diff --git a/openapi3/management-noEnums.yaml b/openapi3/management-noEnums.yaml index 77dbe165..3fd40ac1 100644 --- a/openapi3/management-noEnums.yaml +++ b/openapi3/management-noEnums.yaml @@ -1,7 +1,7 @@ openapi: 3.0.3 info: - title: Okta API - description: Allows customers to easily access the Okta API + title: Okta Admin Management + description: Allows customers to easily access the Okta Management APIs termsOfService: https://developer.okta.com/terms/ contact: name: Okta Developer Team 
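Review bot: the new `description` in this hunk, `Allows customers to easily access the Okta Management APIs`, is still marketing copy rather than documentation. Since `info.description` is what renders at the top of the generated reference, state what the spec actually covers (the admin management endpoints under `/api/v1/`, which the tag descriptions later in this file refer to) and which authentication methods callers are expected to use; the SSWS-versus-OAuth note that is repeated in several tag descriptions belongs here once. The retitle to `Okta Admin Management` is fine as long as the rendered reference that keys off `info.title` is updated in the same change.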
@@ -10,146 +10,924 @@ info: license: name: Apache-2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html - version: 3.0.0 + version: 5.1.0 x-logo: url: logo.svg backgroundColor: transparent altText: Okta Developer -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html servers: - - url: https://{subdomain}.{domain} - variables: - subdomain: - default: your-subdomain - description: The subdomain of your organization - domain: - enum: - - okta.com - - oktapreview.com - - okta-emea.com - default: okta.com - description: The okta domain of your organization. - - url: https://{customDomain} + - url: https://{yourOktaDomain} variables: - customDomain: - default: auth.your-custom-domain.com - description: The custom domain configured for your organization + yourOktaDomain: + default: subdomain.okta.com + description: The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. tags: - name: AgentPools x-displayName: Agent Pools + description: The Agent Pools API provides operation to manage the update settings of the agents for your organization. + - name: ApiServiceIntegrations + x-displayName: API Service Integrations + description: | + This API provides operations to manage API service integration instances in your organization. + + For a current list of available API service integrations, see the [Okta Integration Network catalog](https://www.okta.com/integrations/?capability=api). + + See [Add an API Service Integration](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-api-service-integration) for corresponding admin instructions using the Admin Console. + If you want to build an API service integration, see [API service integrations in the OIN](https://developer.okta.com/docs/guides/oin-api-service-overview/). 
- name: ApiToken x-displayName: API Tokens + description: The API Tokens API provides operations to manage SSWS API tokens for your organization. - name: Application x-displayName: Applications + description: |- + The Applications API provides operations to manage apps in your org. + + To create a custom app integration instance, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) operation with the schema provided in the request payload. + + To create an app instance from the Okta Integration Network (OIN), use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) + operation with the corresponding OIN app schema in the request body. + - name: ApplicationConnections + x-displayName: Application Connections + description: | + The Application Connections API provides operations for configuring connections to an app. + + Okta supports token-based and OAuth 2.0-based provisioning connections for supported apps. + The following available provisioning connections are supported by the indicated apps: + + |
Connection
| Description |
Apps supported
| + | -------------------------------- | -------------- | ----------- | + | Token | The provisioning API connection is based on bearer token authentication. | | + | OAuth 2.0 | The provisioning API connection is based on OAuth 2.0 authentication. | | + + > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. + - name: ApplicationFeatures + x-displayName: Application Features + description: | + The Application Features API supports operations to configure app provisioning feature settings. + + You must have app provisioning enabled to configure provisioning features. See [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). + + The following available provisioning features are supported by the indicated apps: + + |
Feature
| Description |
Apps supported
| + | -------------------- | -------------- | ----------- | + | `USER_PROVISIONING` | Similar to the app **Provisioning** > **To App** setting in the Admin Console, user profiles are pushed from Okta to the third-party app. You can configure rules for creating users, deactivating users, and syncing passwords. | | + | `INBOUND_PROVISIONING` | Similar to the app **Provisioning** > **To Okta** provisioning setting in the Admin Console, user profiles are imported from the third-party app into Okta. You can schedule user import and configure rules for user creation and matching. | | + + > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. + - name: ApplicationGrants + x-displayName: Application Grants + description: | + The Application Grants API provides a set of operations to manage scope consent grants for an app. + + A scope consent grant represents an app's permission to include specific Okta scopes in OAuth 2.0 Bearer tokens. + If the app doesn't have permission to grant consent for a particular Okta scope, token requests that contain the scope are denied. + - name: ApplicationGroups + x-displayName: Application Groups + description: The Application Groups API provides a set of operations to manage group assignment for an app. + - name: ApplicationLogos + x-displayName: Application Logos + description: Provides a resource to manage the application instance logo + - name: ApplicationPolicies + x-displayName: Application Policies + description: The Application Policies API provides a resource to manage authentication policies associated with an app. 
+ - name: ApplicationSSO + x-displayName: Application SSO + description: Provides a Single Sign-On (SSO) resource for an application + - name: ApplicationSSOCredentialKey + x-displayName: Application Key Credentials + description: | + The Application Key Credentials API provides a set of operations to manage an app's key store credentials. + - name: ApplicationSSOCredentialOAuth2ClientAuth + x-displayName: Application Client Auth Credentials + description: | + The Application Client Authentication Credentials API provides a set of operations to manage credentials used for OAuth 2.0 client authentication as described in [Client authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/client-auth/). + - name: ApplicationTokens + x-displayName: Application Tokens + description: | + Resource to manage OAuth 2.0 tokens for an app + > **Note:** To configure refresh tokens for an app, see + > [grant_types](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/grant_types&t=request) + > and [refresh_token](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/refresh_token&t=request). + - name: ApplicationUsers + x-displayName: Application Users + description: | + The Application Users API provides operations to manage app users and their assignments. + The object returned from assigning a user to an app is known as the Application User. + + You can assign users to apps for: + * SSO only + * SSO and provisioning + - name: AttackProtection + x-displayName: Attack Protection + description: The Attack Protection API provides operations to configure the User Lockout Settings and the Authenticator Settings in your org to protect against password abuse. 
- name: Authenticator x-displayName: Authenticators + description: |- + The Authenticators Administration API provides operations to configure which Authenticators are available to end users for use when they sign in to applications. + + End users are required to use one or more Authenticators based on the security requirements of the authentication policy. + + Okta Identity Engine currently supports Authenticators for the following factors: + + **Knowledge-based:** + * Password + * Security Question + + **Possession-based:** + * Phone (SMS, voice call) + * Email + * WebAuthn + * Duo + * Custom app - name: AuthorizationServer x-displayName: Authorization Servers + description: |- + Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them. + + **Work with the Default Authorization Server** + + Okta provides a pre-configured Custom Authorization Server with the name `default`. This Default Authorization Server includes a basic access policy and rule, which you can edit to control access. It allows you to specify `default` instead of the `authorizationServerId` in requests to it: + + `https://${yourOktaDomain}/api/v1/authorizationServers/default` + + vs + + `https://${yourOktaDomain}/api/v1/authorizationServers/${authorizationServerId}` for other Custom Authorization Servers + - name: AuthorizationServerAssoc + x-displayName: Authorization Server Associated Servers + description: Associated authorization servers allow you to designate a trusted authorization server that you associate with another authorization server. This type of association provides a way to configure [token exchange](https://developer.okta.com/docs/guides/set-up-token-exchange/main/#trusted-servers) between other authorization servers under the same Okta tenant. 
+ - name: AuthorizationServerClaims + x-displayName: Authorization Server Claims + description: Provides operations to manage custom token claims for the given `authServerId` and `claimId` + - name: AuthorizationServerClients + x-displayName: Authorization Server Clients + description: |- + These endpoints allow you to manage tokens issued by an authorization server for a particular client. For example, you can revoke every active refresh token for a specific client. You can also revoke specific tokens or manage tokens at the User level. + + Read [Validate access tokens](https://developer.okta.com/docs/guides/validate-access-tokens/dotnet/main/) and [Validate ID tokens](https://developer.okta.com/docs/guides/validate-id-tokens/main/) to understand more about how OAuth 2.0 tokens work. + - name: AuthorizationServerKeys + x-displayName: Authorization Server Keys + description: |- + Provides operations to manage [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) credentials for the given `authServerId`. + + > **Note:** Looking for how to obtain the jwks_uri for your org or custom authorization server? See the [well-known OpenID metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOpenIDConfigurationCustomAS) and the [well-known OAuth 2.0 metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOAuthConfigurationCustomAS). + - name: AuthorizationServerPolicies + x-displayName: Authorization Server Policies + description: Provides operations to manage policies for the given `authServerId`. + - name: AuthorizationServerRules + x-displayName: Authorization Server Rules + description: Provides operations to manage policy rules for the given `authServerId`, `policyId`, and `ruleId`. 
+ - name: AuthorizationServerScopes + x-displayName: Authorization Server Scopes + description: Provides operations to manage custom token scopes for the given `authServerId` and `scopeId`. See [scope properties](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scope-properties). - name: Behavior x-displayName: Behavior Rules - - name: Customization - x-displayName: Customizations + description: The Behavior Rules API provides operations to manage the behavior detection rules for your organization. + - name: Brands + x-displayName: Brands + description: |- + These endpoints allow you to manage Brands, and their metadata, in your orgs. With Brands, you can customize the following: + * [The Okta-hosted sign-in page](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) + * [The sign-out page](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) + * [Error pages](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) + * [Email templates](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomTemplates/) + * [The Okta End-User Dashboard](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Themes/) + + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: CAPTCHA x-displayName: CAPTCHAs - - name: Domain - x-displayName: Domains + description: |- + As an option to increase org security, Okta supports CAPTCHA services to prevent automated sign-in attempts. 
You can integrate one of two providers: [hCaptcha](https://www.hcaptcha.com/) or [reCAPTCHA v2](https://developers.google.com/recaptcha/docs/invisible). + + The vendor implementations supported by Okta are both invisible. They each run risk-analysis software in the background during user sign in to determine the likelihood that the user is a bot. This risk analysis is based on the settings that you configure with the provider that you choose. + + Before you configure your org to use CAPTCHA, sign in to the vendor of your choice or sign up for an account. For more details, refer to [CAPTCHA integration](https://help.okta.com/okta_help.htm?type=oie&id=csh-captcha). + - name: CustomDomain + x-displayName: Custom Domains + description: The Custom Domains API provides operations to manage custom domains for your organization. + - name: CustomPages + x-displayName: Custom Pages + description: |- + These endpoints allow you to customize the contents of various pages, including: + * The Okta-hosted sign-in page + * Error pages + * The sign-out page + + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). + - name: CustomTemplates + x-displayName: Custom Email Templates + description: |- + These endpoints allow you to programmatically manage email customizations. + + Okta provides many customizable email templates. For example, the `UserActivation` email template allows users to activate their account. Use email customizations to override a template's default content. See the [list of email templates](https://developer.okta.com/docs/guides/custom-email/main/#use-customizable-email-templates). 
+ + Each template has default content that Okta translates to any one of the supported languages. The following settings determine the language for emails sent from Okta to a user, if the user hasn't selected a specific display language: + * The user's locale property value (if specified) + * The org's display language + + See [Supported languages](https://developer.okta.com/docs/guides/custom-email/main/#supported-languages). + + The following constraints apply to email customizations: + * If an email template has any customizations at all, exactly one of them must be the default (where `isDefault` is `true`). Okta uses the default customization when no other customization applies to the user's language settings. + * Each email template can have only one customization for each supported language. + + ### Enable other locales + + + Use the [BCP 47 format](https://www.rfc-editor.org/info/bcp47) to enable more locales than Okta's 27 default languages. + + Once you create a customization with the new locale, the locale appears in the Admin Console along with the default-supported locales. + + Include `null` in the subject or body of the email customization. Okta replaces `null` with a default value based on the following order of priority: + + - An existing default email customization, if one exists + - Okta-provided translated content for the specified language, if one exists + - Okta-provided translated content for the brand locale, if it's set + - Okta-provided content in English + - name: Device + x-displayName: Devices + description: |- + The Okta Devices API provides a centralized integration platform to fetch and manage device information. Okta administrators can use these APIs to manage workforce identity Device object information. + + The Devices API supports the following **Device Operations**: + * Get, Delete Device objects. + * Perform lifecycle transitions on the Device objects. 
+ Device lifecycle is defined as transitions of the Device Status by the associated operations. The Device object follows a predefined lifecycle transition flow. Device Lifecycle operations are idempotent and its calls are synchronous. + + The Devices API supports the following **Authorization Schemes**: + * SSWS - [API tokens](https://developer.okta.com/docs/reference/core-okta-api/#authentication) + * Bearer - [OAuth2.0 and OpenID Connect](https://developer.okta.com/docs/concepts/oauth-openid/) + + > **Note:** For devices to enroll in Okta and show up in the Devices API, the following actions are required: + > 1. Admins - Enable Okta FastPass. See [Enable FastPass](https://help.okta.com/okta_help.htm?type=oie&id=ext-fp-enable) + > 2. End users with existing mobile Okta Verify enrollments - After you upgrade your org to Okta Identity Engine, direct end users with existing Okta Verify enrollments to use [FastPass](https://help.okta.com/okta_help.htm?type=oie&id=csh-fp-main). + + > **Note:** End users with a new enrollment in Okta Verify on an Okta Identity Engine org have a device record created in the device inventory by default. + See [Device Registration](https://help.okta.com/okta_help.htm?type=oie&id=csh-device-registration), [Login Using Okta Verify](https://help.okta.com/okta_help.htm?type=eu&id=ext-ov-user-overview). + - name: DeviceAccess + x-displayName: Device Access + description: The Device Access API provides operations to configure device access settings. + - name: DeviceAssurance + x-displayName: Device Assurance Policies + description: The Device Assurance Policies API provides operations to manage device assurance policies in your organization. + - name: DirectoriesIntegration + x-displayName: Directories Integration + description: |- + > **Note:** Your Okta org needs to have the AD bidirectional group management feature enabled. Contact your Okta account team to enable this feature. 
+ + The Directories Integration API provides operations to manage Active Directory objects in a connected on-premises directory through Okta. + - name: EmailCustomization + x-displayName: Email Customization + description: The Email Customization API provides operations to modify the email bounce list for your Okta org. + - name: EmailDomain + x-displayName: Email Domains + description: The Email Domains API provides operations to manage email domains for your organization. + - name: EmailServer + x-displayName: Email Servers + description: The Email Servers API allows you to configure a custom external email provider to send email notifications. By default, notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. Adding a custom email provider gives you more control over your email delivery. - name: EventHook x-displayName: Event Hooks + description: |- + The Event Hooks API provides operations to manage event hooks for your organization. + + For general information on event hooks and how to create and use them, see [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/). The following documentation is only for the management API, which provides a CRUD interface for registering event hooks. + + For a step-by-step guide on implementing an example event hook, see the [Event hook](https://developer.okta.com/docs/guides/event-hook-implementation/) guide. + + When you create an event hook, you need to specify which events you want to subscribe to. To see the list of event types currently eligible for use in event hooks, use the [Event Types](https://developer.okta.com/docs/reference/api/event-types/#catalog) catalog and search with the parameter `event-hook-eligible`. - name: Feature x-displayName: Features + description: |- + The Okta Features API provides operations to manage self-service Early Access (EA) and Beta features in your org. 
+ + > **Note:** Important background information for this API is available on the [Feature Lifecycle Management](https://developer.okta.com/docs/concepts/feature-lifecycle-management/) page. + - name: GovernanceBundle + x-displayName: IAM Governance Bundles + description: |- + These APIs allow you to manage governance bundles for the Admin Console, and manage roles and resources associated with the bundles. + For details on how governance bundles are supported from the Resource Management Access Platform (RAMP), see [Entitlement Management](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/entitlement-mgt.htm). - name: Group x-displayName: Groups + description: The Groups API provides operations to manage Okta Groups and their user members for your org. + - name: GroupOwner + x-displayName: Group Owners + description: |- + The Group Owners API provides operations to manage owners of Okta Groups for your organization. + + > **Note**: This API is only available if you're subscribed to [Okta Identity Governance](https://www.okta.com/products/identity-governance/). Contact your Customer Success Manager or Account Executive for more information. + - name: GroupRule + x-displayName: Group Rules + description: The Group Rules API provides operations to manage rules for Okta Groups in your org. + - name: HookKey + x-displayName: Hook Keys + description: |- + The Okta Key Management API provides a CRUD interface for JSON Web Keys (JWK) used with other parts of the application, such as inline hooks. For information on how to create inline hooks, see [inline hooks](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/). + + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. 
OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: IdentityProvider x-displayName: Identity Providers + description: The Identity Providers API provides operations to manage federations with external Identity Providers (IdP). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (`OIDC`) protocol. + - name: IdentityProviderKeys + x-displayName: Identity Provider Keys + description: The Identity Provider Keys API provides operations to manage Key Credentials for Identity Providers. + - name: IdentityProviderSigningKeys + x-displayName: Identity Provider Signing Keys + description: |- + The Identity Provider Signing Keys API provides operations to manage signing Key Credentials and Certificate Signing Requests for Identity Providers. + > **Note:** Okta currently uses the same key for both request signing and the decryption of SAML assertions that the IdP encrypts. Changing your signing key also changes your decryption key. + - name: IdentityProviderUsers + x-displayName: Identity Provider Users + description: The Identity Provider Users API provides operations to manage Identity Provider Users. + - name: IdentitySource + x-displayName: Identity Sources + description: The Okta Identity Source API provides a mechanism to synchronize an HR source (the custom identity source) with Okta user profiles in an org. - name: InlineHook x-displayName: Inline Hooks - - name: SystemLog - x-displayName: System Log - - name: ProfileMapping - x-displayName: Profile Mappings - - name: UserType - x-displayName: User Types - - name: Schema - x-displayName: Schemas + description: |- + The Inline Hooks API provides operations to manage inline hooks for your organization. 
+ + For general information on inline hooks and how to create and use them, see [inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/). The following documentation is only for the management API, which provides a CRUD interface for registering inline hooks. - name: LinkedObject x-displayName: Linked Objects - - name: OrgSetting - x-displayName: Org Settings + description: |- + Users have relationships to each other, like manager and subordinate or customer and sales representative. You can create users with relationships by using the Linked Objects API to represent the relationship. + + 1. Create a Linked Object definition such as Manager:Subordinate or Case Worker:Client. These pairs are represented by a `primary` attribute and an `associated` attribute. + 2. Link users together to create the relationship between the two. You create a Linked Object value with a single request that links one `primary` and one `associated` user. + + For each relationship: + + * A user has at most one `primary` link (a user has a single manager), but can have many `associated` links (a user can have many subordinates). + * A user can be the `primary` in one relationship and the `associated` in another. + * A user can be both the `primary` and `associated` in the same relationship. + + Okta Expression Language function for [Linked Objects](https://developer.okta.com/docs/reference/okta-expression-language/#linked-object-function) provides access to the details about a linked user. + + > **Note:** The Linked Objects feature isn't available for OpenID Connect claims. + + ## Example usage + + Okta allows you to create up to 200 Linked Object definitions. These definitions are one-to-many, for example: + + * A manager has many subordinates. Each subordinate has one manager. + * A sales representative has many customers. Each customer has one sales rep. + * A case worker has many clients. Each client has one case worker. 
+ + Most organizations have more than one manager or sales representative. You can create the Linked Object definition once, and then assign the `primary` relationship to as many users as you have people in that relationship. + + You can assign the `associated` relationship for a single `primary` user to as many users as needed. The `associated` user can be related to only one `primary` per Linked Object definition. But a user can be assigned to more than one Linked Object definition. + + For example, assume that you've created one Linked Object definition for manager (`primary`) and for subordinates (`associated`): + + * Joe is Frank's manager. + * Bob is Joe's manager, but Jane's subordinate. + * Jane is the CEO, so she reports to herself. + + Thus, you can create chains of relationships (Jane > Bob > Joe > Frank) or terminal relationships (Jane is both `primary` and `associated` user). + + Then, if you create another Linked Object relationship for scrum team membership, you could assign relationships to the same four users: + + * Bob is the scrum lead for the Identity Scrum team. + * Joe and Frank are both contributors to the team. + + Bob can be the `primary` for a Manager:Subordinate, an `associated` user for that same Linked Object definition, and also the `primary` for the Scrumlead:Contributor Linked Object definition. + + To represent a relationship, create a Linked Object definition that specifies a `primary` (parent) relationship and an `associated` (child) relationship, and then add a link in which the appropriate user is assigned to each side of that link type. + + ## Links between user types + + If you created multiple user types (see [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/)), they all share the same Linked Object definitions. 
For example, if you have separate user types for employees and contractors, a link could designate an employee as the manager for a contractor, with the contractor being a subordinate of that employee. + + ## Link definition operations + + Link definition operations allow you to manage the creation and removal of the link definitions. If you remove a link definition, links based on that definition are unavailable. + + > **Note:** Links reappear if you recreate the definition. However, Okta is likely to change this behavior so that links don't reappear. Don't rely on this behavior in production environments. + - name: LogStream + x-displayName: Log Streaming + description: The Log Streaming API provides operations to manage Log Stream configurations for an org. You can configure up to two Log Stream integrations per org. + - name: NetworkZone + x-displayName: Network Zones + description: |- + The Network Zones API provides operations to manage system default and custom zones in your Okta org. + Network Zones are configurable boundaries that you can use to grant or restrict access to resources in your organization. + They're used for two purposes: + * `POLICY`: Network Zones used to guide policy decisions + * `BLOCKLIST`: Network Zones used to deny access from certain IP addresses, locations, Autonomous System Numbers (ASNs), proxy types, or IP service categories before policy evaluation + > **Note:** The Network Zone blocklist applies to all URLs for the org. + + See [Network zones](https://help.okta.com/okta_help.htm?id=ext_Security_Network) in the Okta product documentation. 
+ + Your Okta org provides the following default system Network Zones that you can modify and use: + * `LegacyIpZone`: The system default IP Network Zone + * `BlockedIpZone`: The system default IP Blocklist Network Zone + * `DefaultEnhancedDynamicZone`: The system default Enhanced Dynamic Network Zone + + You can create and use the following custom Network Zones: + * IP Network Zone (`IP`): Allows you to define network perimeters around a set of IPs + * Dynamic Network Zone (`DYNAMIC`): Allows you to define network perimeters around location, IP type, or ASNs + * Enhanced Dynamic Network Zone (`DYNAMIC_V2`): Extends the Dynamic Network Zone and allows you to include or exclude specific locations, ASNs, or IP service categories + + > **Notes:** + > * To create multiple Network Zones, you must have Adaptive MFA enabled in your Okta org. + > * Enhanced Dynamic Network Zones is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. You must enable **Enhanced Dynamic Network Zones** in your Org settings to access this API. See [Manage Early Access and Beta features](https://help.okta.com/okta_help.htm?id=ext_secur_manage_ea_bata). + - name: OktaApplicationSettings + x-displayName: Okta Application Settings + description: The Okta Application Settings API provides operations to manage settings for Okta apps in your org. + - name: OktaPersonalSettings + x-displayName: Okta Personal Settings + description: The Okta Personal Settings API provides operations to manage the [Okta Personal](https://www.okta.com/products/okta-personal/workforce) settings of your Okta org. + - name: OrgCreator + x-displayName: Org Creator + description: |- + > **Note:** You need to have the **Platform—Multi-org Deployment** product to enable the **Org Creator API** feature. Contact your Okta account team for more information. 
+ + The Org Creator API provides an operation to create Okta orgs (child orgs) based on features from your current org (the parent org). See [Org Creator](https://developer.okta.com/docs/concepts/org-creator/). + - name: OrgSettingAdmin + x-displayName: Org Admin Settings + description: The Org Admin Settings API provides operations to manage the admin settings for your Okta org. + - name: OrgSettingCommunication + x-displayName: Org Communication Settings + description: The Org Communication Settings API provides operations to manage the communication settings for your Okta org. For example, opt users in or out of communication emails. + - name: OrgSettingContact + x-displayName: Org Contacts + description: The Org Contacts API provides operations to manage the contact types of your Okta org. + - name: OrgSettingCustomization + x-displayName: Org Customization + description: The Org Customization API provides operations to retrieve and modify custom settings for your Okta org. + - name: OrgSettingGeneral + x-displayName: Org General Settings + description: The Org General Settings API provides operations to manage the general settings of your Okta org. + - name: OrgSettingMetadata + x-displayName: Org Metadata + description: The Org Metadata API provides operation to fetch metadata for your Okta org. + - name: OrgSettingSupport + x-displayName: Org Support Settings + description: The Org Support Settings API provides operations to manage the support settings for your Okta org. - name: Policy x-displayName: Policies + description: |- + The Okta Policy API enables an Administrator to perform Policy and Policy Rule operations. 
The Policy framework is used by Okta to control Rules and settings that govern, among other things, user session lifetime, whether multi-factor authentication is required when logging in, what MFA factors may be employed, password complexity requirements, what types of self-service operations are permitted under various circumstances, and what identity provider to route users to. + + Policy settings for a particular Policy type, such as Sign On Policy, consist of one or more Policy objects, each of which contains one or more Policy Rules. Policies and Rules contain conditions that determine whether they are applicable to a particular user at a particular time. - name: PrincipalRateLimit x-displayName: Principal Rate Limits + description: The Principal Rate Limits API provides operations to manage Principal Rate Limits for your organization. + - name: ProfileMapping + x-displayName: Profile Mappings + description: The Mappings API provides operations to manage the mapping of Profile properties between an Okta User and an App User using [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language). More information on Okta User and App User Profiles can be found in Okta's [User profiles](https://developer.okta.com/docs/concepts/user-profiles/#what-is-the-okta-universal-directory). - name: PushProvider x-displayName: Push Providers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + description: |- + The Okta Push Providers API provides a centralized integration platform to fetch and manage push provider configurations. Okta administrators can use these APIs to provide their push provider credentials, for example from APNs and FCM, so that Okta can send push notifications to their own custom app authenticator applications. 
+ + The Push Providers API supports the following **Authorization Schemes**: + * SSWS - [API tokens](https://developer.okta.com/docs/reference/core-okta-api/#authentication) + * Bearer - [OAuth2.0 and OpenID Connect](https://developer.okta.com/docs/concepts/oauth-openid/) + + > **Notes:** + > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/reference/core-okta-api/#authentication). + > * You can use the Push Providers API as part of the "Create a custom authenticator" flow. See the [Custom authenticator integration guide](https://developer.okta.com/docs/guides/authenticators-custom-authenticator/android/main/). + - name: RateLimitSettings + x-displayName: Rate Limit Settings + description: The Rate Limit Settings APIs provide operations to manage settings and configurations surrounding rate limiting in your Okta organization. + - name: Realm + x-displayName: Realms + description: The Realms API provides operations to manage realms + - name: RealmAssignment + x-displayName: Realm Assignments + description: The Realm Assignments API provides operations to manage Realm Assignments + - name: RiskEvent + x-displayName: Risk Events + description: The Risk Events API provides the ability for third-party risk providers to send risk events to Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. + - name: RiskProvider + x-displayName: Risk Providers + description: The Risk Providers API enables you to manage the Risk Providers within Okta. 
See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. + - name: RoleAssignmentAUser + x-displayName: User Role Assignments + description: The User Role Assignments APIs allow you to assign roles and designate third-party admin status to Users. + - name: RoleAssignmentBGroup + x-displayName: Group Role Assignments + description: The Group Role Assignments APIs allow you to assign roles and designate third-party admin status to Groups. + - name: RoleAssignmentClient + x-displayName: Client Role Assignments + description: The Client Role Assignments APIs allow you to assign roles and designate third-party admin status to public client apps. + - name: RoleBTargetAdmin + x-displayName: User Role Targets + description: |- + User role targets are a way of limiting the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to an admin User within your org. + You can define admin roles to target Groups, Applications, and Application Instances. + + * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. + * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. + * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. + + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). 
You can define specific targets for custom roles with [Resource Set Resources](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleBTargetBGroup + x-displayName: Group Role Targets + description: |- + Group role targets allow you to limit the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a Group within your org. + You can define admin roles to target Groups, Applications, and Application Instances. + + * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. + * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. + * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. + + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Set Resources](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleBTargetClient + x-displayName: Client Role Targets + description: |- + Client role targets allow you to limit the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a client (Application) within your org. 
+ You can define admin roles to target Groups, Applications, and Application Instances. + + * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. + * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. + * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. + + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Sets](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleCResourceSet + x-displayName: Resource Sets + description: The Resource Sets API provides operations to manage Resource Sets as a custom set of resources. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). + - name: RoleCResourceSetResource + x-displayName: Resource Set Resources + description: The Resource Set Resources API provides operations to manage Resources within a Resource Set. You can add or remove Resources in Resource Sets. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). 
+ - name: RoleDResourceSetBinding + x-displayName: Role Resource Set Bindings + description: The Role Resource Set Bindings API provides operations to assign members to a [Custom Role](/openapi/okta-management/management/tag/RoleECustom/) that targets resources in a [Resource Set](/openapi/okta-management/management/tag/RoleCResourceSet/). The returned Role Resource Set Binding is a single unique combination of a principal, a resource set, and a custom role. You can assign custom roles to admins who are scoped to the designated resources in a resource set. + - name: RoleDResourceSetBindingMember + x-displayName: Role Resource Set Binding Members + description: The Role Resource Set Binding Members API provides operations to manage members in a [Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/). + - name: RoleECustom + x-displayName: Custom Roles + description: The Custom Roles API provides operations to manage custom roles that limit an admin's access to a subset of permissions and resources. + - name: RoleECustomPermission + x-displayName: Custom Role Permissions + description: The Custom Role Permissions API provides operations to manage the permissions assigned to a Custom Role. + - name: SSFReceiver + x-displayName: SSF Receiver + description: |- + + > This feature is only available with Identity Threat Protection in Identity Engine. + + Okta uses the [Shared Signals Framework (SSF)](https://sharedsignals.guide/) to receive security-related events and other data-subject signals from third-party security vendors. In this scenario, commonly used terms for third-party vendors that send signals are "transmitters", Okta is the "receiver", and the connection between the two entities is referred to as a "stream." + + The SSF Receiver API allows you to manage SSF vendor stream configurations between the transmitter and Okta. 
A stream is configured by [creating a Security Events Provider](/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance) object in your Okta org. You can create a Security Events Provider object in Okta with a published well-known URL or an issuer-and-JWKS combination. + + After the Security Events Provider object is created for a transmitter, the provider can use the [SSF Security Event Tokens](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken/) API to publish events to Okta. While the SSF allows ingestion through push and poll-based operations, Okta currently supports only push-based operations. + - name: SSFSecurityEventToken + x-displayName: SSF Security Event Tokens + description: |- + + > This feature is only available with Identity Threat Protection in Identity Engine. + + The Shared Signals Framework (SSF) Security Event Tokens API allows third-party security event providers to send Security Event Tokens (SETs) to Okta. The provider must be configured in Okta as a Security Events Provider instance before transmitting a SET to Okta. See [Create a Security Events Provider](/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance). After the token is verified, any appropriate action is performed upon ingestion. + + Okta uses the Shared Signals Framework (SSF) defined by the [OpenID Shared Signals and Events Framework specification](https://openid.net/specs/openid-sse-framework-1_0.html). A risk signal is ingested as a Security Event Token (SET), a type of JSON Web Token (JWT) that must comply with the SET standard: [RFC 8417 - Security Event Token(SET)](https://datatracker.ietf.org/doc/html/rfc8417). The `security.events.provider.receive_event` System Log event is created when a SET is published to Okta successfully. 
+ - name: SSFTransmitter + x-displayName: SSF Transmitter + description: |- + + > **Note:** The SSF Transmitter API is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. You must enable the **Enable Managed Apple ID federation and provisioning** feature in your Org settings to access this feature. See [Manage Early Access and Beta features](https://help.okta.com/okta_help.htm?id=ext_secur_manage_ea_bata). + + Okta uses the [Shared Signals Framework (SSF)](https://sharedsignals.guide) to send security-related events and other data-subject signals to third-party security vendors. In this scenario, commonly used terms for third-party vendors that receive signals are "receivers", Okta is the "transmitter", and the connection between the two entities is referred to as a "stream." + + The SSF Transmitter API allows you to manage SSF stream configurations between the receiver that receives signals transmitted by Okta. Okta sends signals in the form of [Security Event Tokens (SETs)](https://datatracker.ietf.org/doc/html/rfc8417) to a third-party SSF receiver. To enable the transmission of signals from Okta, you must create an SSF Stream using the SSF Transmitter API and configure the third-party receiver to accept signals from Okta. + - name: Schema + x-displayName: Schemas + description: |- + The Schemas API provides operations to manage custom User profiles as well as endpoints to discover the structure of the Log Stream configuration. + + Okta's [Universal Directory](https://help.okta.com/okta_help.htm?id=ext_About_Universal_Directory) allows administrators to define custom User profiles for Okta Users and Applications. + Okta adopts a subset of [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) as the schema language to describe and validate extensible User profiles. + For Log Stream Schemas, Okta uses [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). 
+ [JSON Schema](http://json-schema.org/) is a lightweight declarative format for describing the structure, constraints, and validation of JSON documents. + + > **Note:** Okta implements only a subset of [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). This document describes which parts apply to Okta, and any extensions Okta has made to [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). + + ### Unique Attributes + You can enforce uniqueness for custom properties in Okta user profiles or the Okta group profile, such as an employee identification number. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. Different user types can have the same or different unique properties (up to the limit of five per type). + + Unique properties in Okta user profiles share a single namespace across all [user types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) in an org. If user types A and B both contain the property `ice cream` and you identify it as unique in both profiles, then if a user of type A has the value `chocolate`, no other users of type A or B (or any other user type that declares `ice cream` as unique) can have that value. + + Properties that aren't unique also aren't tracked for uniqueness. Suppose the property `candy` is unique in type E and not unique in type F. If a user of type E has the value `caramel` for the `candy` property, no other users of type E can also have the value `caramel`, but any number of users of type F can already have or later be assigned the value `caramel`. Furthermore, because `candy` is not unique in type F, any values users of type F may have are not considered when enforcing uniqueness for users of type E. 
No matter how many users of type F already have the value `cotton`, it might be assigned to a user of type E as long as no other such user already has that value. + + If you attempt to create or update a user with a duplicate value for a custom user property with a uniqueness restriction, the user creation or update operation fails. The user isn't created or updated until you enter a unique value. Similarly, creating or updating a group fails when the request contains a value for a unique custom group property that is duplicated by another group. + + `null` values don't enter into the uniqueness calculation. If the unique property isn't also specified as being required, you can also omit the value entirely. Multiple users or groups can omit the property and not violate uniqueness. + + To enforce uniqueness for custom properties, you can either add new unique custom properties or update existing custom properties to be unique. + + #### Add new unique custom property + + You can use the [add property to user profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [add property to group profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to add one or more unique custom user or group properties. Specify `"unique": true` on the properties to be marked as unique. The response shows the properties with `"unique": "UNIQUE_VALIDATED"` and uniqueness is then enforced on those properties. 
+ + #### Update existing custom property to be unique + + You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to mark existing custom user or group properties as unique by specifying `"unique": true` on the properties to be marked as unique. + + After the request to mark existing custom properties as unique is submitted, an asynchronous validation check is performed to make sure that there are no existing duplicate entries. If you have a significant number of users or groups, the validation can take some time. + + A uniqueness status of `"unique": "PENDING_UNIQUENESS"` indicates that the validation check is still in progress. Use the Universal Directory page in the Admin Console (**Directory** > **Directory Integrations**) to track the status of the validation check. After the validation completes, if you submit a retrieve user schema request or a retreive group schema request, the property's uniqueness status changes to `UNIQUE_VALIDATED` if no duplicate records are found, and uniqueness is then enforced on that property. Otherwise, if duplicate records are found, the `unique` attribute of the schema property isn't shown in the get schema request and uniqueness isn't enforced on the schema property. 
+ + #### Update existing unique custom property to be non-unique + + You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to change existing unique custom user or group properties to be non-unique by specifying `"unique": false` on the properties to be changed to non-unique. The response shows the properties without the `unique` attribute and the uniqueness constraint is then removed on those properties. + + **Note:** If multiple user types declare a property as unique and you remove the uniqueness constraint on one type, there may be a delay before users of other types that declare the property as unique can be assigned values formerly held by users of the first type. - name: Session x-displayName: Sessions + description: |- + Okta uses a cookie-based authentication mechanism to maintain a user's authentication Session across web requests. The Okta Sessions API provides operations to create and manage authentication Sessions for users in your Okta organization. + + >**Notes:** + > * Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). + > * The Sessions API doesn't support direct authentication. Direct authentication is supported through the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#authentication-operations) or through OIDC using the [Resource Owner Password flow](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/). 
+ + ### Session cookie + + Okta uses an HTTP session cookie to provide access to your Okta organization and applications across web requests for an interactive user agent such as a web browser. A session cookie has an expiration configurable by an administrator for the organization and is valid until the cookie expires or the user closes the Session (logout) or browser application. + + ### Session token + + A [session token](https://developer.okta.com/docs/reference/api/authn/#session-token) is a one-time bearer token that provides proof of authentication and may be redeemed for an interactive SSO session in Okta in a user agent. Session tokens can only be used **once** to establish a Session for a user and are revoked when the token expires. + + Okta provides a very rich [Authentication API](https://developer.okta.com/docs/reference/api/authn/) to validate a [user's primary credentials](https://developer.okta.com/docs/reference/api/authn/#primary-authentication) and secondary [MFA factor](https://developer.okta.com/docs/reference/api/authn/#verify-factor). A session token is returned after successful authentication, which can be later exchanged for a session cookie that uses one of the following flows: + + - [Retrieve a session cookie by visiting the OpenID Connect Authorization Endpoint](https://developer.okta.com/docs/guides/session-cookie/main/#retrieve-a-session-cookie-through-the-openid-connect-authorization-endpoint) + - [Retrieve a session cookie by visiting a session redirect link](https://developer.okta.com/docs/guides/session-cookie/main/#retrieve-a-session-cookie-by-visiting-a-session-redirect-link) + - [Retrieve a session cookie by visiting an application embed link](https://developer.okta.com/docs/guides/session-cookie/main/#retrieve-a-session-cookie-by-visiting-an-application-embed-link) + + >**Note:** **Session tokens** are secrets and should be protected at rest and during transit. 
A session token for a user is equivalent to having the user's actual credentials. - name: Subscription x-displayName: Subscriptions + description: The Subscriptions API provides operations to manage email subscription settings for Okta administrator notifications. + - name: SystemLog + x-displayName: System Log + description: |- + The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. + + The Okta System Log API provides near real-time, read-only access to your organization's system log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). + + The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact. + + The System Log API supports these primary use cases: + * Event data export into a security information and event management system (SIEM) + * System monitoring + * Development debugging + * Event introspection and audit + + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: Template x-displayName: SMS Templates + description: |- + The SMS Templates API provides operations to manage custom SMS templates for verification. + + > **Note:** Only SMS custom Templates are available through the API. + + SMS Templates customize the SMS message that is sent to users. One default SMS Template is provided. 
All custom Templates must have the variable `${code}` as part of the text. The `${code}` variable is replaced with the actual SMS code when the message is sent. Optionally, you can also use the variable `${org.name}`. If a Template contains `${org.name}`, it is replaced with the organization name before the SMS message is sent. + + ### SMS Template macros + + Only two macros are supported for SMS Templates: + + |
Type
| Description | + | -------------------- | ----------- | + | ${code} | The one-time verification code that's required for a user to sign in. | + | ${org.name} | The Okta org name that the user is trying to authenticate into. | + + >**Note:** The length of your SMS message can't exceed 160 characters. If the verification code portion of the message falls outside of the 160-character limit, your message isn't sent. + - name: Themes + x-displayName: Themes + description: |- + These endpoints allow you to customize the look and feel of pages and templates, including the following: + * The Okta-hosted sign-in page + * The sign-out page + * Error pages + * Email templates + * The Okta End-User Dashboard + + Each new org contains Okta default branding. You can upload your own assets (colors, background image, logo, and favicon) to replace the default assets. Then you can publish these assets directly to your pages and templates. + + > **Notes:** + > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). + > * Okta optimizes the `primaryColorContrastHex` and `secondaryColorContrastHex` properties for the highest contrast between the font color and the background or button color. To disable or override the contrast auto-detection, update either contrast value with an accepted contrast hex code. Any update disables future automatic optimizations for the contrast hex. + > * Contrast color is used by pages to optimize the opacity of text color when primary or secondary color is used as the background. 
- name: ThreatInsight x-displayName: ThreatInsight + description: |- + [Okta ThreatInsight](https://help.okta.com/okta_help.htm?id=ext_threatinsight) maintains a + constantly evolving list of IP addresses that consistently exhibit malicious activity. + Authentication requests that are associated with an IP in this list can be logged to the + [System Log](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog) and blocked. + ThreatInsight also covers non-authentication requests in limited capacity depending on the attack patterns of these malicious IPs. + + The ThreatInsight API provides operations to manage your org ThreatInsight configuration. + + > **Note:** To prevent abuse, Okta ThreatInsight works in a limited capacity for free trial edition orgs. Please contact Okta support if fully functional Okta ThreatInsight is required. - name: TrustedOrigin x-displayName: Trusted Origins + description: |- + The Trusted Origins API provides operations to manage Trusted Origins and sources. + + When external URLs are requested during sign-in, sign-out, or recovery operations, Okta checks those URLs against the allowed list of Trusted Origins. Trusted Origins also enable browser-based applications to access Okta APIs from JavaScript (CORS). If the origins aren't specified, the related operation (redirect or Okta API access) isn't permitted. + + You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin. + + > **Notes:** + > * This feature is supported for Okta domains only. It isn't currently supported for custom domains. + > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. 
See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). + - name: UISchema + x-displayName: UI Schema + description: |- + The Okta UI Schema API allows you to control how inputs appear on an enrollment form. The UI Schema API is only available as a part of Okta Identity Engine. + + If you're not sure which solution you're using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs. - name: User x-displayName: Users + description: "The Users API provides operations to manage users in your organization.\n> **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs.\n> OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).\n\n### User status\nThe following diagram shows the flow of user status:\n![STAGED, PROVISIONED, ACTIVE, RECOVERY, LOCKED_OUT, PASSWORD_EXPIRED, or DEPROVISIONED](../../../../../images/users/okta-user-status.png)\n\n### User creation scenarios\n\n The following table describes the user experience and expectation of user status and welcome screen, depending on which options (security question and answer, password, and activate query) are defined during user creation.\n\n **User creation details and outcomes**\n\n | Security Q & A | Password | Activate Query Parameter | User Status | Login Credential | Welcome Screen |\n | ----- | -------- | ------------------------ | ------------- | ---------------------- | -------------- |\n | | | FALSE | `STAGED` | | |\n | | | TRUE | `PROVISIONED` or `ACTIVE` | One-Time Token (Email) or Email | X |\n | X | | FALSE | `STAGED` | | |\n | X | | TRUE | `PROVISIONED` or 
`ACTIVE` | One-Time Token (Email) or Email | X |\n | | X | FALSE | `STAGED` | | |\n | | X | TRUE | `ACTIVE` | Password | X |\n | X | X | FALSE | `STAGED` | | |\n | X | X | TRUE | `ACTIVE` | Password | |\n\nCreating users with a `FEDERATION` or `SOCIAL` provider sets the user status to either `ACTIVE` or `STAGED` based on the `activate` query parameter since these two providers don't support a `password` or `recovery_question` credential.\n\nMore information about the use cases are in the following sections and in the examples for [Create a user](/openapi/okta-management/management/tag/User/#tag/User/operation/createUser).\n\n#### Create user with Optional Password enabled\n\nWhen Optional Password is enabled, the user status following user creation can be affected by the enrollment policy. See [Create an authenticator enrollment policy](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-mfa-policy).\nBased on the group memberships that are specified when the user is created, a password may or may not be required to make the user's status `ACTIVE`.\n\nIf the enrollment policy that applies to the user (as determined by the groups assigned to the user) specifies that the Password authenticator is `required`, then in the case where the user is created without a password, the user is in the `PROVISIONED` status and\na One-Time Token is sent to the user through email. If the user is created with a password, then their status is set to ACTIVE, and they can immediately sign in using their Password authenticator.\n\nIf the enrollment policy that applies to the groups specified for the newly created user indicates that password is `optional` or `disabled`, then the Administrator can't specify a password for the user. Instead, the user status is set to `ACTIVE` and the user can immediately sign in using their Email authenticator. 
If policy permits, and the user so chooses, they can enroll a password after they sign in.\n\n#### Create user without credentials\n\nCreates a user without a `password` or a `recovery question & answer`.\n\nIf appropriate, when the user is activated, an email is sent to the user with an activation token that the user can use to complete the activation process.\nThis is the default flow for new user registration using the administrator UI.\n\n#### Create user with recovery question\n\nCreates a user without a `password`.\n\nWhen the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process.\nThis flow is useful if migrating users from an existing user store.\n\n#### Create user with password\n\nCreates a user without a `recovery question & answer`.\n\nThe new user is able to sign in after activation with the assigned password. This flow is common when developing a custom user registration experience.\n> **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.\n\n#### Create User with imported hashed password\n\nCreates a user with a specified `hashed password`.\n\nThe new user is able to sign in after activation with the specified password.\n\nThis flow is common when migrating users from another data store in cases where we want to allow the users to retain their current passwords.\n> **Important:** Do not generate or send a one-time activation token when activating users with an imported password. 
Users should login with their imported password.\n\n#### Create user with password import inline hook\n\nCreates a user with a `Password Hook` object specifying that a password inline hook should be used to handle password verification.\n\nThe password inline hook is triggered to handle verification of the end user's password the first time the user tries to sign in, with Okta calling the password inline hook to check that the password the user supplied is valid. If the password is valid, Okta stores the hash of the password that was provided and can authenticate the user independently from then on. See [Password import inline hook](https://developer.okta.com/docs/reference/password-hook/) for more details.\n\nThe new user is able to sign in after activation with the valid password. This flow supports migrating users from another data store in cases where we wish to allow the users to retain their current passwords.\n> **Important:** Don't generate or send a one-time activation token when activating users with an password inline hook. Users should sign in with their existing password to be imported using the password import inline hook.\n\n#### Create user with password & recovery question\n\nCreates a new user with a `password` and `recovery question & answer`.\n\nThe new user is able to log in with the assigned password after activation. This flow is common when developing a custom user-registration experience.\n> **Important:** Don't generate or send a one-time activation token when activating users with an assigned password. 
Users should login with their assigned password.\n\n#### Create user with authentication provider\n\nCreates a new passwordless user with a `SOCIAL` or `FEDERATION` authentication provider that must be authenticated via a trusted Identity Provider.\n\n#### Create user in Group\n\nCreates a user that is added to the specified groups upon creation.\n\nUse this in conjunction with other create operations for a Group Administrator that is scoped to create users only in specified groups. The request may specify up to 20 group ids. (This limit applies only when creating a user. The user may later be added to more groups.)\n\n#### Create user with non-default user type\n\nCreates a user with a specified user type (see [User Types](https://developer.okta.com/docs/reference/api/user-types)). The type specification may be included with any of the above Create user operations; this example demonstrates creating a user without credentials.\nThe user type determines which [Schema](/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can be assigned a different user type only by an admin via a full replacement [PUT operation](https://developer.okta.com/docs/reference/api/user-types/#update-user-type).\n\n### Links object\n\nThe links object specifies link relations. See [`_links`](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=_links&t=response).\n\n> **Note:** This links object is different from [Linked Objects](/openapi/okta-management/management/tag/LinkedObject/).\n\n#### Individual users versus collection of users\n\nFor an individual user result, the links object contains a full set of link relations available for that user as determined by your policies. For a collection of users, the links object contains only the `self` link. 
Operations that return a collection of users include [List all users](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) and [List all member users](openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers).\n\nThe following table shows some links that may be available on a user, as determined by your policies:\n\n| Link Relation Type | Description |\n|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n|self\t | A self-referential link to this user |\n|activate\t | Lifecycle action to [activate the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) |\n|deactivate |\tLifecycle action to [deactivate the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/deactivateUser) |\n|suspend |\tLifecycle action to [suspend the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/suspendUser) |\n|unsuspend |\tLifecycle action to [unsuspend the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unsuspendUser) |\n|resetPassword |\tLifecycle action to [trigger a password reset](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) |\n|expirePassword |\tLifecycle action to [expire the user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/expirePassword) |\n|resetFactors |\tLifecycle action to [reset all MFA factors](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/resetFactors) |\n|unlock |\tLifecycle action to [unlock a locked-out user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unlockUser) |\n|forgotPassword |\t[Resets a user's 
password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword) by validating the user's recovery credential. |\n|changePassword |\t[Changes a user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) validating the user's current password |\n|changeRecoveryQuestion |\t[Changes a user's recovery credential](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changeRecoveryQuestion) by validating the user's current password |" + - name: UserCred + x-displayName: User Credentials + description: The User Credentials API provides operations to manage user credentials in your org. - name: UserFactor - x-displayName: Factors - - name: NetworkZone - x-displayName: Network Zones - - name: DeviceAssurance - x-displayName: Device Assurance Policies -x-tagGroups: - - name: User Directory - tags: - - User - - Group - - UserType - - Schema - - LinkedObject - - ProfileMapping - - name: Security - tags: - - ApiToken - - Application - - Authenticator - - AuthorizationServer - - Behavior - - CAPTCHA - - DeviceAssurance - - IdentityProvider - - Policy - - PushProvider - - Session - - ThreatInsight - - TrustedOrigin - - UserFactor - - NetworkZone - - name: Customization - tags: - - Customization - - Domain - - Template - - name: Rate Limits - tags: - - PrincipalRateLimit - - name: Other - tags: - - AgentPools - - EventHook - - Feature - - InlineHook - - OrgSetting - - SystemLog - - Subscription + x-displayName: User Factors + description: |- + The Factors API provides operations to enroll, manage, and verify factors for multifactor authentication (MFA). Generally, authentication involves verifying a different one-time passcode (OTP). Manage both administration and end-user accounts, or verify an individual factor at any time. 
+ Okta supports several different types of Factors: + + | Factor Type | Description | + |-----------------------|-------------| + | `call` | Software OTP sent using a voice call to a registered phone number | + | `sms` | Software OTP sent using SMS to a registered phone number | + | `email` | Software OTP sent using email | + | `question` | Additional knowledge-based security question | + | `push` | Out-of-band verification using a push notification to a device and transaction verification with digital signature | + | `token` | Software or hardware OTP sent to a device | + | `token:hardware` | Hardware OTP sent to a device | + | `token:hotp` | Custom [TOTP](https://www.ietf.org/rfc/rfc6238.txt) factor that uses an extension of the HMAC-based one-time passcode (HOTP) algorithm | + | `token:software:totp` | Software time-based one-time passcode (TOTP) | + | `u2f` | Hardware Universal 2nd Factor (U2F) device | + | `web` | HTML inline frame (iframe) for embedding verification from a third party | + | `webauthn` | Hardware WebAuthn device | + | `signed_nonce` | Okta Fastpass (device-bound authentication). This is available for OIE orgs if the org has users that have enrolled with Okta Verify after the org started using OIE. | + - name: UserGrant + x-displayName: User Grants + description: |- + The User Grants API provides operations to manage user consent Grants in your org. + + A consent represents a user's explicit permission to allow an app to access resources protected by scopes. Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they've already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted. 
+ + > **Hint:** For all grant operations, you can use `me` instead of the `userId` in an endpoint that contains `/users`, in an active session with no SSWS token (API token). For example: `https://${yourOktaDomain}/api/v1/users/me/grants` returns all the grants for the active session user. + + > **Note:** Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For more information, see [FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment). + - name: UserLifecycle + x-displayName: User Lifecycle + description: |- + The User Lifecycle API provides lifecycle operations, which are non-idempotent operations that initiate a state transition for a user's status. Some operations are asynchronous while others are synchronous. + The user's current status limits what operations are allowed. + - name: UserLinkedObject + x-displayName: User Linked Objects + description: |- + The User Linked Objects API provides operations to manage User Linked Objects in your org. + Use link value operations to assign Users to a relationship, represented by a pair of `primary` and `associated` links. See also the [Linked Objects API](/openapi/okta-management/management/tag/LinkedObject/). + + For these operations, the examples use consistent IDs so that you can follow the operations more easily: + * `manager` is the `primary` relationship and is assigned `00u5t60iloOHN9pBi0h7` + * `subordinate` is the `associated` relationship and is assigned to IDs `00u5zex6ztMbOZhF50h7` and `00u1tsf0nQKavLDUh0g5` + - name: UserOAuth + x-displayName: User OAuth 2.0 Token Management + description: |- + The User OAuth 2.0 Token Management API provides operations to manage tokens issued by an Authorization Server for a particular User and Client in your org. 
For example, you can revoke every active refresh token for a User in the context of a specific Client. You can also [revoke specific tokens](https://developer.okta.com/docs/guides/revoke-tokens/main/) or [manage tokens at the authorization server level](/openapi/okta-management/management/tag/AuthorizationServer/). + + Read [Validate Access Tokens](https://developer.okta.com/docs/guides/validate-access-tokens/) to understand more about how OAuth 2.0 tokens work. + - name: UserResources + x-displayName: User Resources + description: The User Resources API provides operations related to User resources. + - name: UserRisk + x-displayName: User Risk + description: |- + + > This feature is only available with Identity Threat Protection in Identity Engine. + + The User Risk API enables you to manage a user's risk level within Okta. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + - name: UserSessions + x-displayName: User Sessions + description: The User Sessions API provides operations to manage User sessions in your org. + - name: UserType + x-displayName: User Types + description: The User Types API provides operations to manage user types. + - name: WebAuthnPreregistration + x-displayName: WebAuthn Preregistration + description: The WebAuthn Preregistration API provides a flow to initiate and set up WebAuthn Preregistration authenticator enrollments through third-party fulfillment providers. +externalDocs: + description: Find more info here + url: https://developer.okta.com/docs/reference/core-okta-api/#design-principles paths: + /.well-known/app-authenticator-configuration: + get: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Retrieve the Well-Known App Authenticator Configuration + description: Retrieves the well-known app authenticator configuration. Includes an app authenticator's settings, supported methods, and other details. 
+ operationId: getWellKnownAppAuthenticatorConfiguration + parameters: + - name: oauthClientId + in: query + description: Filters app authenticator configurations by `oauthClientId` + required: true + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/WellKnownAppAuthenticatorConfiguration' + examples: + AuthenticatorConfiguration: + $ref: '#/components/examples/WellKnownAppAuthenticatorConfigurationCustomApp' + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: [] + tags: + - Authenticator + /.well-known/okta-organization: + get: + summary: Retrieve the Well-Known Org Metadata + description: Retrieves the well-known org metadata, which includes the org ID, configured custom domains, authentication pipeline, and various other org settings + operationId: getWellknownOrgMetadata + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/WellKnownOrgMetadata' + examples: + Identity Engine Org with Custom Domain: + $ref: '#/components/examples/WellKnownOrgMetadataResponseCustomUrlOie' + Classic Org: + $ref: '#/components/examples/WellKnownOrgMetadataResponseClassic' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: [] + tags: + - OrgSettingMetadata + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /.well-known/ssf-configuration: + get: + summary: Retrieve the SSF Transmitter metadata + description: Retrieves SSF Transmitter configuration metadata. This includes all supported endpoints and key information about certain properties of the Okta org as the transmitter, such as `delivery_methods_supported`, `issuer`, and `jwks_uri`. 
+ operationId: getWellknownSsfMetadata + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/WellKnownSSFMetadata' + examples: + wellKnownSSFMetadataExample: + $ref: '#/components/examples/wellKnownSSFMetadataExample' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: [] + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/agentPools: get: summary: List all Agent Pools - description: Fetches AgentPools based on request parameters for a given org - operationId: getAgentPools + description: Lists all agent pools with pagination support + operationId: listAgentPools parameters: - $ref: '#/components/parameters/queryLimitPerPoolType' - $ref: '#/components/parameters/queryPoolType' @@ -168,18 +946,22 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates: + parameters: + - $ref: '#/components/parameters/pathPoolId' get: summary: List all Agent Pool updates - description: Gets List of Agent pool updates - operationId: getAgentPoolsUpdates + description: Lists all agent pool updates + operationId: listAgentPoolsUpdates parameters: - - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/queryScheduled' responses: '200': 
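Review bot: In this hunk the `x-okta-lifecycle` metadata on the `UserRisk` tag and on `GET /.well-known/app-authenticator-configuration` says `lifecycle: GA` while also setting `isGenerallyAvailable: false`; the two fields contradict each other, so one of them should change (the `/.well-known/ssf-configuration` operation shows the consistent `EA` / `false` pairing). That same `ssf-configuration` operation declares `security: []` but lists `401 ErrorInvalidToken401` and `403 ErrorAccessDenied403` responses; an unauthenticated endpoint cannot fail token validation, so either add the security requirement or drop those two responses. In the `UserFactor` table, the `token:hotp` row links to RFC 6238 (TOTP) while describing the HOTP algorithm, which is RFC 4226. In the `User` description, the `[List all member users](openapi/okta-management/...)` link is missing the leading `/` that every other link uses, and the image path `../../../../../images/users/okta-user-status.png` is relative to the YAML file's location, so it breaks if the spec is rendered from anywhere else. Minor wording: "an password inline hook" should be "a password inline hook", and `Okta Fastpass` should be `Okta FastPass`.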
@@ -197,17 +979,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Agent Pool update description: Creates an Agent pool update \n For user flow 2 manual update, starts the update immediately. \n For user flow 3, schedules the update based on the configured update window and delay. operationId: createAgentPoolsUpdate - parameters: - - $ref: '#/components/parameters/pathPoolId' requestBody: content: application/json: @@ -230,17 +1013,20 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/settings: parameters: - $ref: '#/components/parameters/pathPoolId' get: summary: Retrieve an Agent Pool update's settings - description: Gets the current state of the agent pool update instance settings + description: Retrieves the current state of the agent pool update instance settings operationId: getAgentPoolsUpdateSettings responses: '200': @@ -256,15 +1042,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update an Agent pool update settings - description: Updates Agent pool update settings - operationId: setAgentPoolsUpdateSettings + summary: Update an Agent Pool update settings + description: Updates an agent pool update settings + operationId: updateAgentPoolsUpdateSettings requestBody: content: application/json: 
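Review bot: The operationId renames in these agent pool hunks (`getAgentPools` to `listAgentPools`, `getAgentPoolsUpdates` to `listAgentPoolsUpdates`, `setAgentPoolsUpdateSettings` to `updateAgentPoolsUpdateSettings`) change generated SDK method names and are breaking for anyone consuming clients built from this spec; call them out in the changelog. The security requirement keys were renamed from `API_Token`/`OAuth_2.0` to `apiToken`/`oauth2`, but the matching `components.securitySchemes` definitions are not in this excerpt, so please confirm they were renamed too; otherwise every operation's `security` block references an undefined scheme and validators reject the document. In the same region, the `createAgentPoolsUpdate` description is a plain YAML scalar containing literal `\n` sequences, which YAML does not interpret as line breaks; use a `|` block scalar as the other multi-line descriptions do.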
@@ -287,18 +1076,21 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}: parameters: - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/pathUpdateId' get: summary: Retrieve an Agent Pool update by id - description: Gets Agent pool update from updateId + description: Retrieves Agent pool update from updateId operationId: getAgentPoolsUpdateInstance responses: '200': @@ -314,11 +1106,14 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update an Agent Pool update by id description: Updates Agent pool update and return latest agent pool update @@ -345,11 +1140,14 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Agent Pool update description: Deletes Agent pool update @@ -364,11 +1162,14 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/activate: parameters: - $ref: '#/components/parameters/pathPoolId' 
@@ -391,11 +1192,14 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/deactivate: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -418,11 +1222,14 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/pause: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -445,11 +1252,14 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/resume: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -472,11 +1282,14 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/retry: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -499,11 +1312,14 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/stop: parameters: - $ref: '#/components/parameters/pathPoolId' 
@@ -526,24 +1342,19 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens: get: summary: List all API Token Metadata - description: Enumerates the metadata of the active API tokens in your organization. + description: Lists all the metadata of the active API tokens operationId: listApiTokens - parameters: - - $ref: '#/components/parameters/queryAfter' - - $ref: '#/components/parameters/queryLimit' - - name: q - in: query - description: Finds a token that matches the name or clientName. - schema: - type: string responses: '200': description: OK @@ -561,15 +1372,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apiTokens.read tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens/current: delete: summary: Revoke the Current API Token - description: Revokes the API token provided in the Authorization header. + description: Revokes the API token provided in the Authorization header operationId: revokeCurrentApiToken responses: '204': @@ -579,15 +1393,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] + - apiToken: [] tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens/{apiTokenId}: parameters: - $ref: '#/components/parameters/pathApiTokenId' get: summary: Retrieve an API Token's Metadata - description: Get the metadata for an active API token by id. + description: Retrieves the metadata for an active API token by `apiTokenId` operationId: getApiToken responses: '200': 
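Review bot: This hunk drops the `after`, `limit` and `q` query parameters from `GET /api/v1/api-tokens` without a replacement, and the new description ("Lists all the metadata of the active API tokens") no longer mentions pagination. If the endpoint still accepts those parameters this removes documented behaviour; if it never did, note the removal in the changelog, since clients generated from the previous spec passed them. `DELETE /api/v1/api-tokens/current` correctly keeps `apiToken` as its only security option, because it revokes the token carried in the `Authorization` header; a one-line note in its description that it is not callable with an OAuth 2.0 bearer token would save readers from trying.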
@@ -606,14 +1423,61 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apiTokens.read tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Upsert an API Token Network Condition + description: Upserts an API Token Network Condition by `apiTokenId` + operationId: upsertApiToken + requestBody: + content: + application/json: + example: + name: api_token_name + clientName: client_name + userId: 00uabcdefg1234567890 + network: + connection: ANYWHERE + created: '2021-11-09T20:38:10.000Z' + schema: + $ref: '#/components/schemas/ApiTokenUpdate' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ApiToken' + examples: + HCaptcha: + $ref: '#/components/examples/ApiTokenMetadataResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apiTokens.manage + tags: + - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke an API Token - description: Revoke an API token by id. + description: Revokes an API token by `apiTokenId` operationId: revokeApiToken responses: '204': 
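Review bot: In the new `PUT /api/v1/api-tokens/{apiTokenId}` operation the 200 response example is keyed `HCaptcha`, a leftover from another resource; rename it to something like `ApiTokenMetadata`. The request example also carries `userId`, `created` and `clientName`, which read as server-assigned metadata rather than fields a caller sets on a network condition; if `ApiTokenUpdate` only accepts `name` and `network`, trim the example to those so it does not suggest a token's owner can be reassigned through this call. Since the purpose of the endpoint is to constrain where a token is accepted, consider an example that actually restricts `network` rather than `connection: ANYWHERE`, which is the permissive setting. Finally, "Upsert" is misleading for a `PUT` on an existing `apiTokenId` whose responses include `404 ErrorResourceNotFound404`; "Update" matches the behaviour the responses describe.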
@@ -625,44 +1489,64 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apiTokens.manage tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps: get: summary: List all Applications - description: Enumerates apps added to your organization with pagination. A subset of apps can be returned that match a supported filter expression or query. + description: Lists all apps in the org with pagination. A subset of apps can be returned that match a supported filter expression or query. The results are [paginated](/#pagination) according to the `limit` parameter. If there are multiple pages of results, the header contains a `next` link. Treat the link as an opaque value (follow it, don't parse it). operationId: listApplications parameters: - name: q in: query + description: Searches for apps with `name` or `label` properties that starts with the `q` value using the `startsWith` operation schema: type: string + example: Okta - name: after in: query - description: Specifies the pagination cursor for the next page of apps + description: Specifies the [pagination](/#pagination) cursor for the next page of results. Treat this as an opaque value obtained through the `next` link relationship. schema: type: string + example: 16278919418571 + - name: useOptimization + in: query + description: Specifies whether to use query optimization. If you specify `useOptimization=true` in the request query, the response contains a subset of app instance properties. 
+ schema: + type: boolean + default: false - name: limit in: query - description: Specifies the number of results for a page + description: Specifies the number of results per page schema: type: integer format: int32 default: -1 + maximum: 200 - name: filter in: query - description: Filters apps by status, user.id, group.id or credentials.signing.kid expression - schema: - type: string - - name: expand - in: query - description: Traverses users link relationship and optionally embeds Application User resource + description: Filters apps by `status`, `user.id`, `group.id`, `credentials.signing.kid` or `name` expression that supports the `eq` operator schema: type: string + examples: + ActiveStatusEx: + value: status eq "ACTIVE" + summary: Filter for active apps + NameFilterEx: + value: name eq "okta_org2org" + summary: Filter for apps with `okta_org2org` name + CredKidEx: + value: credentials.signing.kid eq "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-F1bm4" + summary: Filter for apps using a specific key + - $ref: '#/components/parameters/queryAppsExpand' - name: includeNonDeleted + description: Specifies whether to include non-active, but not deleted apps in the results in: query schema: type: boolean 
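Review bot: `limit` now declares `maximum: 200` but keeps `default: -1` with no `minimum`, so the negative default reads as a sentinel that schema validators will accept silently; document what -1 means (server default page size) or add a `minimum`. Two smaller points in the same hunk: the `q` description should read "properties that start with the `q` value", and `includeNonDeleted` places `description` before `in`, unlike every other parameter here.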
@@ -676,19 +1560,36 @@ paths: type: array items: $ref: '#/components/schemas/Application' + examples: + ResponseExample1: + $ref: '#/components/examples/GetApplicationsByUserResponseEx' + ResponseExample2: + $ref: '#/components/examples/GetApplicationsByGroupResponseEx' + ResponseExample3: + $ref: '#/components/examples/GetApplicationsByKeyResponseEx' + ResponseExample4: + $ref: '#/components/examples/GetApplicationsByNameResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Application - description: Adds a new application to your Okta organization. + description: | + Creates an app instance in your Okta org. + + You can either create an OIN app instance or a custom app instance: + * OIN app instances have prescribed `name` (key app definition) and `signOnMode` options. See the [OIN schemas](/openapi/okta-management/management/tag/Application/#tag/Application/schema/GoogleApplication) for the request body. + * For custom app instances, select the [signOnMode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/signOnMode&t=request) that pertains to your app and specify the required parameters in the request body. operationId: createApplication parameters: - name: activate 
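Review bot: the `createApplication` description links to site-relative paths (`/openapi/okta-management/management/tag/Application/...`) that only resolve on the developer portal; readers of the raw YAML or of SDK docs generated from it get dead links, so use absolute URLs or state that the OIN schemas are under `#/components/schemas`. The `examples` list naming `GetApplicationsByUserResponseEx` through `GetApplicationsByNameResponseEx` matches the `filter` examples added in the previous hunk, which is good; keep them in sync if a filter example is added.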
@@ -707,6 +1608,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStoreEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0Ex' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectEx' required: true responses: '200': @@ -715,6 +1635,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkAppResponseEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginAppResponseEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthResponseEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStoreResponseEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationResponseEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginResponseEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldResponseEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0ResponseEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -722,26 +1661,36 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/google/{appId}/oauth2/callback: + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/office365/{appId}/oauth2/callback: + parameters: + - $ref: '#/components/parameters/pathAppId' /api/v1/apps/{appId}: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve an Application - description: Fetches an application from your Okta organization by `id`. + description: Retrieves an application from your Okta organization by `id` operationId: getApplication parameters: - - name: appId - in: path - required: true - schema: - type: string - name: expand in: query + description: |- + An optional query parameter to return the specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. + Valid value: `expand=user/{userId}` schema: type: string + example: user/0oa1gjh63g214q0Hq0g4 responses: '200': description: Success @@ -749,6 +1698,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + RetrieveEx1: + $ref: '#/components/examples/GetApplicationsResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
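Review bot: the `expand` example `user/0oa1gjh63g214q0Hq0g4` uses an `0oa`-prefixed identifier, the same shape as the application IDs in this file, while the description says the value is `user/{userId}`; use a user-ID-shaped value like the `00uabcdefg1234567890` example in the API token hunk so nobody copies an app ID into the user slot. The new `/api/v1/apps/google/{appId}/oauth2/callback` and `/api/v1/apps/office365/{appId}/oauth2/callback` path items declare only `parameters` with no operations, which is valid YAML but documents nothing; confirm the operations were intentionally left out of this PR or add them.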
@@ -756,27 +1708,47 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Application - description: Updates an application in your organization. - operationId: updateApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string + description: | + Replaces properties for an application + > **Notes:** + > * All required properties must be specified in the request body + > * You can't modify system-assigned properties, such as `id`, `name`, `status`, `created`, and `lastUpdated`. The values for these properties in the PUT request body are ignored. + operationId: replaceApplication x-codegen-request-body-name: application requestBody: content: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkPutEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginPutEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthPutEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStorePutEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationPutEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginPutEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldPutEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0PutEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectPutEx' required: true responses: '200': 
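Review bot: renaming `operationId` from `updateApplication` to `replaceApplication` changes the generated method name in every SDK built from this spec and should be called out as a breaking change in the release notes. The added note that `id`, `name`, `status`, `created`, and `lastUpdated` are ignored in the PUT body is worth keeping as written; it answers the question of whether a client can change an app's `status` through replace, which matters for anyone auditing who can activate or deactivate apps.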
@@ -785,6 +1757,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkPutResponseEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginPutResponseEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthPutResponseEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStorePutResponseEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationPutResponseEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginPutResponseEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldPutResponseEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0PutResponseEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectPutResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -794,21 +1785,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Application - description: Removes an inactive application. + description: Deletes an inactive application operationId: deleteApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -820,29 +1808,35 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve the default Provisioning Connection - description: Get default Provisioning Connection for application + description: Retrieves the default Provisioning Connection for an app operationId: getDefaultProvisioningConnectionForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnection' + $ref: '#/components/schemas/ProvisioningConnectionResponse' + examples: + ProvisioningConnectionTokenZscalerEx: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx' + ProvisioningConnectionTokenOrg2OrgEx: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx' + ProvisioningConnectionOauthO365Ex: + $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
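Review bot: the 200 schema changes from `ProvisioningConnection` to `ProvisioningConnectionResponse`, and the POST hunk below splits the request into `ProvisioningConnectionTokenRequest` and `ProvisioningConnectionOauthRequest`; check that the components section in this PR defines all three new names and removes or deprecates the old `ProvisioningConnection` and `ProvisioningConnectionRequest`, otherwise `$ref` resolution fails when the file is linted.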
@@ -850,38 +1844,59 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - - Application + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update the default Provisioning Connection - description: Set default Provisioning Connection for application - operationId: setDefaultProvisioningConnectionForApplication + description: Updates the default Provisioning Connection for an app + operationId: updateDefaultProvisioningConnectionForApplication parameters: - - in: path - name: appId - required: true - schema: - type: string - in: query name: activate schema: type: boolean + description: Activates the Provisioning Connection requestBody: content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnectionRequest' + oneOf: + - $ref: '#/components/schemas/ProvisioningConnectionTokenRequest' + - $ref: '#/components/schemas/ProvisioningConnectionOauthRequest' + examples: + ProvisioningConnectionTokenZscalerEx: + $ref: '#/components/examples/ProvisioningConnectionTokenRequestEx' + ProvisioningConnectionTokenOrg2OrgEx: + $ref: '#/components/examples/ProvisioningConnectionTokenOrg2OrgRequestEx' + ProvisioningConnectionOauthO365Ex: + $ref: '#/components/examples/ProvisioningConnectionOauthO365RequestEx' required: true responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ProvisioningConnectionResponse' '201': description: Created content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnection' + $ref: '#/components/schemas/ProvisioningConnectionResponse' + examples: + ProvisioningConnectionTokenZscalerEx: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx' + ProvisioningConnectionTokenOrg2OrgEx: + $ref: 
'#/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx' + ProvisioningConnectionOauthO365Ex: + $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -891,22 +1906,21 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' post: summary: Activate the default Provisioning Connection - description: Activates the default Provisioning Connection for an application. + description: Activates the default Provisioning Connection for an app operationId: activateDefaultProvisioningConnectionForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string responses: '204': description: No Content @@ -917,22 +1931,21 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' post: - summary: Deactivate the default Provisioning Connection for an Application - description: Deactivates the default Provisioning Connection for an application. + summary: Deactivate the default Provisioning Connection + description: Deactivates the default Provisioning Connection for an app operationId: deactivateDefaultProvisioningConnectionForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string responses: '204': description: No Content 
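Review bot: `updateDefaultProvisioningConnectionForApplication` now documents both `'200'` and `'201'` with the same `ProvisioningConnectionResponse` schema, but only `'201'` carries examples and nothing says when each status is returned; if the server answers 200 on update and 201 on first creation, state that in the description, otherwise drop one. The `oneOf` over `ProvisioningConnectionTokenRequest` and `ProvisioningConnectionOauthRequest` has no `discriminator`, so generators produce an untyped union; add one if the two schemas share a distinguishing property. Renaming `setDefaultProvisioningConnectionForApplication` to `updateDefaultProvisioningConnectionForApplication` is another SDK-breaking operationId change to list in the notes.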
@@ -943,22 +1956,21 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: List all Certificate Signing Requests - description: Enumerates Certificate Signing Requests for an application + description: Lists all Certificate Signing Requests for an application operationId: listCsrsForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -975,21 +1987,22 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - - Application + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Generate a Certificate Signing Request - description: Generates a new key pair and returns the Certificate Signing Request for it. + description: |- + Generates a new key pair and returns the Certificate Signing Request(CSR) for it. The information in a CSR is used by the Certificate Authority (CA) to verify and create your certificate. It also contains the public key that is included in your certificate. + + Returns CSR in `pkcs#10` format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`. + > **Note:** The key pair isn't listed in the Key Credentials for the app until it's published. operationId: generateCsrForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string x-codegen-request-body-name: metadata requestBody: content: 
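Review bot: in the `generateCsrForApplication` description, "Certificate Signing Request(CSR)" is missing a space before the parenthesis, and `pkcs#10` should be written as PKCS #10 to match the "DER format" wording the retrieve operation uses for the same `AppCsrPkcs10` schema. The tag move from `Application` to `ApplicationSSOCredentialKey` is sensible, since these are the SAML/X.509 signing keys and are easy to confuse with the OAuth 2.0 client JWKs added further down.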
@@ -1000,10 +2013,36 @@ paths: responses: '201': description: Created + headers: + Content-Type: + schema: + type: string + description: The Content-Type of the response + examples: + pkcs10Header: + summary: application/pkcs10 Content-Type header + value: application/pkcs10; filename=okta.p10 + json: + summary: application/json Content-Type header + value: application/json + Content-Transfer-Encoding: + schema: + type: string + description: Encoding of the response + example: base64 content: + application/pkcs10: + schema: + $ref: '#/components/schemas/AppCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/AppCsrPkcs10Response' application/json: schema: $ref: '#/components/schemas/Csr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/AppCsrJsonResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
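Review bot: the `Content-Type` response header declared under `'201'` will be ignored by tooling: the OpenAPI 3.0 specification says a response header named `Content-Type` SHALL be ignored, and the media types are already expressed by the `content` map (`application/pkcs10`, `application/json`). Keep `Content-Transfer-Encoding`, which is legitimate, and if the `filename=okta.p10` detail matters to clients, mention it in the `application/pkcs10` description instead.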
@@ -1013,34 +2052,58 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs/{csrId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathCsrId' get: summary: Retrieve a Certificate Signing Request - description: Fetches a certificate signing request for the app by `id`. + description: |- + Retrieves a Certificate Signing Request (CSR) for the app by `csrId`. + + Returns a Base64-encoded CSR in DER format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`. operationId: getCsrForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string responses: '200': description: Success + headers: + Content-Type: + schema: + type: string + description: The Content-Type of the response + examples: + pkcs10Header: + summary: application/pkcs10 Content-Type header + value: application/pkcs10; filename=okta.p10 + json: + summary: application/json Content-Type header + value: application/json + Content-Transfer-Encoding: + schema: + type: string + description: Encoding of the response + example: base64 content: application/json: schema: $ref: '#/components/schemas/Csr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/AppCsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/AppCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/AppCsrPkcs10Response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
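Review bot: same `Content-Type` response-header problem as in the generate operation: it is ignored under OpenAPI 3.0 and duplicates the `content` map. The description also says "Base64-encoded CSR in DER format" while the generate operation says "`pkcs#10` format" for the identical `AppCsrPkcs10` schema; align the two (a PKCS #10 request, DER-encoded, then Base64-encoded) so clients decode it the same way from either endpoint.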
@@ -1048,26 +2111,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - - Application + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a Certificate Signing Request - description: Revokes a certificate signing request and deletes the key pair from the application. + description: Revokes a Certificate Signing Request and deletes the key pair from the app operationId: revokeCsrFromApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -1079,27 +2134,24 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathCsrId' post: summary: Publish a Certificate Signing Request - description: Updates a certificate signing request for the app with a signed X.509 certificate and adds it into the application key credentials + description: |- + Publishes a Certificate Signing Request (CSR) for the app with a signed X.509 certificate and adds it into the Application Key Credentials. + > **Note:** Publishing a certificate completes the lifecycle of the CSR and it's no longer accessible. operationId: publishCsrFromApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string requestBody: required: true content: 
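Review bot: the publish note "Publishing a certificate completes the lifecycle of the CSR and it's no longer accessible" should say where the key pair goes afterwards, namely the Application Key Credentials returned as `JsonWebKey` on `'201'` and listed by `listApplicationKeys`, so a caller whose `csrId` stops resolving knows it is expected rather than an error.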
@@ -1107,16 +2159,26 @@ paths: schema: type: string format: binary + description: |- + X.509 certificate in `CER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: '@certificate.pem' x-okta-operationId: publishBinaryCerCert application/pkix-cert: schema: type: string format: binary + description: |- + X.509 certificate in `DER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: 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 x-okta-operationId: publishBinaryDerCert application/x-pem-file: schema: type: string format: binary + description: X.509 certificate in `PEM` format + example: '@certificate.pem' x-okta-operationId: publishBinaryPemCert responses: '201': @@ -1125,8 +2187,20 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + PublishCSR: + $ref: '#/components/examples/KeyCredentialExample' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorPublishCSRCertDoesNotMatchCSR: + $ref: '#/components/examples/ErrorPublishCSRCertDoesNotMatchCSR' + ErrorPublishCSRCertValidityLessThan90Days: + $ref: '#/components/examples/ErrorPublishCSRCertValidityLessThan90Days' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
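Review bot: the request-body descriptions say the client may post "Base64URL-encoded" content with `Content-Transfer-Encoding` set to `base64`, but `base64` as a transfer encoding means standard Base64 (`+`, `/` and padding), not the URL-safe alphabet; say which one the server actually accepts, since a client that picks the wrong alphabet gets a decode failure that is hard to diagnose. `example: '@certificate.pem'` is curl file-upload syntax rather than an example body, and it is reused under the binary `CER` media type; replace it with a short description of the expected bytes or drop the examples. Replacing the shared `ErrorApiValidationFailed400` with the inline `ErrorPublishCSRCertDoesNotMatchCSR` and `ErrorPublishCSRCertValidityLessThan90Days` examples is a good change, because, judging by the example names, it tells clients that a certificate whose key does not match the CSR or whose validity is too short is rejected, and they should handle those cases explicitly.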
@@ -1134,31 +2208,35 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/credentials/keys: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all Key Credentials - description: Enumerates key credentials for an application - operationId: listApplicationKeys - parameters: - - name: appId - in: path - required: true - schema: - type: string + summary: List all the OAuth 2.0 Client JSON Web Keys + description: Lists all JSON Web Keys for an OAuth 2.0 client app + operationId: listJwk responses: '200': - description: Success + description: OK content: application/json: schema: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + OAuthClientJsonWebKeyListResponseExample: + $ref: '#/components/examples/oAuthClientJsonWebKeyListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
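Review bot: this hunk turns `/api/v1/apps/{appId}/credentials/keys` into `/api/v1/apps/{appId}/credentials/jwks` with a different resource (`OAuth2ClientJsonWebKey`), while the `keys` path reappears later in the diff; the `listJwk` description should say what these keys are for (the error examples further down refer to the private key JWT auth method and request-object signing) so readers do not confuse client-authentication JWKs with the SAML/X.509 key credentials under `/credentials/keys`. The `'401'` `ErrorInvalidToken401` response appears only on the new jwks operations; every other operation in this diff omits 401, so either add it consistently or drop it here.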
@@ -1166,68 +2244,90 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - - Application - /api/v1/apps/{appId}/credentials/keys/generate: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Generate a Key Credential - description: Generates a new X.509 certificate for an application key credential - operationId: generateApplicationKey - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: validityYears - in: query - schema: - type: integer + summary: Add a JSON Web Key + description: |- + Adds a new JSON Web Key to the client’s JSON Web Keys. + > **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. This is also consistent with how the [Dynamic Client Registration](/openapi/okta-oauth/oauth/tag/Client/) or [Applications](/openapi/okta-management/management/tag/Application/) APIs behave, as they don't allow the creation of multiple keys without `kids`. Use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) or the [Replace a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/replaceClient) operation to update the JWKS or [Delete an OAuth 2.0 Client JSON Web Key](/openapi/okta-management/management/tag/ApplicationSSOCredentialOAuth2ClientAuth/#tag/ApplicationSSOCredentialOAuth2ClientAuth/operation/deletejwk) and re-add the key with a `kid`. 
+ operationId: addJwk + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBody' + examples: + createOAuth2ClientJsonWebKeyRequestBody: + $ref: '#/components/examples/oAuthClientJsonWebKeyRequest' responses: '201': description: Created content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + newOAuth2ClientSecretResponse: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorClientJsonWebKeyNonUniqueKid: + $ref: '#/components/examples/ErrorClientJsonWebKeyNonUniqueKid' + ErrorClientJsonWebKeyDuplicateKid: + $ref: '#/components/examples/ErrorClientJsonWebKeyDuplicateKid' + ErrorClientJsonWebKeyKidLengthTooShort: + $ref: '#/components/examples/ErrorClientJsonWebKeyKidLengthTooShort' + ErrorClientJsonWebKeyTooManyKids: + $ref: '#/components/examples/ErrorClientJsonWebKeyTooManyKids' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/credentials/keys/{keyId}: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' get: - summary: Retrieve a Key Credential - description: Gets a specific application key credential by kid - operationId: getApplicationKey - parameters: - - name: appId - in: path - required: true - schema: - type: string 
- - name: keyId - in: path - required: true - schema: - type: string + summary: Retrieve an OAuth 2.0 Client JSON Web Key + description: Retrieves an OAuth 2.0 Client JSON Web Key by `keyId`. + operationId: getJwk responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + type: object + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + OAuthClientJsonWebKeyResponseExample: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
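Review bot: under the `getJwk` `'200'` schema, `type: object` sits beside `$ref`; in OpenAPI 3.0 every sibling of `$ref` is ignored, so remove it (the other responses in this hunk use a bare `$ref`). `addJwk` also drops the `'404'` `ErrorResourceNotFound404` response that the replaced `generateApplicationKey` had, but a POST against a nonexistent `appId` still needs its not-found response documented. Finally, the `ErrorClientJsonWebKeyNonUniqueKid` and `ErrorClientJsonWebKeyDuplicateKid` examples read as the same condition; one sentence on how they differ would help.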
@@ -1235,40 +2335,32 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - - Application - /api/v1/apps/{appId}/credentials/keys/{keyId}/clone: - post: - summary: Clone a Key Credential - description: Clones a X.509 certificate for an application key credential from a source application to target application. - operationId: cloneApplicationKey - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: keyId - in: path - required: true - schema: - type: string - - name: targetAid - in: query - description: Unique key of the target Application - required: true - schema: - type: string + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an OAuth 2.0 Client JSON Web Key + description: Deletes an OAuth 2.0 Client JSON Web Key by `keyId`. You can only delete an inactive key. + operationId: deletejwk responses: - '201': - description: Created + '204': + description: No Content + '400': + description: Bad Request content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveJsonWebKey: + $ref: '#/components/examples/ErrorDeleteActiveJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
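Review bot: `operationId: deletejwk` breaks the casing convention of the sibling `getJwk`, `addJwk` and `listJwk`, and the `addJwk` description already links to it as `operation/deletejwk`; fix it to `deleteJwk` in both places now, because renaming an operationId after release is a breaking change for generated SDKs. The "You can only delete an inactive key" constraint, backed by the `ErrorDeleteActiveJsonWebKey` 400 example, is a useful guard and worth keeping prominent. The `cloneApplicationKey` endpoint (`/credentials/keys/{keyId}/clone`) is removed without a replacement in this diff; confirm it is re-added elsewhere or note the removal.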
@@ -1276,31 +2368,34 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/features: - get: - summary: List all Features - description: List Features for application - operationId: listFeaturesForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + post: + summary: Activate an OAuth 2.0 Client JSON Web Key + description: Activates an OAuth 2.0 Client JSON Web Key by `keyId` + operationId: activateOAuth2ClientJsonWebKey responses: '200': - description: Success + description: OK content: application/json: schema: - items: - $ref: '#/components/schemas/ApplicationFeature' - type: array + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + activateOAuth2ClientJsonWebKeyResponse: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
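Review bot: this hunk removes `/api/v1/apps/{appId}/features` (`listFeaturesForApplication`) and puts the JWK activate operation in its place; like the other `Application` paths dropped in this diff, confirm the features endpoints are re-added elsewhere or listed as removed. For `activateOAuth2ClientJsonWebKey`, a line in the description on what activation means for client authentication would help, since the deactivate operation's error examples show there is a state machine around the last usable key.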
@@ -1308,76 +2403,45 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.read + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/features/{name}: - get: - summary: Retrieve a Feature - description: Fetches a Feature object for an application. - operationId: getFeatureForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: name - required: true - schema: - type: string + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + post: + summary: Deactivate an OAuth 2.0 Client JSON Web Key + description: Deactivates an OAuth 2.0 Client JSON Web Key by `keyId`. + operationId: deactivateOAuth2ClientJsonWebKey responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/ApplicationFeature' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.read - tags: - - Application - put: - summary: Update a Feature - description: Updates a Feature object for an application. 
- operationId: updateFeatureForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: name - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CapabilitiesObject' - required: true - responses: - '200': - description: Success + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + deactivateOAuth2ClientJsonWebKeyResponse: + $ref: '#/components/examples/deactivateOAuth2ClientJsonWebKeyResponse' + '400': + description: Bad Request content: application/json: schema: - $ref: '#/components/schemas/ApplicationFeature' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: + $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod' + ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: + $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1385,26 +2449,21 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/grants: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/keys: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all Scope Consent Grants - description: Lists all scope consent grants for the application - operationId: listScopeConsentGrants - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + summary: List all Key Credentials + description: Lists all key credentials for an app + operationId: listApplicationKeys responses: '200': description: Success @@ -1413,7 +2472,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + $ref: '#/components/schemas/JsonWebKey' + examples: + ListAllKeyCredentialsExample: + $ref: '#/components/examples/ListAllKeyCredentialsExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1421,35 +2483,50 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - Application + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/keys/generate: + parameters: + - $ref: '#/components/parameters/pathAppId' post: - summary: Grant Consent to Scope - description: Grants consent for the application to request an OAuth 2.0 Okta scope - operationId: grantConsentToScope + summary: Generate a Key Credential + description: |- + Generates a new X.509 certificate for an app key credential + > **Note:** To update an Application with the newly generated key credential, use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) request with the new [credentials.signing.kid](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing/kid&t=request) value in the request body. You can provide just the [Signing Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing&t=request) instead of the entire [Application Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials&t=request). 
+ operationId: generateApplicationKey parameters: - - name: appId - in: path + - name: validityYears + description: Expiry years of the Application Key Credential + in: query required: true schema: - type: string - x-codegen-request-body-name: oAuth2ScopeConsentGrant - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' - required: true + type: integer + example: 5 responses: '201': description: Created content: application/json: schema: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorKeyCredentialInvalidValidity: + $ref: '#/components/examples/ErrorKeyCredentialInvalidValidity' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1457,36 +2534,32 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/grants/{grantId}: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/keys/{keyId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathKeyId' get: - summary: Retrieve a Scope Consent Grant - description: Fetches a single scope consent grant for the application - operationId: getScopeConsentGrant - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: grantId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + summary: Retrieve a Key Credential + description: Retrieves a specific Application Key Credential by `kid` + operationId: getApplicationKey responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1494,28 +2567,53 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - Application - delete: - summary: Revoke a Scope Consent Grant - description: Revokes permission for the application to request the given scope - operationId: revokeScopeConsentGrant + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/keys/{keyId}/clone: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathKeyId' + post: + summary: Clone a Key Credential + description: |- + Clones an X.509 certificate for an Application Key Credential from a source app to a target app. + + For step-by-step instructions to clone a credential, see [Share application key credentials for IdPs across apps](https://developer.okta.com/docs/guides/sharing-cert/main/). + > **Note:** Sharing certificates isn't a recommended security practice. + operationId: cloneApplicationKey parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: grantId - in: path + - name: targetAid + in: query + description: Unique key of the target Application required: true schema: type: string + example: 0ouuytCAJSSDELFTUIDS responses: - '204': - description: No Content - content: {} + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorKeyCredentialCloneDuplicateKey: + $ref: '#/components/examples/ErrorKeyCredentialCloneDuplicateKey' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1523,49 +2621,35 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/groups: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all Assigned Groups - description: Enumerates group assignments for an application. - operationId: listApplicationGroupAssignments - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: q - in: query - schema: - type: string - - name: after - in: query - description: Specifies the pagination cursor for the next page of assignments - schema: - type: string - - name: limit - in: query - description: Specifies the number of results for a page - schema: - type: integer - format: int32 - default: -1 - - name: expand - in: query - schema: - type: string + summary: List all OAuth 2.0 Client Secrets + description: Lists all client secrets for an OAuth 2.0 client app + operationId: listOAuth2ClientSecrets responses: '200': - description: Success + description: OK content: application/json: schema: type: array items: - $ref: '#/components/schemas/ApplicationGroupAssignment' + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + OAuthClientSecretListResponseExample: + $ref: '#/components/examples/oAuthClientSecretListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1573,81 +2657,95 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - - Application - /api/v1/apps/{appId}/groups/{groupId}: - get: - summary: Retrieve an Assigned Group - description: Fetches an application group assignment - operationId: getApplicationGroupAssignment - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an OAuth 2.0 Client Secret + description: |- + Creates an OAuth 2.0 Client Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects. + > **Note:** This API lets you bring your own secret. If [token_endpoint_auth_method](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/credentials/oauthClient/token_endpoint_auth_method&t=request) of the app is `client_secret_jwt`, then the minimum length of `client_secret` is 32 characters. If no secret is specified in the request, Okta adds a new system-generated secret. 
+ operationId: createOAuth2ClientSecret + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecretRequestBody' + examples: + createOAuth2ClientSecretSystemGeneratedRequestBody: + $ref: '#/components/examples/createOAuth2ClientSecretSystemGeneratedRequestBody' + createOAuth2ClientSecretCustomRequestBody: + $ref: '#/components/examples/createOAuth2ClientSecretCustomRequestBody' responses: - '200': - description: Success + '201': + description: Created content: application/json: schema: - $ref: '#/components/schemas/ApplicationGroupAssignment' + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + newOAuth2ClientSecretResponse: + $ref: '#/components/examples/oAuth2ClientSecretResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorClientSecretTooLong: + $ref: '#/components/examples/ErrorClientSecretTooLong' + ErrorClientSecretTooShort: + $ref: '#/components/examples/ErrorClientSecretTooShort' + ErrorClientSecretTooShortJWT: + $ref: '#/components/examples/ErrorClientSecretTooShortWithClientSecretJWT' + ErrorClientSecretPrivateKeyJWT: + $ref: '#/components/examples/ErrorClientSecretWithPrivateKeyJWT' + ErrorClientSecretNonAscii: + $ref: '#/components/examples/ErrorClientSecretNonAscii' + ErrorMaxNumberOfSecrets: + $ref: '#/components/examples/ErrorMaxNumberOfSecrets' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.read + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Application - put: - summary: Assign a Group - description: Assigns a group to an application - operationId: createApplicationGroupAssignment - parameters: - - name: appId - in: path - required: true - 
schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: applicationGroupAssignment - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/ApplicationGroupAssignment' - required: false + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + get: + summary: Retrieve an OAuth 2.0 Client Secret + description: Retrieves an OAuth 2.0 Client Secret by `secretId` + operationId: getOAuth2ClientSecret responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/ApplicationGroupAssignment' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + type: object + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + OAuthClientSecretResponseExample: + $ref: '#/components/examples/oAuth2ClientSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1655,30 +2753,32 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.manage + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - Application + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a Group - description: Removes a group assignment from an application. - operationId: deleteApplicationGroupAssignment - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string + summary: Delete an OAuth 2.0 Client Secret + description: Deletes an OAuth 2.0 Client Secret by `secretId`. You can only delete an inactive Secret. + operationId: deleteOAuth2ClientSecret responses: '204': description: No Content - content: {} + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveClientSecret: + $ref: '#/components/examples/ErrorDeleteActiveSecret' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1686,26 +2786,34 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/lifecycle/activate: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' post: - summary: Activate an Application - description: Activates an inactive application. - operationId: activateApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string + summary: Activate an OAuth 2.0 Client Secret + description: Activates an OAuth 2.0 Client Secret by `secretId` + operationId: activateOAuth2ClientSecret responses: '200': - description: Success - content: {} + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + activateOAuth2ClientSecretResponse: + $ref: '#/components/examples/activateOAuth2ClientSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1713,26 +2821,43 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/lifecycle/deactivate: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' post: - summary: Deactivate an Application - description: Deactivates an active application. - operationId: deactivateApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string + summary: Deactivate an OAuth 2.0 Client Secret + description: Deactivates an OAuth 2.0 Client Secret by `secretId`. You can't deactivate a secret if it's the only secret of the client. + operationId: deactivateOAuth2ClientSecret responses: '200': - description: Success - content: {} + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + deactivateOAuth2ClientSecretResponse: + $ref: '#/components/examples/deactivateOAuth2ClientSecretResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateTheOnlyClientSecret: + $ref: '#/components/examples/ErrorDeactivateTheOnlyClientSecret' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1740,38 +2865,45 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/logo: - post: - summary: Upload a Logo - description: The file must be in PNG, JPG, or GIF format, and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling. - operationId: uploadApplicationLogo - parameters: - - in: path - name: appId - required: true - schema: - type: string - requestBody: - content: - multipart/form-data: - schema: - type: object - properties: - file: - type: string - format: binary - required: - - file + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/features: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: List all Features + description: | + Lists all features for an app + > **Note:** This request returns an error if provisioning isn't enabled for the app. + > To set up provisioning, see [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). 
+ operationId: listFeaturesForApplication responses: - '201': - description: Created + '200': + description: Success + content: + application/json: + schema: + items: + $ref: '#/components/schemas/ApplicationFeature' + type: array + examples: + ListAppFeatureResponse: + $ref: '#/components/examples/AppFeatureListResponseEx' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ListAppFeatureAPIValidationFailed: + $ref: '#/components/examples/ErrorAppFeatureAPIValidationFailed' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1779,45 +2911,32 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.manage + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - Application - /api/v1/apps/{appId}/tokens: + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/features/{featureName}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathFeatureName' get: - summary: List all OAuth 2.0 Tokens - description: Lists all tokens for the application - operationId: listOAuth2TokensForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + summary: Retrieve a Feature + description: Retrieves a Feature object for an app + operationId: getFeatureForApplication responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/OAuth2Token' + $ref: '#/components/schemas/ApplicationFeature' + examples: + AppFeatureResponse: + $ref: '#/components/examples/AppFeatureResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1825,25 +2944,47 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - - Application - delete: - summary: Revoke all OAuth 2.0 Tokens - description: Revokes all tokens for the specified application - operationId: revokeOAuth2TokensForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Update a Feature + description: | + Updates a Feature object for an app + > **Note:** This endpoint supports partial updates. + operationId: updateFeatureForApplication + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/CapabilitiesObject' + - $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject' + examples: + UpdateAppFeatureEx: + $ref: '#/components/examples/UpdateAppFeatureRequestEx' + UpdateInboundProvisioningFeatureEx: + $ref: '#/components/examples/UpdateInboundProvisioningFeatureRequestEx' + required: true responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationFeature' + examples: + UpdateAppFeatureEx: + $ref: '#/components/examples/UpdateAppFeatureResponseEx' + UpdateInboundProvisioningFeatureEx: + $ref: '#/components/examples/UpdateInboundProvisioningFeatureResponseEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1851,38 +2992,35 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/apps/{appId}/tokens/{tokenId}: + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/grants: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: Retrieve an OAuth 2.0 Token - description: Gets a token for the specified application - operationId: getOAuth2TokenForApplication + summary: List all app Grants + description: Lists all scope consent Grants for the app + operationId: listScopeConsentGrants parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAppGrantsExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Token' + type: array + items: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + ListAppGrantsExample: + $ref: '#/components/examples/ListAppGrantsEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1890,26 +3028,94 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.read + - apiToken: [] + - oauth2: + - okta.appGrants.read tags: - - Application - delete: - summary: Revoke an OAuth 2.0 Token - description: Revokes the specified token for the specified application - operationId: revokeOAuth2TokenForApplication + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Grant consent to scope + description: Grants consent for the app to request an OAuth 2.0 Okta scope + operationId: grantConsentToScope + x-codegen-request-body-name: oAuth2ScopeConsentGrant + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsPostEx' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.appGrants.manage + tags: + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/grants/{grantId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathGrantId' + get: + summary: Retrieve an app Grant + description: Retrieves a single scope consent Grant object for the app + operationId: getScopeConsentGrant parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string + - 
$ref: '#/components/parameters/queryAppGrantsExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.appGrants.read + tags: + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke an app Grant + description: Revokes permission for the app to grant the given scope + operationId: revokeScopeConsentGrant responses: '204': description: No Content 
@@ -1921,50 +3127,38 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.manage + - apiToken: [] + - oauth2: + - okta.appGrants.manage tags: - - Application - /api/v1/apps/{appId}/users: + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/groups: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all Assigned Users - description: Enumerates all assigned [application users](#application-user-model) for an application. - operationId: listApplicationUsers + summary: List all Application Groups + description: Lists all app group assignments + operationId: listApplicationGroupAssignments parameters: - - name: appId - in: path - required: true - schema: - type: string - name: q in: query + description: |- + Specifies a filter for a list of assigned groups returned based on their names. The value of `q` is matched against the group `name`. + This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the [Group name](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=profile/name&t=response). schema: type: string - - name: query_scope - in: query - schema: - type: string + example: test - name: after in: query - description: specifies the pagination cursor for the next page of assignments - schema: - type: string - - name: limit - in: query - description: specifies the number of results for a page - schema: - type: integer - format: int32 - default: -1 - - name: filter - in: query - schema: - type: string - - name: expand - in: query + description: Specifies the pagination cursor for the `next` page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination). 
schema: type: string + example: 16275000448691 + - $ref: '#/components/parameters/queryGroupAssignmentLimit' + - $ref: '#/components/parameters/queryGroupAssignmentWithMetadataExpand' responses: '200': description: Success @@ -1973,7 +3167,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/AppUser' + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + listGroupAssignmentsResponseExample: + $ref: '#/components/examples/GroupAssignmentExListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1981,37 +3178,34 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.read tags: - - Application - post: - summary: Assign a User - description: Assigns an user to an application with [credentials](#application-user-credentials-object) and an app-specific [profile](#application-user-profile-object). Profile mappings defined for the application are first applied before applying any profile properties specified in the request. - operationId: assignUserToApplication + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/groups/{groupId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathGroupId' + get: + summary: Retrieve an Application Group + description: Retrieves an app group assignment + operationId: getApplicationGroupAssignment parameters: - - name: appId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: appUser - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AppUser' - required: true + - $ref: '#/components/parameters/queryGroupAssignmentWithGroupExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/AppUser' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + getGroupAssignmentResponseExample: + $ref: '#/components/examples/EmbeddedGroupAssignmentSampleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2019,38 +3213,42 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.manage + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - Application - /api/v1/apps/{appId}/users/{userId}: - get: - summary: Retrieve an Assigned User - description: Fetches a specific user assignment for application by `id`. - operationId: getApplicationUser - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Assign an Application Group + description: |- + Assigns a [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) to an app, which in turn assigns the app to each [User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/) that belongs to the group. + The resulting Application User [scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers!c=200&path=scope&t=response) is `GROUP` since the assignment was from the group membership. 
+ operationId: assignGroupToApplication + x-codegen-request-body-name: applicationGroupAssignment + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + putGroupAssignmentRequestExample: + $ref: '#/components/examples/GroupAssignmentPutRequestExample' + required: false responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/AppUser' + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + putGroupAssignmentResponseExample: + $ref: '#/components/examples/GroupAssignmentPutResponseExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2058,40 +3256,39 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.read + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Application - post: - summary: Update an Application Profile for Assigned User - description: Updates a user's profile for an application - operationId: updateApplicationUser - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: appUser + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + patch: + summary: Update an Application Group + description: Updates a group assignment to an app + operationId: updateGroupAssignmentToApplication requestBody: content: application/json: schema: - $ref: '#/components/schemas/AppUser' - required: true + type: array + items: + $ref: '#/components/schemas/JsonPatchOperation' + examples: + groupAssignmentPatchRequetExample: + $ref: '#/components/examples/GroupAssignmentPatchRequestExample' + required: false responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/AppUser' + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + patchGroupAssignmentResponseExample: + $ref: '#/components/examples/GroupAssignmentPatchResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -2101,32 +3298,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a User - description: Removes an assignment for a user from an application. - operationId: deleteApplicationUser - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string - - name: sendEmail - in: query - schema: - type: boolean - default: false - x-okta-added-version: 1.5.0 + summary: Unassign an Application Group + description: Unassigns a Group from an app + operationId: unassignApplicationFromGroup responses: '204': description: No Content 
@@ -2138,53 +3321,51 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.apps.manage tags: - - Application - /api/v1/authenticators: - get: - summary: List all Authenticators - description: Enumerates authenticators in your organization. - operationId: listAuthenticators + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' + post: + summary: Activate an Application + description: Activates an inactive application + operationId: activateApplication responses: '200': description: Success - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Authenticator' - type: array + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authenticators.read + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Authenticator - /api/v1/authenticators/{authenticatorId}: - get: - summary: Retrieve an Authenticator - description: Fetches an authenticator from your Okta organization by `authenticatorId`. 
- operationId: getAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string + - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' + post: + summary: Deactivate an Application + description: Deactivates an active application + operationId: deactivateApplication responses: '200': description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/Authenticator' + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2192,35 +3373,47 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authenticators.read + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Authenticator - put: - summary: Replace an Authenticator - description: Updates an authenticator - operationId: updateAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string - x-codegen-request-body-name: authenticator + - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/logo: + parameters: + - $ref: '#/components/parameters/pathAppId' + post: + summary: Upload an application Logo + description: | + Uploads a logo for the app instance. + If the app already has a logo, this operation replaces the previous logo. + + The logo is visible in the Admin Console as an icon for your app instance. + If you have one `appLink` object configured, this logo also appears in the End-User Dashboard as an icon for your app. + > **Note:** If you have multiple `appLink` objects, use the Admin Console to add logos for each app link. + > You can't use the API to add logos for multiple app links. + operationId: uploadApplicationLogo requestBody: content: - application/json: + multipart/form-data: schema: - $ref: '#/components/schemas/Authenticator' - required: true + type: object + properties: + file: + type: string + format: binary + description: | + The image file containing the logo. + + The file must be in PNG, JPG, SVG, or GIF format, and less than one MB in size. + For best results, use an image with a transparent background and a square dimension of 200 x 200 pixels to prevent upscaling. + required: + - file responses: - '200': - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/Authenticator' + '201': + description: Content Created '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -2230,29 +3423,30 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authenticators.manage + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Authenticator - /api/v1/authenticators/{authenticatorId}/lifecycle/activate: - post: - summary: Activate an Authenticator - description: Activates an authenticator by `authenticatorId`. - operationId: activateAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string + - ApplicationLogos + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/policies/{policyId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathPolicyId' + put: + summary: Assign an Authentication Policy + description: |- + Assigns an app to an [authentication policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`. + If the app was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`. + + > **Note:** When you [merge duplicate authentication policies](https://help.okta.com/okta_help.htm?type=oie&id=ext-merge-auth-policies), + the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email with merged results. + operationId: assignApplicationPolicy responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/Authenticator' + '204': + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2260,29 +3454,74 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authenticators.manage + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - Authenticator - /api/v1/authenticators/{authenticatorId}/lifecycle/deactivate: - post: - summary: Deactivate an Authenticator - description: Deactivates an authenticator by `authenticatorId`. - operationId: deactivateAuthenticator + - ApplicationPolicies + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/apps/{appId}/sso/saml/metadata: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: Preview the application SAML metadata + description: Previews the SSO SAML metadata for an application + operationId: previewSAMLmetadataForApplication parameters: - - in: path - name: authenticatorId + - name: kid + in: query required: true schema: - type: string + type: integer + example: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo responses: '200': - description: Success + description: OK content: - application/json: + text/xml: schema: - $ref: '#/components/schemas/Authenticator' + type: string + description: SAML metadata in XML + examples: + previewSAML: + summary: SAML metadata example + value: | + + + + + + + MIIDqDCCApCgAwIBAgIGAVGNO4qeMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU + MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJ + ARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODUwMDhaFw0xNzEyMTAxODUxMDdaMIGUMQswCQYD + VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG + A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEc + MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBALAakG48bgcTWHdwmVLHig0mkiRejxIVm3wbzrNSJcBruTq2zCYZ1rGfVxTYON8kJqvkXPmv + 
kzWKhpEkvhubL+mx29XpXY0AsNIfgcm5xIV56yhXSvlMdqzGo3ciRwoACaF+ClNLxmXK9UTZD89B + bVVGCG5AEvja0eCQ0GYsO5i9aSI5aTroab8Aew31PuWl/RGQWmjVy8+7P4wwkKKJNKCpxMYDlhfa + WRp0zwUSbUCO0qEyeAYdZx6CLES4FGrDi/7D6G+ewWC+kbz1tL1XpF2Dcg3+IOlHrV6VWzz3rG39 + v9zFIncjvoQJFDGWhpqGqcmXvgH0Ze3SVcVF01T+bK0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA + AHmnSZ4imjNrIf9wxfQIcqHXEBoJ+oJtd59cw1Ur/YQY9pKXxoglqCQ54ZmlIf4GghlcZhslLO+m + NdkQVwSmWMh6KLxVM18/xAkq8zyKbMbvQnTjFB7x45bgokwbjhivWqrB5LYHHCVN7k/8mKlS4eCK + Ci6RGEmErjojr4QN2xV0qAqP6CcGANgpepsQJCzlWucMFKAh0x9Kl8fmiQodfyLXyrebYsVnLrMf + jxE1b6dg4jKvv975tf5wreQSYZ7m//g3/+NnuDKkN/03HqhV7hTNi1fyctXk8I5Nwgyr+pT5LT2k + YoEdncuy+GQGzE9yLOhC4HNfHQXpqp2tMPdRlw== + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + + '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2290,29 +3529,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authenticators.manage + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - Authenticator - /api/v1/authorizationServers: + - ApplicationSSO + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/tokens: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all Authorization Servers - description: Success - operationId: listAuthorizationServers + summary: List all Application Refresh Tokens + description: | + Lists all refresh tokens for an app + + > **Note:** The results are [paginated](/#pagination) according to the `limit` parameter. + > If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). + operationId: listOAuth2TokensForApplication parameters: - - name: q - in: query - schema: - type: string - - name: limit - in: query - schema: - type: string - - name: after - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAppGrantsExpand' + - $ref: '#/components/parameters/queryAppAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success 
@@ -2321,65 +3560,33 @@ paths: schema: type: array items: - $ref: '#/components/schemas/AuthorizationServer' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.read - tags: - - AuthorizationServer - post: - summary: Create an Authorization Server - description: Success - operationId: createAuthorizationServer - x-codegen-request-body-name: authorizationServer - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServer' - required: true - responses: - '201': - description: Created - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServer' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + getOAuth2TokenForApplicationListExample: + $ref: '#/components/examples/OAuth2RefreshTokenResponseListEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}: - get: - summary: Retrieve an Authorization Server - description: Success - operationId: getAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke all Application Tokens + description: Revokes all OAuth 2.0 refresh tokens for the specified app. Any access tokens issued with these refresh tokens are also revoked, but access tokens issued without a refresh token aren't affected. 
+ operationId: revokeOAuth2TokensForApplication responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServer' + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2387,37 +3594,34 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.read + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - AuthorizationServer - put: - summary: Replace an Authorization Server - description: Success - operationId: updateAuthorizationServer + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathTokenId' + get: + summary: Retrieve an Application Token + description: Retrieves a refresh token for the specified app + operationId: getOAuth2TokenForApplication parameters: - - name: authServerId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: authorizationServer - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServer' - required: true + - $ref: '#/components/parameters/queryAppGrantsExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServer' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + getOAuth2TokenForApplicationExample: + $ref: '#/components/examples/OAuth2RefreshTokenResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2425,21 +3629,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - AuthorizationServer + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete an Authorization Server - description: Success - operationId: deleteAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string + summary: Revoke an Application Token + description: Revokes the specified token for the specified app + operationId: revokeOAuth2TokenForApplication responses: '204': description: No Content @@ -2451,22 +3652,26 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/claims: + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/users: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all Custom Token Claims - description: Success - operationId: listOAuth2Claims + summary: List all Application Users + description: Lists all assigned users for an app + operationId: listApplicationUsers parameters: - - name: authServerId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/queryAppAfter' + - $ref: '#/components/parameters/queryAppLimit' + - $ref: '#/components/parameters/queryAppUserQ' + - $ref: '#/components/parameters/queryAppUserExpand' responses: '200': description: Success 
@@ -2475,7 +3680,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/OAuth2Claim' + $ref: '#/components/schemas/AppUser' + examples: + ListAppUsersExample: + $ref: '#/components/examples/AppUserListEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2483,72 +3691,91 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.read + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - AuthorizationServer + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Custom Token Claim - description: Success - operationId: createOAuth2Claim - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: oAuth2Claim + summary: Assign an Application User + description: |- + Assigns a user to an app for: + + * SSO only
+ Assignments to SSO apps typically don't include a user profile. + However, if your SSO app requires a profile but doesn't have provisioning enabled, you can add profile attributes in the request body. + + * SSO and provisioning
+ Assignments to SSO and provisioning apps typically include credentials and an app-specific profile. + Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request body. + > **Notes:** + > * When Universal Directory is enabled, you can only specify profile properties that aren't defined in profile mappings. + > * Omit mapped properties during assignment to minimize assignment errors. + operationId: assignUserToApplication + x-codegen-request-body-name: appUser requestBody: content: application/json: schema: - $ref: '#/components/schemas/OAuth2Claim' + $ref: '#/components/schemas/AppUserAssignRequest' + examples: + AppUserSSOEx: + $ref: '#/components/examples/AppUserAssignSSORequest' + AppUserProvEx: + $ref: '#/components/examples/AppUserAssignProvRequest' required: true responses: - '201': + '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Claim' + $ref: '#/components/schemas/AppUser' + examples: + AppUserSSOEx: + $ref: '#/components/examples/AppUserSSOResponse' + AppUserProvEx: + $ref: '#/components/examples/AppUserProvResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/responses/ErrorAppUserForbidden403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/claims/{claimId}: + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/users/{userId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathAppUserId' get: - summary: Retrieve a Custom Token Claim - description: 
Success - operationId: getOAuth2Claim + summary: Retrieve an Application User + description: Retrieves a specific user assignment for a specific app + operationId: getApplicationUser parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: claimId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/queryAppUserExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Claim' + $ref: '#/components/schemas/AppUser' + examples: + GetAppUserExample: + $ref: '#/components/examples/AppUserProvExpandResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2556,32 +3783,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.read + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - AuthorizationServer - put: - summary: Replace a Custom Token Claim - description: Success - operationId: updateOAuth2Claim - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: claimId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: oAuth2Claim + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an Application User + description: Updates the profile or credentials of a user assigned to an app + operationId: updateApplicationUser + x-codegen-request-body-name: appUser requestBody: content: application/json: schema: - $ref: '#/components/schemas/OAuth2Claim' + $ref: '#/components/schemas/AppUserUpdateRequest' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/AppUserUpdateCredRequest' + AppUserUpdateProfileEx: + $ref: '#/components/examples/AppUserUpdateProfileRequest' required: true responses: '200': 
@@ -2589,36 +3813,47 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/OAuth2Claim' + $ref: '#/components/schemas/AppUser' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/AppUserCredUpdateResponse' + AppUserUpdateProfileEx: + $ref: '#/components/examples/AppUserProfUpdateResponse' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/responses/ErrorAppUserUpdateBadRequest400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/responses/ErrorAppUserForbidden403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - AuthorizationServer + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Custom Token Claim - description: Success - operationId: deleteOAuth2Claim + summary: Unassign an Application User + description: |- + Unassigns a user from an app + + For directories like Active Directory and LDAP, they act as the owner of the user's credential with Okta delegating authentication (DelAuth) to that directory. + If this request is successful for a user when DelAuth is enabled, then the user is in a state with no password. You can then reset the user's password. + + > **Important:** This is a destructive operation. You can't recover the user's app profile. If the app is enabled for provisioning and configured to deactivate users, the user is also deactivated in the target app. 
+ operationId: unassignUserFromApplication parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: claimId - in: path - required: true + - name: sendEmail + in: query + description: Sends a deactivation email to the administrator if `true` schema: - type: string + type: boolean + default: false + x-okta-added-version: 1.5.0 responses: '204': description: No Content 
@@ -2630,31 +3865,38 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/clients: - get: - summary: List all Clients - description: Success - operationId: listOAuth2ClientsForAuthorizationServer + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appName}/{appId}/oauth2/callback: + parameters: + - $ref: '#/components/parameters/pathOAuthProvisioningAppName' + - $ref: '#/components/parameters/pathAppId' + post: + summary: Verify the Provisioning Connection + description: | + Verifies the OAuth 2.0-based connection as part of the OAuth 2.0 consent flow. The validation of the consent flow is the last step of the provisioning setup for an OAuth 2.0-based connection. + Currently, this operation only supports `office365`,`google`, `zoomus`, and `slack` apps. + operationId: verifyProvisioningConnectionForApplication parameters: - - name: authServerId - in: path - required: true + - name: code + in: query + schema: + type: string + description: Unique string associated with each authentication request + - name: state + in: query schema: type: string + description: A temporary code string that the client exchanges for an access token responses: - '200': - description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/OAuth2Client' + '204': + description: No content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2662,125 +3904,90 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.read + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens: + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/authenticators: get: - summary: List all Refresh Tokens for a Client - description: Success - operationId: listRefreshTokensForAuthorizationServerAndClient - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: -1 + summary: List all Authenticators + description: Lists all authenticators + operationId: listAuthenticators responses: '200': description: Success content: application/json: schema: - type: array items: - $ref: '#/components/schemas/OAuth2RefreshToken' + $ref: '#/components/schemas/AuthenticatorBase' + type: array + examples: + OrgAuthenticatorsEx: + $ref: '#/components/examples/AuthenticatorsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.read + - apiToken: [] + - oauth2: + - okta.authenticators.read tags: - - AuthorizationServer - delete: - summary: Revoke all Refresh Tokens for a Client - description: Success - operationId: revokeRefreshTokensForAuthorizationServerAndClient + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create an 
Authenticator + description: Creates an authenticator + operationId: createAuthenticator parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true + - in: query + name: activate + description: Whether to execute the activation lifecycle operation when Okta creates the authenticator schema: - type: string + type: boolean + default: true + x-codegen-request-body-name: authenticator + requestBody: + $ref: '#/components/requestBodies/AuthenticatorRequestBody' responses: - '204': - description: No Content - content: {} + '200': + $ref: '#/components/responses/AuthenticatorResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.authenticators.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' get: - summary: Retrieve a Refresh Token for a Client - description: Success - operationId: getRefreshTokenForAuthorizationServerAndClient - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + summary: Retrieve an Authenticator + description: Retrieves an authenticator from your Okta organization by `authenticatorId` + operationId: getAuthenticator 
responses: '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2RefreshToken' + $ref: '#/components/responses/AuthenticatorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2788,35 +3995,28 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.read + - apiToken: [] + - oauth2: + - okta.authenticators.read tags: - - AuthorizationServer - delete: - summary: Revoke a Refresh Token for a Client - description: Success - operationId: revokeRefreshTokenForAuthorizationServerAndClient - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace an Authenticator + description: Replaces the properties for an Authenticator identified by `authenticatorId` + operationId: replaceAuthenticator + x-codegen-request-body-name: authenticator + requestBody: + $ref: '#/components/requestBodies/AuthenticatorRequestBody' responses: - '204': - description: No Content - content: {} + '200': + $ref: '#/components/responses/AuthenticatorResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
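Review bot: the two hunks above remove both refresh-token revocation operations (`revokeRefreshTokensForAuthorizationServerAndClient`, the `DELETE` on `/authorizationServers/{authServerId}/clients/{clientId}/tokens`, and `revokeRefreshTokenForAuthorizationServerAndClient`, the `DELETE` on `.../tokens/{tokenId}`), while this patch region only re-adds the `GET` list at `/clients/{clientId}/tokens`. Confirm both `DELETE` operations are re-added under the new `AuthorizationServerClients` tag with `okta.authorizationServers.manage`; generated SDKs would otherwise lose the ability to revoke issued tokens, which is the security-critical half of this API.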
@@ -2824,31 +4024,26 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.authenticators.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/credentials/keys: - get: - summary: List all Credential Keys - description: Success - operationId: listAuthorizationServerKeys - parameters: - - name: authServerId - in: path - required: true - schema: - type: string + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + post: + summary: Activate an Authenticator + description: Activates an authenticator by `authenticatorId` + operationId: activateAuthenticator responses: '200': - description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/responses/AuthenticatorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2856,38 +4051,164 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.read + - apiToken: [] + - oauth2: + - okta.authenticators.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' post: - summary: Rotate all Credential Keys - description: Success - operationId: rotateAuthorizationServerKeys - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: use + summary: Deactivate an Authenticator + description: Deactivates an authenticator by `authenticatorId` + operationId: deactivateAuthenticator + responses: + '200': + $ref: '#/components/responses/AuthenticatorResponseInactiveWebAuthn' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/methods: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + get: + summary: List all Methods of an Authenticator + description: |- + Lists all Methods of an Authenticator identified by `authenticatorId` + > **Note:** + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. 
+ > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. + operationId: listAuthenticatorMethods + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + Phone: + $ref: '#/components/examples/AuthenticatorMethodPhone' + WebAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebauth' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/methods/{methodType}: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathMethodType' + get: + summary: Retrieve an Authenticator Method + description: |- + Retrieves a Method identified by `methodType` of an Authenticator identified by `authenticatorId` + > **Note:** + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. 
+ > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. + operationId: getAuthenticatorMethod + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' + webAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebauth' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace an Authenticator Method + description: |- + Replaces a Method of `methodType` for an Authenticator identified by `authenticatorId` + > **Note:** + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. 
+ operationId: replaceAuthenticatorMethod requestBody: content: application/json: schema: - $ref: '#/components/schemas/JwkUse' - required: true + $ref: '#/components/schemas/AuthenticatorMethodBase' responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' + webAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebauth' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
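Review bot: `replaceAuthenticatorMethod` (PUT `/authenticators/{authenticatorId}/methods/{methodType}`) drops the `required: true` that the replaced `rotateAuthorizationServerKeys` body carried, so a replace request with no body now validates against the spec; restore `required: true` on that `requestBody`, as `createAuthorizationServer` does later in this patch. Separately, the same five-line `> **Note:**` block about the AAGUID Group and the Early Access allow list for FIDO2 (WebAuthn) authenticators is pasted verbatim into `listAuthenticatorMethods`, `getAuthenticatorMethod`, `replaceAuthenticatorMethod` and both method lifecycle operations; moving it into one shared description (for example the `Authenticator` tag) would keep the Firefox, Chrome PIN and make-and-model caveats from drifting apart over time.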
@@ -2897,26 +4218,43 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.authenticators.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/lifecycle/activate: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathMethodType' post: - summary: Activate an Authorization Server - description: Success - operationId: activateAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string + summary: Activate an Authenticator Method + description: |- + Activates a Method for an Authenticator identified by `authenticatorId` and `methodType` + > **Note:** + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. 
+ operationId: activateAuthenticatorMethod responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + webAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebauth' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2924,26 +4262,41 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.authenticators.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathMethodType' post: - summary: Deactivate an Authorization Server - description: Success - operationId: deactivateAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string + summary: Deactivate an Authenticator Method + description: |- + Deactivates a Method for an Authenticator identified by `authenticatorId` and `methodType` + > **Note:** + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. 
+ operationId: deactivateAuthenticatorMethod responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2951,20 +4304,38 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.authenticators.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authorizationServers: get: - summary: List all Policies - description: Success - operationId: listAuthorizationServerPolicies + summary: List all Authorization Servers + description: Lists all custom authorization servers in the org + operationId: listAuthorizationServers parameters: - - name: authServerId - in: path - required: true + - name: q + in: query + description: Searches the `name` and `audiences` of authorization servers for matching values + example: customasone + schema: + type: string + - name: limit + in: query + description: 'Specifies the number of authorization server results on a page. Maximum value: 200' + schema: + type: integer + format: int32 + default: 200 + - name: after + in: query + description: Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship. schema: type: string responses: 
@@ -2975,35 +4346,38 @@ paths: schema: type: array items: - $ref: '#/components/schemas/AuthorizationServerPolicy' + $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAuthServers: + $ref: '#/components/examples/ListAuthServersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: - summary: Create a Policy - description: Success - operationId: createAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policy + summary: Create an Authorization Server + description: Creates an authorization server + operationId: createAuthorizationServer + x-codegen-request-body-name: authorizationServer requestBody: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' + $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerBody' required: true responses: '201': 
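Review bot: every AuthorizationServer operation in this patch carries `lifecycle: GA` together with `isGenerallyAvailable: false` and `SKUs: [API Access Management]`, whereas the `ApplicationConnections` operation at the top of the patch has `lifecycle: GA` with `isGenerallyAvailable: true`. If `false` here is meant as "GA, but gated on the listed SKU" rather than "not generally available", document that reading of `x-okta-lifecycle` in the spec, because tooling that keys on `isGenerallyAvailable` alone will hide a GA API from consumers who do have the SKU.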
@@ -3011,44 +4385,44 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' + $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: - summary: Retrieve a Policy - description: Success - operationId: getAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string + summary: Retrieve an Authorization Server + description: Retrieves an authorization server + operationId: getAuthorizationServer responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' + $ref: '#/components/schemas/AuthorizationServer' + examples: + RetrieveAuthServer: + $ref: '#/components/examples/RetrieveAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3056,32 +4430,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: - summary: Replace a Policy - description: Success - operationId: updateAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policy + summary: Replace an Authorization Server + description: Replaces an authorization server + operationId: replaceAuthorizationServer + x-codegen-request-body-name: authorizationServer requestBody: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' + $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerBody' required: true responses: '200': @@ -3089,7 +4460,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' + $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -3099,26 +4473,20 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: - summary: Delete a Policy - description: Success - operationId: deleteAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string + summary: Delete an Authorization Server + description: Deletes an authorization server + operationId: deleteAuthorizationServer responses: '204': description: No Content 
@@ -3130,59 +4498,129 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate: - post: - summary: Activate a Policy - description: Activate Authorization Server Policy - operationId: activateAuthorizationServerPolicy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/associatedServers: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + get: + summary: List all associated Authorization Servers + description: Lists all associated Authorization Servers by trusted type for the given `authServerId` + operationId: listAssociatedServersByTrustedType parameters: - - name: authServerId - in: path - required: true + - name: trusted + in: query + description: Searches trusted authorization servers when `true` or searches untrusted authorization servers when `false` + schema: + type: boolean + - name: q + in: query + description: Searches for the name or audience of the associated authorization servers + example: customasone schema: type: string - - name: policyId - in: path - required: true + - name: limit + in: query + description: Specifies the number of results for a page + schema: + type: integer + format: int32 + default: 200 + - name: after + in: query + description: Specifies the pagination cursor for the next page of the associated authorization servers schema: type: string responses: - '204': - description: No Content - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + '200': + 
description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAssocAuthServer: + $ref: '#/components/examples/ListAssocAuthServerResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate: + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: - summary: Deactivate a Policy - description: Deactivate Authorization Server Policy - operationId: deactivateAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string + summary: Create an associated Authorization Server + description: Creates trusted relationships between the given authorization server and other authorization servers + operationId: createAssociatedServers + x-codegen-request-body-name: associatedServerMediated + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AssociatedServerMediated' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/associatedServers/{associatedServerId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathAssociatedServerId' + delete: + summary: Delete an associated Authorization Server + description: Deletes an associated Authorization Server + operationId: deleteAssociatedServer responses: '204': description: No Content @@ -3194,27 +4632,23 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules: + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/claims: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: - summary: List all Policy Rules - description: Enumerates all policy rules for the specified Custom Authorization Server and Policy. - operationId: listAuthorizationServerPolicyRules - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string + summary: List all custom token Claims + description: Lists all custom token Claims defined for a specified custom authorization server + operationId: listOAuth2Claims responses: '200': description: Success 
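Review bot: `listAssociatedServersByTrustedType` describes `trusted` only for `true` and `false`, but the parameter is optional, so the description should state what is returned when it is omitted (both trusted and untrusted servers, or a validation error). Its `limit` also has `default: 200` without the "Maximum value: 200" that `listAuthorizationServers` states, and its `after` cursor is not described as opaque although the list operation's is; aligning the three descriptions with `listAuthorizationServers` would give callers one consistent pagination contract.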
@@ -3223,7 +4657,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/OAuth2Claim' + examples: + ListCustomTokenClaims: + $ref: '#/components/examples/ListCustomTokenClaimsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3231,40 +4668,40 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: - summary: Create a Policy Rule - description: Creates a policy rule for the specified Custom Authorization Server and Policy. - operationId: createAuthorizationServerPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policyRule + summary: Create a custom token Claim + description: Creates a custom token Claim for a custom authorization server + operationId: createOAuth2Claim + x-codegen-request-body-name: oAuth2Claim requestBody: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimBody' required: true responses: '201': - description: Created + description: Success content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
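Review bot: the `201` response of `createOAuth2Claim` is relabelled from `Created` to `Success`; `Created` is the accurate reason phrase for a 201 and distinguishes the create from the `200 Success` used by `listOAuth2Claims` in the same hunk, so keep `Created` here.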
@@ -3274,39 +4711,34 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}: + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/claims/{claimId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClaimId' get: - summary: Retrieve a Policy Rule - description: Returns a Policy Rule by ID that is defined in the specified Custom Authorization Server and Policy. - operationId: getAuthorizationServerPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string + summary: Retrieve a custom token Claim + description: Retrieves a custom token Claim by the specified `claimId` + operationId: getOAuth2Claim responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/OAuth2Claim' + examples: + RetrieveCustomTokenClaim: + $ref: '#/components/examples/RetrieveCustomTokenClaimResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3314,37 +4746,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: - summary: Replace a Policy Rule - description: Updates the configuration of the Policy Rule defined in the specified Custom Authorization Server and Policy. - operationId: updateAuthorizationServerPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policyRule + summary: Replace a custom token Claim + description: Replaces a custom token Claim specified by the `claimId` + operationId: replaceOAuth2Claim + x-codegen-request-body-name: oAuth2Claim requestBody: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimBody' required: true responses: '200': @@ -3352,7 +4776,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -3362,68 +4789,20 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: - summary: Delete a Policy Rule - description: Deletes a Policy Rule defined in the specified Custom Authorization Server and Policy. - operationId: deleteAuthorizationServerPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string - responses: - '204': - description: No Content - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate: - post: - summary: Activate a Policy Rule - description: Activate Authorization Server Policy Rule - operationId: activateAuthorizationServerPolicyRule - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string + summary: Delete a custom token Claim + description: Deletes a custom token Claim specified by the `claimId` + operationId: deleteOAuth2Claim responses: '204': description: No Content 
@@ -3435,36 +4814,35 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: - post: - summary: Deactivate a Policy Rule - description: Deactivate Authorization Server Policy Rule - operationId: deactivateAuthorizationServerPolicyRule - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/clients: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + get: + summary: List all Client resources for an authorization server + description: Lists all Client resources for which the specified authorization server has tokens + operationId: listOAuth2ClientsForAuthorizationServer responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2Client' + examples: + ListClients: + $ref: '#/components/examples/ListClientsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3472,36 +4850,38 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.authorizationServers.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.read tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/scopes: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClientId' get: - summary: List all Custom Token Scopes - description: Success - operationId: listOAuth2Scopes + summary: List all refresh tokens for a Client + description: Lists all refresh tokens issued by an authorization server for a specific Client + operationId: listRefreshTokensForAuthorizationServerAndClient parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: q - in: query - schema: - type: string - - name: filter + - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string - - name: cursor + - name: after in: query + description: Specifies the pagination cursor for the next page of tokens schema: type: string - name: limit in: query + description: The maximum number of tokens to return (maximum 200) schema: type: integer format: int32 @@ -3514,7 +4894,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/OAuth2Scope' + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + ListRefreshTokenClients: + $ref: '#/components/examples/ListRefreshTokensClientsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3522,37 +4905,91 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer - post: - summary: Create a Custom Token Scope - description: Success - operationId: createOAuth2Scope + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Revoke all refresh tokens for a Client + description: Revokes all refresh tokens for a Client + operationId: revokeRefreshTokensForAuthorizationServerAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathTokenId' + get: + summary: Retrieve a refresh token for a Client + description: Retrieves a refresh token for a Client + operationId: getRefreshTokenForAuthorizationServerAndClient parameters: - - name: authServerId - in: path - required: true + - name: expand + in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' 
schema: type: string - x-codegen-request-body-name: oAuth2Scope - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Scope' - required: true responses: - '201': + '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Scope' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + RetrieveRefreshTokenClient: + $ref: '#/components/examples/RetrieveRefreshTokenClientResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Revoke a refresh token for a Client + description: Revokes a refresh token for a Client + operationId: revokeRefreshTokenForAuthorizationServerAndClient + responses: + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3560,34 +4997,35 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/credentials/keys: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: - summary: Retrieve a Custom Token Scope - description: Success - operationId: getOAuth2Scope - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: scopeId - in: path - required: true - schema: - type: string + summary: List all Credential Keys + description: Lists all of the current, future, and expired Keys used by the Custom Authorization Server + operationId: listAuthorizationServerKeys responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Scope' + type: array + items: + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + ListAuthorizationServerKeys: + $ref: '#/components/examples/ListAuthorizationServerKeys' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3595,32 +5033,76 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer - put: - summary: Replace a Custom Token Scope - description: Success - operationId: updateOAuth2Scope - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: scopeId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: oAuth2Scope + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathCredentialKeyId' + get: + summary: Retrieve an Authorization Server Key + description: Retrieves an Authorization Server Key specified by the `keyId` + operationId: getAuthorizationServerKey + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + ActiveAuthorizationServerKey: + $ref: '#/components/examples/ActiveAuthorizationServerKey' + NextAuthorizationServerKey: + $ref: '#/components/examples/NextAuthorizationServerKey' + ExpiredAuthorizationServerKey: + $ref: '#/components/examples/ExpiredAuthorizationServerKey' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate: + parameters: + - $ref: 
'#/components/parameters/pathAuthServerId' + post: + summary: Rotate all Credential Keys + description: |- + Rotates the current Keys for a Custom Authorization Server. If you rotate Keys, + the `ACTIVE` Key becomes the `EXPIRED` Key, the `NEXT` Key becomes the `ACTIVE` Key, + and the Custom Authorization Server immediately begins using the new active + Key to sign tokens. + + > **Note:** Okta rotates your Keys automatically in `AUTO` mode. You can rotate Keys + yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache + and fetch the Keys again using the Keys endpoint. + operationId: rotateAuthorizationServerKeys + x-codegen-request-body-name: use requestBody: content: application/json: schema: - $ref: '#/components/schemas/OAuth2Scope' + $ref: '#/components/schemas/JwkUse' required: true responses: '200': 
@@ -3628,9 +5110,49 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/OAuth2Scope' + type: array + items: + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + RotateAuthorizationServerKeys: + $ref: '#/components/examples/ListAuthorizationServerKeys' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidRotateUse: + $ref: '#/components/examples/InvalidRotateUse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + post: + summary: Activate an Authorization Server + description: Activates an authorization server + operationId: activateAuthorizationServer + responses: + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3638,26 +5160,23 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer - delete: - summary: Delete a Custom Token Scope - description: Success - operationId: deleteOAuth2Scope - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: scopeId - in: path - required: true - schema: - type: string + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + post: + summary: Deactivate an Authorization Server + description: Deactivates an authorization server + operationId: deactivateAuthorizationServer responses: '204': description: No Content 
@@ -3669,48 +5188,65 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer - /api/v1/behaviors: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/policies: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: - summary: List all Behavior Detection Rules - description: Enumerates Behavior Detection Rules in your organization with pagination. - operationId: listBehaviorDetectionRules + summary: List all Policies + description: Lists all policies + operationId: listAuthorizationServerPolicies responses: '200': - description: OK + description: Success content: application/json: schema: type: array items: - $ref: '#/components/schemas/BehaviorRule' + $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + ListAuthorizationServerPolicies: + $ref: '#/components/examples/ListAuthorizationServerPolicies' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.behaviors.read + - apiToken: [] + - oauth2: + - okta.authorizationServers.read tags: - - Behavior + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: - summary: Create a Behavior Detection Rule - description: Adds a new Behavior Detection Rule to your organization. 
- operationId: createBehaviorDetectionRule - x-codegen-request-body-name: rule + summary: Create a Policy + description: Creates a policy + operationId: createAuthorizationServerPolicy + x-codegen-request-body-name: policy requestBody: content: application/json: schema: - $ref: '#/components/schemas/BehaviorRule' + $ref: '#/components/schemas/AuthorizationServerPolicy' examples: - BehaviorRuleRequest: - $ref: '#/components/examples/BehaviorRuleRequest' + CreateAuthorizationServerPolicyRule: + $ref: '#/components/examples/CreateAuthorizationServerPolicyRequest' required: true responses: '201': 
@@ -3718,159 +5254,144 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/BehaviorRule' + $ref: '#/components/schemas/AuthorizationServerPolicy' examples: - BehaviorRuleReSponse: - $ref: '#/components/examples/BehaviorRuleResponse' + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - API Validation Failed: - $ref: '#/components/examples/ErrorApiValidationFailed' + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.behaviors.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Behavior - /api/v1/behaviors/{behaviorId}: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/policies/{policyId}: parameters: - - $ref: '#/components/parameters/pathBehaviorId' + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' get: - summary: Retrieve a Behavior Detection Rule - description: Fetches a Behavior Detection Rule by `behaviorId`. 
- operationId: getBehaviorDetectionRule + summary: Retrieve a Policy + description: Retrieves a policy + operationId: getAuthorizationServerPolicy responses: '200': - description: OK + description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/BehaviorRule' + $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Resource Not Found: - $ref: '#/components/examples/ErrorResourceNotFound' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.behaviors.read + - apiToken: [] + - oauth2: + - okta.authorizationServers.read tags: - - Behavior + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: - summary: Replace a Behavior Detection Rule - description: Update a Behavior Detection Rule by `behaviorId`. 
- operationId: updateBehaviorDetectionRule - x-codegen-request-body-name: rule + summary: Replace a Policy + description: Replaces a policy + operationId: replaceAuthorizationServerPolicy + x-codegen-request-body-name: policy requestBody: content: application/json: schema: - $ref: '#/components/schemas/BehaviorRule' + $ref: '#/components/schemas/AuthorizationServerPolicy' examples: - BehaviorRuleRequest: - $ref: '#/components/examples/BehaviorRuleRequest' + UpdateAuthorizationServerPolicyRule: + $ref: '#/components/examples/UpdateAuthorizationServerPolicyRequest' required: true responses: '200': - description: Created + description: Success content: application/json: schema: - $ref: '#/components/schemas/BehaviorRule' + $ref: '#/components/schemas/AuthorizationServerPolicy' examples: - BehaviorRuleReSponse: - $ref: '#/components/examples/BehaviorRuleResponse' + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - API Validation Failed: - $ref: '#/components/examples/ErrorApiValidationFailed' + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Resource Not Found: - $ref: '#/components/examples/ErrorResourceNotFound' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.behaviors.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Behavior + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: - summary: Delete a Behavior Detection Rule - description: Delete a Behavior Detection Rule by 
`behaviorId`. - operationId: deleteBehaviorDetectionRule + summary: Delete a Policy + description: Deletes a policy + operationId: deleteAuthorizationServerPolicy responses: '204': description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Resource Not Found: - $ref: '#/components/examples/ErrorResourceNotFound' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.behaviors.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Behavior - /api/v1/behaviors/{behaviorId}/lifecycle/activate: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' post: - summary: Activate a Behavior Detection Rule - description: Activate Behavior Detection Rule - operationId: activateBehaviorDetectionRule - parameters: - - $ref: '#/components/parameters/pathBehaviorId' + summary: Activate a Policy + description: Activates an authorization server policy + operationId: activateAuthorizationServerPolicy responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/BehaviorRule' - examples: - BehaviorRuleReSponse: - $ref: '#/components/examples/BehaviorRuleResponse' + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3878,28 +5399,28 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.behaviors.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Behavior - /api/v1/behaviors/{behaviorId}/lifecycle/deactivate: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' post: - summary: Deactivate a Behavior Detection Rule - description: Deactivate Behavior Detection Rule - operationId: deactivateBehaviorDetectionRule - parameters: - - $ref: '#/components/parameters/pathBehaviorId' + summary: Deactivate a Policy + description: Deactivates an authorization server policy + operationId: deactivateAuthorizationServerPolicy responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/BehaviorRule' - examples: - BehaviorRuleReSponse: - $ref: '#/components/examples/BehaviorRuleResponse' + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3907,93 +5428,79 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.behaviors.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Behavior - /api/v1/brands: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' get: - summary: List all Brands - description: List all the brands in your org. - operationId: listBrands + summary: List all Policy Rules + description: Lists all policy rules for the specified Custom Authorization Server and Policy + operationId: listAuthorizationServerPolicyRules responses: '200': - description: OK + description: Success content: application/json: schema: type: array items: - $ref: '#/components/schemas/Brand' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.read - tags: - - Customization - /api/v1/brands/{brandId}: - parameters: - - in: path - name: brandId - required: true - schema: - type: string - get: - summary: Retrieve a Brand - description: Fetches a brand by `brandId` - operationId: getBrand - responses: - '200': - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/Brand' + $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + ListAuthorizationServerPolicyRules: + $ref: '#/components/examples/ListAuthorizationServerPolicyRules' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.read + - apiToken: [] + - oauth2: + - okta.authorizationServers.read tags: - - Customization - put: - summary: Replace a Brand - description: Updates a brand by `brandId` - operationId: updateBrand - x-codegen-request-body-name: brand + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create a Policy Rule + description: Creates a policy rule for the specified Custom Authorization Server and Policy + operationId: createAuthorizationServerPolicyRule + x-codegen-request-body-name: policyRule requestBody: content: application/json: schema: - $ref: '#/components/schemas/Brand' + $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' + examples: + CreateAuthorizationServerPolicyRule: + $ref: '#/components/examples/CreateAuthorizationServerPolicyRuleRequest' required: true responses: - '200': - description: OK + '201': + description: Created content: application/json: schema: - $ref: '#/components/schemas/Brand' + $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -4001,511 +5508,598 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Customization - /api/v1/brands/{brandId}/pages/error: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}: parameters: - - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' get: - summary: Retrieve the Error Page - description: Retrieves the error page. - operationId: retrieveErrorPage + summary: Retrieve a Policy Rule + description: Retrieves a policy rule by `ruleId` + operationId: getAuthorizationServerPolicyRule responses: '200': - description: Successfully retrieved the error page. + description: Success content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.read + - apiToken: [] + - oauth2: + - okta.authorizationServers.read tags: - - Customization + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: - summary: Replace the Error Page - description: Replaces the error page. 
- operationId: replaceErrorPage + summary: Replace a Policy Rule + description: Replaces the configuration of the Policy Rule defined in the specified Custom Authorization Server and Policy + operationId: replaceAuthorizationServerPolicyRule + x-codegen-request-body-name: policyRule requestBody: content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' + examples: + UpdateAuthorizationServerPolicyRule: + $ref: '#/components/examples/UpdateAuthorizationServerPolicyRuleRequest' required: true responses: '200': - description: Successfully replaced the error page. + description: Success content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Customization + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: - summary: Reset the Error Page - description: Resets the error page. - operationId: resetErrorPage + summary: Delete a Policy Rule + description: Deletes a Policy Rule defined in the specified Custom Authorization Server and Policy + operationId: deleteAuthorizationServerPolicyRule responses: '204': - description: Successfully reset the error page. 
+ description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Customization - /api/v1/brands/{brandId}/pages/error/preview: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate: parameters: - - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' post: - summary: Preview the Error Page - description: Previews the error page. - operationId: previewErrorPage - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CustomizablePage' - required: true + summary: Activate a Policy Rule + description: Activates an authorization server policy rule + operationId: activateAuthorizationServerPolicyRule responses: - '200': - description: Successfully previewed the error page. 
- content: - text/html: - schema: - type: string - '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.read + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Customization - /api/v1/brands/{brandId}/pages/sign-in: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: parameters: - - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + post: + summary: Deactivate a Policy Rule + description: Deactivates an authorization server policy rule + operationId: deactivateAuthorizationServerPolicyRule + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/scopes: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: - summary: Retrieve the Sign-in Page - description: Retrieves the sign-in page. 
- operationId: retrieveSignInPage + summary: List all Custom Token Scopes + description: Lists all custom token scopes + operationId: listOAuth2Scopes + parameters: + - name: q + in: query + description: Searches the `name` of Custom Token Scopes for matching values + schema: + type: string + - name: filter + in: query + description: Filter expression for Custom Token Scopes + schema: + type: string + - name: after + in: query + description: |- + Specifies the pagination cursor for the next page of scopes. + Treat the after cursor as an opaque value and obtain it through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + - name: limit + in: query + description: |- + Specifies the number of objects to return per page. + If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: integer + maximum: 200 responses: '200': - description: Successfully retrieved the sign-in page. + description: Success content: application/json: schema: - $ref: '#/components/schemas/SignInPage' + type: array + items: + $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleScopes: + $ref: '#/components/examples/ExampleOAuth2Scopes' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '429': + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.read + - apiToken: [] + - oauth2: + - okta.authorizationServers.read tags: - - Customization - put: - summary: Replace the Sign-in Page - description: Replaces the sign-in page. 
- operationId: replaceSignInPage + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create a Custom Token Scope + description: Creates a custom token scope + operationId: createOAuth2Scope + x-codegen-request-body-name: oAuth2Scope requestBody: content: application/json: schema: - $ref: '#/components/schemas/SignInPage' + $ref: '#/components/schemas/OAuth2Scope' + examples: + CreateOAuth2ScopeRequest: + $ref: '#/components/examples/CreateOAuth2ScopeRequest' required: true responses: - '200': - description: Successfully replaced the sign-in page. + '201': + description: Success content: application/json: schema: - $ref: '#/components/schemas/SignInPage' + $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleOAuth2Scope: + $ref: '#/components/examples/ExampleOAuth2Scope' '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Customization - delete: - summary: Reset the Sign-in Page - description: Reset the sign-in page. 
- operationId: resetSignInPage + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathScopeId' + get: + summary: Retrieve a Custom Token Scope + description: Retrieves a custom token scope + operationId: getOAuth2Scope responses: - '204': - description: Successfully reset the sign-in page. - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleOAuth2Scope: + $ref: '#/components/examples/ExampleOAuth2Scope' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage + - apiToken: [] + - oauth2: + - okta.authorizationServers.read tags: - - Customization - /api/v1/brands/{brandId}/pages/sign-in/preview: - parameters: - - $ref: '#/components/parameters/pathBrandId' - post: - summary: Preview the Sign-in Page. - description: Preview the sign-in page. - operationId: previewSignInPage + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + put: + summary: Replace a Custom Token Scope + description: Replaces a custom token scope + operationId: replaceOAuth2Scope + x-codegen-request-body-name: oAuth2Scope requestBody: content: application/json: schema: - $ref: '#/components/schemas/SignInPage' + $ref: '#/components/schemas/OAuth2Scope' + examples: + UpdateOAuth2Scope: + $ref: '#/components/examples/UpdateOAuth2ScopeRequest' required: true responses: '200': - description: Successfully previewed the sign-in page. 
- content: - text/html: - schema: - type: string - '400': - description: Bad Request + description: Success content: application/json: schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/OAuth2Scope' + examples: + UpdatedOAuth2Scope: + $ref: '#/components/examples/UpdatedOAuth2ScopeResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.read + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Customization - /api/v1/brands/{brandId}/pages/sign-in/widget-versions: - parameters: - - $ref: '#/components/parameters/pathBrandId' - get: - summary: List all Sign-in Widget Versions - description: List all sign-in widget versions. - operationId: listAllSignInWidgetVersions + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Delete a Custom Token Scope + description: Deletes a custom token scope + operationId: deleteOAuth2Scope responses: - '200': - description: Successfully listed the sign-in widget versions. 
- content: - application/json: - schema: - type: array - items: - type: string - pattern: ^\d+\.\d+$ + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.read + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage tags: - - Customization - /api/v1/brands/{brandId}/pages/sign-out: - parameters: - - $ref: '#/components/parameters/pathBrandId' + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/behaviors: get: - summary: Retrieve the Sign-out Page Settings - description: Retrieves the sign-out page settings. - operationId: retrieveSignOutPageSettings + summary: List all Behavior Detection Rules + description: Lists all behavior detection rules with pagination support + operationId: listBehaviorDetectionRules responses: '200': - description: Successfully retrieved the sign-out page settings. + description: OK content: application/json: schema: - $ref: '#/components/schemas/HostedPage' + type: array + items: + $ref: '#/components/schemas/BehaviorRule' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.read + - apiToken: [] + - oauth2: + - okta.behaviors.read tags: - - Customization - put: - summary: Replace the Sign-out Page Settings - description: Replaces the sign-out page settings. 
- operationId: replaceSignOutPageSettings + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Behavior Detection Rule + description: Creates a new behavior detection rule + operationId: createBehaviorDetectionRule + x-codegen-request-body-name: rule requestBody: content: application/json: schema: - $ref: '#/components/schemas/HostedPage' + $ref: '#/components/schemas/BehaviorRule' + examples: + BehaviorRuleRequest: + $ref: '#/components/examples/BehaviorRuleRequest' required: true responses: - '200': - description: Successfully replaced the sign-out page settings. + '201': + description: Created content: application/json: schema: - $ref: '#/components/schemas/HostedPage' + $ref: '#/components/schemas/BehaviorRule' + examples: + BehaviorRuleReSponse: + $ref: '#/components/examples/BehaviorRuleResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage - tags: - - Customization - /api/v1/brands/{brandId}/templates/email: - parameters: - - $ref: '#/components/parameters/pathBrandId' - get: - summary: List all Email Templates - description: Lists all email templates. - operationId: listEmailTemplates - parameters: - - $ref: '#/components/parameters/queryAfter' - - $ref: '#/components/parameters/queryLimit' - - $ref: '#/components/parameters/queryExpandEmailTemplate' - responses: - '200': - description: Successfully returned the list of email templates. 
- content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/EmailTemplate' examples: - List email templates response: - $ref: '#/components/examples/ListEmailTemplateResponse' - headers: - Link: - schema: - type: string - description: The pagination header containing links to the current and next page of results. See [Pagination](https://developer.okta.com/docs/reference/core-okta-api/#pagination) for more information. + API Validation Failed: + $ref: '#/components/examples/ErrorApiValidationFailed' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.behaviors.manage tags: - - Customization - /api/v1/brands/{brandId}/templates/email/{templateName}: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/behaviors/{behaviorId}: parameters: - - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathTemplateName' + - $ref: '#/components/parameters/pathBehaviorId' get: - summary: Retrieve an Email Template - description: Gets the details of an email template by name. - operationId: getEmailTemplate - parameters: - - $ref: '#/components/parameters/queryExpandEmailTemplate' + summary: Retrieve a Behavior Detection Rule + description: Retrieves a Behavior Detection Rule by `behaviorId` + operationId: getBehaviorDetectionRule responses: '200': - description: Successfully retrieved the email template. 
+ description: OK content: application/json: schema: - $ref: '#/components/schemas/EmailTemplate' - examples: - Get email template response: - $ref: '#/components/examples/GetEmailTemplateResponse' + $ref: '#/components/schemas/BehaviorRule' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read - tags: - - Customization - /api/v1/brands/{brandId}/templates/email/{templateName}/customizations: - parameters: - - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathTemplateName' - get: - summary: List all Email Customizations - description: Lists all customizations of an email template. - operationId: listEmailCustomizations - parameters: - - $ref: '#/components/parameters/queryAfter' - - $ref: '#/components/parameters/queryLimit' - responses: - '200': - description: Successfully retrieved all email customizations for the specified email template. + description: Not Found content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/EmailCustomization' + $ref: '#/components/schemas/Error' examples: - List Email customizations response: - $ref: '#/components/examples/ListEmailCustomizationResponse' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + Resource Not Found: + $ref: '#/components/examples/ErrorResourceNotFound' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.behaviors.read tags: - - Customization - post: - summary: Create an Email Customization - description: Creates a new email customization. 
- operationId: createEmailCustomization - x-codegen-request-body-name: instance + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Behavior Detection Rule + description: Replaces a Behavior Detection Rule by `behaviorId` + operationId: replaceBehaviorDetectionRule + x-codegen-request-body-name: rule requestBody: content: application/json: schema: - $ref: '#/components/schemas/EmailCustomization' + $ref: '#/components/schemas/BehaviorRule' examples: - Create email customization request: - $ref: '#/components/examples/CreateUpdateEmailCustomizationRequest' + BehaviorRuleRequest: + $ref: '#/components/examples/BehaviorRuleRequest' + required: true responses: - '201': - description: Successfully created the email customization. + '200': + description: Created content: application/json: schema: - $ref: '#/components/schemas/EmailCustomization' + $ref: '#/components/schemas/BehaviorRule' examples: - Create email customization response: - $ref: '#/components/examples/CreateUpdateEmailCustomizationResponse' + BehaviorRuleReSponse: + $ref: '#/components/examples/BehaviorRuleResponse' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '409': - description: Could not create the email customization because it conflicts with an existing email customization. 
+ description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: - Default email customization already exists: - $ref: '#/components/examples/ErrorEmailCustomizationDefaultAlreadyExists' - Email customization already exists for the specified language: - $ref: '#/components/examples/ErrorEmailCustomizationLanguageAlreadyExists' + API Validation Failed: + $ref: '#/components/examples/ErrorApiValidationFailed' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Resource Not Found: + $ref: '#/components/examples/ErrorResourceNotFound' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.behaviors.manage tags: - - Customization + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete all Email Customizations - description: Deletes all customizations for an email template. - operationId: deleteAllCustomizations + summary: Delete a Behavior Detection Rule + description: Deletes a Behavior Detection Rule by `behaviorId` + operationId: deleteBehaviorDetectionRule responses: '204': - description: Successfully deleted all customizations for the email template. 
- content: {} + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Resource Not Found: + $ref: '#/components/examples/ErrorResourceNotFound' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.behaviors.manage tags: - - Customization - /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/behaviors/{behaviorId}/lifecycle/activate: parameters: - - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathTemplateName' - - $ref: '#/components/parameters/pathCustomizationId' - get: - summary: Retrieve an Email Customization - description: Gets an email customization by its unique identifier. - operationId: getEmailCustomization + - $ref: '#/components/parameters/pathBehaviorId' + post: + summary: Activate a Behavior Detection Rule + description: Activates a behavior detection rule + operationId: activateBehaviorDetectionRule responses: '200': - description: Successfully retrieved the email customization. + description: Success content: application/json: schema: - $ref: '#/components/schemas/EmailCustomization' + $ref: '#/components/schemas/BehaviorRule' examples: - Get email customization response: - $ref: '#/components/examples/EmailCustomizationResponse' + BehaviorRuleReSponse: + $ref: '#/components/examples/BehaviorRuleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
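Review bot: The `x-okta-lifecycle` blocks on the authorization-server rule and scope operations in this hunk declare `lifecycle: GA` together with `isGenerallyAvailable: false`, which reads as contradictory; if the intent is "GA but gated behind the `API Access Management` SKU", document that meaning of `isGenerallyAvailable` where the extension is defined, because the Behavior operations in the same hunk use `isGenerallyAvailable: true` with no `SKUs` list and readers will compare the two. Also, `listBehaviorDetectionRules` is described as "Lists all behavior detection rules with pagination support" but declares no `after`/`limit` query parameters and no `Link` response header, unlike `listOAuth2Scopes` above it; either add the parameters or drop the claim. `replaceBehaviorDetectionRule` returns `'200'` with `description: Created`, which should be `OK`/`Success` as the sibling operations use. Smaller consistency points: the example key `BehaviorRuleReSponse` (capital S) is repeated in several operations, the `'404'` responses under `/api/v1/behaviors/{behaviorId}` are spelled out inline while every other operation here references `#/components/responses/ErrorResourceNotFound404`, and `deleteBehaviorDetectionRule`'s `'204'` omits the `content: {}` the other 204s carry. Finally, renaming the security requirements from `API_Token`/`OAuth_2.0` to `apiToken`/`oauth2` only validates if `components.securitySchemes` is renamed in the same change; that section is outside this diff, so please confirm it was updated.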
@@ -4513,110 +6107,146 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.behaviors.manage tags: - - Customization - put: - summary: Replace an Email Customization - description: Updates an existing email customization using the property values provided. - operationId: updateEmailCustomization - x-codegen-request-body-name: instance - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/EmailCustomization' - examples: - Update email customization request: - $ref: '#/components/examples/CreateUpdateEmailCustomizationRequest' - description: Request + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/behaviors/{behaviorId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathBehaviorId' + post: + summary: Deactivate a Behavior Detection Rule + description: Deactivates a behavior detection rule + operationId: deactivateBehaviorDetectionRule responses: '200': - description: Successfully updated the email customization. + description: Success content: application/json: schema: - $ref: '#/components/schemas/EmailCustomization' + $ref: '#/components/schemas/BehaviorRule' examples: - Update email customization response: - $ref: '#/components/examples/CreateUpdateEmailCustomizationResponse' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + BehaviorRuleReSponse: + $ref: '#/components/examples/BehaviorRuleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' - '409': - description: Could not update the email customization because the update would cause a conflict with an existing email customization. 
+ '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.behaviors.manage + tags: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands: + get: + summary: List all Brands + description: Lists all the brands in your org + operationId: listBrands + parameters: + - $ref: '#/components/parameters/queryExpandBrand' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryFilter' + responses: + '200': + description: Successfully returned the list of brands content: application/json: schema: - $ref: '#/components/schemas/Error' + type: array + items: + $ref: '#/components/schemas/BrandWithEmbedded' examples: - Default email customization already exists: - $ref: '#/components/examples/ErrorEmailCustomizationDefaultAlreadyExists' - Email customization already exists for the specified language: - $ref: '#/components/examples/ErrorEmailCustomizationLanguageAlreadyExists' - Cannot set the default email customization's isDefault to false: - $ref: '#/components/examples/ErrorEmailCustomizationCannotClearDefault' + Get brands response: + $ref: '#/components/examples/ListBrandsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - Customization - delete: - summary: Delete an Email Customization - description: Deletes an email customization by its unique identifier. 
- operationId: deleteEmailCustomization + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Brand + description: Creates a new brand in your org + operationId: createBrand + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateBrandRequest' + examples: + Create brand request: + $ref: '#/components/examples/CreateBrandRequest' responses: - '204': - description: Successfully deleted the email customization. - content: {} + '201': + description: Successfully created the brand + content: + application/json: + schema: + $ref: '#/components/schemas/Brand' + examples: + Create brand response: + $ref: '#/components/examples/CreateBrandResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '409': - description: Could not delete the email customization deleted because it is the default email customization. + description: Could not create the new brand because same name already exist. 
content: application/json: schema: $ref: '#/components/schemas/Error' examples: - Cannot delete default email customization: - $ref: '#/components/examples/ErrorEmailCustomizationCannotDeleteDefault' + Cannot create brand with the same name: + $ref: '#/components/examples/ErrorCreateBrandExists' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - Customization - /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}/preview: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}: parameters: - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathTemplateName' - - $ref: '#/components/parameters/pathCustomizationId' get: - summary: Preview an Email Customization - description: Generates a preview of an email customization. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context. - operationId: getCustomizationPreview + summary: Retrieve a Brand + description: Retrieves a brand by `brandId` + operationId: getBrand + parameters: + - $ref: '#/components/parameters/queryExpandBrand' responses: '200': - description: Successfully generated a preview of the email customization. + description: Successfully retrieved the brand content: application/json: schema: - $ref: '#/components/schemas/EmailPreview' + $ref: '#/components/schemas/BrandWithEmbedded' examples: - Preview email customization response: - $ref: '#/components/examples/PreviewEmailCustomizationResponse' + Get brand response: + $ref: '#/components/examples/GetBrandResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
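Review bot: `createBrand`'s `requestBody` is missing `required: true`, unlike `createOAuth2Scope` and `createBehaviorDetectionRule` elsewhere in this change, so generated clients will treat the brand body as optional. Its `'409'` description "Could not create the new brand because same name already exist." should read "Could not create the brand because a brand with the same name already exists", matching the example key `Cannot create brand with the same name`. In the same hunk, `deactivateBehaviorDetectionRule` references `#/components/responses/ErrorResourceNotFound404` for its 404 while the other Behavior operations inline the same response; pick one form for the whole tag.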
@@ -4624,31 +6254,108 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - Customization - /api/v1/brands/{brandId}/templates/email/{templateName}/default-content: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Brand + description: |+ + Replaces a brand by `brandId` + + Passing an invalid `brandId` returns a `404 Not Found` status code with the error code `E0000007`. + + Not providing `agreeToCustomPrivacyPolicy` with `customPrivacyPolicyUrl` returns a `400 Bad Request` status code with the error code `E0000001`. + + operationId: replaceBrand + x-codegen-request-body-name: brand + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BrandRequest' + examples: + Update brand request: + $ref: '#/components/examples/UpdateBrandRequest' + required: true + responses: + '200': + description: Successfully replaced the brand + content: + application/json: + schema: + $ref: '#/components/schemas/Brand' + examples: + Update brand response: + $ref: '#/components/examples/UpdateBrandResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a brand + description: Deletes a brand by `brandId` + operationId: deleteBrand + responses: + '204': + description: Successfully deleted the brand. 
+ '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Cannot delete default brand: + $ref: '#/components/examples/ErrorDeleteDefaultBrand' + Cannot delete brand associated with a domain: + $ref: '#/components/examples/ErrorDeleteBrandAssociatedWithDomain' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/domains: parameters: - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathTemplateName' get: - summary: Retrieve an Email Template Default Content - description: Gets an email template's default content. - operationId: getEmailDefaultContent - parameters: - - $ref: '#/components/parameters/queryLanguage' + summary: List all Domains associated with a Brand + description: Lists all domains associated with a brand by `brandId` + operationId: listBrandDomains responses: '200': - description: Successfully retrieved the email template's default content. + description: Successfully returned the list of domains for the brand content: application/json: schema: - $ref: '#/components/schemas/EmailDefaultContent' - examples: - Get email template default content response: - $ref: '#/components/examples/EmailTemplateDefaultContentResponse' + $ref: '#/components/schemas/BrandDomains' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
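Review bot: The `replaceBrand` description uses the `|+` (keep) block scalar, so the blank line before `operationId` becomes trailing newlines in the rendered description; `|-` or plain `|` is what the rest of the file uses. Also in this hunk, `deleteBrand` has `summary: Delete a brand` while the sibling summaries capitalize the resource (`Retrieve a Brand`, `Replace a Brand`), and its `'204'` description ends with a period and omits `content: {}`, unlike the other 204s. The read/manage scope pairing (`okta.brands.read` on GET, `okta.brands.manage` on PUT/DELETE) is consistent across the new brand operations, and the delete `'409'` enumerating both conflict causes with example refs is the right level of detail.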
@@ -4656,31 +6363,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - Customization - /api/v1/brands/{brandId}/templates/email/{templateName}/default-content/preview: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/error: parameters: - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathTemplateName' + - $ref: '#/components/parameters/queryExpandPageRoot' get: - summary: Preview the Email Template Default Content - description: Generates a preview of an email template's default content. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context. - operationId: getEmailDefaultPreview - parameters: - - $ref: '#/components/parameters/queryLanguage' + summary: Retrieve the Error Page Sub-Resources + description: Retrieves the error page sub-resources. The `expand` query parameter specifies which sub-resources to include in the response. + operationId: getErrorPage responses: '200': - description: Successfully generated a preview of the email template's default content. + description: Successfully retrieved the error page. content: application/json: schema: - $ref: '#/components/schemas/EmailPreview' - examples: - Preview email template default content response: - $ref: '#/components/examples/PreviewEmailTemplateDefaultContentResponse' + $ref: '#/components/schemas/PageRoot' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
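Review bot: `queryExpandPageRoot` is declared in the path-level `parameters` of `/api/v1/brands/{brandId}/pages/error`, so any operation later added under that path inherits an `expand` query parameter; if only `getErrorPage` honours it, move the reference under the `get` operation's own `parameters` alongside the description that explains it.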
@@ -4688,29 +6393,33 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - Customization - /api/v1/brands/{brandId}/templates/email/{templateName}/settings: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/error/customized: parameters: - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathTemplateName' get: - summary: Retrieve the Email Template Settings - description: Gets an email template's settings. - operationId: getEmailSettings + summary: Retrieve the Customized Error Page + description: Retrieves the customized error page. The customized error page appears in your live environment. + operationId: getCustomizedErrorPage responses: '200': - description: Successfully retrieved the email template's settings. + description: Successfully retrieved the customized error page. + headers: + Location: + schema: + type: string + format: uri content: application/json: schema: - $ref: '#/components/schemas/EmailSettings' - examples: - Get email template settings response: - $ref: '#/components/examples/EmailSettingsResponse' + $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
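Review bot: `getCustomizedErrorPage` declares a `Location` response header on its `'200'` with no `description`; a `Location` header on a successful GET is unusual, so document what URI it carries, or drop it if it is only meaningful on the PUT.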
@@ -4718,63 +6427,60 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace the Email Template Settings - description: Updates an email template's settings. - operationId: updateEmailSettings + summary: Replace the Customized Error Page + description: Replaces the customized error page. The customized error page appears in your live environment. + operationId: replaceCustomizedErrorPage requestBody: content: application/json: schema: - $ref: '#/components/schemas/EmailSettings' + $ref: '#/components/schemas/ErrorPage' + required: true responses: - '204': - description: Successfully updated the email template's settings. - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '422': - description: Could not update the email template's settings due to an invalid setting value. + '200': + description: Successfully replaced the customized error page. 
+ headers: + Location: + schema: + type: string + format: uri content: application/json: schema: - $ref: '#/components/schemas/Error' - examples: - Invalid email template recipients: - $ref: '#/components/examples/ErrorInvalidEmailTemplateRecipients' + $ref: '#/components/schemas/ErrorPage' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - Customization - /api/v1/brands/{brandId}/templates/email/{templateName}/test: - parameters: - - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathTemplateName' - post: - summary: Send a Test Email - description: |- - Sends a test email to the current user’s primary and secondary email addresses. The email content is selected based on the following priority: - 1. The email customization for the language specified in the `language` query parameter. - 2. The email template's default customization. - 3. The email template’s default content, translated to the current user's language. - operationId: sendTestEmail - parameters: - - $ref: '#/components/parameters/queryLanguage' + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete the Customized Error Page + description: Deletes the customized error page. As a result, the default error page appears in your live environment. + operationId: deleteCustomizedErrorPage responses: '204': - description: Successfully sent a test email. + description: Successfully deleted the customized error page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' 
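Review bot: this hunk removes the `/templates/email/{templateName}/settings` operations (`getEmailSettings`, `updateEmailSettings`) and `/templates/email/{templateName}/test` (`sendTestEmail`), together with their `422` response and the `ErrorInvalidEmailTemplateRecipients` example, and none of the visible hunks re-add them; if they are meant to survive the reorganisation, confirm they are re-added further down the diff, otherwise this is a silent removal of public operations that needs a changelog entry.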
@@ -4783,31 +6489,28 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - Customization - /api/v1/brands/{brandId}/themes: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/error/default: parameters: - - in: path - name: brandId - required: true - schema: - type: string + - $ref: '#/components/parameters/pathBrandId' get: - summary: List all Themes - description: List all the themes in your brand - operationId: listBrandThemes + summary: Retrieve the Default Error Page + description: Retrieves the default error page. The default error page appears when no customized error page exists. + operationId: getDefaultErrorPage responses: '200': - description: OK + description: Successfully retrieved the default error page. content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/ThemeResponse' + $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -4815,34 +6518,33 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.brands.read tags: - - Customization - /api/v1/brands/{brandId}/themes/{themeId}: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/error/preview: parameters: - - in: path - name: brandId - required: true - schema: - type: string - - in: path - name: themeId - required: true - schema: - type: string + - $ref: '#/components/parameters/pathBrandId' get: - summary: Retrieve a Theme - description: Fetches a theme for a brand - operationId: getBrandTheme + summary: Retrieve the Preview Error Page Preview + description: Retrieves the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. + operationId: getPreviewErrorPage responses: '200': - description: OK + description: Successfully retrieved the preview error page. + headers: + Location: + schema: + type: string + format: uri content: application/json: schema: - $ref: '#/components/schemas/ThemeResponse' + $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
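Review bot: the summary `Retrieve the Preview Error Page Preview` repeats "Preview"; `Retrieve the Preview Error Page` matches the sibling summaries `Replace the Preview Error Page` and `Delete the Preview Error Page` in the next hunk.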
@@ -4850,389 +6552,373 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a Theme - description: Updates a theme for a brand - operationId: updateBrandTheme - x-codegen-request-body-name: theme + summary: Replace the Preview Error Page + description: Replaces the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. + operationId: replacePreviewErrorPage requestBody: content: application/json: schema: - $ref: '#/components/schemas/Theme' + $ref: '#/components/schemas/ErrorPage' required: true responses: '200': - description: OK - content: - application/json: + description: Successfully replaced the preview error page. + headers: + Location: schema: - $ref: '#/components/schemas/ThemeResponse' - '400': - description: Bad Request + type: string + format: uri content: application/json: schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/ErrorPage' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.brands.manage tags: - - Customization - /api/v1/brands/{brandId}/themes/{themeId}/background-image: - parameters: - - in: path - name: brandId - required: true - schema: - type: string - - in: path - name: themeId - required: true - schema: - type: string - post: - summary: Upload the Background Image - description: Updates the 
background image for your Theme - operationId: uploadBrandThemeBackgroundImage - requestBody: - content: - multipart/form-data: - schema: - type: object - description: The file must be in PNG, JPG, or GIF format and less than 2 MB in size. - properties: - file: - type: string - format: binary - required: - - file - description: background image file + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete the Preview Error Page + description: Deletes the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. + operationId: deletePreviewErrorPage responses: - '201': - description: Created - content: - application/json: - schema: - $ref: '#/components/schemas/ImageUploadResponse' - '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + '204': + description: Successfully deleted the preview error page. + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.brands.manage tags: - - Customization - delete: - summary: Delete the Background Image - description: Deletes a Theme background image. - operationId: deleteBrandThemeBackgroundImage + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/sign-in: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/queryExpandPageRoot' + get: + summary: Retrieve the Sign-in Page Sub-Resources + description: Retrieves the sign-in page sub-resources. 
The `expand` query parameter specifies which sub-resources to include in the response. + operationId: getSignInPage responses: - '204': - description: No Content - content: {} + '200': + description: Successfully retrieved the sign-in page. + content: + application/json: + schema: + $ref: '#/components/schemas/PageRoot' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/sign-in/customized: + parameters: + - $ref: '#/components/parameters/pathBrandId' + get: + summary: Retrieve the Customized Sign-in Page + description: Retrieves the customized sign-in page. The customized sign-in page appears in your live environment. + operationId: getCustomizedSignInPage + responses: + '200': + description: Successfully retrieved the customized sign-in page. 
+ headers: + Location: + schema: + type: string + format: uri content: application/json: schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/SignInPage' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - Customization - /api/v1/brands/{brandId}/themes/{themeId}/favicon: - parameters: - - in: path - name: brandId - required: true - schema: - type: string - - in: path - name: themeId - required: true - schema: - type: string - post: - summary: Upload the Favicon - description: Updates the favicon for your theme - operationId: uploadBrandThemeFavicon + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Customized Sign-in Page + description: Replaces the customized sign-in page. The customized sign-in page appears in your live environment. + operationId: replaceCustomizedSignInPage requestBody: content: - multipart/form-data: + application/json: schema: - type: object - description: The file must be in PNG, or ico format and less than ?? in size and 128 x 128 dimensions - properties: - file: - type: string - format: binary - required: - - file - description: favicon file + $ref: '#/components/schemas/SignInPage' + required: true responses: - '201': - description: Created - content: - application/json: + '200': + description: Successfully replaced the customized sign-in page. 
+ headers: + Location: schema: - $ref: '#/components/schemas/ImageUploadResponse' - '400': - description: Bad Request + type: string + format: uri content: application/json: schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/SignInPage' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete the Favicon - description: Deletes a Theme favicon. The theme will use the default Okta favicon. - operationId: deleteBrandThemeFavicon + summary: Delete the Customized Sign-in Page + description: Deletes the customized sign-in page. As a result, the default sign-in page appears in your live environment. + operationId: deleteCustomizedSignInPage responses: '204': - description: No Content + description: Successfully deleted the sign-in page. 
content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.brands.manage tags: - - Customization - /api/v1/brands/{brandId}/themes/{themeId}/logo: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/sign-in/default: parameters: - - in: path - name: brandId - required: true - schema: - type: string - - in: path - name: themeId - required: true - schema: - type: string - post: - summary: Upload the Logo - description: Updates the logo for your Theme - operationId: uploadBrandThemeLogo - requestBody: - content: - multipart/form-data: - schema: - description: The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. - type: object - properties: - file: - type: string - format: binary - required: - - file - description: logo file + - $ref: '#/components/parameters/pathBrandId' + get: + summary: Retrieve the Default Sign-in Page + description: Retrieves the default sign-in page. The default sign-in page appears when no customized sign-in page exists. + operationId: getDefaultSignInPage responses: '200': - description: Success + description: Successfully retrieved the default sign-in page. 
content: application/json: schema: - $ref: '#/components/schemas/ImageUploadResponse' - '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/SignInPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage - tags: - - Customization - delete: - summary: Delete the Logo - description: Deletes a Theme logo. The theme will use the default Okta logo. - operationId: deleteBrandThemeLogo - responses: - '204': - description: No Content - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.brands.manage + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - Customization - /api/v1/captchas: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/sign-in/preview: + parameters: + - $ref: '#/components/parameters/pathBrandId' get: - summary: List all CAPTCHA instances - description: Enumerates CAPTCHA instances in your organization with pagination. A subset of CAPTCHA instances can be returned that match a supported filter expression or query. - operationId: listCaptchaInstances + summary: Retrieve the Preview Sign-in Page Preview + description: Retrieves the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. 
+ operationId: getPreviewSignInPage responses: '200': - description: OK + description: Successfully retrieved the preview sign-in page. + headers: + Location: + schema: + type: string + format: uri content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/CAPTCHAInstance' + $ref: '#/components/schemas/SignInPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.captchas.read + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - CAPTCHA - post: - summary: Create a CAPTCHA instance - description: Adds a new CAPTCHA instance to your organization. In the current release, we only allow one CAPTCHA instance per org. - operationId: createCaptchaInstance - x-codegen-request-body-name: instance + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Preview Sign-in Page + description: Replaces the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. + operationId: replacePreviewSignInPage requestBody: content: application/json: schema: - $ref: '#/components/schemas/CAPTCHAInstance' - examples: - HCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' - ReCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' + $ref: '#/components/schemas/SignInPage' required: true responses: - '201': - description: Created + '200': + description: Successfully replaced the preview sign-in page. 
+ headers: + Location: + schema: + type: string + format: uri content: application/json: schema: - $ref: '#/components/schemas/CAPTCHAInstance' - examples: - HCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' - ReCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' + $ref: '#/components/schemas/SignInPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - description: Forbidden + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete the Preview Sign-in Page + description: Deletes the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. + operationId: deletePreviewSignInPage + responses: + '204': + description: Successfully deleted the preview sign-in page. + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/sign-in/widget-versions: + parameters: + - $ref: '#/components/parameters/pathBrandId' + get: + summary: List all Sign-in Widget Versions + description: Lists all sign-in widget versions supported by the current org + operationId: listAllSignInWidgetVersions + responses: + '200': + description: Successfully listed the sign-in widget versions. 
content: application/json: schema: - $ref: '#/components/schemas/Error' - examples: - Access Denied: - $ref: '#/components/examples/ErrorAccessDenied' - Error Limit of One CAPTCHA instance per org: - $ref: '#/components/examples/ErrorCAPTCHALimitOfOne' + type: array + items: + type: string + pattern: ^\d+\.\d+$ + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.captchas.manage + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - CAPTCHA - /api/v1/captchas/{captchaId}: + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/pages/sign-out/customized: parameters: - - $ref: '#/components/parameters/pathCaptchaId' + - $ref: '#/components/parameters/pathBrandId' get: - summary: Retrieve a CAPTCHA Instance - description: Fetches a CAPTCHA instance by `captchaId`. - operationId: getCaptchaInstance + summary: Retrieve the Sign-out Page Settings + description: Retrieves the sign-out page settings + operationId: getSignOutPageSettings responses: '200': - description: OK + description: Successfully retrieved the sign-out page settings. content: application/json: schema: - $ref: '#/components/schemas/CAPTCHAInstance' - examples: - HCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' - ReCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' + $ref: '#/components/schemas/HostedPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
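Review bot: `summary: Retrieve the Preview Sign-in Page Preview` has the same doubled word as the error-page variant; use `Retrieve the Preview Sign-in Page`. In the same hunk, the 204 description for `deleteCustomizedSignInPage` reads `Successfully deleted the sign-in page.` while every other delete here names the specific page (`Successfully deleted the customized error page.`); `Successfully deleted the customized sign-in page.` keeps the pattern. `Lists all sign-in widget versions supported by the current org` and `Retrieves the sign-out page settings` also lack the terminal period used by the surrounding descriptions.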
@@ -5240,39 +6926,31 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.captchas.read + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - CAPTCHA - post: - summary: Update a CAPTCHA instance - description: Partially update a CAPTCHA instance by `captchaId`. - operationId: partialUpdateCaptchaInstance - x-codegen-request-body-name: instance + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Sign-out Page Settings + description: Replaces the sign-out page settings + operationId: replaceSignOutPageSettings requestBody: content: application/json: schema: - $ref: '#/components/schemas/CAPTCHAInstance' - examples: - HCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' - ReCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' + $ref: '#/components/schemas/HostedPage' required: true responses: '200': - description: OK + description: Successfully replaced the sign-out page settings. content: application/json: schema: - $ref: '#/components/schemas/CAPTCHAInstance' - examples: - HCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' - ReCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' + $ref: '#/components/schemas/HostedPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
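Review bot: `description: Replaces the sign-out page settings` is missing the terminal period that the other descriptions in these hunks use. The scope split is otherwise consistent with the rest of the CustomPages operations: `okta.brands.read` on the GET and `okta.brands.manage` on the PUT.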
@@ -5282,41 +6960,42 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.captchas.manage + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - CAPTCHA - put: - summary: Replace a CAPTCHA instance - description: Update a CAPTCHA instance by `captchaId`. - operationId: updateCaptchaInstance - x-codegen-request-body-name: instance - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CAPTCHAInstance' - examples: - HCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' - ReCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' - required: true + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email: + parameters: + - $ref: '#/components/parameters/pathBrandId' + get: + summary: List all Email Templates + description: Lists all supported email templates + operationId: listEmailTemplates + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryExpandEmailTemplate' responses: '200': - description: OK + description: Successfully returned the list of email templates. content: application/json: schema: - $ref: '#/components/schemas/CAPTCHAInstance' + type: array + items: + $ref: '#/components/schemas/EmailTemplateResponse' examples: - HCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' - ReCaptcha: - $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + List email templates response: + $ref: '#/components/examples/ListEmailTemplateResponse' + headers: + Link: + schema: + type: string + description: The pagination header containing links to the current and next page of results. See [Pagination](/#pagination) for more information. 
'403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
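Review bot: `description: Lists all supported email templates` lacks a terminal period, and the `Link` header description links to the root-relative anchor `/#pagination`, which only resolves when the rendered documentation is served at the site root; confirm the renderer rewrites it, or use an absolute URL.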
@@ -5324,123 +7003,192 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.captchas.manage + - apiToken: [] + - oauth2: + - okta.templates.read tags: - - CAPTCHA - delete: - summary: Delete a CAPTCHA Instance - description: Delete a CAPTCHA instance by `captchaId`. If the CAPTCHA instance is currently being used in the org, the delete will not be allowed. - operationId: deleteCaptchaInstance + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email/{templateName}: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' + get: + summary: Retrieve an Email Template + description: Retrieves the details of an email template by name + operationId: getEmailTemplate + parameters: + - $ref: '#/components/parameters/queryExpandEmailTemplate' responses: - '204': - description: No Content - '403': - description: Forbidden - headers: {} + '200': + description: Successfully retrieved the email template. 
content: application/json: schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/EmailTemplateResponse' examples: - Access Denied: - $ref: '#/components/examples/ErrorAccessDenied' - Cannot remove CAPTCHA in use: - $ref: '#/components/examples/ErrorCAPTCHAOrgWideSetting' + Get email template response: + $ref: '#/components/examples/GetEmailTemplateResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.captchas.manage + - apiToken: [] + - oauth2: + - okta.templates.read tags: - - CAPTCHA - /api/v1/device-assurances: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email/{templateName}/customizations: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' get: - summary: List all Device Assurance Policies - description: Enumerates Device Assurance Policies in your organization. - operationId: listDeviceAssurancePolicies + summary: List all Email Customizations + description: | + Lists all customizations of an email template + + If Custom languages for Okta Email Templates is enabled, all existing customizations are retrieved, including customizations for additional languages. If disabled, only customizations for Okta-supported languages are returned. + operationId: listEmailCustomizations + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': - description: OK + description: Successfully retrieved all email customizations for the specified email template. 
content: application/json: schema: type: array items: - $ref: '#/components/schemas/DeviceAssurance' + $ref: '#/components/schemas/EmailCustomization' + examples: + List Email customizations response: + $ref: '#/components/examples/ListEmailCustomizationResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '429': + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.deviceAssurance.read + - apiToken: [] + - oauth2: + - okta.templates.read tags: - - DeviceAssurance + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Device Assurance Policy - description: Adds a new Device Assurance Policy. - operationId: createDeviceAssurancePolicy - x-codegen-request-body-name: deviceAssurance + summary: Create an Email Customization + description: | + Creates a new Email Customization + + If Custom languages for Okta Email Templates is enabled, you can create a customization for any BCP47 language in addition to the Okta-supported languages. + operationId: createEmailCustomization + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + $ref: '#/components/schemas/EmailCustomization' examples: - ANDROID: - $ref: '#/components/examples/DeviceAssuranceAndroidRequest' - MACOS: - $ref: '#/components/examples/DeviceAssuranceMacOSRequest' - WINDOWS: - $ref: '#/components/examples/DeviceAssuranceWindowsRequest' - IOS: - $ref: '#/components/examples/DeviceAssuranceIosRequest' - required: true + Create email customization request: + $ref: '#/components/examples/CreateUpdateEmailCustomizationRequest' responses: - '200': - description: OK + '201': + description: Successfully created the email customization. 
content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + $ref: '#/components/schemas/EmailCustomization' examples: - DeviceAssuranceResponse: - $ref: '#/components/examples/DeviceAssuranceResponse' + Create email customization response: + $ref: '#/components/examples/CreateUpdateEmailCustomizationResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Could not create the email customization because it conflicts with an existing email customization. + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Default email customization already exists: + $ref: '#/components/examples/ErrorEmailCustomizationDefaultAlreadyExists' + Email customization already exists for the specified language: + $ref: '#/components/examples/ErrorEmailCustomizationLanguageAlreadyExists' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete all Email Customizations + description: | + Deletes all customizations for an email template + + If Custom languages for Okta Email Templates is enabled, all customizations are deleted, including customizations for additional languages. If disabled, only customizations in Okta-supported languages are deleted. + operationId: deleteAllCustomizations + responses: + '204': + description: Successfully deleted all customizations for the email template. 
+ content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.deviceAssurance.manage + - apiToken: [] + - oauth2: + - okta.templates.manage tags: - - DeviceAssurance - /api/v1/device-assurances/{deviceAssuranceId}: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' + - $ref: '#/components/parameters/pathCustomizationId' get: - summary: Retrieve a Device Assurance Policy - description: Fetches a Device Assurance Policy by `deviceAssuranceId`. - operationId: getDeviceAssurancePolicy - parameters: - - $ref: '#/components/parameters/pathDeviceAssuranceId' + summary: Retrieve an Email Customization + description: | + Retrieves an email customization by its unique identifier + + If Custom languages for Okta Email Templates is disabled, requests to retrieve an additional language customization by ID result in a `404 Not Found` error response. + operationId: getEmailCustomization responses: '200': - description: OK + description: Successfully retrieved the email customization. content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + $ref: '#/components/schemas/EmailCustomization' examples: - DeviceAssuranceResponse: - $ref: '#/components/examples/DeviceAssuranceResponse' + Get email customization response: + $ref: '#/components/examples/EmailCustomizationResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
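Review bot: `operationId: deleteAllCustomizations` breaks the naming used by its siblings (`listEmailCustomizations`, `createEmailCustomization`, `getEmailCustomization`); `deleteAllEmailCustomizations` would keep generated SDK method names consistent. In the same hunk, the `requestBody` of `createEmailCustomization` lacks `required: true`, which the PUT operations in this diff (e.g. `replaceCustomizedErrorPage`) set, and `x-codegen-request-body-name: instance` is carried over from the removed CAPTCHA operations; `customization` names the body for what it is.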
@@ -5448,150 +7196,208 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.deviceAssurance.read + - apiToken: [] + - oauth2: + - okta.templates.read tags: - - DeviceAssurance + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a Device Assurance Policy - description: Updates a Device Assurance Policy by `deviceAssuranceId`. - operationId: updateDeviceAssurancePolicy - parameters: - - $ref: '#/components/parameters/pathDeviceAssuranceId' - x-codegen-request-body-name: deviceAssurance + summary: Replace an Email Customization + description: | + Replaces an email customization using property values + + If Custom languages for Okta Email Templates is disabled, requests to update a customization for an additional language return a `404 Not Found` error response. + operationId: replaceEmailCustomization + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + $ref: '#/components/schemas/EmailCustomization' examples: - DeviceAssuranceResponse: - $ref: '#/components/examples/DeviceAssuranceResponse' - required: true + Update email customization request: + $ref: '#/components/examples/CreateUpdateEmailCustomizationRequest' + description: Request responses: '200': - description: OK + description: Successfully updated the email customization. 
content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + $ref: '#/components/schemas/EmailCustomization' examples: - DeviceAssuranceResponse: - $ref: '#/components/examples/DeviceAssuranceResponse' + Update email customization response: + $ref: '#/components/examples/CreateUpdateEmailCustomizationResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Could not update the email customization because the update would cause a conflict with an existing email customization. + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Default email customization already exists: + $ref: '#/components/examples/ErrorEmailCustomizationDefaultAlreadyExists' + Email customization already exists for the specified language: + $ref: '#/components/examples/ErrorEmailCustomizationLanguageAlreadyExists' + Cannot set the default email customization's isDefault to false: + $ref: '#/components/examples/ErrorEmailCustomizationCannotClearDefault' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.deviceAssurance.manage + - apiToken: [] + - oauth2: + - okta.templates.manage tags: - - DeviceAssurance + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Device Assurance Policy - description: Delete a Device Assurance Policy by `deviceAssuranceId`. If the Device Assurance Policy is currently being used in the org Authentication Policies, the delete will not be allowed. 
- operationId: deleteDeviceAssurancePolicy - parameters: - - $ref: '#/components/parameters/pathDeviceAssuranceId' + summary: Delete an Email Customization + description: | + Deletes an Email Customization by its unique identifier + + If Custom languages for Okta Email Templates is disabled, deletion of an existing additional language customization by ID doesn't register. + operationId: deleteEmailCustomization responses: '204': - description: No Content + description: Successfully deleted the email customization. + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': - description: Conflict - headers: {} + description: Could not delete the email customization deleted because it is the default email customization. content: application/json: schema: $ref: '#/components/schemas/Error' examples: - Cannot delete device assurance policy in use by authentication policies: - $ref: '#/components/examples/ErrorDeviceAssuranceInUse' + Cannot delete default email customization: + $ref: '#/components/examples/ErrorEmailCustomizationCannotDeleteDefault' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.deviceAssurance.manage + - apiToken: [] + - oauth2: + - okta.templates.manage tags: - - DeviceAssurance - /api/v1/domains: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}/preview: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' + - $ref: '#/components/parameters/pathCustomizationId' get: - summary: List all Domains - description: List all verified custom Domains for the org. - operationId: listDomains + summary: Retrieve a Preview of an Email Customization + description: | + Retrieves a Preview of an Email Customization. 
All variable references are populated from the current user's context. For example, `${user.profile.firstName}`. + + If Custom languages for Okta Email Templates is disabled, requests for the preview of an additional language customization by ID return a `404 Not Found` error response. + operationId: getCustomizationPreview responses: '200': - description: Success + description: Successfully generated a preview of the email customization. content: application/json: schema: - $ref: '#/components/schemas/DomainListResponse' + $ref: '#/components/schemas/EmailPreview' + examples: + Preview email customization response: + $ref: '#/components/examples/PreviewEmailCustomizationResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.domains.read + - apiToken: [] + - oauth2: + - okta.templates.read tags: - - Domain - post: - summary: Create a Domain - description: Creates your domain. 
- operationId: createDomain - x-codegen-request-body-name: domain - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Domain' - required: true + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email/{templateName}/default-content: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' + get: + summary: Retrieve an Email Template Default Content + description: | + Retrieves an email template's default content + + Defaults to the current user's language given the following: + - Custom languages for Okta Email Templates is enabled + - An additional language is specified for the `language` parameter + operationId: getEmailDefaultContent + parameters: + - $ref: '#/components/parameters/queryLanguage' responses: '200': - description: Success + description: Successfully retrieved the email template's default content. content: application/json: schema: - $ref: '#/components/schemas/DomainResponse' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/EmailDefaultContent' + examples: + Get email template default content response: + $ref: '#/components/examples/EmailTemplateDefaultContentResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.domains.manage + - apiToken: [] + - oauth2: + - okta.templates.read tags: - - Domain - /api/v1/domains/{domainId}: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email/{templateName}/default-content/preview: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' get: - summary: Retrieve a Domain - 
description: Fetches a Domain by `id`. - operationId: getDomain + summary: Retrieve a Preview of the Email Template default content + description: | + Retrieves a preview of an Email Template's default content. All variable references are populated using the current user's context. For example, `${user.profile.firstName}`. + + Defaults to the current user's language given the following: + - Custom languages for Okta Email Templates is enabled + - An additional language is specified for the `language` parameter + operationId: getEmailDefaultPreview parameters: - - name: domainId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/queryLanguage' responses: '200': - description: Success + description: Successfully generated a preview of the email template's default content. content: application/json: schema: - $ref: '#/components/schemas/DomainResponse' + $ref: '#/components/schemas/EmailPreview' + examples: + Preview email template default content response: + $ref: '#/components/examples/PreviewEmailTemplateDefaultContentResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -5599,25 +7405,32 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.domains.read + - apiToken: [] + - oauth2: + - okta.templates.read tags: - - Domain - delete: - summary: Delete a Domain - description: Deletes a Domain by `id`. - operationId: deleteDomain - parameters: - - name: domainId - in: path - required: true - schema: - type: string + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email/{templateName}/settings: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' + get: + summary: Retrieve the Email Template Settings + description: Retrieves an email template's settings + operationId: getEmailSettings responses: - '204': - description: No Content - content: {} + '200': + description: Successfully retrieved the email template's settings. + content: + application/json: + schema: + $ref: '#/components/schemas/EmailSettingsResponse' + examples: + Get email template settings response: + $ref: '#/components/examples/EmailSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -5625,65 +7438,115 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.domains.manage + - apiToken: [] + - oauth2: + - okta.templates.read tags: - - Domain - /api/v1/domains/{domainId}/certificate: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace the Certificate - description: Creates the Certificate for the Domain. - operationId: createCertificate - parameters: - - name: domainId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: certificate + summary: Replace the Email Template Settings + description: Replaces an email template's settings + operationId: replaceEmailSettings requestBody: content: application/json: schema: - $ref: '#/components/schemas/DomainCertificate' - required: true + $ref: '#/components/schemas/EmailSettings' responses: - '204': - description: No Content - content: {} + '200': + description: Successfully updated the email template's settings. + content: + application/json: + schema: + $ref: '#/components/schemas/EmailSettings' + examples: + Update email template settings: + $ref: '#/components/examples/EmailSettingsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' + '422': + description: Could not update the email template's settings due to an invalid setting value. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Invalid email template recipients: + $ref: '#/components/examples/ErrorInvalidEmailTemplateRecipients' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.domains.manage + - apiToken: [] + - oauth2: + - okta.templates.manage tags: - - Domain - /api/v1/domains/{domainId}/verify: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/templates/email/{templateName}/test: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' post: - summary: Verify a Domain - description: Verifies the Domain by `id`. - operationId: verifyDomain + summary: Send a Test Email + description: |- + Sends a test email to the current user’s primary and secondary email addresses. The email content is selected based on the following priority: + 1. The email customization for the language specified in the `language` query parameter. + If Custom languages for Okta Email Templates is enabled and the `language` parameter is an additional language, the test email uses the customization corresponding to the language. + 2. The email template's default customization. + 3. The email template’s default content, translated to the current user's language. + operationId: sendTestEmail parameters: - - name: domainId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/queryLanguage' + responses: + '204': + description: Successfully sent a test email. 
+ content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.read + tags: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/themes: + parameters: + - $ref: '#/components/parameters/pathBrandId' + get: + summary: List all Themes + description: |- + Lists all the themes in your brand. + + > **Important:** Currently each org supports only one Theme, therefore this contains a single object only. + operationId: listBrandThemes responses: '200': - description: Success + description: Successfully returned the list of themes content: application/json: schema: - $ref: '#/components/schemas/DomainResponse' + type: array + items: + $ref: '#/components/schemas/ThemeResponse' + examples: + Get themes response: + $ref: '#/components/examples/ListThemesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -5691,77 +7554,118 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.domains.manage + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - Domain - /api/v1/email-domains: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/themes/{themeId}: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathThemeId' get: - summary: List all email domains - description: List all the email domains in your org. - operationId: listEmailDomains + summary: Retrieve a Theme + description: Retrieves a theme for a brand + operationId: getBrandTheme responses: '200': - description: OK + description: Successfully retrieved the theme content: application/json: schema: - $ref: '#/components/schemas/EmailDomainListResponse' + $ref: '#/components/schemas/ThemeResponse' + examples: + Get theme response: + $ref: '#/components/examples/GetThemeResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.email-domains.read + - apiToken: [] + - oauth2: + - okta.brands.read tags: - - EmailDomain - post: - summary: Create an Email Domain - description: Creates a custom email domain. 
- operationId: createEmailDomain - x-codegen-request-body-name: emailDomain + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Theme + description: Replaces a theme for a brand + operationId: replaceBrandTheme + x-codegen-request-body-name: theme requestBody: content: application/json: schema: - $ref: '#/components/schemas/EmailDomain' + $ref: '#/components/schemas/UpdateThemeRequest' + examples: + Update theme request: + $ref: '#/components/examples/UpdateThemeRequest' required: true responses: '200': - description: Success + description: Successfully replaced the theme content: application/json: schema: - $ref: '#/components/schemas/EmailDomainResponse' + $ref: '#/components/schemas/ThemeResponse' + examples: + Update theme response: + $ref: '#/components/examples/UpdateThemeResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.email-domains.manage + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - EmailDomain - /api/v1/email-domains/{emailDomainId}: - get: - summary: Retrieve a Email Domain - description: Fetches an Email Domain by `emailDomainId`. - operationId: getEmailDomain - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/themes/{themeId}/background-image: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathThemeId' + post: + summary: Upload the Background Image + description: Uploads and replaces the background image for the theme. The file must be in PNG, JPG, or GIF format and less than 2 MB in size. 
+ operationId: uploadBrandThemeBackgroundImage + requestBody: + content: + multipart/form-data: + schema: + type: object + description: The file must be in PNG, JPG, or GIF format and less than 2 MB in size. + properties: + file: + type: string + format: binary + required: + - file + description: background image file responses: - '200': - description: Success + '201': + description: Content Created content: application/json: schema: - $ref: '#/components/schemas/EmailDomainResponse' + $ref: '#/components/schemas/ImageUploadResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -5769,31 +7673,65 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.email-domains.read + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - EmailDomain - put: - summary: Update an Email Domain - description: Updates an email domain by `emailDomainId` - operationId: updateEmailDomain - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' - x-codegen-request-body-name: updateEmailDomain + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete the Background Image + description: Deletes a Theme background image + operationId: deleteBrandThemeBackgroundImage + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/themes/{themeId}/favicon: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathThemeId' + post: + summary: Upload the Favicon + description: Uploads and replaces the favicon for the theme + operationId: uploadBrandThemeFavicon requestBody: content: - application/json: + multipart/form-data: schema: - $ref: '#/components/schemas/UpdateEmailDomain' - required: true + type: object + description: The file must be in PNG or ICO format and have a 1:1 ratio with a maximum dimension of 512 x 512 + properties: + file: + type: string + format: binary + required: + - file + description: favicon file responses: - '200': - description: OK + '201': + description: Created content: application/json: schema: - $ref: '#/components/schemas/EmailDomainResponse' + $ref: '#/components/schemas/ImageUploadResponse' '400': 
$ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -5803,17 +7741,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.email-domains.manage + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - EmailDomain + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete an Email Domain - description: Deletes an Email Domain by `emailDomainId`. - operationId: deleteEmailDomain - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' + summary: Delete the Favicon + description: Deletes a Theme favicon. The theme will use the default Okta favicon. + operationId: deleteBrandThemeFavicon responses: '204': description: No Content 
@@ -5825,27 +7764,44 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.email-domains.manage + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - EmailDomain - /api/v1/email-domains/{emailDomainId}/brands: - get: - summary: List all brands linked to an email domain - description: List all brands linked to an email domain. - operationId: listEmailDomainBrands - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}/themes/{themeId}/logo: + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathThemeId' + post: + summary: Upload the Logo + description: Uploads and replaces the logo for the theme. The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. + operationId: uploadBrandThemeLogo + requestBody: + content: + multipart/form-data: + schema: + description: The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. + type: object + properties: + file: + type: string + format: binary + required: + - file + description: logo file responses: '200': - description: OK + description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Brand' + $ref: '#/components/schemas/ImageUploadResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -5853,25 +7809,22 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.email-domains.read + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - EmailDomain - /api/v1/email-domains/{emailDomainId}/verify: - post: - summary: Verify Email Domain - description: Verifies the Email Domain by `id`. - operationId: verifyEmailDomain - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete the Logo + description: Deletes a Theme logo. The theme will use the default Okta logo. + operationId: deleteBrandThemeLogo responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/EmailDomainResponse' + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -5879,83 +7832,116 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.email-domains.manage + - apiToken: [] + - oauth2: + - okta.brands.manage tags: - - EmailDomain - /api/v1/eventHooks: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/captchas: get: - summary: List all Event Hooks - description: Success - operationId: listEventHooks + summary: List all CAPTCHA Instances + description: Lists all CAPTCHA instances with pagination support. A subset of CAPTCHA instances can be returned that match a supported filter expression or query. + operationId: listCaptchaInstances responses: '200': - description: Success + description: OK content: application/json: schema: type: array items: - $ref: '#/components/schemas/EventHook' + $ref: '#/components/schemas/CAPTCHAInstance' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.eventHooks.read + - apiToken: [] + - oauth2: + - okta.captchas.read tags: - - EventHook + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: - summary: Create an Event Hook - description: Success - operationId: createEventHook - x-codegen-request-body-name: eventHook + summary: Create a CAPTCHA instance + description: Creates a new CAPTCHA instance. Currently, an org can only configure a single CAPTCHA instance. 
+ operationId: createCaptchaInstance + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/EventHook' + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' required: true responses: - '200': - description: Success + '201': + description: Created content: application/json: schema: - $ref: '#/components/schemas/EventHook' + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.eventHooks.manage - tags: - - EventHook - /api/v1/eventHooks/{eventHookId}: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + Error Limit of One CAPTCHA instance per org: + $ref: '#/components/examples/ErrorCAPTCHALimitOfOne' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/captchas/{captchaId}: + parameters: + - $ref: '#/components/parameters/pathCaptchaId' get: - summary: Retrieve an Event Hook - description: Success - operationId: getEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string + summary: Retrieve a CAPTCHA Instance + description: Retrieves the properties of a specified CAPTCHA 
instance + operationId: getCaptchaInstance responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/EventHook' + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -5963,35 +7949,44 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.eventHooks.read + - apiToken: [] + - oauth2: + - okta.captchas.read tags: - - EventHook - put: - summary: Replace an Event Hook - description: Success - operationId: updateEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: eventHook + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Update a CAPTCHA Instance + description: Partially updates the properties of a specified CAPTCHA instance + operationId: updateCaptchaInstance + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/EventHook' + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' required: true responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/EventHook' + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -6001,55 +7996,46 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.eventHooks.manage - tags: - - EventHook - delete: - summary: Delete an Event Hook - description: Success - operationId: deleteEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string - responses: - '204': - description: No Content - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.eventHooks.manage + - apiToken: [] + - oauth2: + - okta.captchas.manage tags: - - EventHook - /api/v1/eventHooks/{eventHookId}/lifecycle/activate: - post: - summary: Activate an Event Hook - description: Success - operationId: activateEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a CAPTCHA Instance + description: Replaces the properties for a specified CAPTCHA instance + operationId: replaceCaptchaInstance + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' + required: true responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/EventHook' + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' + '400': + $ref: 
'#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6057,113 +8043,211 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.eventHooks.manage + - apiToken: [] + - oauth2: + - okta.captchas.manage tags: - - EventHook - /api/v1/eventHooks/{eventHookId}/lifecycle/deactivate: - post: - summary: Deactivate an Event Hook - description: Success - operationId: deactivateEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a CAPTCHA Instance + description: |- + Deletes a specified CAPTCHA instance + > **Note:** If your CAPTCHA instance is still associated with your org, the request fails. You must first update your Org-wide CAPTCHA settings to remove the CAPTCHA instance. + operationId: deleteCaptchaInstance responses: - '200': - description: Success + '204': + description: No Content + '403': + description: Forbidden + headers: {} content: application/json: schema: - $ref: '#/components/schemas/EventHook' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + Cannot remove CAPTCHA in use: + $ref: '#/components/examples/ErrorCAPTCHAOrgWideSetting' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.eventHooks.manage + - apiToken: [] + - oauth2: + - okta.captchas.manage tags: - - EventHook - /api/v1/eventHooks/{eventHookId}/lifecycle/verify: - post: - summary: Verify an Event Hook - description: Success - operationId: verifyEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - 
Okta Identity Engine + /api/v1/device-assurances: + get: + summary: List all device assurance policies + description: Lists all device assurance policies + operationId: listDeviceAssurancePolicies responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/EventHook' + type: array + items: + $ref: '#/components/schemas/DeviceAssurance' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.eventHooks.manage + - apiToken: [] + - oauth2: + - okta.deviceAssurance.read tags: - - EventHook - /api/v1/features: - get: - summary: List all Features - description: Success - operationId: listFeatures + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a device assurance policy + description: Creates a new device assurance policy + operationId: createDeviceAssurancePolicy + x-codegen-request-body-name: deviceAssurance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidRequest' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosRequest' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSRequest' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsRequest' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest' + AndroidWithDynamicVersionRequirement: + 
$ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' + required: true responses: '200': - description: Success + description: OK content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Feature' + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: 
'#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.features.read + - apiToken: [] + - oauth2: + - okta.deviceAssurance.manage tags: - - Feature - /api/v1/features/{featureId}: + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/device-assurances/{deviceAssuranceId}: + parameters: + - $ref: '#/components/parameters/pathDeviceAssuranceId' get: - summary: Retrieve a Feature - description: Success - operationId: getFeature - parameters: - - name: featureId - in: path - required: true - schema: - type: string + summary: Retrieve a device assurance policy + description: Retrieves a device assurance policy by `deviceAssuranceId` + operationId: getDeviceAssurancePolicy responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/Feature' + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: 
'#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6171,31 +8255,90 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.features.read + - apiToken: [] + - oauth2: + - okta.deviceAssurance.read tags: - - Feature - /api/v1/features/{featureId}/dependencies: - get: - summary: List all Dependencies - description: Success - operationId: listFeatureDependencies - parameters: - - name: featureId - in: path - required: true - schema: - type: string + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a device assurance policy + description: Replaces a device assurance policy by `deviceAssuranceId` + operationId: replaceDeviceAssurancePolicy + x-codegen-request-body-name: deviceAssurance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidRequest' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosRequest' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSRequest' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsRequest' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' + 
WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' + required: true responses: '200': - description: Success + description: OK content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Feature' + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + 
WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6203,264 +8346,262 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.features.read + - apiToken: [] + - oauth2: + - okta.deviceAssurance.manage tags: - - Feature - /api/v1/features/{featureId}/dependents: - get: - summary: List all Dependents - description: Success - operationId: listFeatureDependents - parameters: - - name: featureId - in: path - required: true - schema: - type: string + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a device assurance policy + description: Deletes a device assurance policy by `deviceAssuranceId`. If the device assurance policy is currently being used in the org Authentication Policies, the delete will not be allowed. + operationId: deleteDeviceAssurancePolicy responses: - '200': - description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/Feature' + '204': + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.features.read - tags: - - Feature - /api/v1/features/{featureId}/{lifecycle}: - post: - summary: Update a Feature Lifecycle - description: Success - operationId: updateFeatureLifecycle - parameters: - - name: featureId - in: path - required: true - schema: - type: string - - name: lifecycle - in: path - required: true - schema: - type: string - - name: mode - in: query - schema: - type: string - responses: - '200': - description: Success + '409': + description: Conflict + headers: {} content: application/json: schema: - $ref: '#/components/schemas/Feature' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: 
'#/components/responses/ErrorResourceNotFound404' + $ref: '#/components/schemas/Error' + examples: + ErrorDeviceAssuranceInUse: + $ref: '#/components/examples/ErrorDeviceAssuranceInUse' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.features.manage + - apiToken: [] + - oauth2: + - okta.deviceAssurance.manage tags: - - Feature - /api/v1/groups: + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/device-checks/{deviceCheckId}: + parameters: + - $ref: '#/components/parameters/pathDeviceCheckId' + /api/v1/devices: get: - summary: List all Groups - description: Enumerates groups in your organization with pagination. A subset of groups can be returned that match a supported filter expression or query. - operationId: listGroups + summary: List all Devices + description: |- + Lists all devices with pagination support. + You can return a subset of Devices that match a supported search criteria using the `search` query parameter. + Searches for devices based on the properties specified in the `search` parameter conforming SCIM filter specifications (case-insensitive). This data is eventually consistent. The API returns different results depending on specified queries in the request. Empty list is returned if no objects match `search` request. + > **Note:** Listing devices with `search` should not be used as a part of any critical flows—such as authentication or updates—to prevent potential data loss. `search` results may not reflect the latest information, as this endpoint uses a search index which may not be up-to-date with recent updates to the object.
Don't use search results directly for record updates, as the data might be stale and therefore overwrite newer data, resulting in data loss.
Use an `id` lookup for records that you update to ensure your results contain the latest data. + This operation requires [URL encoding](https://www.w3.org/TR/html4/interact/forms.html#h-17.13.4.1). For example, `search=profile.displayName eq "Bob"` is encoded as `search=profile.displayName%20eq%20%22Bob%22`. + operationId: listDevices parameters: - - name: q - in: query - description: Searches the name property of groups for matching value - schema: - type: string - - name: search - in: query - description: Filter expression for groups - schema: - type: string - name: after in: query - description: Specifies the pagination cursor for the next page of groups schema: type: string + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information. + example: 200u3des4afA47rYJu1d7 - name: limit in: query - description: Specifies the number of group results in a page schema: type: integer - format: int32 - default: 10000 + minimum: 1 + maximum: 200 + default: 200 + example: 20 + description: A limit on the number of objects to return (recommend `20`) + - name: search + in: query + description: A SCIM filter expression that filters the results. Searches include all Device `profile` properties and the Device `id`, `status`, and `lastUpdated` properties. 
+ schema: + type: string + example: lastUpdated gt "2019-06-01T09:00:00.000Z" + examples: + Devices that have a `status` of `ACTIVE`: + value: status eq "ACTIVE" + Devices last updated after a specific timestamp: + value: lastUpdated gt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + Devices with a specified `id`: + value: id eq "guo4a5u7JHHhjXrMK0g4" + Devices that have a `displayName` of `Bob`: + value: profile.displayName eq "Bob" + Devices that have an `platform` of `WINDOWS`: + value: profile.platform eq "WINDOWS" + Devices whose `sid` starts with `S-1`: + value: profile.sid sw "S-1" - name: expand in: query - description: If specified, it causes additional metadata to be included in the response. + description: Includes associated user details and management status for the device in the `_embedded` attribute schema: type: string + example: userSummary + enum: + - user + - userSummary + x-enumDescriptions: + user: Lists full details for associated users + userSummary: Lists summaries for associated users + examples: + UserFullDetails: + summary: Get a detailed list of associated users + value: user + UserSummaries: + summary: Get the list of associated user summaries + value: userSummary responses: '200': - description: Success + description: OK content: application/json: schema: type: array items: - $ref: '#/components/schemas/Group' + $ref: '#/components/schemas/DeviceList' + examples: + APIDevicesResponseUserSummaryExample: + type: array + $ref: '#/components/examples/APIDevicesListAllUserSummaryResponse' + APIDevicesResponseExample: + type: array + $ref: '#/components/examples/APIDevicesListAllResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.read + - apiToken: [] + - oauth2: + - okta.devices.read tags: - - Group - post: - summary: Create a Group - description: Adds a new group with `OKTA_GROUP` type to your organization. 
- operationId: createGroup - x-codegen-request-body-name: group - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Group' - required: true + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/devices/{deviceId}: + parameters: + - $ref: '#/components/parameters/pathDeviceId' + get: + summary: Retrieve a Device + description: Retrieves a device by `deviceId` + operationId: getDevice responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/Group' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/Device' + examples: + APIDevicesResponseExample: + $ref: '#/components/examples/DeviceResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.devices.read tags: - - Group - /api/v1/groups/rules: - get: - summary: List all Group Rules - description: Lists all group rules for your organization. 
- operationId: listGroupRules - parameters: - - name: limit - in: query - description: Specifies the number of rule results in a page - schema: - type: integer - format: int32 - default: 50 - - name: after - in: query - description: Specifies the pagination cursor for the next page of rules - schema: - type: string - - name: search - in: query - description: Specifies the keyword to search fules for - schema: - type: string - - name: expand - in: query - description: If specified as `groupIdToGroupNameMap`, then show group names - schema: - type: string - x-okta-added-version: 1.3.0 + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a Device + description: |- + Deletes (permanently) a device by `deviceId` if it has a status of `DEACTIVATED`. You can transition the device to `DEACTIVATED` status using the [Deactivate a Device](/openapi/okta-management/management/tag/Device/#tag/Device/operation/deactivateDevice) endpoint. + This request is destructive and deletes all of the profile data related to the device. Once deleted, device data can't be recovered. However, reenrollment creates a new device record. + > **Note:** Attempts to delete a device that isn't in a `DEACTIVATED` state raise an error. 
+ operationId: deleteDevice responses: - '200': - description: Success + '204': + description: No Content + '403': + description: Forbidden + headers: {} content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/GroupRule' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.read + - apiToken: [] + - oauth2: + - okta.devices.manage tags: - - Group + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/devices/{deviceId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathDeviceId' post: - summary: Create a Group Rule - description: Creates a group rule to dynamically add users to the specified group if they match the condition - operationId: createGroupRule - x-codegen-request-body-name: groupRule - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - required: true + summary: Activate a Device + description: |- + Activates a Device by setting its status to ACTIVE by `deviceId`. + Activated devices are used to create and delete Device user links. 
+ operationId: activateDevice responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + '204': + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.devices.manage tags: - - Group - /api/v1/groups/rules/{ruleId}: - get: - summary: Retrieve a Group Rule - description: Fetches a specific group rule by id from your organization - operationId: getGroupRule - parameters: - - name: ruleId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/devices/{deviceId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathDeviceId' + post: + summary: Deactivate a Device + description: |- + Deactivates a Device by setting its status to DEACTIVATED by `deviceId`. + Deactivation causes a Device to lose all device user links. + Set the Device status to DEACTIVATED before deleting it. + > **Note:** When deactivating a Device, keep in mind the following: + - Device deactivation is a destructive operation for device factors and client certificates. Device reenrollment using Okta Verify allows end users to set up new factors on the device. + - Device deletion removes the device record from Okta. Reenrollment creates a new device record. + operationId: deactivateDevice responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' + '204': + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6468,37 +8609,30 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.read + - apiToken: [] + - oauth2: + - okta.devices.manage tags: - - Group - put: - summary: Replace a Group Rule - description: Updates a group rule. Only `INACTIVE` rules can be updated. - operationId: updateGroupRule - parameters: - - name: ruleId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: groupRule - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - required: true + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/devices/{deviceId}/lifecycle/suspend: + parameters: + - $ref: '#/components/parameters/pathDeviceId' + post: + summary: Suspend a Device + description: |- + Suspends a Device by setting its status to SUSPENDED. + Use suspended devices to create and delete device user links. + You can only unsuspend or deactivate suspended devices. + > **Note:** SUSPENDED status is meant to be temporary, so it isn't destructive. + operationId: suspendDevice responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + '204': + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6506,30 +8640,28 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.devices.manage tags: - - Group - delete: - summary: Delete a group Rule - description: Removes a specific group rule by id from your organization - operationId: deleteGroupRule - parameters: - - name: ruleId - in: path - required: true - schema: - type: string - - name: removeUsers - in: query - description: Indicates whether to keep or remove users from groups assigned by this rule. - schema: - type: boolean + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/devices/{deviceId}/lifecycle/unsuspend: + parameters: + - $ref: '#/components/parameters/pathDeviceId' + post: + summary: Unsuspend a Device + description: |- + Unsuspends a Device by returning its `status` to ACTIVE. + >**Note:** Only devices with a SUSPENDED status can be unsuspended. + operationId: unsuspendDevice responses: - '202': - description: Accepted - content: {} + '204': + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6537,26 +8669,36 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.devices.manage tags: - - Group - /api/v1/groups/rules/{ruleId}/lifecycle/activate: - post: - summary: Activate a Group Rule - description: Activates a specific group rule by id from your organization - operationId: activateGroupRule - parameters: - - name: ruleId - in: path - required: true - schema: - type: string + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/devices/{deviceId}/users: + parameters: + - $ref: '#/components/parameters/pathDeviceId' + get: + summary: List all Users for a Device + description: Lists all Users for a Device by `deviceId` + operationId: listDeviceUsers responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/DeviceUser' + examples: + APIDevicesListAllUsersResponseExample: + summary: List all users for a specific device + $ref: '#/components/examples/APIDevicesListAllUsersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6564,56 +8706,130 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.devices.read tags: - - Group - /api/v1/groups/rules/{ruleId}/lifecycle/deactivate: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/directories/{appInstanceId}/groups/modify: + parameters: + - $ref: '#/components/parameters/appInstanceId' post: - summary: Deactivate a Group Rule - description: Deactivates a specific group rule by id from your organization - operationId: deactivateGroupRule - parameters: - - name: ruleId - in: path - required: true - schema: - type: string + summary: Update an AD Group membership + description: Updates an AD Group membership directly in AD + operationId: updateADGroupMembership + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AgentAction' + required: true responses: - '204': - description: No Content - content: {} + '200': + description: OK + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' + '502': + $ref: '#/components/responses/Error502NoConnectedAgents' + '504': + $ref: '#/components/responses/Error504AgentTimeOut' + security: + - oauth2: + - okta.directories.groups.manage + tags: + - DirectoriesIntegration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/domains: + get: + summary: List all Custom Domains + description: Lists all verified custom domains for the org + operationId: listCustomDomains + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/DomainListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.domains.read tags: - - Group - /api/v1/groups/{groupId}: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Custom Domain + description: Creates your custom domain + operationId: createCustomDomain + x-codegen-request-body-name: domain + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DomainRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DomainResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.manage + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/domains/{domainId}: + parameters: + - $ref: '#/components/parameters/pathDomainId' get: - summary: List all Group Rules - description: Fetches a group from your organization. - operationId: getGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string + summary: Retrieve a Custom Domain + description: Retrieves a custom domain by `domainId` + operationId: getCustomDomain responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Group' + $ref: '#/components/schemas/DomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6621,27 +8837,23 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.read + - apiToken: [] + - oauth2: + - okta.domains.read tags: - - Group + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a Group - description: Updates the profile for a group with `OKTA_GROUP` type from your organization. - operationId: updateGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: group + summary: Replace a Custom Domain's Brand + description: Replaces a custom domain's brand + operationId: replaceCustomDomain requestBody: content: application/json: schema: - $ref: '#/components/schemas/Group' + $ref: '#/components/schemas/UpdateDomain' required: true responses: '200': @@ -6649,7 +8861,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Group' + $ref: '#/components/schemas/DomainResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -6659,21 +8871,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.domains.manage tags: - - Group + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Group - description: Removes a group with `OKTA_GROUP` type from your organization. - operationId: deleteGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string + summary: Delete a Custom Domain + description: Deletes a custom domain by `domainId` + operationId: deleteCustomDomain responses: '204': description: No Content 
@@ -6685,43 +8894,68 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.domains.manage tags: - - Group - /api/v1/groups/{groupId}/apps: - get: - summary: List all Assigned Applications - description: Enumerates all applications that are assigned to a group. - operationId: listAssignedApplicationsForGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: after - in: query - description: Specifies the pagination cursor for the next page of apps - schema: - type: string - - name: limit - in: query - description: Specifies the number of app results for a page - schema: - type: integer - format: int32 - default: 20 + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/domains/{domainId}/certificate: + parameters: + - $ref: '#/components/parameters/pathDomainId' + put: + summary: Upsert the Custom Domain's Certificate + description: |- + Upserts (creates or renews) the `MANUAL` certificate for the custom domain + + > **Notes:** + > * If the existing `certificateSourceType` is `OKTA_MANAGED`, this operation changes the source type to `MANUAL`. Okta no longer manages and renews certificates for this domain after you provide a user-managed certificate. + > * Okta supports TLS certificates and private keys that are PEM-encoded and 2048, 3072, or 4096 bits. See the [Custom domain guide](https://developer.okta.com/docs/guides/custom-url-domain/main/) for more details. 
+ operationId: upsertCertificate + x-codegen-request-body-name: certificate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DomainCertificate' + required: true + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.manage + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/domains/{domainId}/verify: + parameters: + - $ref: '#/components/parameters/pathDomainId' + post: + summary: Verify a Custom Domain + description: Verifies the custom domain and validity of DNS records by `domainId`. Furthermore, if the `certificateSourceType` in the domain is `OKTA_MANAGED`, then an attempt is made to obtain and install a certificate. After a certificate is obtained and installed by Okta, Okta manages the certificate including certificate renewal. + operationId: verifyDomain responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Application' + $ref: '#/components/schemas/DomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6729,67 +8963,62 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.read + - apiToken: [] + - oauth2: + - okta.domains.manage tags: - - Group - /api/v1/groups/{groupId}/roles: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/dr/status/{domain}: + parameters: + - $ref: '#/components/parameters/domain' + /api/v1/email-domains: + parameters: + - $ref: '#/components/parameters/queryExpandEmailDomain' get: - summary: List all Assigned Roles - description: Success - operationId: listGroupAssignedRoles - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + summary: List all Email Domains + description: Lists all the Email Domains in your org + operationId: listEmailDomains responses: '200': - description: Success + description: OK content: application/json: schema: type: array items: - $ref: '#/components/schemas/Role' + $ref: '#/components/schemas/EmailDomainResponseWithEmbedded' + examples: + List email domain response: + $ref: '#/components/examples/EmailDomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.emailDomains.read tags: - - Group + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Assign a Role - description: Assigns a Role to a Group - operationId: assignRoleToGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: disableNotifications - in: query - schema: - type: boolean - x-codegen-request-body-name: assignRoleRequest + summary: Create an Email Domain + description: Creates an Email Domain in your org + 
operationId: createEmailDomain + x-codegen-request-body-name: emailDomain requestBody: content: application/json: schema: - $ref: '#/components/schemas/AssignRoleRequest' + $ref: '#/components/schemas/EmailDomain' + examples: + Create email domain request: + $ref: '#/components/examples/CreateEmailDomainRequest' required: true responses: '200': 
@@ -6797,47 +9026,54 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' - '201': - description: Success - content: {} + $ref: '#/components/schemas/EmailDomainResponse' + examples: + Create email domain response: + $ref: '#/components/examples/EmailDomainResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage - tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}: + '409': + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Email domain already exists: + $ref: '#/components/examples/ErrorEmailDomainAlreadyExists' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailDomains.manage + tags: + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/email-domains/{emailDomainId}: + parameters: + - $ref: '#/components/parameters/pathEmailDomainId' + - $ref: '#/components/parameters/queryExpandEmailDomain' get: - summary: Retrieve a Role - description: Success - operationId: getRole - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string + summary: Retrieve an Email Domain + description: Retrieves an Email Domain by `emailDomainId` + operationId: getEmailDomain responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Role' + $ref: '#/components/schemas/EmailDomainResponseWithEmbedded' + examples: + Retrieve email domain response: + $ref: '#/components/examples/EmailDomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6845,30 +9081,72 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.emailDomains.read tags: - - Group + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an Email Domain + description: Replaces associated username and sender display name by `emailDomainId` + operationId: replaceEmailDomain + x-codegen-request-body-name: updateEmailDomain + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateEmailDomain' + examples: + Update email domain request: + $ref: '#/components/examples/UpdateEmailDomainRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailDomainResponse' + examples: + Update email domain response: + $ref: '#/components/examples/UpdatedEmailDomainResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailDomains.manage + tags: + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Role - description: Unassigns a Role from a Group - operationId: removeRoleFromGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string + summary: Delete an Email Domain + description: Deletes an Email Domain by `emailDomainId` + operationId: deleteEmailDomain responses: '204': description: No Content content: {} + '400': + description: Unable to delete custom email domain due to mail provider specific restrictions + content: + application/json: + schema: + 
$ref: '#/components/schemas/Error' + examples: + Email domain in use: + $ref: '#/components/examples/ErrorEmailDomainInUse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6876,46 +9154,42 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.emailDomains.manage tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps: - get: - summary: List all Application Targets for an Application Administrator Role - description: Lists all App targets for an `APP_ADMIN` Role assigned to a Group. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID. - operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/email-domains/{emailDomainId}/verify: + parameters: + - $ref: '#/components/parameters/pathEmailDomainId' + post: + summary: Verify an Email Domain + description: Verifies an Email Domain by `emailDomainId` + operationId: verifyEmailDomain responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/CatalogApplication' + $ref: '#/components/schemas/EmailDomainResponse' + examples: + Verified email domain response: + $ref: '#/components/examples/VerifiedEmailDomainResponse' + '400': + description: Email domain could not be verified by mail provider + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Email domain could not be verified: + $ref: '#/components/examples/ErrorEmailDomainNotVerified' + Email domain invalid status: + $ref: '#/components/examples/ErrorEmailDomainInvalidStatus' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '404': 
@@ -6923,36 +9197,88 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.emailDomains.manage tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}: - put: - summary: Assign an Application Target to Administrator Role - description: Success - operationId: addApplicationTargetToAdminRoleGivenToGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/email-servers: + get: + summary: List all enrolled SMTP servers + description: Lists all the enrolled custom SMTP server configurations + operationId: listEmailServers responses: '200': - description: Success - content: {} + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.read + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a custom SMTP server + description: Creates a custom email SMTP server configuration for your org + operationId: createEmailServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerPost' + responses: + '201': + description: Successfully enrolled server credentials + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + 
'429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/email-servers/{emailServerId}: + parameters: + - $ref: '#/components/parameters/pathEmailServerId' + get: + summary: Retrieve an SMTP Server configuration + description: Retrieves the specified custom SMTP server configuration + operationId: getEmailServer + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6960,35 +9286,34 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.emailServers.read tags: - - Group - delete: - summary: Delete an Application Target from Application Administrator Role - description: Success - operationId: removeApplicationTargetFromApplicationAdministratorRoleGivenToGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + patch: + summary: Update an SMTP Server configuration + description: Updates the specified custom SMTP server configuration + operationId: updateEmailServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerRequest' responses: - '204': - description: No Content - content: {} + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6996,41 +9321,23 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.emailServers.manage tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}/{applicationId}: - put: - summary: Assign an Application Instance Target to Application Administrator Role - description: Add App Instance Target to App Administrator Role given to a Group - operationId: addApplicationInstanceTargetToAppAdminRoleGivenToGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string - - name: applicationId - in: path - required: true - schema: - type: string + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete an SMTP Server configuration + description: Deletes the specified custom SMTP server configuration + operationId: deleteEmailServer responses: '204': - description: No Content - content: {} + description: No content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7038,40 +9345,33 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.emailServers.manage tags: - - Group - delete: - summary: Delete an Application Instance Target to Application Administrator Role - description: Remove App Instance Target to App Administrator Role given to a Group - operationId: removeApplicationTargetFromAdministratorRoleGivenToGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string - - name: applicationId - in: path - required: true - schema: - type: string + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/email-servers/{emailServerId}/test: + parameters: + - $ref: '#/components/parameters/pathEmailServerId' + post: + summary: Test an SMTP Server configuration + description: Tests the specified custom SMTP Server configuration + operationId: testEmailServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailTestAddresses' responses: '204': - description: No Content - content: {} + description: No content + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7079,37 +9379,21 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.emailServers.manage tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/groups: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/eventHooks: get: - summary: List all Group Targets for a Group Role - description: Enumerates group targets for a group role. - operationId: listGroupTargetsForGroupRole - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + summary: List all Event Hooks + description: Lists all event hooks + operationId: listEventHooks responses: '200': description: Success 
@@ -7118,124 +9402,94 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Group' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read - tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/groups/{targetGroupId}: - put: - summary: Assign a Group Target for Group Role - description: Enumerates group targets for a group role. - operationId: addGroupTargetToGroupAdministratorRoleForGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: targetGroupId - in: path - required: true - schema: - type: string - responses: - '204': - description: No Content - content: {} + $ref: '#/components/schemas/EventHook' + examples: + RetrieveAllEventHooks: + $ref: '#/components/examples/RetrieveAllEventHooks' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.eventHooks.read tags: - - Group - delete: - summary: Delete a Group Target for Group Role - description: remove group target for a group role. - operationId: removeGroupTargetFromGroupAdministratorRoleGivenToGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: targetGroupId - in: path - required: true - schema: - type: string + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an Event Hook + description: |- + Creates a new event hook for your organization in `ACTIVE` status. 
You pass an event hook object in the JSON payload + of your request. That object represents the set of required information about the event hook you're registering, including: + * The URI of your external service + * The [events](https://developer.okta.com/docs/reference/api/event-types/) in Okta you want to subscribe to + * An optional event hook filter that can reduce the number of event hook calls. This is a self-service Early Access (EA) feature. + See [Create an event hook filter](https://developer.okta.com/docs/concepts/event-hooks/#create-an-event-hook-filter). + + Additionally, you can specify a secret API key for Okta to pass to your external service endpoint for security verification. Note that the API key you set here is unrelated to the Okta API token + you must supply when making calls to Okta APIs. Optionally, you can specify extra headers that Okta passes to your external + service with each call. + Your external service must use a valid HTTPS endpoint. + operationId: createEventHook + x-codegen-request-body-name: eventHook + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + CreateAnEventHook: + $ref: '#/components/examples/CreateAnEventHook' + CreateAnEventHookWithFilter: + $ref: '#/components/examples/CreateAnEventHookWithFilter' + required: true responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + CreateAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + CreateAnEventHookWithFilter: + $ref: '#/components/examples/RetrieveAnEventHookWithFilter' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - 
okta.roles.manage + - apiToken: [] + - oauth2: + - okta.eventHooks.manage tags: - - Group - /api/v1/groups/{groupId}/users: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/eventHooks/{eventHookId}: + parameters: + - $ref: '#/components/parameters/pathEventHookId' get: - summary: List all Member Users - description: Enumerates all users that are a member of a group. - operationId: listGroupUsers - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: after - in: query - description: Specifies the pagination cursor for the next page of users - schema: - type: string - - name: limit - in: query - description: Specifies the number of user results in a page - schema: - type: integer - format: int32 - default: 1000 + summary: Retrieve an Event Hook + description: Retrieves an event hook + operationId: getEventHook responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/EventHook' + examples: + RetrieveAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7243,31 +9497,44 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.read + - apiToken: [] + - oauth2: + - okta.eventHooks.read tags: - - Group - /api/v1/groups/{groupId}/users/{userId}: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Assign a User - description: Adds a user to a group with 'OKTA_GROUP' type. - operationId: addUserToGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string + summary: Replace an Event Hook + description: |- + Replaces an event hook. Okta validates the new properties before replacing the existing values. + Some event hook properties are immutable and can't be updated. Refer to the parameter description in the request body schema. + + >**Note:** Updating the `channel` property requires you to verify the hook again. + operationId: replaceEventHook + x-codegen-request-body-name: eventHook + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + ReplaceAnEventHook: + $ref: '#/components/examples/ReplaceAnEventHookWithFilter' + required: true responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + ReplaceAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHookWithFilter' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7275,26 +9542,20 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.eventHooks.manage tags: - - Group + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a User - description: Removes a user from a group with 'OKTA_GROUP' type. - operationId: removeUserFromGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string + summary: Delete an Event Hook + description: |- + Deletes the event hook that matches the provided `id`. After deletion, the event hook is unrecoverable. + As a safety precaution, you can only delete event hooks with a status of `INACTIVE`. + operationId: deleteEventHook responses: '204': description: No Content 
@@ -7306,199 +9567,167 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.groups.manage + - apiToken: [] + - oauth2: + - okta.eventHooks.manage tags: - - Group - /api/v1/idps: - get: - summary: List all Identity Providers - description: Enumerates IdPs in your organization with pagination. A subset of IdPs can be returned that match a supported filter expression or query. - operationId: listIdentityProviders - parameters: - - name: q - in: query - description: Searches the name property of IdPs for matching value - schema: - type: string - - name: after - in: query - description: Specifies the pagination cursor for the next page of IdPs - schema: - type: string - - name: limit - in: query - description: Specifies the number of IdP results in a page - schema: - type: integer - format: int32 - default: 20 - - name: type - in: query - description: Filters IdPs by type - schema: - type: string + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/eventHooks/{eventHookId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathEventHookId' + post: + summary: Activate an Event Hook + description: Activates the event hook that matches the provided `id` + operationId: activateEventHook responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/IdentityProvider' + $ref: '#/components/schemas/EventHook' + examples: + ActivateAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.eventHooks.manage tags: - - IdentityProvider + - EventHook + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: true + /api/v1/eventHooks/{eventHookId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathEventHookId' post: - summary: Create an Identity Provider - description: Adds a new IdP to your organization. - operationId: createIdentityProvider - x-codegen-request-body-name: identityProvider - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - required: true + summary: Deactivate an Event Hook + description: Deactivates the event hook that matches the provided `id` + operationId: deactivateEventHook responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/IdentityProvider' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/EventHook' + examples: + DeactivateAnEventHook: + $ref: '#/components/examples/RetrieveADeactivatedEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.eventHooks.manage tags: - - IdentityProvider - /api/v1/idps/credentials/keys: - get: - summary: List all Credential Keys - description: Enumerates IdP key credentials. 
- operationId: listIdentityProviderKeys - parameters: - - name: after - in: query - description: Specifies the pagination cursor for the next page of keys - schema: - type: string - - name: limit - in: query - description: Specifies the number of key results in a page - schema: - type: integer - format: int32 - default: 20 + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/eventHooks/{eventHookId}/lifecycle/verify: + parameters: + - $ref: '#/components/parameters/pathEventHookId' + post: + summary: Verify an Event Hook + description: |- + Verifies that the event hook matches the provided `eventHookId`. To verify ownership, your endpoint must send information back to Okta in JSON format. See [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/#one-time-verification-request). + + Only `ACTIVE` and `VERIFIED` event hooks can receive events from Okta. + + If a response is not received within 3 seconds, the outbound request times out. One retry is attempted after a timeout or error response. + If a successful response still isn't received, this operation returns a 400 error with more information about the failure. 
+ operationId: verifyEventHook responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/EventHook' + examples: + VerifyAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.eventHooks.manage tags: - - IdentityProvider - post: - summary: Create an X.509 Certificate Public Key - description: Adds a new X.509 certificate credential to the IdP key store. - operationId: createIdentityProviderKey - x-codegen-request-body-name: jsonWebKey - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - required: true + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/features: + get: + summary: List all Features + description: Lists all self-service features for your org + operationId: listFeatures responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + type: array + items: + $ref: '#/components/schemas/Feature' + examples: + FeaturesList: + summary: List all self-service features for your org + $ref: '#/components/examples/ListFeaturesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.features.read tags: - - IdentityProvider - /api/v1/idps/credentials/keys/{keyId}: + - Feature + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: true + /api/v1/features/{featureId}: + parameters: + - $ref: '#/components/parameters/pathFeatureId' get: - summary: Retrieve an Credential Key - description: Gets a specific IdP Key Credential by `kid` - operationId: getIdentityProviderKey - parameters: - - name: keyId - in: path - required: true - schema: - type: string + summary: Retrieve a Feature + description: Retrieves a feature by ID + operationId: getFeature responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read - tags: - - IdentityProvider - delete: - summary: Delete a Signing Credential Key - description: Deletes a specific IdP Key Credential by `kid` if it is not currently being used by an Active or Inactive IdP. - operationId: deleteIdentityProviderKey - parameters: - - name: keyId - in: path - required: true - schema: - type: string - responses: - '204': - description: No Content - content: {} + $ref: '#/components/schemas/Feature' + examples: + FeaturesRetrieve: + summary: Retrieve a Feature by ID + $ref: '#/components/examples/RetrieveFeaturesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
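Review bot: the `examples` entries `FeaturesList` (in the `/api/v1/features` GET) and `FeaturesRetrieve` (in the `/api/v1/features/{featureId}` GET) combine `$ref` with a sibling `summary`; in OpenAPI 3.0 an object containing `$ref` is a Reference Object and any sibling fields are ignored, so those summaries are dropped by validators and renderers without warning. Either move the `summary` into the referenced component example or inline the example; the same pattern recurs in the dependencies, dependents and lifecycle hunks below. Also, this hunk removes the whole IdP surface (`listIdentityProviders`, `createIdentityProvider`, the `idps/credentials/keys` operations) without re-adding it, so confirm those paths are reinstated later in the file.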
@@ -7506,29 +9735,37 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.features.read tags: - - IdentityProvider - /api/v1/idps/{idpId}: + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/features/{featureId}/dependencies: + parameters: + - $ref: '#/components/parameters/pathFeatureId' get: - summary: Retrieve an Identity Provider - description: Fetches an IdP by `id`. - operationId: getIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string + summary: List all dependencies + description: |- + Lists all feature dependencies for a specified feature. + + A feature's dependencies are the features that it requires to be enabled in order for itself to be enabled. + operationId: listFeatureDependencies responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/IdentityProvider' + type: array + items: + $ref: '#/components/schemas/Feature' + examples: + FeaturesDependenciesList: + summary: List all Dependencies + $ref: '#/components/examples/ListFeatureDependenciesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7536,37 +9773,37 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.features.read tags: - - IdentityProvider - put: - summary: Replace an Identity Provider - description: Updates the configuration for an IdP. - operationId: updateIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: identityProvider - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - required: true + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/features/{featureId}/dependents: + parameters: + - $ref: '#/components/parameters/pathFeatureId' + get: + summary: List all dependents + description: |- + Lists all feature dependents for the specified feature. + + A feature's dependents are the features that need to be disabled in order for the feature itself to be disabled. + operationId: listFeatureDependents responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/IdentityProvider' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + type: array + items: + $ref: '#/components/schemas/Feature' + examples: + FeaturesDependentsList: + summary: List all feature dependents for the specified feature + $ref: '#/components/examples/ListFeatureDependentsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7574,25 +9811,50 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.features.read tags: - - IdentityProvider - delete: - summary: Delete an Identity Provider - description: Removes an IdP from your organization. - operationId: deleteIdentityProvider + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/features/{featureId}/{lifecycle}: + parameters: + - $ref: '#/components/parameters/pathFeatureId' + - $ref: '#/components/parameters/pathLifecycle' + post: + summary: Update a Feature lifecycle + description: |- + Updates a feature's lifecycle status. Use this endpoint to enable or disable a feature for your org. + + Use the `mode=force` parameter to override dependency restrictions for a particular feature. Normally, you can't enable a feature if it has one or more dependencies that aren't enabled. + + When you use the `mode=force` parameter while enabling a feature, Okta first tries to enable any disabled features that this feature may have as dependencies. If you don't pass the `mode=force` parameter and the feature has dependencies that need to be enabled before the feature is enabled, a 400 error is returned. + + When you use the `mode=force` parameter while disabling a feature, Okta first tries to disable any enabled features that this feature may have as dependents. If you don't pass the `mode=force` parameter and the feature has dependents that need to be disabled before the feature is disabled, a 400 error is returned. + + The following chart shows the different state transitions for a feature. + + ![State transitions of a feature](../../../../../images/features/update-ssfeat-flowchart.png '#width=500px;') + operationId: updateFeatureLifecycle parameters: - - name: idpId - in: path - required: true + - name: mode + in: query + description: Indicates if you want to force enable or disable a feature. 
Supported value is `force`. schema: type: string responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Feature' + examples: + FeaturesUpdate: + summary: Update the feature lifecycle status + $ref: '#/components/examples/UpdateFeatureLifecycleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
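Review bot: the `mode` query parameter on `updateFeatureLifecycle` is a bare string although the description says `force` is the only supported value; since this is the no-enums variant of the spec, the description should at least state what happens with any other value (rejected with 400, or ignored), because a caller that passes the wrong value and silently gets the non-forced behaviour is hard to debug. Also, the description embeds an image via the relative path `../../../../../images/features/update-ssfeat-flowchart.png`, which resolves only from the source tree and not from the published spec; use an absolute URL or drop the image.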
@@ -7600,213 +9862,302 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.features.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/csrs: + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/first-party-app-settings/{appName}: + parameters: + - $ref: '#/components/parameters/pathFirstPartyAppName' get: - summary: List all Certificate Signing Requests - description: Enumerates Certificate Signing Requests for an IdP - operationId: listCsrsForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string + summary: Retrieve the Okta Application Settings + description: Retrieves the settings for an Okta app (also known as an Okta first-party app) + operationId: getFirstPartyAppSettings responses: '200': - description: Success + description: OK content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Csr' + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.apps.read tags: - - IdentityProvider - post: - summary: Generate a Certificate Signing Request - description: Generates a new key pair and returns a Certificate Signing Request for it. 
- operationId: generateCsrForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: metadata + - OktaApplicationSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Okta Application Settings + description: Replaces the settings for an Okta app (also known as an Okta first-party app) + operationId: replaceFirstPartyAppSettings requestBody: content: application/json: schema: - $ref: '#/components/schemas/CsrMetadata' + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' required: true responses: - '201': - description: Created + '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/Csr' + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage - tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/csrs/{csrId}: - get: - summary: Retrieve a Certificate Signing Request - description: Gets a specific Certificate Signing Request model by id - operationId: getCsrForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string - responses: - '200': - description: Success + description: Forbidden content: application/json: schema: - $ref: '#/components/schemas/Csr' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + $ref: 
'#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - IdentityProvider - delete: - summary: Revoke a Certificate Signing Request - description: Revoke a Certificate Signing Request and delete the key pair from the IdP - operationId: revokeCsrForIdentityProvider + - OktaApplicationSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups: + get: + summary: List all Groups + description: |- + Lists all Groups with pagination support. + + The number of Groups returned depends on the specified [`limit`](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!in=query&path=limit&t=request), if you have a search, filter, and/or query parameter set, and if that parameter is not null. We recommend using a limit less than or equal to 200. + + A subset of Groups can be returned that match a supported filter expression, query, or search criteria. + + > **Note:** Results from the filter or query parameter are driven from an eventually consistent datasource. The synchronization lag is typically less than one second. + See [Filtering](https://developer.okta.com/docs/api/#filter) for more information on expressions. + operationId: listGroups parameters: - - name: idpId - in: path - required: true + - name: q + in: query + description: |- + Finds a Group that matches the `name` property + > **Note:** Paging and searching are currently mutually exclusive. You can't page a query. The default limit for a query is 300 results. Query is intended for an auto-complete picker use case where users refine their search string to constrain the results. 
schema: type: string - - name: csrId - in: path - required: true + example: West&limit=10 + - name: filter + in: query + description: |- + [Filter expression](https://developer.okta.com/docs/reference/core-okta-api/#filter) for Groups + > **Note:** All filters must be [URL encoded](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. + schema: + type: string + examples: + filterById: + value: id eq "00g1emaKYZTWRYYRRTSK" + summary: Filter group with a specific ID + filterByType: + value: type eq "OKTA_GROUP" + summary: Filter groups that are of the type `OKTA_GROUP` + filterByTypeAndProfileLastUpdatedAfterDate: + value: type eq "OKTA_GROUP" and lastUpdated gt "2016-11-11T00:00:00.000Z" + summary: Filter groups that are of the type `OKTA_GROUP` with Profile updated after 11/11/2015 + filterByTypeAndProfileOrMembershipUpdatedBeforeDate: + value: type eq "OKTA_GROUP" and (lastUpdated lt "2015-11-11T00:00:00.000Z" or lastMembershipUpdated lt "2015-11-11T00:00:00.000Z") + summary: Filter groups that are of the type `OKTA_GROUP` with Profile or memberships updated before 11/11/2015 + - name: after + in: query + description: Specifies the pagination cursor for the next page of Groups. The `after` cursor should be treated as an opaque value and obtained through the next link relation. See [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + - name: limit + in: query + description: |- + Specifies the number of Group results in a page. + + Don't write code that depends on the default or maximum value, as it might change. If you receive an `HTTP 500` status code, you likely exceeded the request timeout. Retry your request with a smaller `limit` and [page the results](https://developer.okta.com/docs/api/#pagination). 
+ + The Okta default Everyone group isn't returned for users with a Group Admin role. + + >**Note:** We strongly encourage using a limit that's less than or equal to 200. Any number greater than 200 affects performance and accuracy. + schema: + type: integer + format: int32 + maximum: 10000 + - name: expand + in: query + description: If specified, additional metadata is included in the response. Possible values are `stats` and `app`. + schema: + type: string + - name: search + in: query + description: |- + Searches for groups with a supported [filtering](https://developer.okta.com/docs/reference/core-okta-api/#filter) expression for all attributes except for `_embedded`, `_links`, and `objectClass`. + + Search currently performs a `startsWith` match but it should be considered an implementation detail and might change without notice in the future. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). + + Using search requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding), for example, `search=type eq "OKTA_GROUP"` is encoded as `search=type+eq+%22OKTA_GROUP%22`. + + This operation searches many properties: + * Any group profile property, including imported app group profile properties. + * The top-level properties `id`, `created`, `lastMembershipUpdated`, `lastUpdated`, and `type`. + * The [source](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links/source&t=response) of groups with type of `APP_GROUP`, accessed as `source.id`. + You can also use `sortBy` and `sortOrder` parameters. 
+ schema: + type: string + examples: + searchByType: + value: type eq "APP_GROUP" + summary: Search for Groups that have a type of `APP_GROUP` + searchByLastMembershipUpdatedAfterDate: + value: lastMembershipUpdated gt "2014-01-01T00:00:00.000Z" + summary: Search for Groups whose memberships were last updated after a specific timestamp + searchById: + value: id eq "00gak46y5hydV6NdM0g4" + summary: Search for Groups with the specified ID (`00gak46y5hydV6NdM0g4`) + searchByProfileName: + value: profile.name eq "West Coast Users" + summary: Search for Groups that have a `name` of `West Coast Users` + searchBySamAccountName: + value: profile.samAccountName sw "West Coast" + summary: Search for Groups whose `samAccountName` starts with `West Coast` + searchBySourceId: + value: source.id eq "0oa2v0el0gP90aqjJ0g7" + summary: Search for Groups that have the source app with a specified `source.id` (`0oa2v0el0gP90aqjJ0g7`) + searchByIdTypeAndCreationDate: + value: type eq "APP_GROUP" and (created lt "2014-01-01T00:00:00.000Z" and source.id eq "0oa2v0el0gP90aqjJ0g7") + summary: List groups of type `APP_GROUP` that were created before 01/01/2014 and whose source app has the ID 0oa2v0el0gP90aqjJ0g7 + - name: sortBy + in: query + description: Specifies field to sort by **(for search queries only)**. `sortBy` can be any single property, for example `sortBy=profile.name`. + schema: + type: string + example: lastUpdated + - name: sortOrder + in: query + description: 'Specifies sort order: `asc` or `desc` (for search queries only). This parameter is ignored if if `sortBy` is not present. 
Groups with the same value for the `sortBy` property will be ordered by `id`' schema: type: string + default: asc responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + examples: + ListGroupExample: + $ref: '#/components/examples/list-groups-examples' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.groups.read tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/csrs/{csrId}/lifecycle/publish: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Publish a Certificate Signing Request - description: Update the Certificate Signing Request with a signed X.509 certificate and add it into the signing key credentials for the IdP. - operationId: publishCsrForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string + summary: Add a Group + description: |- + Adds a new Group with the `OKTA_GROUP` type to your org + > **Note:** App import operations are responsible for syncing Groups with `APP_GROUP` type such as Active Directory Groups. See + [About groups](https://help.okta.com/okta_help.htm?id=Directory_Groups). 
+ operationId: addGroup + x-codegen-request-body-name: group requestBody: - required: true content: - application/x-x509-ca-cert: - schema: - type: string - format: binary - x-okta-operationId: publishBinaryCerCertForIdentityProvider - application/pkix-cert: - schema: - type: string - format: binary - x-okta-operationId: publishBinaryDerCertForIdentityProvider - application/x-pem-file: + application/json: schema: - type: string - format: binary - x-okta-operationId: publishBinaryPemCertForIdentityProvider + properties: + profile: + $ref: '#/components/schemas/OktaUserGroupProfile' + required: true responses: - '201': - description: Created + '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules: get: - summary: List all Signing Credential Keys - description: Enumerates signing key credentials for an IdP - operationId: listIdentityProviderSigningKeys + summary: List all Group rules + description: Lists all Group rules for your org + operationId: listGroupRules parameters: - - name: idpId - in: path - required: true + - name: limit + in: query + description: Specifies the number of rule results in a page + schema: + type: integer + format: int32 + default: 50 + minimum: 1 + maximum: 200 + - name: after + in: query + description: Specifies the pagination cursor for the next page of 
rules + schema: + type: string + - name: search + in: query + description: Specifies the keyword to search rules for + schema: + type: string + - name: expand + in: query + description: If specified as `groupIdToGroupNameMap`, then displays group names schema: type: string + x-okta-added-version: 1.3.0 responses: '200': description: Success 
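Review bot: the `example: West&limit=10` on the `q` parameter of `listGroups` is not a value of `q`; a generated client would percent-encode it as `q=West%26limit%3D10`, so it should be just `West`. In the same parameter block, the `filterByTypeAndProfileLastUpdatedAfterDate` value uses `2016-11-11` while its summary says 11/11/2015, the `sortOrder` description contains "if if", and the sentence about the default Everyone group not being returned to Group Admins sits under the `limit` parameter description although it describes the operation as a whole. Further up in the hunk, the PUT on `/api/v1/first-party-app-settings/{appName}` inlines its `403` with the `Error` schema and an `Access Denied` example instead of the `$ref: '#/components/responses/ErrorAccessDenied403'` used everywhere else (and its GET says `OK` where every other response says `Success`). Finally, the inline request schema for `addGroup` (`properties: profile:`) should carry `type: object` and `required: [profile]` so generated clients do not accept an empty body.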
@@ -7815,70 +10166,75 @@ paths: schema: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/GroupRule' + examples: + ListGroupRulesExample: + $ref: '#/components/examples/list-group-rules-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.groups.read tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/generate: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Generate a new Signing Credential Key - description: Generates a new X.509 certificate for an IdP signing key credential to be used for signing assertions sent to the IdP - operationId: generateIdentityProviderSigningKey - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: validityYears - in: query - description: expiry of the IdP Key Credential - required: true - schema: - type: integer - format: int32 + summary: Create a Group rule + description: |- + Creates a Group rule to dynamically add Users to the specified Group if they match the condition + > **Note:** Group rules are created with the status set to `'INACTIVE'`. 
+ operationId: createGroupRule + x-codegen-request-body-name: groupRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateGroupRuleRequest' + examples: + GroupRuleExample: + $ref: '#/components/examples/create-group-rule-request-example' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/{keyId}: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules/{groupRuleId}: + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' get: - summary: Retrieve a Signing Credential Key - description: Gets a specific IdP Key Credential by `kid` - operationId: getIdentityProviderSigningKey + summary: Retrieve a Group rule + description: Retrieves a specific Group rule by ID from your org + operationId: getGroupRule parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: keyId - in: path - required: true + - name: expand + in: query + description: If specified as `groupIdToGroupNameMap`, then show Group names schema: type: string responses: 
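Review bot: the note on `createGroupRule` writes the status as `'INACTIVE'` (backticks around single quotes) while the rest of the file writes `INACTIVE` in plain backticks; normalize it so the rendered docs do not show stray quotes. The `expand` parameter on `getGroupRule` ("then show Group names") also reads slightly differently from the same parameter on `listGroupRules` ("then displays group names"); the two descriptions should match.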
@@ -7887,7 +10243,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7895,39 +10254,41 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.groups.read tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/{keyId}/clone: - post: - summary: Clone a Signing Credential Key - description: Clones a X.509 certificate for an IdP signing key credential from a source IdP to target IdP - operationId: cloneIdentityProviderKey - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: keyId - in: path - required: true - schema: - type: string - - name: targetIdpId - in: query - required: true - schema: - type: string + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Group rule + description: |- + Replaces a Group rule + > **