components/schemas/OrgContactType' - _links: - $ref: '#/components/schemas/LinksSelf' + discriminator: + propertyName: contactType + mapping: + BILLING: '#/components/schemas/orgBillingContactType' + TECHNICAL: '#/components/schemas/orgTechnicalContactType' OrgContactUser: type: object properties: userId: type: string + description: Contact user ID _links: - $ref: '#/components/schemas/LinksSelf' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Contact Type User object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + OrgCreationAdmin: + description: |- + Profile and credential information for the first super admin user of the child Org. + If you plan to configure and manage the Org programmatically, create a system user with a dedicated email address and a strong password. + > **Note:** If you don't provide `credentials`, the super admin user is prompted to set up their credentials when they sign in to the Org for the first time. + writeOnly: true + type: object + properties: + credentials: + type: object + description: Specifies primary authentication and recovery credentials for a User. Credential types and requirements vary depending on the provider and security policy of the org. + properties: + password: + type: object + description: |- + Specifies a password for a user + > **Note:** For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation. + properties: + value: + type: string + writeOnly: true + description: Password value (which is validated by the Password Policy) + format: password + example: pa$$word + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + profile: + type: object + description: |- + Specifies the profile attributes for the first super admin user. The minimal set of required attributes are `email`, `firstName`, `lastName`, and `login`. + See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) for additional profile attributes. + properties: + firstName: + type: string + description: Given name of the User (`givenName`) + minLength: 1 + maxLength: 50 + nullable: true + lastName: + type: string + description: The family name of the User (`familyName`) + minLength: 1 + maxLength: 50 + nullable: true + email: + type: string + description: The primary email address of the User. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). + format: email + minLength: 5 + maxLength: 100 + login: + type: string + description: The unique identifier for the User (`username`) + maxLength: 100 + additionalProperties: true + required: + - email + - login + - firstName + - lastName + required: + - profile OrgOktaCommunicationSetting: type: object properties: optOutEmailUsers: type: boolean + description: Indicates whether org users receive Okta communication emails readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + optIn: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to opt users in to communication emails + optOut: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to opt users out of communication emails OrgOktaSupportSetting: + description: Status of Okta Support Settings type: string enum: - DISABLED @@ -41492,67 +57412,116 @@ components: expiration: format: date-time type: string + description: Expiration of Okta Support readOnly: true + nullable: true support: $ref: '#/components/schemas/OrgOktaSupportSetting' _links: - $ref: '#/components/schemas/LinksSelf' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Okta Support Settings object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + extend: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [extend Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/extendOktaSupport) + revoke: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [revoke Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/revokeOktaSupport) + grant: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [grant Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/grantOktaSupport) OrgPreferences: type: object properties: showEndUserFooter: type: boolean + description: Indicates if the footer is shown on the End-User Dashboard readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + hideEndUserFooter: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to hide the footer in the End-User Dashboard + showEndUserFooter: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to show the footer on the End-User Dashboard OrgSetting: type: object properties: address1: type: string + description: Primary address of the organization associated with the org address2: type: string + description: Secondary address of the organization associated with the org city: type: string + description: City of the organization associated with the org companyName: type: string + description: Name of org country: type: string + description: County of the organization associated with the org created: format: date-time readOnly: true type: string + description: When org was created endUserSupportHelpURL: type: string + description: Support link of org expiresAt: format: date-time readOnly: true type: string + description: Expiration of org id: readOnly: true type: string + description: Org ID lastUpdated: format: date-time readOnly: true type: string + description: When org was last updated phoneNumber: type: string + description: Phone number of the organization associated with the org postalCode: type: string + description: Postal code of the organization associated with the org state: type: string + description: State of the organization associated with the org status: readOnly: true type: string + description: Status of org + enum: + - ACTIVE + - INACTIVE subdomain: readOnly: true type: string + description: Subdomain of org supportPhoneNumber: type: string + description: Support help phone of the organization associated with the org website: type: string + description: Website of the organization associated with the org _links: - $ref: '#/components/schemas/LinksSelf' + $ref: '#/components/schemas/orgGeneralSettingLinks' OtpProtocol: description: The protocol used type: string @@ -41636,10 +57605,14 @@ components: description: ID of an existing user PasswordCredential: description: |- - When a user has a valid password, imported hashed password, or password hook, and a response object contains + Specifies a password for a user. + + When a User has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**). + + For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation. type: object properties: hash: @@ -41651,13 +57624,14 @@ components: writeOnly: true description: Specifies the password for a user. The Password Policy validates this password. format: password + example: pa$$word PasswordCredentialHash: description: |- Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See [Create User with Imported Hashed Password](https://developer.okta.com/docs/reference/api/users/#create-user-with-imported-hashed-password) - for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the `STAGED` status. + for information on using this object when creating a user. When updating a User with a hashed password, the User must be in the `STAGED` status. type: object properties: algorithm: @@ -41702,25 +57676,25 @@ components: - SHA-256 - SHA-512 PasswordCredentialHook: - description: |- - Specify a [password import inline hook](https://developer.okta.com/docs/reference/password-hook/) to trigger verification of the user's password - the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. - See [Create User with Password Hook](https://developer.okta.com/docs/reference/api/users/#create-user-with-password-import-inline-hook) for information on using this object when creating a user. + description: Specify a [password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) to trigger verification of the User's password the first time the User signs in. This allows an existing password to be imported into Okta directly from some other store. type: object properties: type: type: string description: The type of password inline hook. Currently, must be set to default. PasswordDictionary: + description: Weak password dictionary lookup settings type: object properties: common: $ref: '#/components/schemas/PasswordDictionaryCommon' PasswordDictionaryCommon: + description: Lookup settings for commonly used passwords type: object properties: exclude: type: boolean + description: Indicates whether to check passwords against the common password dictionary default: false PasswordExpirationPolicyRuleCondition: type: object @@ -41760,10 +57734,10 @@ components: type: object properties: username: - description: The `username` that the end user supplied when attempting to sign in to Okta. + description: The `username` that the user supplied when attempting to sign in to Okta. type: string password: - description: The `password` that the end user supplied when attempting to sign in to Okta. + description: The `password` that the user supplied when attempting to sign in to Okta. type: string PasswordImportResponse: type: object @@ -41776,13 +57750,12 @@ components: properties: type: description: The location where you specify the command. For the password import inline hook, there's only one command, `com.okta.action.update`. - type: string value: description: |- The parameter value of the command. * To indicate that the supplied credentials are valid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "VERIFIED"}`. * To indicate that the supplied credentials are invalid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "UNVERIFIED"}`. - Alternatively, you can send an empty response (`204`). By default, the `data.action.credential` is always set to `UNVERIFIED`. + Alternatively, you can send an empty response (`204`). By default, the `data.action.credential` is always set to `UNVERIFIED`. type: object properties: credential: @@ -41834,6 +57807,8 @@ components: properties: skipUnlock: type: boolean + description: Indicates if, when performing an unlock operation on an Active Directory sourced User who is locked out of Okta, the system should also attempt to unlock the User's Windows account + default: false PasswordPolicyPasswordSettings: type: object properties: @@ -41844,49 +57819,81 @@ components: lockout: $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout' PasswordPolicyPasswordSettingsAge: + description: Age settings type: object properties: expireWarnDays: type: integer + description: 'Specifies the number of days prior to password expiration when a User is warned to reset their password: `0` indicates no warning' + default: 0 historyCount: type: integer + description: 'Specifies the number of distinct passwords that a User must create before they can reuse a previous password: `0` indicates none' + default: 0 maxAgeDays: type: integer + description: 'Specifies how long (in days) a password remains valid before it expires: `0` indicates no limit' + default: 0 minAgeMinutes: type: integer + description: 'Specifies the minimum time interval (in minutes) between password changes: `0` indicates no limit' + default: 0 PasswordPolicyPasswordSettingsComplexity: + description: Complexity settings type: object properties: dictionary: $ref: '#/components/schemas/PasswordDictionary' excludeAttributes: type: array + description: 'The User profile attributes whose values must be excluded from the password: currently only supports `firstName` and `lastName`' + default: [] items: type: string excludeUsername: type: boolean + description: Indicates if the Username must be excluded from the password default: true minLength: type: integer + description: Minimum password length + default: 8 minLowerCase: type: integer + description: 'Indicates if a password must contain at least one lower case letter: `0` indicates no, `1` indicates yes' + default: 1 minNumber: type: integer + description: 'Indicates if a password must contain at least one number: `0` indicates no, `1` indicates yes' + default: 1 minSymbol: type: integer + description: 'Indicates if a password must contain at least one symbol (For example: !@#$%^&*): `0` indicates no, `1` indicates yes' + default: 1 minUpperCase: type: integer + description: 'Indicates if a password must contain at least one upper case letter: `0` indicates no, `1` indicates yes' + default: 1 PasswordPolicyPasswordSettingsLockout: + description: Lockout settings type: object properties: autoUnlockMinutes: type: integer + description: 'Specifies the time interval (in minutes) a locked account remains locked before it is automatically unlocked: `0` indicates no limit' + default: 0 maxAttempts: type: integer + description: 'Specifies the number of times Users can attempt to sign in to their accounts with an invalid password before their accounts are locked: `0` indicates no limit' + default: 10 showLockoutFailures: type: boolean + description: Indicates if the User should be informed when their account is locked + default: false userLockoutNotificationChannels: type: array + description: How the user is notified when their account becomes locked. The only acceptable values are `[]` and `['EMAIL']`. + default: [] items: type: string PasswordPolicyRecoveryEmail: @@ -41905,13 +57912,16 @@ components: type: object properties: tokenLifetimeMinutes: + description: Lifetime (in minutes) of the recovery token type: integer + default: 10080 PasswordPolicyRecoveryFactorSettings: type: object properties: status: $ref: '#/components/schemas/LifecycleStatus' PasswordPolicyRecoveryFactors: + description: Settings for the Factors that can be used for recovery type: object properties: okta_call: @@ -41933,8 +57943,10 @@ components: type: object properties: minLength: + description: Minimum length of the password recovery question answer type: integer readOnly: true + default: 4 PasswordPolicyRecoveryQuestionProperties: type: object properties: @@ -41971,14 +57983,12 @@ components: selfServiceUnlock: $ref: '#/components/schemas/PasswordPolicyRuleAction' PasswordPolicyRuleConditions: - allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - - type: object - properties: - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' + type: object + properties: + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' PasswordPolicySettings: type: object properties: @@ -42001,7 +58011,7 @@ components: PASSWORD_REUSE: Password protection warning is triggered by password reuse PHISHING_REUSE: Password protection warning is triggered by password reuse on a phishing page PasswordSettingObject: - description: Determines whether Okta creates and pushes a password in the application for each assigned user + description: Determines whether Okta creates and pushes a password in the app for each assigned user type: object properties: change: @@ -42080,6 +58090,21 @@ components: description: Conditions for further restricting a permission nullable: true type: object + properties: + exclude: + type: object + description: Exclude attributes with specific values for the permission + additionalProperties: + type: object + properties: {} + nullable: true + include: + type: object + description: Include attributes with specific values for the permission + additionalProperties: + type: object + properties: {} + nullable: true Permissions: type: object properties: @@ -42087,6 +58112,13 @@ components: type: array items: $ref: '#/components/schemas/Permission' + PersonalAppsBlockList: + description: Defines a list of email domains with a subset of the properties for each domain + type: object + properties: + domains: + type: array + description: List of blocked email domains PinRequest: description: Pin Request type: object @@ -42103,11 +58135,14 @@ components: description: ID of an existing Okta user type: string PipelineType: - description: The authentication pipeline of the org. `idx` means the org is using the Identity Engine, while `v1` means the org is using the Classic authentication pipeline. + description: The authentication pipeline of the org type: string enum: - idx - v1 + x-enumDescriptions: + idx: Identity Engine + v1: Classic Engine Platform: type: string enum: @@ -42163,29 +58198,35 @@ components: type: string format: date-time readOnly: true + default: Assigned description: - description: Policy description + description: Description of the Policy type: string + default: null id: - description: Policy ID + description: Identifier of the Policy type: string readOnly: true + default: Assigned lastUpdated: - description: Timestamp when the Policy was last updated + description: Timestamp when the Policy was last modified type: string format: date-time readOnly: true + default: Assigned name: - description: Policy name + description: Name of the Policy type: string priority: description: Specifies the order in which this Policy is evaluated in relation to the other policies type: integer + default: Last / Lowest Priority, for example `1` status: $ref: '#/components/schemas/LifecycleStatus' system: description: Specifies whether Okta created the Policy type: boolean + default: false type: $ref: '#/components/schemas/PolicyType' _embedded: @@ -42196,16 +58237,19 @@ components: readOnly: true _links: $ref: '#/components/schemas/PolicyLinks' + required: + - name + - type discriminator: propertyName: type mapping: ACCESS_POLICY: '#/components/schemas/AccessPolicy' IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy' - MFA_ENROLL: '#/components/schemas/MultifactorEnrollmentPolicy' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy' OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' PASSWORD: '#/components/schemas/PasswordPolicy' PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' - CONTINUOUS_ACCESS: '#/components/schemas/ContinuousAccessPolicy' + POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicy' ENTITY_RISK: '#/components/schemas/EntityRiskPolicy' PolicyAccess: type: string @@ -42213,6 +58257,7 @@ components: - ALLOW - DENY PolicyAccountLink: + description: Specifies the behavior for linking an IdP User to an existing Okta User type: object properties: action: @@ -42220,22 +58265,30 @@ components: filter: $ref: '#/components/schemas/PolicyAccountLinkFilter' PolicyAccountLinkAction: + description: Specifies the account linking action for an IdP User type: string enum: - AUTO - DISABLED + x-enumDescriptions: + AUTO: The IdP User is automatically linked to an Okta User when the transformed IdP User matches an existing Okta User according to [subject match rules](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject&t=request). + DISABLED: Okta never attempts to link the IdP User to an existing Okta User, but may still attempt to provision a new Okta User according to the [provisioning action type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/provisioning/action&t=request). PolicyAccountLinkFilter: + description: Specifies Group memberships to restrict which Users are available for account linking by an IdP type: object properties: groups: $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' PolicyAccountLinkFilterGroups: + description: Group memberships used to determine link candidates type: object properties: include: type: array + description: Specifies the allowlist of Group identifiers to match against. Group memberships are restricted to type `OKTA_GROUP`. items: type: string + example: 00gjg5lzfBpn62wuF0g3 PolicyContext: type: object properties: @@ -42311,6 +58364,7 @@ components: $ref: '#/components/schemas/HrefObjectRulesLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true PolicyMapping: type: object properties: @@ -42324,6 +58378,10 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the mapped application + policy: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mapped policy PolicyMappingRequest: type: object properties: @@ -42342,10 +58400,12 @@ components: $ref: '#/components/schemas/PolicyNetworkConnection' exclude: type: array + description: The zones to exclude. Required only if connection data type is `ZONE` items: type: string include: type: array + description: The zones to include. Required only if connection data type is `ZONE` items: type: string PolicyNetworkConnection: @@ -42362,6 +58422,9 @@ components: $ref: '#/components/schemas/GroupCondition' users: $ref: '#/components/schemas/UserCondition' + required: + - groups + - users PolicyPlatformOperatingSystemType: type: string enum: @@ -42410,6 +58473,8 @@ components: default: false type: $ref: '#/components/schemas/PolicyRuleType' + _links: + $ref: '#/components/schemas/PolicyLinks' discriminator: propertyName: type mapping: @@ -42419,8 +58484,9 @@ components: RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule' SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule' - CONTINUOUS_ACCESS: '#/components/schemas/ContinuousAccessPolicyRule' + POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicyRule' ENTITY_RISK: '#/components/schemas/EntityRiskPolicyRule' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicyRule' PolicyRuleActions: type: object PolicyRuleActionsEnroll: @@ -42443,6 +58509,7 @@ components: type: string enum: - ANY + - LDAP_INTERFACE - RADIUS PolicyRuleConditions: type: object @@ -42494,30 +58561,48 @@ components: type: string enum: - ACCESS_POLICY - - CONTINUOUS_ACCESS - ENTITY_RISK - IDP_DISCOVERY - MFA_ENROLL - PASSWORD + - POST_AUTH_SESSION - PROFILE_ENROLLMENT - RESOURCE_ACCESS - SIGN_ON + PolicyRuleVerificationMethodType: + description: Verification method type + type: string + enum: + - ASSURANCE + - AUTH_METHOD_CHAIN PolicySubject: + description: Specifies the behavior for establishing, validating, and matching a username for an IdP User type: object properties: filter: type: string - format: - type: array - items: - type: string + description: |- + Optional [regular expression pattern](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions) used to filter untrusted IdP usernames. + * As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any User, including partners or directory Users in your Okta org. + * For example, the filter pattern `(\S+@example\.com)` allows only Users that have an `@example.com` username suffix. It rejects assertions that have any other suffix such as `@corp.example.com` or `@partner.com`. + * Only `SAML2` and `OIDC` IdP providers support the `filter` property. + maxLength: 1024 + example: (\S+@example\.com) matchAttribute: type: string + description: |- + Okta User profile attribute for matching a transformed IdP username. Only for matchType `CUSTOM_ATTRIBUTE`. + The `matchAttribute` must be a valid Okta User profile attribute of one of the following types: + * String (with no format or 'email' format only) + * Integer + * Number + example: login matchType: $ref: '#/components/schemas/PolicySubjectMatchType' userNameTemplate: $ref: '#/components/schemas/PolicyUserNameTemplate' PolicySubjectMatchType: + description: Determines the Okta User profile attribute match conditions for account linking and authentication of the transformed IdP username type: string enum: - CUSTOM_ATTRIBUTE @@ -42527,18 +58612,18 @@ components: PolicyType: description: |- All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page. - Creating or replacing a policy with `IDP_DISCOVERY` type isn't supported. The following policy types are available with - the Okta Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `CONTINUOUS_ACCESS`, and `ENTITY_RISK`. The `CONTINUOUS_ACCESS`, and `ENTITY_RISK` - policy types are in Early Access (EA). Contact your Okta account team to enable these features. + Creating or replacing a policy with the `IDP_DISCOVERY` type isn't supported. The following policy types are available with + Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`. The `POST_AUTH_SESSION`, and `ENTITY_RISK` + policy types are in <x-lifecycle class="ea"></x-lifecycle>. Contact your Okta account team to enable these features. type: string enum: - ACCESS_POLICY - - CONTINUOUS_ACCESS - ENTITY_RISK - IDP_DISCOVERY - MFA_ENROLL - OKTA_SIGN_ON - PASSWORD + - POST_AUTH_SESSION - PROFILE_ENROLLMENT - RESOURCE_ACCESS PolicyTypeSimulation: @@ -42549,10 +58634,17 @@ components: - OKTA_SIGN_ON - PROFILE_ENROLLMENT PolicyUserNameTemplate: + description: |- + [Okta Expression Language (EL) expression](https://developer.okta.com/docs/reference/okta-expression-language/) to generate or transform a unique username for the IdP User. + * IdP User profile attributes can be referenced with the `idpuser` prefix such as `idpuser.subjectNameId`. + * You must define an IdP User profile attribute before it can be referenced in an Okta EL expression. To define an IdP User attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP User profile to update the IdP instance with an expression that references the IdP User profile attribute that you just created. type: object properties: template: type: string + minLength: 9 + maxLength: 1024 + example: idpuser.subjectNameId PolicyUserStatus: type: string enum: @@ -42604,6 +58696,89 @@ components: - OPTIONAL - REQUIRED default: OPTIONAL + PostAuthKeepMeSignedInPrompt: + type: object + properties: + acceptButtonText: + type: string + description: The label on the accept button when prompting for Stay signed in + rejectButtonText: + type: string + description: The label on the reject button when prompting for Stay signed in + subtitle: + type: string + description: The subtitle on the Sign-In Widget when prompting for Stay signed in + title: + type: string + description: The title on the Sign-In Widget when prompting for Stay signed in + PostAuthSessionFailureActionsObject: + type: object + properties: + action: + type: string + enum: + - RUN_WORKFLOW + - TERMINATE_SESSION + discriminator: + propertyName: action + mapping: + RUN_WORKFLOW: '#/components/schemas/PostAuthSessionPolicyRuleRunWorkflow' + TERMINATE_SESSION: '#/components/schemas/PostAuthSessionPolicyRuleTerminateSession' + PostAuthSessionPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported for this policy type. + default: null + nullable: true + PostAuthSessionPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + type: object + description: The action to take in response to a failure of the reevaluated global session policy or authentication polices. + properties: + postAuthSession: + type: object + description: This object contains a `failureActions` array that defines the specific action to take when post auth session evaluation detects a failure. + properties: + failureActions: + type: array + description: An array of objects that define the action. It can be empty or contain two `action` value pairs. + items: + $ref: '#/components/schemas/PostAuthSessionFailureActionsObject' + conditions: + type: object + properties: + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + PostAuthSessionPolicyRuleRunWorkflow: + type: object + properties: + action: + type: string + enum: + - RUN_WORKFLOW + workflow: + type: object + description: This action runs a workflow + properties: + id: + type: integer + description: The `id` of the workflow that runs. + PostAuthSessionPolicyRuleTerminateSession: + type: object + properties: + action: + type: string + description: The action to take when post auth session evaluation detects a failure. + enum: + - TERMINATE_SESSION PreRegistrationInlineHook: type: object properties: @@ -42651,6 +58826,243 @@ components: type: string enum: - SSWS_TOKEN + PrivilegedAccount: + type: object + properties: + accountType: + $ref: '#/components/schemas/PrivilegedAccountType' + created: + type: string + format: date-time + description: Timestamp when the Privileged Account was created + readOnly: true + description: + description: The description of the Privileged Account + format: regex + maxLength: 255 + minLength: 0 + type: string + example: This is for accessing AWS Prod-5 + id: + description: The UUID of the Privileged Account + format: regex + pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ + readOnly: true + type: string + example: a747a818-a4c4-4446-8a87-704216495a08 + lastUpdated: + type: string + format: date-time + description: Timestamp when the Privileged Account was last updated + readOnly: true + name: + description: The human-readable name for the Privileged Account + format: regex + maxLength: 50 + minLength: 1 + pattern: ^[\w\-_. ]+$ + type: string + example: AWS Prod-5 account + ownerGroupIds: + description: A list of IDs of the Okta groups that own the Privileged Account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + description: A list of IDs of the Okta users that own the Privileged Account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00u11s48P9zGW8yqm0g5 + status: + $ref: '#/components/schemas/PrivilegedAccountStatus' + statusDetail: + $ref: '#/components/schemas/PrivilegedAccountStatusDetail' + required: + - name + - accountType + discriminator: + propertyName: accountType + mapping: + APP_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsAppAccount' + OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccount' + PrivilegedAccountCredentials: + description: Credentials for a Privileged Account + type: object + properties: + password: + type: string + writeOnly: true + description: The password associated with the Privileged Account + format: password + username: + type: string + description: The username associated with the Privileged Account + minLength: 1 + maxLength: 100 + example: testuser@example.com + required: + - username + PrivilegedAccountDetailsAppAccount: + description: Details for a SaaS Application Account, which will be managed as a Privileged Account + allOf: + - $ref: '#/components/schemas/PrivilegedAccount' + - type: object + properties: + details: + $ref: '#/components/schemas/PrivilegedAccountDetailsAppAccountSub' + required: + - details + PrivilegedAccountDetailsAppAccountSub: + description: Details for a SaaS Application Account, which will be managed as a Privileged Account + type: object + properties: + appGlobalName: + description: The name of the SaaS Application in the Okta Integration Network catalog + type: string + example: Salesforce + appInstanceName: + description: The instance name of the SaaS Application + type: string + example: Salesforce Prod + credentials: + $ref: '#/components/schemas/PrivilegedAccountCredentials' + oktaApplicationId: + description: The Okta app instance ID of the SaaS Application + type: string + example: aln1aqcs055ZRoizW0g8 + required: + - oktaApplicationId + - credentials + PrivilegedAccountDetailsOktaUserAccount: + description: Details for managing an Okta Universal Directory Account as a Privileged Account + allOf: + - $ref: '#/components/schemas/PrivilegedAccount' + - type: object + properties: + details: + $ref: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccountSub' + required: + - details + PrivilegedAccountDetailsOktaUserAccountSub: + description: Details for managing an Okta Universal Directory Account as a Privileged Account + type: object + properties: + credentials: + $ref: '#/components/schemas/PrivilegedAccountCredentials' + email: + description: The email address for the Okta Universal Directory Account + type: string + example: foo@bar.com + minLength: 5 + maxLength: 100 + oktaUserId: + description: An optional Okta user ID. If supplied, converts the matching Okta Universal Directory Account to a Privileged Account and updates the account with the provided details. + type: string + example: 00u11s48P9zGW8yqm0g5 + required: + - email + - credentials + PrivilegedAccountForUpdate: + type: object + properties: + description: + description: The description of the Privileged Account + format: regex + maxLength: 255 + minLength: 0 + type: string + example: This is for accessing AWS Prod-5 + email: + description: The email address for the Okta Universal Directory Account + type: string + example: foo@bar.com + minLength: 5 + maxLength: 100 + name: + description: The human-readable name for the Privileged Account + format: regex + maxLength: 50 + minLength: 1 + pattern: ^[\w\-_. ]+$ + type: string + example: AWS Prod-5 account + ownerGroupIds: + description: A list of IDs of the Okta groups who own the Privileged Account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + description: A list of IDs of the Okta users who own the Privileged Account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00u11s48P9zGW8yqm0g5 + username: + type: string + description: The username associated with the Privileged Account + minLength: 1 + maxLength: 100 + example: testuser@example.com + PrivilegedAccountStatus: + description: Describes the current status of a Privileged Account + type: string + enum: + - ALERT + - ERROR + - INFO + - NO_ISSUES + - UNSECURED + x-enumDescriptions: + NO_ISSUES: The Account is ready for use in Okta Privileged Access + UNSECURED: The Account needs to be assigned to a Resource Group and a Project in Okta Privileged Access + INFO: An action involving the Account is currently in progress in Okta Privileged Access + ALERT: The Account requires attention from an Administrator + ERROR: An error is preventing the Account from being used in Okta Privileged Access + PrivilegedAccountStatusDetail: + description: Describes the detailed status of a Privileged Account + type: string + enum: + - CREATION_FAILED + - MISSING_PASSWORD + - PENDING + - ROTATED + - ROTATING + - ROTATION_FAILED + - STAGED + - VAULTED + x-enumDescriptions: + PENDING: The Account is in the process of being created + CREATION_FAILED: The Account could not be created + STAGED: The Account is in the Okta Privileged Access resource assignment area + ROTATING: The Account is assigned to a Project in Okta Privileged Access. Credentials are currently being synced using Okta Lifecycle Management. + ROTATED: The Account is assigned to a Project in Okta Privileged Access. Password rotations are fulfilled by Okta Lifecycle Management. + ROTATION_FAILED: The Account is assigned to a Project in Okta Privileged Access. An error occurred while using Okta Lifecycle Management to rotate the password. + VAULTED: The Account is assigned to a Project in Okta Privileged Access. A manually managed password is assigned to the Account. + MISSING_PASSWORD: The Account is assigned to a Project in Okta Privileged Access. A password is not assigned to the Account. + PrivilegedAccountType: + description: The type of Privileged Account + type: string + enum: + - APP_ACCOUNT + - OKTA_USER_ACCOUNT + x-enumDescriptions: + APP_ACCOUNT: SaaS Application Account + OKTA_USER_ACCOUNT: Okta Universal Directory Account PrivilegedResource: default: resourceType: OKTA_USER_ACCOUNT @@ -42661,26 +59073,33 @@ components: description: Timestamp when the object was created format: date-time readOnly: true - credentialChanged: - type: string - description: Timestamp when the credential was changed - format: date-time + example: '2024-06-10T11:11:01.000Z' + credentialSyncInfo: + $ref: '#/components/schemas/CredentialSyncInfo' readOnly: true - credentialSyncState: - $ref: '#/components/schemas/CredentialSyncState' + example: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:13:01.000Z' + syncState: NOT_SYNCED + errorCode: UNKNOWN_ERROR + errorReason: Unknown error id: type: string description: ID of the privileged resource readOnly: true + example: opa100xTfFs4MasRf0g4 lastUpdated: type: string description: Timestamp when the object was last updated format: date-time readOnly: true + example: '2024-06-10T11:13:01.000Z' resourceType: $ref: '#/components/schemas/PrivilegedResourceType' + example: APP_ACCOUNT status: $ref: '#/components/schemas/PrivilegedResourceStatus' + example: ACTIVE discriminator: propertyName: resourceType mapping: @@ -42697,7 +59116,6 @@ components: - $ref: '#/components/schemas/PrivilegedResource' required: - containerId - - credentials PrivilegedResourceAccountOkta: allOf: - type: object @@ -42705,12 +59123,13 @@ components: resourceId: type: string description: The user ID associated with the Okta privileged resource + example: 00u100xTfFs4MasRf0g4 credentials: $ref: '#/components/schemas/PrivilegedResourceCredentials' profile: $ref: '#/components/schemas/profile' - required: - - resourceId + example: + email: testuser@example.com - $ref: '#/components/schemas/PrivilegedResource' PrivilegedResourceCredentials: description: Credentials for the privileged account @@ -42721,19 +59140,24 @@ components: description: The password associated with the privileged resource format: password writeOnly: true + example: xf1bs9am2 userName: type: string description: The username associated with the privileged resource minLength: 1 maxLength: 100 example: testuser@example.com + required: + - userName PrivilegedResourceStatus: description: Current status of the privileged resource type: string enum: - ACTIVE - CREATED + - CREATION_FAILED - INACTIVE + - PENDING x-enumDescriptions: CREATED: The privileged resource is created but not yet managed by OPA ACTIVE: The privileged resource is currently managed by OPA @@ -42745,13 +59169,30 @@ components: enum: - APP_ACCOUNT - OKTA_USER_ACCOUNT + PrivilegedResourceUpdateRequest: + description: Update request for a privileged resource + type: object + properties: + profile: + $ref: '#/components/schemas/profile' + example: + email: testuser@example.com + userName: + type: string + description: The username associated with the privileged resource + minLength: 1 + maxLength: 100 + example: testuser@example.com ProfileEnrollmentPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + type: string + description: Policy conditions aren't supported for this policy type + default: null + nullable: true ProfileEnrollmentPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' @@ -42760,36 +59201,63 @@ components: actions: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActions' conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + type: string + description: Policy Rule conditions aren't supported for this policy type + default: null + nullable: true ProfileEnrollmentPolicyRuleAction: type: object properties: access: type: string + enum: + - ALLOW + - DENY + description: '**Note:** The Profile Enrollment Action object can''t be modified to set the `access` property to `DENY` after the policy is created.' activationRequirements: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActivationRequirement' + allowedIdentifiers: + items: + type: string + type: array + description: <x-lifecycle class="ea"></x-lifecycle> A list of attributes to identify an end user. Can be used across Okta sign-in, unlock, and recovery flows. + default: + - login + enrollAuthenticatorTypes: + items: + type: string + type: array + description: Additional authenticator fields that can be used on the first page of user registration. Valid values only includes `'password'`. preRegistrationInlineHooks: items: $ref: '#/components/schemas/PreRegistrationInlineHook' type: array + description: (Optional) The `id` of at most one registration inline hook profileAttributes: items: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute' type: array + description: A list of attributes to prompt the user during registration or progressive profiling. Where defined on the User schema, these attributes are persisted in the User profile. Non-schema attributes can also be added, which aren't persisted to the User's profile, but are included in requests to the registration inline hook. A maximum of 10 Profile properties is supported. progressiveProfilingAction: type: string enum: - ENABLED - DISABLED + description: Progressive profile enrollment helps evaluate the profile enrollment policy at every user login. Users can be prompted to provide input for newly required attributes. targetGroupIds: items: type: string type: array + description: (Optional, max 1 entry) The `id` of a Group that this User should be added to + uiSchemaId: + type: string + description: Value created by the backend. If present, all policy updates must include this attribute/value. unknownUserAction: type: string enum: - DENY - REGISTER + description: Which action should be taken if this User is new ProfileEnrollmentPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' @@ -42798,6 +59266,7 @@ components: profileEnrollment: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleAction' ProfileEnrollmentPolicyRuleActivationRequirement: + description: Contains a single Boolean property that indicates whether `emailVerification` should occur (`true`) or not (`false`, default) type: object properties: emailVerification: @@ -42807,10 +59276,14 @@ components: properties: label: type: string + description: A display-friendly label for this property name: type: string + description: The name of a User Profile property. Can be an existing property. required: type: boolean + description: (Optional, default `FALSE`) Indicates if this property is required for enrollment + default: false ProfileMapping: description: |- The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). @@ -42908,10 +59381,10 @@ components: $ref: '#/components/schemas/SourceLinks' ProfileSettingObject: description: | - This setting determines whether a user in the application gets updated when they're updated in Okta. + This setting determines whether a user in the app gets updated when they're updated in Okta. - If enabled, Okta updates a user's attributes in the application when the application is assigned. - Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the application. + If enabled, Okta updates a user's attributes in the app when the app is assigned. + Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the app. type: object properties: status: @@ -42940,6 +59413,110 @@ components: $ref: '#/components/schemas/ProtocolSettings' type: $ref: '#/components/schemas/ProtocolType' + ProtocolAlgorithmRequestScope: + description: Specifies whether to digitally sign authorization requests to the IdP + example: REQUEST + type: string + enum: + - NONE + - REQUEST + ProtocolAlgorithmResponseScope: + description: Specifies whether to verify responses from the IdP + example: ANY + type: string + enum: + - ANY + - RESPONSE + - TOKEN + ProtocolCredentialsKeyId: + description: IdP Key Credential reference to the Okta X.509 signature certificate + example: your-key-id + type: string + ProtocolEndpointBinding: + type: string + enum: + - HTTP-POST + - HTTP-REDIRECT + ProtocolMtls: + title: Mutual TLS Protocol + description: Protocol settings for the [MTLS Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4) + type: object + properties: + credentials: + $ref: '#/components/schemas/MtlsCredentials' + endpoints: + $ref: '#/components/schemas/MtlsEndpoints' + type: + type: string + description: Mutual TLS + enum: + - MTLS + ProtocolOAuth: + title: OAuth 2.0 Protocol + description: Protocol settings for authentication using the [OAuth 2.0 Authorization Code flow](https://tools.ietf.org/html/rfc6749#section-4.1) + type: object + properties: + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + type: array + description: |- + IdP-defined permission bundles to request delegated access from the User + > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. + items: + type: string + example: public_profile + type: + type: string + description: OAuth 2.0 Authorization Code flow + enum: + - OAUTH2 + ProtocolOidc: + title: OpenID Connect Protocol + description: Protocol settings for authentication using the [OpenID Connect Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) + type: object + properties: + algorithms: + $ref: '#/components/schemas/OidcAlgorithms' + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + type: array + description: |- + OpenID Connect and IdP-defined permission bundles to request delegated access from the User + > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. + items: + type: string + example: openid + type: + type: string + description: OpenID Connect Authorization Code flow + enum: + - OIDC + ProtocolSaml: + title: SAML 2.0 Protocol + description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) + type: object + properties: + algorithms: + $ref: '#/components/schemas/SamlAlgorithms' + credentials: + $ref: '#/components/schemas/SamlCredentials' + endpoints: + $ref: '#/components/schemas/SamlEndpoints' + relayState: + $ref: '#/components/schemas/SamlRelayState' + settings: + $ref: '#/components/schemas/SamlSettings' + type: + type: string + description: SAML 2.0 protocol + enum: + - SAML2 ProtocolAlgorithmType: type: object properties: @@ -42978,11 +59555,6 @@ components: $ref: '#/components/schemas/ProtocolEndpointType' url: type: string - ProtocolEndpointBinding: - type: string - enum: - - HTTP-POST - - HTTP-REDIRECT ProtocolEndpointType: type: string enum: @@ -43035,6 +59607,7 @@ components: - APNS - FCM Provisioning: + description: Specifies the behavior for just-in-time (JIT) provisioning of an IdP User as a new Okta User and their Group memberships type: object properties: action: @@ -43045,13 +59618,22 @@ components: $ref: '#/components/schemas/ProvisioningGroups' profileMaster: type: boolean + description: Determines if the IdP should act as a source of truth for User profile attributes ProvisioningAction: + description: |- + Specifies the User provisioning action during authentication when an IdP User isn't linked to an existing Okta User. + * To successfully provision a new Okta User, you must enable just-in-time (JIT) provisioning in your org security settings. + * If the target username isn't unique or the resulting Okta User profile is missing a required profile attribute, JIT provisioning may fail. + * New Okta Users are provisioned with either a `FEDERATION` or `SOCIAL` authentication provider depending on the IdP type. type: string enum: - AUTO - - CALLOUT - DISABLED + x-enumDescriptions: + AUTO: The IdP User profile is transformed through defined universal directory profile mappings to an Okta User profile and automatically provisioned as an Okta User. + DISABLED: Okta rejects the authentication request and skips provisioning of a new Okta User if the IdP User isn't linked to an existing Okta User. ProvisioningConditions: + description: Conditional behaviors for an IdP User during authentication type: object properties: deprovisioned: @@ -43179,32 +59761,55 @@ components: required: - authScheme ProvisioningDeprovisionedAction: + description: Specifies the action during authentication when an IdP User is linked to a previously deprovisioned Okta User type: string enum: - NONE - REACTIVATE + x-enumDescriptions: + NONE: Take no action. If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, authentication fails. + REACTIVATE: If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, reactivate the matching User in Okta and allow the authentication attempt to proceed. ProvisioningDeprovisionedCondition: - description: Not supported with OIDC IdPs + description: Behavior for a previously deprovisioned IdP User during authentication. Not supported with OIDC IdPs. type: object properties: action: $ref: '#/components/schemas/ProvisioningDeprovisionedAction' ProvisioningGroups: + description: Provisioning settings for a User's Group memberships type: object properties: action: $ref: '#/components/schemas/ProvisioningGroupsAction' assignments: type: array + description: List of `OKTA_GROUP` Group identifiers to add an IdP User as a member with the `ASSIGN` action items: type: string + example: 00gak46y5hydV6NdM0g4 filter: type: array + description: Allowlist of `OKTA_GROUP` Group identifiers for the `APPEND` or `SYNC` provisioning action items: type: string + example: 00gak46y5hydV6NdM0g4 sourceAttributeName: type: string + description: IdP User profile attribute name (case-insensitive) for an array value that contains Group memberships + maxLength: 1024 + example: Groups ProvisioningGroupsAction: + description: |- + Provisioning action for the IdP User's Group memberships + + | Enum | Description | Existing OKTA_GROUP Memberships | Existing APP_GROUP Memberships | Existing BUILT_IN Memberships | + | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------ | ----------------------------- | + | `APPEND` | Adds a User to any Group defined by the IdP as a value of the `sourceAttributeName` array that matches the name of the allow listed Group defined in the `filter` | Unchanged | Unchanged | Unchanged | + | `ASSIGN` | Assigns a User to Groups defined in the `assignments` array | Unchanged | Unchanged | Unchanged | + | `NONE` | Skips processing of Group memberships | Unchanged | Unchanged | Unchanged | + | `SYNC` | Group memberships are sourced by the IdP as a value of the `sourceAttributeName` array that matches the name of the Group defined in the `filter` | Removed if not defined by the IdP in `sourceAttributeName` and matching name of the Group in `filter` | Unchanged | Unchanged | + + > **Note:** Group provisioning action is processed independently from profile sourcing. You can sync Group memberships through SAML with profile sourcing disabled. type: string enum: - APPEND @@ -43212,12 +59817,16 @@ components: - NONE - SYNC ProvisioningSuspendedAction: + description: Specifies the action during authentication when an IdP User is linked to a previously suspended Okta User type: string enum: - NONE - UNSUSPEND + x-enumDescriptions: + NONE: Take no action. If an IdP User that matches a previously suspended Okta User attempts to authenticate, authentication fails. + UNSUSPEND: If an IdP User that matches a previously suspended Okta User attempts to authenticate, unsuspend the matching User in Okta and allow the authentication attempt to proceed. ProvisioningSuspendedCondition: - description: Not supported with OIDC IdPs + description: Behavior for a previously suspended IdP User during authentication. Not supported with OIDC IdPs. type: object properties: action: @@ -43356,21 +59965,214 @@ components: - name RecoveryQuestionCredential: description: |- - Specifies a secret question and answer that's validated (case insensitive) when a user forgets their + Specifies a secret question and answer that's validated (case insensitive) when a User forgets their password or unlocks their account. The answer property is write-only. type: object properties: answer: type: string - description: The recovery question answer + description: The answer to the recovery question minimum: 1 maximum: 100 writeOnly: true + example: se7en question: type: string description: The recovery question minimum: 1 maximum: 100 + example: what is your favourite movie? + RefreshToken: + description: The refresh token + type: object + properties: + jti: + description: The refresh token ID + type: string + RegistrationInlineHook: + allOf: + - $ref: '#/components/schemas/InlineHook' + - type: object + RegistrationInlineHookCommand: + type: object + properties: + type: + type: string + enum: + - com.okta.user.profile.update + - com.okta.action.update + - com.okta.user.progressive.profile.update + RegistrationInlineHookPPData: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - type: object + properties: + data: + type: object + properties: + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + user: + type: object + properties: + passwordChanged: + type: string + format: date-time + description: The last time the user's password was updated + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled. + type: object + properties: + groups: + description: URL to retrieve the individual user's group memberships + allOf: + - $ref: '#/components/schemas/HrefObject' + factors: + description: URL to retrieve individual user's factor enrollments + allOf: + - $ref: '#/components/schemas/HrefObject' + profile: + additionalProperties: true + type: object + description: The user to update's current attributes + id: + type: string + action: + description: The default action the system takes. Set to `ALLOW`. `DENY` is never sent to your external service + type: string + userProfileUpdate: + additionalProperties: true + type: object + description: Name-value pairs for each new attribute supplied by the user in the Progressive Profile form + RegistrationInlineHookRequest: + type: object + properties: + eventType: + type: string + description: The type of inline hook. The registration inline hook type is `com.okta.user.pre-registration`. + requestType: + $ref: '#/components/schemas/RegistrationInlineHookRequestType' + discriminator: + propertyName: requestType + mapping: + self.service.registration: '#/components/schemas/RegistrationInlineHookSSRData' + progressive.profile: '#/components/schemas/RegistrationInlineHookPPData' + RegistrationInlineHookRequestType: + description: The type of registration hook. Use either `self.service.registration` or `progressive.profile`. + type: string + enum: + - progressive.profile + - self.service.registration + RegistrationInlineHookResponse: + type: object + properties: + commands: + type: array + RegistrationInlineHookSSRData: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - type: object + properties: + data: + type: object + properties: + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + action: + description: The default action the system will take. Will be `ALLOW`. `DENY` will never be sent to your external service. + type: string + userProfile: + additionalProperties: true + type: object + description: The name-value pairs for each registration-related attribute supplied by the user in the Profile Enrollment form. + RegistrationResponse: + type: object + properties: + commands: + description: |- + The `commands` object lets you invoke commands to modify or add values to the attributes in the Okta user profile that are created for this user. The object also lets you control whether or not the registration attempt is allowed to proceed. + + This object is an array, allowing you to send multiple commands in your response. Each array element requires a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you wish to execute, and `value` is where you supply parameters for that command. + + The registration inline hook supports these three commands: + * `com.okta.user.profile.update`: Change attribute values in the user's Okta user profile. For SSR only. Invalid if used with a Progressive Profile response. + * `com.okta.action.update`: Allow or deny the user's registration. + * `com.okta.user.progressive.profile.update`: Change attribute values in the user's Okta Progressive Profile. + type: array + items: + type: object + properties: + type: + description: |- + The location where you specify the command. To set attributes in the user's Okta profile, supply a `type` property set to `com.okta.user.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Okta user profile attributes you want to set. The attributes must already exist in your user profile schema. + + To explicitly allow or deny registration to the user, supply a type property set to `com.okta.action.update`, together with a value property set to `{"registration": "ALLOW"}` or `{"registration": "DENY"}`. The default is to allow registration. + + In Okta Identity Engine, to set attributes in the user's profile, supply a `type` property set to `com.okta.user.progressive.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Progressive Enrollment attributes that you want to set. See [Registration inline hook - Send response](https://developer.okta.com/docs/guides/registration-inline-hook/nodejs/main/#send-response). + + Commands are applied in the order that they appear in the array. Within a single `com.okta.user.profile.update` or `com.okta.user.progressive.profile.update command`, attributes are updated in the order that they appear in the `value` object. + + You can never use a command to update the user's password, but you are allowed to set the values of attributes other than password that are designated sensitive in your Okta user schema. However, the values of those sensitive attributes, if included as fields in the Profile Enrollment form, aren't included in the `data.userProfile` object sent to your external service by Okta. See [data.userProfile](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook!path=0/data/userProfile&t=request). + type: string + value: + additionalProperties: true + description: |- + The `value` object is the parameter to pass to the command. + + For `com.okta.user.profile.update` commands, `value` should be an object containing one or more name-value pairs for the attributes you wish to update. + + For `com.okta.action.update` commands, the value should be an object containing the attribute `action` set to a value of either `ALLOW` or `DENY`, indicating whether the registration should be permitted or not. + + Registrations are allowed by default, so setting a value of `ALLOW` for the action field is valid but superfluous. + type: object + Error: + description: |- + For the registration inline hook, the `error` object provides a way of displaying an error message to the end user who is trying to register or update their profile. + + * If you're using the Okta Sign-In Widget for Profile Enrollment, only the `errorSummary` messages of the `errorCauses` objects that your external service returns appear as inline errors, given the following: + * You don't customize the error handling behavior of the widget. + * The `location` of `errorSummary` in the `errorCauses` object specifies the request object's user profile attribute. + * If you don't return a value for the `errorCauses` object, and deny the user's registration attempt through the `commands` object in your response to Okta, one of the following generic messages appears to the end user: + * "Registration cannot be completed at this time." (SSR) + * "We found some errors. Please review the form and make corrections." (Progressive Enrollment) + * If you don't return an `error` object at all and the registration is denied, the following generic message appears to the end user: + * "Registration denied." (SSR) + * "Profile update denied." (Progressive Enrollment) + + >**Note:** If you include an error object in your response, no commands are executed and the registration fails. This holds true even if the top-level `errorSummary` and the `errorCauses` objects are omitted. + type: object + properties: + errorSummary: + type: string + description: Human-readable summary of one or more errors + errorCauses: + type: array + items: + type: object + properties: + errorSummary: + type: string + description: Human-readable summary of the error. + reason: + type: string + description: A brief, enum-like string that indicates the nature of the error. For example, `UNIQUE_CONSTRAINT` for a property uniqueness violation. + locationType: + type: string + description: Where in the request the error was found (`body`, `header`, `url`, or `query`). + location: + description: The valid JSON path to the location of the error. For example, if there was an error in the user's `login` field, the `location` might be `data.userProfile.login`. + type: string + domain: + type: string + description: Indicates the source of the error. If the error was in the user's profile, for example, you might use `end-user`. If the error occurred in the external service, you might use `external-service`. ReleaseChannel: description: Release channel for auto-update type: string @@ -43407,6 +60209,7 @@ components: resetPasswordUrl: type: string readOnly: true + example: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO ResourceSelectorCreateRequestSchema: type: object properties: @@ -43497,7 +60300,7 @@ components: description: Description of the Resource Set id: type: string - description: Unique key for the role + description: Unique ID for the Resource Set object readOnly: true label: type: string @@ -43610,29 +60413,60 @@ components: created: type: string format: date-time - description: Timestamp when the role was created + description: Timestamp when the Resource Set Resource object was created readOnly: true - description: - type: string - description: Description of the Resource Set id: type: string - description: Unique key for the role + description: Unique ID of the Resource Set Resource object readOnly: true lastUpdated: type: string format: date-time - description: Timestamp when the role was last updated + description: Timestamp when this object was last updated readOnly: true + orn: + type: string + description: The Okta Resource Name (ORN) of the resource _links: - $ref: '#/components/schemas/LinksSelf' + description: Related discoverable resources + readOnly: true + properties: + self: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The REST API URL of the related resource + resource: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to this Resource Set Resource object (self) + groups: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: If applicable, the REST API URL of the related Groups resource + users: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: If applicable, the REST API URL of the related Users resource ResourceSetResourcePatchRequest: type: object properties: additions: type: array + description: A list of resources to add to the Resource Set items: type: string + description: Resource in ORN or REST API URL format + ResourceSetResourcePostRequest: + type: object + properties: + resourceOrnOrUrl: + type: string + description: Resource in ORN or REST API URL format + required: + - resourceOrnOrUrl + - conditions + ResourceSetResourcePutRequest: + type: object ResourceSetResources: type: object properties: @@ -43656,7 +60490,11 @@ components: _links: $ref: '#/components/schemas/LinksNext' ResponseLinks: + description: Link objects type: object + properties: + _links: + $ref: '#/components/schemas/LinksSelf' ResponseMode: type: string enum: @@ -43690,6 +60528,13 @@ components: - id_token - id_token token - token + RevokeRefreshTokenHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 RiscIdentifierChangedEvent: description: The subject's identifier has changed, which is either an email address or a phone number change type: object @@ -43703,12 +60548,28 @@ components: type: string description: The new identifier value example: new.email@okta.example.com - subjects: - type: object + subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - - subjects + - subject + RiskDetectionTypesPolicyRuleCondition: + description: <x-lifecycle class="oie"></x-lifecycle> An object that references detected risk events. This object can have an `include` parameter or an `exclude` parameter, but not both. + type: object + properties: + exclude: + type: array + description: An array of detected risk events to exclude in the entity policy rule + items: + $ref: '#/components/schemas/DetectedRiskEvents' + include: + type: array + description: An array of detected risk events to include in the entity policy rule + items: + $ref: '#/components/schemas/DetectedRiskEvents' + required: + - exclude + - include RiskEvent: type: object properties: @@ -43810,10 +60671,19 @@ components: none: No action enforce_and_log: Use risk event information to evaluate risks during authentication attempts and include risk event information in the System Log RiskScorePolicyRuleCondition: + description: Specifies a particular level of risk to match on type: object properties: level: type: string + description: The level to match + enum: + - ANY + - LOW + - MEDIUM + - HIGH + required: + - level Role: type: object properties: @@ -43853,9 +60723,11 @@ components: id: type: string readOnly: true + description: The ID of the User orn: type: string readOnly: true + description: ORN representing the assignee _links: $ref: '#/components/schemas/LinksSelfAndRoles' RoleAssignedUsers: @@ -43866,12 +60738,77 @@ components: items: $ref: '#/components/schemas/RoleAssignedUser' _links: - $ref: '#/components/schemas/LinksNext' + $ref: '#/components/schemas/LinksNextForRoleAssignments' RoleAssignmentType: + description: Role assignment type type: string enum: + - CLIENT - GROUP - USER + x-enumDescriptions: + USER: The Role is assigned to a User + GROUP: The Role is assigned to a Group + CLIENT: The Role is assigned to a Client Application + RoleGovernance: + description: List of all User Role Governance Sources + type: object + properties: + grants: + type: array + items: + $ref: '#/components/schemas/RoleGovernanceSource' + _links: + $ref: '#/components/schemas/LinksGovernanceSources' + RoleGovernanceResource: + description: The resource of a grant + type: object + properties: + label: + type: string + description: The resource name + resource: + type: string + description: The resources id + RoleGovernanceResources: + description: The resources of a grant + type: object + properties: + resources: + type: array + items: + $ref: '#/components/schemas/RoleGovernanceResource' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + RoleGovernanceSource: + description: User Role Governance Source + type: object + properties: + bundleId: + type: string + readOnly: true + description: '`id` of the entitlement bundle' + expirationDate: + type: string + format: date-time + readOnly: true + description: The expiration date of the entitlement bundle + grantId: + type: string + readOnly: true + description: '`id` of the grant' + type: + $ref: '#/components/schemas/GovernanceSourceType' + _links: + allOf: + - $ref: '#/components/schemas/LinksGovernanceResources' + - $ref: '#/components/schemas/LinksSelf' + required: + - type + - grantId + - resources RolePermissionType: description: Permission type type: string @@ -43902,6 +60839,7 @@ components: - okta.identityProviders.manage - okta.identityProviders.read - okta.profilesources.import.run + - okta.support.cases.manage - okta.users.appAssignment.manage - okta.users.create - okta.users.credentials.expirePassword @@ -43924,6 +60862,8 @@ components: description: Standard role type type: string enum: + - ACCESS_CERTIFICATIONS_ADMIN + - ACCESS_REQUESTS_ADMIN - API_ACCESS_MANAGEMENT_ADMIN - API_ADMIN - APP_ADMIN @@ -43949,6 +60889,229 @@ components: REPORT_ADMIN: Report Administrator SUPER_ADMIN: Super Administrator USER_ADMIN: Group Administrator + ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined Resource Sets) + ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined Resource Sets) <x-lifecycle class="ea"></x-lifecycle> + RotatePasswordRequest: + description: Rotate password request for the privileged account + type: object + properties: + password: + type: string + description: The password associated with the privileged resource + format: password + writeOnly: true + example: xf1bs9am2 + secretVersionId: + type: string + description: The version ID of the password secret from the OPA vault + minLength: 1 + maxLength: 36 + example: 9f8400-e29b-41d4-a716-926655440034 + required: + - password + - secretVersionId + SAMLHookResponse: + type: object + properties: + commands: + description: |- + The `commands` object is where you tell Okta to add additional claims to the assertion or to modify the existing assertion statements. + + `commands` is an array, allowing you to send multiple commands. In each array element, include a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command. + In the case of the SAML assertion inline hook, the `value` property is itself a nested object, in which you specify a particular operation, a path to act on, and a value. + type: array + items: + type: object + properties: + type: + type: string + description: One of the supported commands `com.okta.assertion.patch` + value: + type: array + items: + type: object + properties: + op: + type: string + description: |- + The name of one of the supported ops: + `add`: Add a new claim to the assertion + `replace`: Modify any element of the assertion + > **Note:** If a response to the SAML assertion inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta process flow continues with the original SAML assertion returned. + path: + type: string + description: Location, within the assertion, to apply the operation + value: + oneOf: + - type: string + - type: integer + - type: object + description: |- + The value of the claim that you add or replace, and can also include other attributes. If adding to a claim, add another `value` attribute residing within an array called `attributeValues`. + + See the following examples: + + #### Simple value (integer or string) + + `"value": 300` or `"value": "replacementString"` + + #### Attribute value (object) + + ` "value": { + "authContextClassRef": "replacementValue" + }` + + #### AttributeValues array value (object) + + ` "value": { + "attributes": { + "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" + }, + "attributeValues": [ + {"attributes": { + "xsi:type": "xs:string" + }, + "value": "4321"} + ] + }` + error: + description: |- + An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log. + The string supplied in the `errorSummary` property is recorded in the System Log event. + > **Note:** If the error object doesn't include the defined `errorSummary` property, the following common default message + is returned to the end user: `The callback service returned an error`. + + > **Note:** If a response to a SAML inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta SAML inline hook process continues, and the user is created. + type: object + properties: + errorSummary: + description: A human-readable summary of the error + type: string + SAMLPayLoad: + type: object + properties: + data: + type: object + properties: + context: + allOf: + - $ref: '#/components/schemas/BaseContext' + - type: object + properties: + protocol: + description: Details of the assertion protocol being used + type: object + properties: + type: + description: The type of authentication protocol being used for the assertion + type: string + example: SAML2.0 + issuer: + type: object + properties: + id: + description: The unique identifier of the issuer that provided the SAML assertion + type: string + example: 0oath92zlO60urQOP0g3 + name: + description: The name of the issuer that provided the SAML assertion + type: string + example: SAML 2.0 App + uri: + description: The base URI of the SAML endpoint that's used to assert the authorization + type: string + example: http://www.okta.com/exkth8lMzFm0HZOTU0g3 + assertion: + description: Details of the SAML assertion that was generated + type: object + properties: + subject: + description: Provides a JSON representation of the `<saml:Subject>` element of the SAML assertion + type: object + properties: + nameId: + description: The unique identifier of the user + type: string + example: user@example.com + nameFormat: + description: Indicates how to interpret the attribute name + type: string + example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + confirmation: + type: object + properties: + method: + description: Used to indicate how the authorization server confirmed the SAML assertion + type: string + example: urn:oasis:names:tc:SAML:2.0:cm:bearer + data: + type: object + properties: + recipient: + description: The token endpoint URL of the authorization server + type: string + example: http://www.example.com:7070/saml/sso + authentication: + description: Provides a JSON representation of the `<saml:AuthnStatement>` element of the SAML assertion + type: object + properties: + sessionIndex: + description: The unique identifier describing the assertion statement + type: string + example: id1553800523546.312669168 + authnContext: + description: Details of the authentication methods used for the SAML assertion + type: object + properties: + authnContextClassRef: + description: Describes the identity provider's supported authentication context classes + type: string + example: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + conditions: + description: Provides a JSON representation of the `<saml:Conditions>` element of the SAML assertion + type: object + properties: + audienceRestriction: + description: Describes which service providers the assertion is valid for + type: array + items: + type: string + example: + - urn:example:sp + claims: + description: Provides a JSON representation of the `<saml:AttributeStatement>` element contained in the generated SAML assertion. Contains any optional SAML attribute statements that you have defined for the app using the Admin Console's **SAML Settings**. + type: object + additionalProperties: + type: object + properties: + attributes: + type: object + properties: + NameFormat: + type: string + description: Indicates how to interpret the attribute name + attributeValues: + type: array + items: + type: object + properties: + attributes: + type: object + properties: + xsi:type: + type: string + description: Used to derive the type of the attribute + value: + type: string + description: The actual value of the attribute + lifetime: + description: Specifies the expiration time, in seconds, of the SAML assertion + type: object + properties: + expiration: + description: The expiration time in seconds + type: integer + example: 300 SafeBrowsingProtectionLevel: description: Represents the current value of the Safe Browsing protection level example: ENHANCED_PROTECTION @@ -44062,6 +61225,22 @@ components: maxLength: 1024 description: Assertion Consumer Service (ACS) URL example: https://${org.subdomain}.example.com/saml/login + claims: + type: array + description: Attribute statements to appear in the Okta SAML assertion + items: + type: object + properties: + name: + type: string + description: The attribute name + example: Address + values: + type: array + description: The Okta values inserted in the attribute statement + items: + type: string + example: ${user.homeAddress} doc: type: string format: uri @@ -44071,6 +61250,13 @@ components: type: string description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP) URL. example: https://${org.subdomain}.example.com + groups: + type: array + description: Defines the group attribute names for the SAML assertion statement. Okta inserts the list of Okta user groups into the attribute names in the statement. + items: + type: string + description: A group attribute name in your SAML app + example: groups required: - acs - entityId @@ -44096,8 +61282,7 @@ components: properties: app: type: object - additionalProperties: - type: string + additionalProperties: true signOn: $ref: '#/components/schemas/Saml11ApplicationSettingsSignOn' Saml11ApplicationSettingsSignOn: @@ -44117,6 +61302,22 @@ components: ssoAcsUrlOverride: type: string description: Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests. + SamlAcsEndpoint: + description: Okta's `SPSSODescriptor` endpoint where the IdP sends a `<SAMLResponse>` message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + type: + $ref: '#/components/schemas/SamlEndpointType' + SamlAlgorithms: + description: Settings for signing and verifying SAML messages + type: object + properties: + request: + $ref: '#/components/schemas/SamlRequestAlgorithm' + response: + $ref: '#/components/schemas/SamlResponseAlgorithm' SamlApplication: allOf: - $ref: '#/components/schemas/Application' @@ -44127,6 +61328,7 @@ components: name: type: string description: A unique key is generated for the custom app instance when you use SAML_2_0 `signOnMode`. + readOnly: true settings: $ref: '#/components/schemas/SamlApplicationSettings' SamlApplicationSettings: @@ -44134,46 +61336,52 @@ components: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: - app: - $ref: '#/components/schemas/SamlApplicationSettingsApplication' signOn: $ref: '#/components/schemas/SamlApplicationSettingsSignOn' - SamlApplicationSettingsApplication: - type: object - properties: - acsUrl: - type: string - audRestriction: - type: string - baseUrl: - type: string SamlApplicationSettingsSignOn: description: |- - SAML sign-on attributes. - > **Note:** Only for SAML 2.0, set either `destinationOverride` or `ssoAcsUrl` to configure any other SAML 2.0 attributes in this section. + SAML 2.0 sign-on attributes. + > **Note:** Set either `destinationOverride` or `ssoAcsUrl` to configure any other SAML 2.0 attributes in this section. type: object properties: acsEndpoints: type: array + description: An array of ACS endpoints. You can configure a maximum of 100 endpoints. items: $ref: '#/components/schemas/AcsEndpoint' allowMultipleAcsEndpoints: + description: Determines whether the app allows you to configure multiple ACS URIs type: boolean assertionSigned: type: boolean + description: Determines whether the SAML assertion is digitally signed attributeStatements: type: array + description: | + A list of custom attribute statements for the app's SAML assertion. See [SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html). + + There are two types of attribute statements: + | Type | Description | + | ---- | ----------- | + | EXPRESSION | Generic attribute statement that can be dynamic and supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/) | + | GROUP | Group attribute statement | items: $ref: '#/components/schemas/SamlAttributeStatement' audience: type: string + description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP. audienceOverride: type: string description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). authnContextClassRef: type: string + description: Identifies the SAML authentication context class for the assertion's authentication statement configuredAttributeStatements: type: array + description: | + The list of dynamic attribute statements for the SAML assertion inherited from app metadata (apps from the OIN) during app creation. + + There are two types of attribute statements: `EXPRESSION` and `GROUP`. items: $ref: '#/components/schemas/SamlAttributeStatement' defaultRelayState: @@ -44181,46 +61389,57 @@ components: description: Identifies a specific application resource in an IdP-initiated SSO scenario destination: type: string + description: Identifies the location inside the SAML assertion where the SAML response should be sent destinationOverride: type: string description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). digestAlgorithm: type: string + description: Determines the digest algorithm used to digitally sign the SAML assertion and response honorForceAuthn: type: boolean description: Set to `true` to prompt users for their credentials when a SAML request has the `ForceAuthn` attribute set to `true` idpIssuer: type: string + description: SAML Issuer ID inlineHooks: + description: Associates the app with SAML inline hooks. See [the SAML assertion inline hook reference](https://developer.okta.com/docs/reference/saml-hook/). items: $ref: '#/components/schemas/SignOnInlineHook' type: array participateSlo: $ref: '#/components/schemas/SloParticipate' recipient: + description: The location where the app may present the SAML assertion type: string recipientOverride: type: string description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). requestCompressed: type: boolean + description: Determines whether the SAML request is expected to be compressed responseSigned: type: boolean + description: |- + Determines whether the SAML authentication response message is digitally signed by the IdP + > **Note:** Either (or both) `responseSigned` or `assertionSigned` must be `TRUE`. samlAssertionLifetimeSeconds: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true type: integer - description: For SAML 2.0 only.<br>Determines the SAML app session lifetimes with Okta + description: Determines the SAML app session lifetimes with Okta example: 3600 signatureAlgorithm: type: string + description: Determines the signing algorithm used to digitally sign the SAML assertion and response slo: $ref: '#/components/schemas/SingleLogout' spCertificate: - $ref: '#/components/schemas/SpCertificate' + $ref: '#/components/schemas/SamlSpCertificate' spIssuer: type: string + description: The issuer ID for the Service Provider. This property appears when SLO is enabled. ssoAcsUrl: type: string description: Single Sign-On Assertion Consumer Service (ACS) URL @@ -44231,6 +61450,23 @@ components: type: string subjectNameIdTemplate: type: string + description: Template for app user's username when a user is assigned to the app + required: + - allowMultipleAcsEndpoints + - assertionSigned + - audience + - authnContextClassRef + - destination + - digestAlgorithm + - honorForceAuthn + - idpIssuer + - recipient + - requestCompressed + - responseSigned + - signatureAlgorithm + - ssoAcsUrl + - subjectNameIdFormat + - subjectNameIdTemplate SamlAttributeStatement: description: Define custom attribute statements for the integration. These statements are inserted into the SAML assertions shared with your app type: object @@ -44249,6 +61485,148 @@ components: type: array items: type: string + SamlCredentials: + description: Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP + type: object + properties: + signing: + $ref: '#/components/schemas/SamlSigningCredentials' + trust: + $ref: '#/components/schemas/SamlTrustCredentials' + SamlEndpointType: + description: Determines whether to publish an instance-specific (trust) or organization (shared) ACS endpoint in the SAML metadata + default: INSTANCE + type: string + enum: + - INSTANCE + - ORG + SamlEndpoints: + description: SAML 2.0 HTTP binding settings for IdP and SP (Okta) + type: object + properties: + acs: + $ref: '#/components/schemas/SamlAcsEndpoint' + sso: + $ref: '#/components/schemas/SamlSsoEndpoint' + SamlNameIdFormat: + description: SAML 2.0 Name Identifier formats + default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + type: string + enum: + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + SamlRelayState: + description: Relay state settings for IdP + type: object + properties: + format: + $ref: '#/components/schemas/SamlRelayStateFormat' + SamlRelayStateFormat: + description: The format used to generate the `relayState` in the SAML request. The `FROM_URL` format is used if this value is null. + type: string + enum: + - FROM_URL + - OPAQUE + SamlRequestAlgorithm: + description: Algorithm settings used to secure an `<AuthnRequest>` message + type: object + properties: + signature: + $ref: '#/components/schemas/SamlRequestSignatureAlgorithm' + SamlRequestSignatureAlgorithm: + description: |- + XML digital Signature Algorithm settings for signing `<AuthnRequest>` messages sent to the IdP + > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`). + type: object + properties: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + SamlResponseAlgorithm: + description: Algorithm settings for verifying `<SAMLResponse>` messages and `<Assertion>` elements from the IdP + type: object + properties: + signature: + $ref: '#/components/schemas/SamlResponseSignatureAlgorithm' + SamlResponseSignatureAlgorithm: + description: XML digital Signature Algorithm settings for verifying `<SAMLResponse>` messages and `<Assertion>` elements from the IdP + type: object + properties: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmResponseScope' + SamlSettings: + description: Advanced settings for the SAML 2.0 protocol + type: object + properties: + honorPersistentNameId: + type: boolean + description: Determines if the IdP should persist account linking when the incoming assertion NameID format is `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` + default: true + nameFormat: + $ref: '#/components/schemas/SamlNameIdFormat' + SamlSigningAlgorithm: + example: SHA-256 + type: string + enum: + - SHA-1 + - SHA-256 + SamlSigningCredentials: + description: Key used for signing requests to the IdP + type: object + properties: + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + SamlSpCertificate: + description: The certificate that Okta uses to validate Single Logout (SLO) requests and responses + type: object + properties: + x5c: + type: array + description: A list that contains exactly one x509 encoded certificate + items: + type: string + SamlSsoEndpoint: + description: IdP's `SingleSignOnService` endpoint where Okta sends an `<AuthnRequest>` message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + destination: + type: string + description: |- + URI reference that indicates the address to which the `<AuthnRequest>` message is sent. + The `destination` property is required if request signatures are specified. See [SAML 2.0 Request Algorithm object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=protocol/0/algorithms/request&t=request). + maxLength: 512 + example: https://idp.example.com/saml2/sso + url: + type: string + description: |- + URL of the binding-specific endpoint to send an `<AuthnRequest>` message to the IdP. + The value of `url` defaults to the same value as the `sso` endpoint if omitted during creation of a new IdP instance. + The `url` should be the same value as the `Location` attribute for a published binding in the IdP's SAML Metadata `IDPSSODescriptor`. + maxLength: 1014 + example: https://idp.example.com/saml2/sso + SamlTrustCredentials: + description: Federation Trust Credentials for verifying assertions from the IdP + type: object + properties: + audience: + type: string + description: URI that identifies the target Okta IdP instance (SP) for an `<Assertion>` + maxLength: 1024 + example: https://www.okta.com/saml2/service-provider/spgv32vOnpdyeGSaiUpL + issuer: + type: string + description: URI that identifies the issuer (IdP) of a `<SAMLResponse>` message `<Assertion>` element + maxLength: 1024 + example: urn:example:idp + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' ScheduledUserLifecycleAction: type: object properties: @@ -44270,8 +61648,22 @@ components: $ref: '#/components/schemas/ApplicationCredentialsSigning' userName: type: string + description: Shared username for the app + minLength: 1 + maxLength: 100 Scope: type: string + ScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scpCmCCV1DpxVkCaye2X + title: + type: string + description: Link name + example: My phone ScreenLockType: type: string enum: @@ -44309,22 +61701,35 @@ components: properties: optionalField1: type: string + description: Name of the optional parameter in the sign-in form optionalField1Value: type: string + description: Name of the optional value in the sign-in form optionalField2: type: string + description: Name of the optional parameter in the sign-in form optionalField2Value: type: string + description: Name of the optional value in the sign-in form optionalField3: type: string + description: Name of the optional parameter in the sign-in form optionalField3Value: type: string + description: Name of the optional value in the sign-in form passwordField: type: string + description: CSS selector for the **Password** field in the sign-in form url: type: string + description: The URL of the sign-in page for this app usernameField: type: string + description: CSS selector for the **Username** field in the sign-in form + required: + - passwordField + - url + - usernameField SecurityEvent: type: object properties: @@ -44333,12 +61738,11 @@ components: format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 - subjects: - type: object + subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - - subjects + - subject SecurityEventReason: type: object properties: @@ -44393,7 +61797,6 @@ components: description: Audience example: https://receiverexample.okta.com/ events: - type: object $ref: '#/components/schemas/SecurityEventTokenRequestJwtEvents' iat: type: integer @@ -44419,22 +61822,16 @@ components: type: object properties: https://schemas.okta.com/secevent/okta/event-type/device-risk-change: - type: object $ref: '#/components/schemas/OktaDeviceRiskChangeEvent' https://schemas.okta.com/secevent/okta/event-type/ip-change: - type: object $ref: '#/components/schemas/OktaIpChangeEvent' https://schemas.okta.com/secevent/okta/event-type/user-risk-change: - type: object $ref: '#/components/schemas/OktaUserRiskChangeEvent' https://schemas.openid.net/secevent/caep/event-type/device-compliance-change: - type: object $ref: '#/components/schemas/CaepDeviceComplianceChangeEvent' https://schemas.openid.net/secevent/caep/event-type/session-revoked: - type: object $ref: '#/components/schemas/CaepSessionRevokedEvent' https://schemas.openid.net/secevent/risc/event-type/identifier-changed: - type: object $ref: '#/components/schemas/RiscIdentifierChangedEvent' SecurityEventTokenRequestJwtHeader: title: Security Event Token JWT header @@ -44499,7 +61896,6 @@ components: maxLength: 100 example: Target SSF Provider settings: - type: object description: Information about the Security Events Provider for signal ingestion $ref: '#/components/schemas/SecurityEventsProviderSettingsResponse' status: @@ -44580,19 +61976,18 @@ components: - OKTA - RANDOM SelfServicePasswordResetAction: - allOf: - - $ref: '#/components/schemas/PasswordPolicyRuleAction' - - type: object - - description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset - properties: - type: - type: string - readOnly: true - description: The type of rule action - enum: - - selfServicePasswordReset - requirement: - $ref: '#/components/schemas/SsprRequirement' + description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset + type: object + properties: + access: + $ref: '#/components/schemas/PolicyAccess' + requirement: + $ref: '#/components/schemas/SsprRequirement' + type: + type: string + description: <x-lifecycle class="oie"></x-lifecycle> The type of rule action + enum: + - selfServicePasswordReset Session: type: object properties: @@ -44713,44 +62108,64 @@ components: properties: signInLabel: type: string + description: The label for the sign in widget usernameLabel: type: string + description: The label for the username field usernameInfoTip: type: string + description: The label for the username information tip passwordLabel: type: string + description: The label for the password field passwordInfoTip: type: string + description: The label for the password information tip showPasswordVisibilityToggle: type: boolean + description: Allows users to see their passwords as they type showUserIdentifier: type: boolean + description: Allows the user's identifier to appear on authentication and enrollment pages forgotPasswordLabel: type: string + description: The label for the forgot password page forgotPasswordUrl: type: string + description: The forgot password URL unlockAccountLabel: type: string + description: The label for the unlock account link unlockAccountUrl: type: string + description: The unlock account URL helpLabel: type: string + description: The label for the help link helpUrl: type: string + description: The help link URL customLink1Label: type: string + description: The label for the first custom link customLink1Url: type: string + description: The URL for the first custom link customLink2Label: type: string + description: The label for the second custom link customLink2Url: type: string + description: The URL for the second custom link authenticatorPageCustomLinkLabel: type: string + description: The label for the authenticator page custom link authenticatorPageCustomLinkUrl: type: string + description: The URL for the authenticator page custom link classicRecoveryFlowEmailOrUsernameLabel: type: string + description: The label for the username field in the classic recovery flow widgetGeneration: $ref: '#/components/schemas/WidgetGeneration' widgetVersion: @@ -44786,7 +62201,7 @@ components: - RS384 - RS512 SimulatePolicyBody: - description: The request body required for a simulate policy operation. + description: The request body required for a simulate policy operation type: object properties: appInstance: @@ -44892,14 +62307,18 @@ components: - NOT_MATCH - UNDEFINED SingleLogout: + description: Determines if the app supports Single Logout (SLO) type: object properties: enabled: type: boolean + description: Whether the application supports SLO issuer: type: string + description: The issuer of the Service Provider that generates the SLO request logoutUrl: type: string + description: The location where the logout response is sent SlackApplication: title: Slack x-tags: @@ -44961,6 +62380,7 @@ components: required: - domain SloParticipate: + description: Determines if the app participates in Single Logout (SLO) type: object properties: bindingType: @@ -44971,13 +62391,13 @@ components: - REDIRECT enabled: type: boolean - description: Allows the app to participate in front-channel single logout. + description: Indicates whether the app is allowed to participate in front-channel SLO logoutRequestUrl: type: string - description: URL where Okta sends the logout request. + description: URL where Okta sends the logout request sessionIndexRequired: type: boolean - description: Include user session details. + description: Determines whether Okta sends the `SessionIndex` elements in the logout request SmsTemplate: type: object properties: @@ -45020,25 +62440,40 @@ components: enum: - SMS_VERIFY_CODE SocialAuthToken: + description: The Social Authentication Token object provides the tokens and associated metadata provided by social providers during social authentication. type: object properties: expiresAt: - type: string - format: date-time - readOnly: true + $ref: '#/components/schemas/ExpiresAt' id: type: string + description: Unique identifier for the token readOnly: true + example: NXp9GaX1eOA-XVF_H9fn2Q scopes: type: array + description: The scopes that the token is good for + readOnly: true items: type: string + example: + - openid + - foo token: type: string + description: The raw token + readOnly: true + example: JBTWGV22G4ZGKV3N tokenAuthScheme: type: string + readOnly: true + description: The token authentication scheme as defined by the social provider + example: Bearer tokenType: type: string + readOnly: true + description: The type of token defined by the [OAuth Token Exchange Spec](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07#section-3) + example: urn:ietf:params:oauth:token-type:access_token SourceLinks: allOf: - $ref: '#/components/schemas/LinksSelf' @@ -45048,13 +62483,6 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' - description: The associated schema - SpCertificate: - type: object - properties: - x5c: - type: array - items: - type: string SplunkEdition: description: Edition of the Splunk Cloud instance example: aws @@ -45107,9 +62535,15 @@ components: - email - otp SsprRequirement: - description: Describes the initial and secondary authenticator requirements a user needs to reset their password + description: <x-lifecycle class="oie"></x-lifecycle> Describes the initial and secondary authenticator requirements a user needs to reset their password type: object properties: + accessControl: + description: Determines which authentication requirements a user needs to perform self-service operations. `AUTH_POLICY` defers conditions and authentication requirements to the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). `LEGACY` refers to the requirements described by this rule. + type: string + enum: + - AUTH_POLICY + - LEGACY primary: $ref: '#/components/schemas/SsprPrimaryRequirement' stepUp: @@ -45131,12 +62565,65 @@ components: - security_question required: type: boolean + StandardRole: + title: Standard Role Assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Role Assignment ID + readOnly: true + label: + type: string + description: Label for the Role Assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the Role Assignment + type: + $ref: '#/components/schemas/RoleType' + _embedded: + type: object + description: Optional embedded resources for the Role Assignment + properties: + targets: + type: object + description: Targets configured for the Role Assignment + properties: + groups: + type: array + description: Group targets + items: + $ref: '#/components/schemas/Group' + catalog: + description: App targets + properties: + apps: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + _links: + $ref: '#/components/schemas/LinksAssignee' StandardRoleAssignmentSchema: + title: Standard Role type: object properties: type: type: string - description: Standard role type + description: Specify the standard or IAM-based role type. See [standard roles](/openapi/okta-management/guides/roles/#standard-roles). StreamConfiguration: title: Stream Configuration type: object @@ -45157,7 +62644,6 @@ components: A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. example: https://example.com delivery: - type: object $ref: '#/components/schemas/StreamConfigurationDelivery' events_delivered: type: array @@ -45226,7 +62712,6 @@ components: type: object properties: delivery: - type: object $ref: '#/components/schemas/StreamConfigurationDelivery' events_requested: type: array @@ -45255,7 +62740,7 @@ components: authorization_header: type: string description: The HTTP Authorization header that is included for each HTTP POST request - example: Basic dXNlcjpwYXNzd29yZA== + example: '{authorizationHeaderValue}' nullable: true maxLength: 8192 endpoint_url: @@ -45414,30 +62899,42 @@ components: properties: buttonField: type: string + description: CSS selector for the **Sign-In** button in the sign-in form (for SWA apps with the `template_swa` app name definition) buttonSelector: type: string - checkbox: - type: string + description: CSS selector for the **Sign-In** button in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) extraFieldSelector: type: string + description: Enter the CSS selector for the extra field (for three-field SWA apps with the `template_swa3field` app name definition). extraFieldValue: type: string + description: Enter the value for the extra field in the form (for three-field SWA apps with the `template_swa3field` app name definition). loginUrlRegex: type: string + description: A regular expression that further restricts targetURL to the specified regular expression passwordField: type: string + description: CSS selector for the **Password** field in the sign-in form (for SWA apps with the `template_swa` app name definition) passwordSelector: type: string - redirectUrl: - type: string + description: CSS selector for the **Password** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) targetURL: type: string + description: The URL of the sign-in page for this app (for three-field SWA apps with the `template_swa3field` app name definition) url: type: string + description: The URL of the sign-in page for this app (for SWA apps with the `template_swa` app name definition) usernameField: type: string + description: CSS selector for the **Username** field in the sign-in form (for SWA apps with the `template_swa` app name definition) userNameSelector: type: string + description: CSS selector for the **Username** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) + required: + - buttonField + - passwordField + - usernameField + - url TelephonyRequest: type: object properties: @@ -45676,6 +63173,8 @@ components: properties: thirdPartyAdmin: type: boolean + description: Indicates if third-party admin is enabled + example: false ThreatInsightConfiguration: type: object properties: @@ -45744,6 +63243,626 @@ components: type: string enum: - poll + TokenHookResponse: + description: |- + For the token inline hook, the `commands` and `error` objects that you can return in the JSON payload of your response are defined in the following sections. + > **Note:** The size of your response payload must be less than 256 KB. + type: object + properties: + commands: + description: |- + You can use the `commands` object to provide commands to Okta. It's where you can tell Okta to add more claims to the token. + The `commands` object is an array, allowing you to send multiple commands. In each array element, there needs to be a `type` property and `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command. + In the case of the token hook type, the `value` property is itself a nested object in which you specify a particular operation, a path to act on, and a value. + type: array + items: + type: object + properties: + type: + description: |- + One of the supported commands: + `com.okta.identity.patch`: Modify an ID token + `com.okta.access.patch`: Modify an access token + > **Note:** The `commands` array should only contain commands that can be applied to the requested tokens. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`. + type: string + value: + description: The `value` object is where you specify the operation to perform. It's an array, which allows you to request more than one operation. + type: array + items: + type: object + properties: + op: + description: |- + The name of one of the supported ops: `add`: Add a claim. `replace`: Modify an existing claim and update the token lifetime. `remove`: Remove an existing claim. + #### `op: add` notes + + <details> + <summary>Add a claim</summary> + + Add a claim + + **Existing JSON** + + ``` + { + "employeeId": "00u12345678" + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.assertion.patch", + "value": [ + { + "op": "add", + "path": "/claims/extPatientId", + "value": "1234" + } + ] + }, + { + "type": "com.okta.assertion.patch", + "value": [ + { + "op": "add", + "path": "/claims/external_guid", + "value": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 1234, + "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ``` + + > **Note:** If you use the `add` operation and include an existing claim in your response with a different value, that value is replaced. Use the `replace` operation instead. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. See `op: replace` notes. + </details> + + <details> + <summary>Add new members to existing JSON objects</summary> + + If you have a JSON object in a claim called `employee_profile`, and you want to add the `department_id` member to the claim, the existing JSON is updated by specifying the claim in the path, followed by the name of the object member. + + **Existing JSON** + + ``` + { + "employee_profile": { + "employee_id": "1234", + "name": "Anna" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "add", + "path": "/claims/employee_profile/department_id", + "value": "4947" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employee_profile": { + "employee_id": "1234", + "name": "Anna", + "department_id": "4947" + } + } + ``` + + > **Note:** If you attempt to add a member within a JSON object that doesn't exist or using an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + </details> + + <details> + <summary>Add new elements to existing arrays</summary> + + Append an element to an array by specifying the name of the array, followed by the index where you want to insert the element in the path. Alternatively, you can specify the array name followed by a hyphen (-) in the path to append an element at the end of the array. For example, you have an array that contains the user's preferred airports, and you want to add a new airport to the array. The existing target JSON object is updated by specifying the claim in the path, followed by the index of where to insert the claim. + + **Existing JSON** + + ``` + { + "preferred_airports":[ + "sjc", + "sfo", + "oak" + ] + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "add", + "path": "/claims/preferred_airports/3", + "value": "lax" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "preferred_airports":[ + "sjc", + "sfo", + "oak", + "lax" + ] + } + ``` + + > **Note:** If you attempt to add an element within an array that doesn't exist or specify an invalid index, the entire PATCH fails and errors are logged in the token hooks events. + </details> + + #### `op: replace` notes + + <details> + <summary>Modify an existing claim</summary> + + You can modify (`replace`) existing custom claims or OIDC standard profile claims, such as `birthdate` and `locale`. You can't, however, modify any system-specific claims, such as `iss` or `ver`. Also, you can't modify a claim that isn't currently part of the token in the request payload. Attempting to modify a system-specific claim or using an invalid operation results in the entire PATCH failing and errors logged in the token hooks events. + + See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. + + > **Note:** Although the `aud` and `sub` claims are listed as reserved claims, you can modify those claims in access tokens. You can't modify these claims in ID tokens. + + See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. + + **Existing target JSON object** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 1234, + "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/claims/extPatientId", + "value": "12345" + }, + { + "op": "replace", + "path": "/claims/external_guid", + "value": "D1495796-G98E-585C-959E-1269CD6766B8" + } + ] + } + ] + } + ``` + + **Updated JSON*** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 12345, + "external_guid": "D1495796-G98E-585C-959E-1269CD6766B8" + } + ``` + + </details> + + <details> + <summary>Modify members within existing JSON objects and arrays</summary> + + Use the `replace` operation to modify members within JSON objects and elements within arrays. For example, you have a JSON object in a claim called `employee_profile`, and you want to update the email address of the employee. The existing target JSON object is updated by specifying the claim in the path, followed by the name of the object member that you want to modify. + + **Existing target JSON object** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna.v@company.com" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/claims/employee_profile/email", + "value": "anna@company.com" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna@company.com" + } + } + ``` + + > **Note:** If you attempt to modify a member within a JSON object that doesn't exist or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + + Similarly, you can replace elements in an array by specifying the array name and the valid index of the element that you want to replace in the path. + </details> + + <details> + <summary>Modify token lifetimes</summary> + You can modify how long the access and ID tokens are valid by specifying the `lifetime` in seconds. The `lifetime` value must be a minimum of five minutes (300 seconds) and a maximum of 24 hours (86,400 seconds). + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/token/lifetime/expiration", + "value": 36000 + } + ] + }, + { + "type": "com.okta.access.patch", + "value": [ + { + "op": "replace", + "path": "/token/lifetime/expiration", + "value": 36000 + } + ] + } + ] + } + ``` + + </details> + + #### `op: remove` notes + + <details> + <summary>Remove a claim</summary> + + You can remove existing custom claims or OIDC standard profile claims, such as `birthdate` or `locale`. You can't, however, remove any system-specific claims, such as `iss` or `ver`. You also can't remove a claim that isn't currently part of the token in the request payload. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + + See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. + + See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/birthdate", + "value": null + } + ] + }, + { + "type": "com.okta.access.patch", + "value": [ + { + "op": "remove", + "path": "/claims/external_guid" + } + ] + } + ] + } + ``` + + > **Note:** The `value` property for the `remove` operation isn't required. If you provide it in the response, it should be set to `null`. Providing any other value fails the entire PATCH response. + + </details> + + <details> + <summary>Remove members from existing arrays</summary> + + Use the `remove` operation to remove members from existing arrays. For example, you have an array that contains the user's preferred airports, and you want to remove an airport from the array. The existing target JSON object is updated by specifying the array name followed by the index of the element that you want to remove. You don't need to specify a value for the remove operation, but you can specify `null` as the value if you want. + + **Existing target JSON object** + + ``` + { + "preferred_airports": [ + "sjc", + "lax", + "sfo", + "oak" + ] + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/preferred_airports/1" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "preferred_airports": [ + "sjc", + "sfo", + "oak" + ] + } + ``` + + </details> + + <details> + <summary>Remove members from existing JSON objects</summary> + + Use the `remove` operation to remove members from existing JSON objects. Do this by specifying the JSON object in the path, followed by the claim member that you would like to remove. For example, you have an `employee_profile` claim, and you want to remove `email` from it. + + **Existing target JSON object** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna.v@company.com" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/employee_profile/email" + } + ] + } + ] + } + ``` + + **Updated JSON** + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + } + } + ``` + + </details> + type: string + path: + description: Location within the token to apply the operation, specified as a slash-delimited path. When you add, replace, or remove a claim, this path always begins with `/claims/` and is followed by the name of the new claim that you're adding. When you replace a token lifetime, the path should always be `/token/lifetime/expiration`. + type: string + value: + description: Value to set the claim to. + oneOf: + - type: string + - type: integer + - type: object + error: + description: When an error object is returned, it causes Okta to return an OAuth 2.0 error to the requester of the token. In the error response, the value of `error` is `server_error`, and the value of `error_description` is the string that you supplied in the `errorSummary` property of the `error` object that you returned. + type: object + properties: + errorSummary: + description: 'Human-readable summary of the error. If the error object doesn''t include the `errorSummary` property defined, the following common default message is returned to the end user: `The callback service returned an error`.' + type: string + TokenPayLoad: + type: object + properties: + data: + type: object + properties: + context: + allOf: + - $ref: '#/components/schemas/BaseContext' + - type: object + properties: + protocol: + description: Details of the authentication protocol + type: object + properties: + type: + description: The type of authentication protocol used + type: string + example: OAUTH2.0 + request: + $ref: '#/components/schemas/TokenProtocolRequest' + OriginalGrant: + description: Information about the original token request used to get the refresh token being used, when in a refresh token request + type: object + properties: + request: + $ref: '#/components/schemas/TokenProtocolRequest' + refresh_token: + $ref: '#/components/schemas/RefreshToken' + issuer: + description: The authorization server's issuer identifier + type: object + properties: + uri: + description: The authorization server's issuer identifier + type: string + format: uri + client: + description: The client making the token request + type: object + properties: + id: + description: The unique identifier of the client + type: string + name: + description: The name of the client + type: string + type: + description: The type of client + type: string + example: PUBLIC + policy: + description: The authorization server policy used to mint the token + type: object + properties: + id: + description: The unique identifier for the policy + type: string + example: 00p4ktaq2ryOYtsHC0g7 + rule: + description: The authorization server policy rule used to mint the token + type: object + properties: + id: + description: The unique identifier for the policy rule + type: string + example: 0pr4ktb7elD3ZvrMy0g7 + identity: + allOf: + - description: Provides information on the properties of the ID token that Okta has generated, including the existing claims that it contains + - $ref: '#/components/schemas/BaseToken' + access: + allOf: + - description: Provides information on the properties of the access token that Okta has generated, including the existing claims that it contains + - $ref: '#/components/schemas/BaseToken' + - type: object + properties: + scopes: + description: The scopes contained in the token. For descriptions of the scopes that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#scopes). + type: object + refresh_token: + $ref: '#/components/schemas/RefreshToken' + TokenProtocolRequest: + description: Details of the token request + type: object + properties: + client_id: + description: The ID of the client associated with the token + type: string + grant_type: + $ref: '#/components/schemas/GrantType' + redirect_uri: + description: Specifies the callback location where the authorization was sent + type: string + format: uri + response_mode: + description: The authorization response mode + type: string + enum: + - form_post + - fragment + - okta_post_message + - query + response_type: + description: The authorization response type + type: string + enum: + - code + - id_token + - token + - none + scope: + description: The scopes requested + type: string + state: + type: string + TokenRequest: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TokenPayLoad' + TokenResourcesHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens TokenResponse: type: object properties: @@ -45941,7 +64060,7 @@ components: - radio_yes_no - radio_true_false x-enumDescriptions: - text: The default format for the majority of property types. + text: The default format for the majority of property types radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint. select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint. checkbox: Displays input as a checkbox. This option is only available for Boolean data types. @@ -45959,13 +64078,13 @@ components: properties: buttonLabel: type: string - description: Specifies the button label for the `Submit` button at the bottom of the enrollment form. + description: Specifies the button label for the `Submit` button at the bottom of the enrollment form default: Submit elements: $ref: '#/components/schemas/UIElement' label: type: string - description: Specifies the label at the top of the enrollment form under the logo. + description: Specifies the label at the top of the enrollment form under the logo default: Sign in type: type: string @@ -46090,7 +64209,7 @@ components: $ref: '#/components/schemas/UserProfile' realmId: type: string - description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the Realm in which the user is residing + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the Realm in which the User is residing example: guo1bfiNtSnZYILxO0g4 x-okta-lifecycle: lifecycle: EA @@ -46101,13 +64220,13 @@ components: properties: activated: type: string - description: The timestamp when the user status transitioned to `ACTIVE` + description: The timestamp when the User status transitioned to `ACTIVE` format: date-time readOnly: true nullable: true created: type: string - description: The timestamp when the user was created + description: The timestamp when the User was created format: date-time readOnly: true credentials: @@ -46124,12 +64243,12 @@ components: nullable: true lastUpdated: type: string - description: The timestamp when the user was last updated + description: The timestamp when the User was last updated format: date-time readOnly: true passwordChanged: type: string - description: The timestamp when the user's password was last updated + description: The timestamp when the User's password was last updated format: date-time readOnly: true nullable: true @@ -46137,7 +64256,7 @@ components: $ref: '#/components/schemas/UserProfile' realmId: type: string - description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the Realm in which the user is residing + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the Realm in which the User is residing example: guo1bfiNtSnZYILxO0g4 x-okta-lifecycle: lifecycle: EA @@ -46148,7 +64267,7 @@ components: $ref: '#/components/schemas/UserStatus' statusChanged: type: string - description: The timestamp when the status of the user last changed + description: The timestamp when the status of the User last changed format: date-time readOnly: true nullable: true @@ -46158,7 +64277,7 @@ components: $ref: '#/components/schemas/UserType' _embedded: type: object - description: If specified, includes embedded resources related to the user + description: Embedded resources related to the User using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification additionalProperties: type: object properties: {} @@ -46168,7 +64287,7 @@ components: Specifies link relations (see [Web Linking](https://datatracker.ietf.org/doc/html/rfc8288) available for the current status of a user. The Links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The Links object is read-only. - For an individual user result, the Links object contains a full set of link relations available for that user as determined by your policies. + For an individual User result, the Links object contains a full set of link relations available for that User as determined by your policies. For a collection of users, the Links object contains only the `self` link. Operations that return a collection of Users include List Users and List Group Members. allOf: - $ref: '#/components/schemas/LinksSelf' @@ -46183,15 +64302,15 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' resetPassword: - description: URL to reset the user's password + description: URL to reset the User's password allOf: - $ref: '#/components/schemas/HrefObject' resetFactors: - description: URL to reset the user's factors + description: URL to reset the User's factors allOf: - $ref: '#/components/schemas/HrefObject' expirePassword: - description: URL to expire the user's password + description: URL to expire the User's password allOf: - $ref: '#/components/schemas/HrefObject' forgotPassword: @@ -46199,7 +64318,7 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' changeRecoveryQuestion: - description: URL to change the user's recovery question + description: URL to change the User's recovery question allOf: - $ref: '#/components/schemas/HrefObject' deactivate: @@ -46211,11 +64330,11 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' changePassword: - description: URL to change the user's password + description: URL to change the User's password allOf: - $ref: '#/components/schemas/HrefObject' schema: - description: URL to the user's profile schema + description: URL to the User's profile schema allOf: - $ref: '#/components/schemas/HrefObject' suspend: @@ -46231,7 +64350,7 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' type: - description: URL to the user type + description: URL to the User Type allOf: - $ref: '#/components/schemas/HrefObject' - readOnly: true @@ -46241,11 +64360,17 @@ components: activationToken: type: string readOnly: true + example: XE6wE17zmphl3KqAPFxO + description: |- + Token received as part of an activation user request. If a password was set before the user was activated, then user must sign in with their password or the `activationToken` and not the activation link. More information about using the `activationToken` + to login can be found in the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-activation-token). activationUrl: type: string readOnly: true + example: https://{yourOktaDomain}/welcome/XE6wE17zmphl3KqAPFxO + description: If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. UserBlock: - description: The description of the access block + description: Describes how the account is blocked from access. If `appliesTo` is `ANY_DEVICES`, then the account is blocked for all devices. If `appliesTo` is `UNKNOWN_DEVICES`, then the account is only blocked for unknown devices. type: object properties: appliesTo: @@ -46278,7 +64403,11 @@ components: type: array items: type: string + required: + - exclude + - include UserCredentials: + description: Specifies primary authentication and recovery credentials for a User. Credential types and requirements vary depending on the provider and security policy of the org. type: object properties: password: @@ -46328,7 +64457,7 @@ components: properties: {} readOnly: true _links: - type: object + $ref: '#/components/schemas/UserFactorLinks' discriminator: propertyName: factorType mapping: @@ -46338,15 +64467,15 @@ components: question: '#/components/schemas/UserFactorSecurityQuestion' sms: '#/components/schemas/UserFactorSMS' token: '#/components/schemas/UserFactorToken' - token:hardware: '#/components/schemas/UserFactorHardware' - token:hotp: '#/components/schemas/UserFactorCustomHOTP' - token:software:totp: '#/components/schemas/UserFactorTOTP' + token:hardware: '#/components/schemas/UserFactorTokenHardware' + token:hotp: '#/components/schemas/UserFactorTokenHOTP' + token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' u2f: '#/components/schemas/UserFactorU2F' web: '#/components/schemas/UserFactorWeb' webauthn: '#/components/schemas/UserFactorWebAuthn' - hotp: '#/components/schemas/UserFactorCustomHOTP' + hotp: '#/components/schemas/UserFactorTokenHOTP' UserFactorActivatePush: - description: Activation requests have a short lifetime and expire if activation isn't completed before the indicated timestamp. If the activation expires, use the returned `activate` link to restart the process. + description: Activation requests have a short lifetime and expire if the activation isn't completed before the indicated timestamp. If the activation expires, use the returned `activate` link to restart the process. type: object properties: expiresAt: @@ -46356,10 +64485,10 @@ components: example: '2022-08-25T00:31:00.000Z' readOnly: true factorResult: - $ref: '#/components/schemas/UserFactorActivatePushResponse' + $ref: '#/components/schemas/UserFactorActivatePushResult' readOnly: true - UserFactorActivatePushResponse: - description: Result of a Factor verification + UserFactorActivatePushResult: + description: Result of a Factor activation type: string enum: - CANCELLED @@ -46406,8 +64535,8 @@ components: call: '#/components/schemas/UserFactorCall' email: '#/components/schemas/UserFactorEmail' sms: '#/components/schemas/UserFactorSMS' - push: '#/components/schemas/UserFactorActivatePush' - token:software:totp: '#/components/schemas/UserFactorTOTP' + push: '#/components/schemas/UserFactorPush' + token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' u2f: '#/components/schemas/UserFactorU2F' webauthn: '#/components/schemas/UserFactorWebAuthn' UserFactorCall: @@ -46428,29 +64557,11 @@ components: nullable: true maxLength: 15 phoneNumber: - description: Phone number of the Factor. You should format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). + description: Phone number of the Factor. Format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). example: '+15554151337' type: string pattern: ^\+[1-9]\d{1,14}$ maxLength: 15 - UserFactorCustomHOTP: - title: token:hotp - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - factorProfileId: - description: ID of an existing Custom TOTP Factor profile. To create this, see [Custom TOTP Factor](https://help.okta.com/okta_help.htm?id=ext-mfa-totp). - type: string - profile: - $ref: '#/components/schemas/UserFactorCustomHOTPProfile' - UserFactorCustomHOTPProfile: - type: object - properties: - sharedSecret: - description: Unique secret key used to generate the OTP - type: string - example: 484f97be3213b117e3a20438e291540a UserFactorEmail: title: email allOf: @@ -46463,32 +64574,10 @@ components: type: object properties: email: - description: Email address of the user. Must be either the primary or secondary email address associated with the Okta user account. + description: Email address of the user. This must be either the primary or secondary email address associated with the Okta user account. maxLength: 100 example: z.cool@example.com type: string - UserFactorHardware: - title: token:hardware - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/UserFactorHardwareProfile' - verify: - type: object - properties: - passCode: - description: OTP for the current time window - type: string - example: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji - UserFactorHardwareProfile: - type: object - properties: - credentialId: - description: ID for the Factor credential - example: dade.murphy@example.com - type: string UserFactorLinks: allOf: - $ref: '#/components/schemas/LinksActivate' @@ -46527,14 +64616,6 @@ components: - $ref: '#/components/schemas/UserFactor' - type: object properties: - expiresAt: - description: Timestamp when the Factor verification attempt expires - type: string - format: date-time - example: '2022-08-25T00:31:00.000Z' - readOnly: true - factorResult: - $ref: '#/components/schemas/UserFactorResultType' profile: $ref: '#/components/schemas/UserFactorPushProfile' UserFactorPushProfile: @@ -46597,7 +64678,10 @@ components: _links: allOf: - $ref: '#/components/schemas/LinksVerify' - - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factor: + $ref: '#/components/schemas/UserFactor' UserFactorPushTransactionSuccess: $ref: '#/components/schemas/UserFactorPushTransaction' UserFactorPushTransactionTimeout: @@ -46615,7 +64699,10 @@ components: _links: allOf: - $ref: '#/components/schemas/LinksVerify' - - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factor: + $ref: '#/components/schemas/UserFactor' UserFactorPushTransactionWaiting: allOf: - $ref: '#/components/schemas/UserFactorPushTransaction' @@ -46706,7 +64793,7 @@ components: - favorite_sports_player type: string questionText: - description: Human-readable text displayed to the user + description: Human-readable text that's displayed to the user example: What is the food you least liked as a child? type: string readOnly: true @@ -46756,23 +64843,49 @@ components: readOnly: true _links: $ref: '#/components/schemas/UserFactorLinks' - UserFactorTOTP: - title: token:software:totp + UserFactorToken: + title: token allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: - $ref: '#/components/schemas/UserFactorTOTPProfile' - UserFactorTOTPProfile: + $ref: '#/components/schemas/UserFactorTokenProfile' + verify: + oneOf: + - $ref: '#/components/schemas/UserFactorTokenVerifyRSA' + - $ref: '#/components/schemas/UserFactorTokenVerifySymantec' + UserFactorTokenFactorVerificationObject: type: object properties: - credentialId: - description: ID for the Factor credential - example: dade.murphy@example.com + nextPassCode: + description: OTP for the next time window type: string - UserFactorToken: - title: token + example: 678195 + passCode: + description: OTP for the current time window + type: string + example: 875498 + UserFactorTokenHOTP: + title: token:hotp + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorProfileId: + description: ID of an existing Custom TOTP Factor profile. To create this, see [Custom TOTP Factor](https://help.okta.com/okta_help.htm?id=ext-mfa-totp). + type: string + profile: + $ref: '#/components/schemas/UserFactorTokenHOTPProfile' + UserFactorTokenHOTPProfile: + type: object + properties: + sharedSecret: + description: Unique secret key used to generate the OTP + type: string + example: 484f97be3213b117e3a20438e291540a + UserFactorTokenHardware: + title: token:hardware allOf: - $ref: '#/components/schemas/UserFactor' - type: object @@ -46780,9 +64893,12 @@ components: profile: $ref: '#/components/schemas/UserFactorTokenProfile' verify: - oneOf: - - $ref: '#/components/schemas/UserFactorTokenVerifyRSA' - - $ref: '#/components/schemas/UserFactorTokenVerifySymantec' + type: object + properties: + passCode: + description: OTP for the current time window + type: string + example: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji UserFactorTokenProfile: type: object properties: @@ -46790,6 +64906,14 @@ components: description: ID for the Factor credential example: dade.murphy@example.com type: string + UserFactorTokenSoftwareTOTP: + title: token:software:totp + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + profile: + $ref: '#/components/schemas/UserFactorTokenProfile' UserFactorTokenVerifyRSA: title: RSA SecurID type: object @@ -46904,7 +65028,7 @@ components: - TIME_WINDOW_EXCEEDED - WAITING x-enumDescriptions: - CANCELED: User canceled the verification + CANCELED: User cancelled the verification CHALLENGE: Okta issued a verification challenge ERROR: Verification encountered an unexpected server error EXPIRED: User didn't complete the verification within the allowed time window @@ -46949,6 +65073,55 @@ components: description: ID for the Factor credential example: dade.murphy@example.com type: string + UserFactorYubikeyOtpToken: + type: object + properties: + created: + description: Timestamp when the Token was created + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + id: + description: ID of the Token + type: string + example: ykkwcx13nrDq8g4oy0g3 + readOnly: true + lastUpdated: + description: Timestamp when the Token was last updated + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + lastVerified: + description: Timestamp when the Token was last verified + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + profile: + type: object + description: Specified profile information for token + additionalProperties: + type: object + properties: {} + status: + description: Token status + type: string + enum: + - BLOCKED + - UNASSIGNED + - ACTIVE + - REVOKED + - DELETED + - INACTIVE + _embedded: + type: object + additionalProperties: + type: object + properties: {} + _links: + $ref: '#/components/schemas/UserFactorLinks' UserGetSingleton: allOf: - $ref: '#/components/schemas/User' @@ -46960,7 +65133,7 @@ components: properties: blocks: type: array - description: A list of access block details for the user account + description: A list of access block details for the User account items: $ref: '#/components/schemas/UserBlock' UserIdentifierConditionEvaluatorPattern: @@ -46971,7 +65144,10 @@ components: $ref: '#/components/schemas/UserIdentifierMatchType' value: type: string - description: The regex expression of a simple match string + description: The regular expression or simple match string + required: + - matchType + - value UserIdentifierMatchType: description: The type of pattern. For regex, use `EXPRESSION`. type: string @@ -46982,17 +65158,23 @@ components: - STARTS_WITH - SUFFIX UserIdentifierPolicyRuleCondition: + description: Specifies a user identifier condition to match on type: object properties: attribute: type: string + description: The name of the profile attribute to match against. Only used when type is `ATTRIBUTE`. patterns: type: array items: $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' type: $ref: '#/components/schemas/UserIdentifierType' + required: + - patterns + - type UserIdentifierType: + description: What to match against, either user ID or an attribute in the user's Okta profile. type: string enum: - ATTRIBUTE @@ -47002,6 +65184,159 @@ components: properties: externalId: type: string + description: Unique IdP-specific identifier for a User + example: '121749775026145' + UserImportRequest: + type: object + properties: + data: + $ref: '#/components/schemas/UserImportRequestData' + eventType: + type: string + description: The type of inline hook. The user import inline hook type is `com.okta.import.transform`. + source: + description: The ID of the user import inline hook + type: string + UserImportRequestData: + type: object + properties: + action: + type: object + description: The object that specifies the default action Okta is set to take + properties: + result: + description: |- + The current default action that results when Okta imports a user. The two possible values are `CREATE_USER` and `LINK_USER`. You + can change the action that is taken by means of the commands object you return. + type: string + enum: + - CREATE_USER + - LINK_USER + x-enumDescriptions: + CREATE_USER: A new Okta user profile is created for the user + LINK_USER: The user is treated as a match for the existing Okta user identified by the value of `data.user.id` + appUser: + type: object + description: The app user profile being imported + properties: + profile: + type: object + description: |- + Provides the name-value pairs of the attributes contained in the app user profile of the user who is being imported. You can change + the values of attributes in the user's app profile by means of the `commands` object you return. If you change attributes in the app + profile, they then flow through to the Okta user profile, based on matching and mapping rules. + additionalProperties: + type: string + context: + type: object + properties: + conflicts: + description: An array of user profile attributes that are in conflict + type: array + items: + additionalProperties: true + type: string + application: + type: object + description: Details of the app from which the user is being imported + properties: + name: + type: string + description: The app name + id: + type: string + description: The app ID + label: + type: string + description: The user-defined display name for the app + status: + type: string + description: The status of the app + enum: + - ACTIVE + - INACTIVE + job: + type: object + description: The details of the running import job + properties: + id: + type: string + description: The ID number of the import job + type: + type: string + description: The type of import job + matches: + type: array + description: The list of Okta users currently matched to the app user based on import matching. There can be more than one match. + items: + additionalProperties: true + type: string + policy: + type: array + description: The list of any policies that apply to the import matching + items: + additionalProperties: true + type: string + user: + type: object + description: |- + Provides information on the Okta user profile currently set to be used for the user who is being imported, based on the matching + rules and attribute mappings that were applied. + properties: + profile: + description: |- + The `data.user.profile` contains the name-value pairs of the attributes in the user profile. If the user has been matched to an existing + Okta user, a `data.user.id` object is included, containing the unique identifier of the Okta user profile. + + You can change the values of the attributes by means of the `commands` object you return. + type: object + additionalProperties: + type: string + UserImportResponse: + type: object + properties: + commands: + description: |- + The `commands` object is where you can provide commands to Okta. It is an array that allows you to send multiple commands. + Each array element needs to consist of a type-value pair. + type: array + items: + type: object + properties: + type: + description: |- + The command types supported for the import inline hook. + When using the `com.okta.action.update` command to specify that the user should be treated as a match, you need to also provide a `com.okta.user.update` command that sets the ID of the Okta user. + type: string + enum: + - com.okta.appUser.profile.update + - com.okta.user.profile.update + - com.okta.action.update + - com.okta.user.update + x-enumDescriptions: + com.okta.appUser.profile.update: Change values of attributes in the user's app user profile + com.okta.user.profile.update: Change values of attributes in the user's Okta user profile + com.okta.action.update: Specify whether to create a new Okta user for the user being imported or treat them as a match of an existing Okta user + com.okta.user.update: Specify the existing Okta user that the imported user should be treated as a match of. + value: + description: |- + The `value` object is the parameter to pass to the command. In the case of the `com.okta.appUser.profile.update` and `com.okta.user.profile.update` commands, + the parameter should be a list of one or more profile attributes and the values you wish to set them to. In the case of the `com.okta.action.update` command, + the parameter should be a `result` property set to either `CREATE_USER` or `LINK_USER`. + type: object + additionalProperties: + type: string + error: + description: |- + An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log. + The string supplied in the `errorSummary` property is recorded in the System Log event. + + >**Note:** If a response to an import inline hook request is not received from your external service within three seconds, a timeout occurs. In this scenario, the Okta import process continues and the user is created. + type: object + properties: + errorSummary: + description: A human-readable summary of the error + type: string UserLifecycleAttributePolicyRuleCondition: type: object properties: @@ -47048,19 +65383,18 @@ components: Specifies the default and custom profile properties for a user. The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). - The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and - specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the administrator UI - or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. + + The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. - Custom attributes may contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. + Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. type: object properties: city: type: string - description: The city or locality of the user's address (`locality`) + description: The city or locality of the User's address (`locality`) maxLength: 128 nullable: true costCenter: @@ -47068,20 +65402,20 @@ components: description: Name of the cost center assigned to a user nullable: true countryCode: - description: The country name component of the user's address (`country`) + description: The country name component of the User's address (`country`). For validation, see [ISO 3166-1 alpha 2 "short" code format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166). type: string maxLength: 2 nullable: true department: type: string - description: Name of the user's department + description: Name of the User's department displayName: type: string - description: Name of the user suitable for display to end users + description: Name of the User suitable for display to end users nullable: true division: type: string - description: Name of the user's division + description: Name of the User's division nullable: true email: type: string @@ -47094,7 +65428,7 @@ components: type: string firstName: type: string - description: Given name of the user (`givenName`) + description: Given name of the User (`givenName`) minLength: 1 maxLength: 50 nullable: true @@ -47104,31 +65438,38 @@ components: nullable: true honorificSuffix: type: string - description: Honorific suffix(es) of the user + description: Honorific suffix(es) of the User nullable: true lastName: type: string - description: The family name of the user (`familyName`) + description: The family name of the User (`familyName`) minLength: 1 maxLength: 50 nullable: true locale: type: string description: |- - The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. + The User's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example, en_US specifies the language English and country US. This value is `en_US` by default. login: type: string - description: The unique identifier for the user (`username`). For validation, see [Login pattern validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). See also [Okta login](https://developer.okta.com/docs/reference/api/users/#okta-login). - maxLength: 100 + description: |- + The unique identifier for the User (`username`). For validation, see [Login pattern validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). + + Every user within your Okta org must have a unique identifier for a login. This constraint applies to all users you import from other systems or applications such as Active Directory. Your organization is the top-level namespace to mix and match logins from all your connected applications or directories. Careful consideration of naming conventions for your login identifier will make it easier to onboard new applications in the future. + + Logins are not considered unique if they differ only in case and/or diacritical marks. If one of your users has a login of Isaac.Brock@example.com, there cannot be another user whose login is isaac.brock@example.com, nor isáàc.bröck@example.com. + + Okta has a default ambiguous name resolution policy for usernames that include @-signs. (By default, usernames must be formatted as email addresses and thus always include @-signs. You can remove that restriction using either the Admin Console or the Schemas API (opens new window).) Users can sign in with their non-qualified short name (for example: isaac.brock with username isaac.brock@example.com) as long as the short name is still unique within the organization. + maxLength: 100 minLength: 5 manager: type: string - description: The `displayName` of the user's manager + description: The `displayName` of the User's manager nullable: true managerId: type: string - description: The `id` of the user's manager + description: The `id` of the User's manager nullable: true middleName: type: string @@ -47142,55 +65483,55 @@ components: nullable: true nickName: type: string - description: The casual way to address the user in real life + description: The casual way to address the User in real life nullable: true organization: type: string - description: Name of the the user's organization + description: Name of the the User's organization nullable: true postalAddress: type: string - description: Mailing address component of the user's address + description: Mailing address component of the User's address maxLength: 4096 nullable: true preferredLanguage: type: string - description: The user's preferred written or spoken language + description: The User's preferred written or spoken language. For validation, see [RFC 7231 Section 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5). nullable: true primaryPhone: type: string - description: The primary phone number of the user such as a home number + description: The primary phone number of the User such as a home number maxLength: 100 minLength: 0 nullable: true profileUrl: type: string - description: The URL of the user's online profile. For example, a web page. See [URL](https://datatracker.ietf.org/doc/html/rfc1808). + description: The URL of the User's online profile. For example, a web page. See [URL](https://datatracker.ietf.org/doc/html/rfc1808). nullable: true secondEmail: type: string format: email - description: The secondary email address of the user typically used for account recovery + description: The secondary email address of the User typically used for account recovery. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). minLength: 5 maxLength: 100 nullable: true state: type: string - description: The state or region component of the user's address (`region`) + description: The state or region component of the User's address (`region`) maxLength: 128 nullable: true streetAddress: type: string - description: The full street address component of the user's address + description: The full street address component of the User's address maxLength: 1024 nullable: true timezone: type: string - description: The user's time zone + description: The User's time zone nullable: true title: type: string - description: The user's title, such as Vice President + description: The User's title, such as Vice President nullable: true userType: type: string @@ -47198,7 +65539,7 @@ components: nullable: true zipCode: type: string - description: The ZIP code or postal code component of the user's address (`postalCode`) + description: The ZIP code or postal code component of the User's address (`postalCode`) maxLength: 50 nullable: true UserProvisioningApplicationFeature: @@ -47208,33 +65549,122 @@ components: - properties: capabilities: $ref: '#/components/schemas/CapabilitiesObject' + UserResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + title: + type: string + description: Link name + example: SAML Jackson + UserRiskGetResponse: + type: object + properties: + riskLevel: + $ref: '#/components/schemas/UserRiskLevelAll' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUserRef' + discriminator: + propertyName: riskLevel + mapping: + HIGH: '#/components/schemas/UserRiskLevelExists' + MEDIUM: '#/components/schemas/UserRiskLevelExists' + LOW: '#/components/schemas/UserRiskLevelExists' + NONE: '#/components/schemas/UserRiskLevelNone' + UserRiskLevelAll: + description: The risk level associated with the user + type: string + enum: + - HIGH + - LOW + - MEDIUM + - NONE + UserRiskLevelExists: + allOf: + - $ref: '#/components/schemas/UserRiskGetResponse' + - type: object + properties: + reason: + $ref: '#/components/schemas/UserRiskReason' + UserRiskLevelNone: + allOf: + - $ref: '#/components/schemas/UserRiskGetResponse' + UserRiskLevelPut: + description: The risk level associated with the user + type: string + enum: + - HIGH + - LOW + UserRiskPutResponse: + type: object + properties: + reason: + $ref: '#/components/schemas/UserRiskReason' + riskLevel: + $ref: '#/components/schemas/UserRiskLevelPut' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUserRef' + UserRiskReason: + description: Describes the risk level for the user + example: Admin override risk + type: string + UserRiskRequest: + type: object + properties: + riskLevel: + type: string + description: The risk level associated with the user + enum: + - HIGH + - LOW UserSchema: type: object properties: $schema: type: string readOnly: true + description: JSON Schema version identifier created: type: string readOnly: true + description: Timestamp when the Schema was created definitions: - $ref: '#/components/schemas/UserSchemaDefinitions' + allOf: + - $ref: '#/components/schemas/UserSchemaDefinitions' + description: |- + User Profile subschemas + + The Profile object for a User is defined by a composite Schema of base and custom properties using a JSON path to reference subschemas. The `#base` properties are defined and versioned by Okta, while `#custom` properties are extensible. Custom property names for the Profile object must be unique and can't conflict with a property name defined in the `#base` subschema. id: type: string readOnly: true + description: URI of User Schema lastUpdated: type: string readOnly: true + description: Timestamp when the Schema was last updated name: type: string readOnly: true + description: Name of the Schema properties: - $ref: '#/components/schemas/UserSchemaProperties' + allOf: + - $ref: '#/components/schemas/UserSchemaProperties' + description: User Object Properties title: type: string + description: User-defined display name for the Schema type: type: string readOnly: true + description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) _links: $ref: '#/components/schemas/LinksSelf' UserSchemaAttribute: @@ -47242,48 +65672,107 @@ components: properties: description: type: string + description: Description of the property enum: type: array + nullable: true + description: |- + Enumerated value of the property. + + The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. items: - type: string + anyOf: + - type: string + - type: integer externalName: type: string + description: |- + Name of the property as it exists in an external application + + **NOTE**: When you add a custom property, only Identity Provider app user schemas require `externalName` to be + included in the request body. If an existing custom Identity Provider app user schema property has an empty + `externalName`, requests aren't allowed to update other properties until the `externalName` is defined. externalNamespace: type: string - items: - $ref: '#/components/schemas/UserSchemaAttributeItems' + description: Namespace from the external application + format: + description: Identifies the type of data represented by the string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeFormat' master: - $ref: '#/components/schemas/UserSchemaAttributeMaster' + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMaster' + description: Identifies where the property is mastered maxLength: type: integer + description: Maximum character length of a string property nullable: true minLength: type: integer + description: Minimum character length of a string property nullable: true mutability: - type: string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' + description: Defines the mutability of the property oneOf: type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + + When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order. + + ``` + {"enum": ["S","M","L","XL"], + "oneOf": [ + {"const": "S", "title": "Small"}, + {"const": "M", "title": "Medium"}, + {"const": "L", "title": "Large"}, + {"const": "XL", "title": "Extra Large"} + ] + } + ```json + + The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value. items: $ref: '#/components/schemas/UserSchemaAttributeEnum' pattern: type: string + description: For `string` property types, specifies the regular expression used to validate the property permissions: type: array + nullable: true + description: Access control permissions for the property items: $ref: '#/components/schemas/UserSchemaAttributePermission' required: type: boolean + nullable: true + description: Determines whether the property is required scope: $ref: '#/components/schemas/UserSchemaAttributeScope' title: type: string + minLength: 1 + description: User-defined display name for the property type: - $ref: '#/components/schemas/UserSchemaAttributeType' - union: - $ref: '#/components/schemas/UserSchemaAttributeUnion' + description: Type of property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' unique: - type: string + description: Determines whether property values must be unique + type: boolean + nullable: true x-okta-allow-null-property-value-for-updates: true UserSchemaAttributeEnum: type: object @@ -47292,6 +65781,19 @@ components: type: string title: type: string + UserSchemaAttributeFormat: + type: string + enum: + - country-code + - date-time + - email + - encrypted + - hashed + - language-code + - locale + - ref-id + - timezone + - uri UserSchemaAttributeItems: type: object properties: @@ -47306,6 +65808,7 @@ components: type: type: string UserSchemaAttributeMaster: + nullable: true type: object properties: priority: @@ -47327,13 +65830,22 @@ components: - OKTA - OVERRIDE - PROFILE_MASTER + UserSchemaAttributeMutabilityString: + type: string + enum: + - IMMUTABLE + - READ_ONLY + - READ_WRITE + - WRITE_ONLY UserSchemaAttributePermission: type: object properties: action: type: string + description: Determines whether the principal can view or modify the property principal: type: string + description: Security principal UserSchemaAttributeScope: type: string enum: @@ -47347,89 +65859,169 @@ components: - integer - number - string - UserSchemaAttributeUnion: - type: string - enum: - - DISABLE - - ENABLE UserSchemaBase: + description: |- + All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. You can't modify these properties, except to update permissions, to change the nullability of `firstName` and `lastName`, or to specify a pattern for `login`. They can't be removed. + + The base User Profile is based on the [System for Cross-domain Identity Management: Core Schema](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#section-4.1.1) and has the standard properties detailed below. type: object properties: id: type: string + description: The subschema name + readOnly: true properties: - $ref: '#/components/schemas/UserSchemaBaseProperties' + description: The `#base` object properties + allOf: + - $ref: '#/components/schemas/UserSchemaBaseProperties' required: type: array + description: A collection indicating required property names + readOnly: true items: type: string type: type: string + description: The object type + readOnly: true UserSchemaBaseProperties: type: object properties: city: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: City or locality component of the User's address (`locality`) costCenter: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of a cost center assigned to the User countryCode: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Country name component of the User's address (`country`.) This property uses [ISO 3166-1 alpha 2 "short" code format](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). department: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's department displayName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User, suitable for display to end Users division: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's division email: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Primary email address of the User. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). employeeNumber: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Organization or company assigned unique identifier for the User firstName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Given name of the User (`givenName`) honorificPrefix: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Honorific prefix(es) of the User or title in most Western languages honorificSuffix: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Honorific suffix(es) of the User lastName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Family name of the User (`familyName`) locale: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + User's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. + + A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example: `en_US` specifies the language English and country US. This value is `en_US` by default. login: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + Unique identifier for the User (`username`) + + The login property is validated according to its pattern attribute, which is a string. By default, the attribute is null. When the attribute is null, the username is required to be formatted as an email address as defined by [RFC 6531 Section 3.3](http://tools.ietf.org/html/rfc6531#section-3.3). The pattern can be set through the API to one of the following forms. (The Admin Console provides access to the same forms.) + * A login pattern of `".+"` indicates that there is no restriction on usernames. Any non-empty, unique value is permitted, and the minimum length of five isn't enforced. In this case, usernames don't need to include the `@` character. If a name does include `@`, the portion ahead of the `@` can be used for logging in, provided it identifies a unique User within the org. + * A login pattern of the form `"[...]+"` indicates that usernames must only contain characters from the set given between the brackets. The enclosing brackets and final `+` are required for this form. Character ranges can be indicated using hyphens. To include the hyphen itself in the allowed set, the hyphen must appear first. Any characters in the set except the hyphen, a-z, A-Z, and 0-9 must be preceded by a backslash (`\`). For example, `"[a-z13579\.]+"` would restrict usernames to lowercase letters, odd digits, and periods, while `"[-a-zA-Z0-9]+"` would allow basic alphanumeric characters and hyphens. manager: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: The `displayName` of the User's manager managerId: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: The `id` of the User's manager middleName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Middle name(s) of the User mobilePhone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Mobile phone number of the User nickName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Casual way to address the User in real life organization: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's organization postalAddress: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Mailing address component of the User's address preferredLanguage: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's preferred written or spoken languages. This property is formatted according to [RFC 7231 Section 5.3.5](https://tools.ietf.org/html/rfc7231#section-5.3.5). primaryPhone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Primary phone number of the User, such as home number profileUrl: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: URL of the User's online Profile (for example, a web page.) This property is formatted according to the [Relative Uniform Resource Locators specification](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). secondEmail: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Secondary email address of the User typically used for account recovery. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). state: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: State or region component of the User's address (`region`) streetAddress: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Full street address component of the User's address timezone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's time zone. This property is formatted according to the [IANA Time Zone database format](https://tools.ietf.org/html/rfc6557). title: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's title, such as "Vice President" userType: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + Used to describe the organization to the User relationship such as "Employee" or "Contractor". + + **Note:** The `userType` field is an arbitrary string value and isn't related to the newer [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature. zipCode: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: ZIP code or postal code component of the User's address (`postalCode`) UserSchemaDefinitions: type: object properties: @@ -47455,22 +66047,33 @@ components: $ref: type: string UserSchemaPublic: + description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom` type: object properties: id: type: string + description: The subschema name + readOnly: true properties: type: object + description: The `#custom` object properties additionalProperties: $ref: '#/components/schemas/UserSchemaAttribute' required: type: array + description: A collection indicating required property names + readOnly: true items: type: string type: type: string + description: The object type + readOnly: true UserStatus: - description: The current status of the user + description: |- + The current status of the user. + + The status of a User changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the User to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user. type: string enum: - ACTIVE @@ -47523,24 +66126,28 @@ components: readOnly: true name: type: string - description: |- - The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. - This value becomes read-only after creation and can't be updated. + description: The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. This value becomes read-only after creation and can't be updated. _links: $ref: '#/components/schemas/UserTypeLinks' required: - name - displayName UserTypeCondition: + description: <x-lifecycle class="oie"></x-lifecycle> Specifies which User Types to include and/or exclude properties: exclude: items: type: string type: array + description: The User Types to exclude include: items: type: string type: array + description: The User Types to include + required: + - exclude + - include UserTypeLinks: allOf: - $ref: '#/components/schemas/LinksSelf' @@ -47582,19 +66189,25 @@ components: - DISCOURAGED - PREFERRED - REQUIRED + UsersLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Application Users](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) resource VerificationMethod: + description: |- + Describes the method for verifying the user. The supported method types are `ASSURANCE` and `AUTH_METHOD_CHAIN`. + + <x-lifecycle class="ea"></x-lifecycle> The method type `AUTH_METHOD_CHAIN` is an [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) (Self-Service) feature. You can + enable the feature for your org from the **Settings** > **Features** page in the Admin Console. type: object properties: - constraints: - items: - $ref: '#/components/schemas/AccessPolicyConstraints' - type: array - factorMode: - type: string - reauthenticateIn: - type: string type: - type: string + $ref: '#/components/schemas/PolicyRuleVerificationMethodType' + discriminator: + propertyName: type + mapping: + ASSURANCE: '#/components/schemas/AssuranceMethod' + AUTH_METHOD_CHAIN: '#/components/schemas/AuthenticationMethodChainMethod' Version: description: The version specified as a [Semantic Version](https://semver.org/). type: string @@ -47758,6 +66371,7 @@ components: format: uri example: https://{yourOktaDomain}/oauth2/v1/keys WidgetGeneration: + description: The generation of the Sign-in Widget type: string enum: - G2 @@ -47793,28 +66407,64 @@ components: properties: attributeStatements: type: string + description: You can federate user attributes such as Okta profile fields, LDAP, Active Directory, and Workday values. The SP uses the federated WS-Fed attribute values accordingly. audienceRestriction: type: string + description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP. authnContextClassRef: type: string + description: Identifies the SAML authentication context class for the assertion's authentication statement groupFilter: type: string + description: A regular expression that filters for the User Groups you want included with the `groupName` attribute. If the matching User Group has a corresponding AD group, then the attribute statement includes the value of the attribute specified by `groupValueFormat`. If the matching User Group doesn't contain a corresponding AD group, then the `groupName` is used in the attribute statement. groupName: type: string + description: The group name to include in the WS-Fed response attribute statement. This property is used in conjunction with the `groupFilter` property. Groups that are filtered through the `groupFilter` expression are included with the `groupName` in the attribute statement. Any users that belong to the group you've filtered are included in the WS-Fed response attribute statement. groupValueFormat: type: string + description: Specifies the WS-Fed assertion attribute value for filtered groups. This attribute is only applied to Active Directory groups. + enum: + - windowsDomainQualifiedName + - samAccountName + - dn nameIDFormat: type: string + description: The username format that you send in the WS-Fed response realm: type: string + description: The uniform resource identifier (URI) of the WS-Fed app that's used to share resources securely within a domain. It's the identity that's sent to the Okta IdP when signing in. See [Realm name](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_Configure_Okta_Template_WS_Federation#Realm). siteURL: type: string + description: Launch URL for the web app usernameAttribute: type: string + description: Specifies additional username attribute statements to include in the WS-Fed assertion + enum: + - username + - upn + - upnAndUsername + - none wReplyOverride: type: boolean + description: Enables a web app to override the `wReplyURL` URL with a reply parameter. wReplyURL: type: string + description: The WS-Fed SP endpoint where your users sign in + example: http://test.acme.com/example-post-sign/ + required: + - audienceRestriction + - groupValueFormat + - wReplyURL + - nameIDFormat + - authnContextClassRef + - siteURL + - usernameAttribute + X5c: + description: Base64-encoded X.509 certificate chain with DER encoding + items: + type: string + example: MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + type: array ZoomUsApplication: title: Zoom x-tags: @@ -47923,6 +66573,41 @@ components: siteDomain: type: string description: Your Zscaler domain + _embedded: + description: The Public Key Details are defined in the `_embedded` property of the Key object. + type: object + properties: + alg: + description: Algorithm used in the key + type: string + nullable: false + readOnly: true + e: + description: RSA key value (exponent) for key binding + type: string + nullable: false + readOnly: true + kid: + description: Unique identifier for the certificate + type: string + uniqueItems: true + nullable: false + readOnly: true + kty: + description: Cryptographic algorithm family for the certificate's keypair + type: string + nullable: false + readOnly: true + 'n': + description: RSA key value (modulus) for key binding + type: string + nullable: false + readOnly: true + use: + description: Acceptable use of the certificate + type: string + nullable: true + readOnly: true appLink: type: object properties: @@ -47934,6 +66619,7 @@ components: createdProperty: description: Timestamp when the object was created format: date-time + example: '2017-03-28T01:11:10.000Z' type: string readOnly: true enabledPagesType: @@ -47952,6 +66638,65 @@ components: description: Timestamp when the object was last updated type: string readOnly: true + orgBillingContactType: + description: Org billing contact + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org billing Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + billing: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org billing [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource + orgGeneralSettingLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + type: object + properties: + contacts: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Contacts](/openapi/okta-management/management/tag/OrgSettingContact/) resource + logo: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org logo + oktaCommunication: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Communication Settings](/openapi/okta-management/management/tag/OrgSettingCommunication/) resource + oktaSupport: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Support Settings](/openapi/okta-management/management/tag/OrgSettingSupport/) resource + preferences: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Preferences](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/getOrgPreferences) resource + uploadLogo: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Upload Org Logo](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/uploadOrgLogo) resource + readOnly: true + orgTechnicalContactType: + description: Org technical contact + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org technical Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + technical: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org technical [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource postAPIServiceIntegrationInstance: allOf: - $ref: '#/components/schemas/APIServiceIntegrationInstance' @@ -48089,6 +66834,7 @@ components: okta.apps.manage: Allows the app to create and manage Apps in your Okta organization okta.apps.read: Allows the app to read information about Apps in your Okta organization okta.authenticators.manage: Allows the app to manage all authenticators. For example, enrollments or resets. + okta.authenticators.manage.self: Allows the app to manage a user's own authenticators. For example, enrollments or resets. okta.authenticators.read: Allows the app to read org authenticators information okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization @@ -48100,11 +66846,15 @@ components: okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization okta.deviceAssurance.manage: Allows the app to manage device assurances okta.deviceAssurance.read: Allows the app to read device assurances + okta.deviceChecks.manage: Allows the app to manage device checks + okta.deviceChecks.read: Allows the app to read device checks okta.devices.manage: Allows the app to manage device status transitions and delete a device okta.devices.read: Allows the app to read the existing device's profile and search devices okta.directories.groups.manage: Allows the app to manage AD/LDAP Groups for your Okta organization okta.domains.manage: Allows the app to manage custom Domains for your Okta organization okta.domains.read: Allows the app to read information about custom Domains for your Okta organization + okta.dr.manage: Allows the app to manage disaster recovery + okta.dr.read: Allows the app to read the disaster recovery status okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization @@ -48134,10 +66884,14 @@ components: okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization okta.orgs.read: Allows the app to read organization-specific details about your Okta organization + okta.personal.adminSettings.manage: Allows the app to manage the personal admin settings for the signed-in user + okta.personal.adminSettings.read: Allows the app to read the personal admin settings for the signed-in user okta.policies.manage: Allows the app to manage policies in your Okta organization okta.policies.read: Allows the app to read information about policies in your Okta organization okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization + okta.privilegedAccounts.manage: Allows the app to create and manage Privileged Accounts in your Okta organization + okta.privilegedAccounts.read: Allows the app to read Privileged Accounts in your Okta organization okta.privilegedResources.manage: Allows the app to create privileged resources and manage their details okta.privilegedResources.read: Allows the app to read the details of existing privileged resources okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization @@ -48171,9 +66925,13 @@ components: okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization okta.uischemas.manage: Allows the app to manage all the UI Schemas in your Okta organization okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization - okta.userTypes.manage: Allows the app to manage user types in your Okta organization - okta.userTypes.read: Allows the app to read user types in your Okta organization + okta.userRisk.manage: Allows the app to manage a user's risk in your Okta org + okta.userRisk.read: Allows the app to read a user's risk in your Okta org + okta.userTypes.manage: Allows the app to manage user types in your Okta org + okta.userTypes.read: Allows the app to read user types in your Okta org okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information + okta.users.manage.self: Allows the app to manage the signed-in user's profile and credentials okta.users.read: Allows the app to read the existing users' profiles and credentials + okta.users.read.self: Allows the app to read the signed-in user's profile and credentials ssf.manage: Allows the app to create and manage Shared Signals Framework (SSF) in your Okta organization ssf.read: Allows the app to read information about Shared Signals Framework (SSF) in your Okta organization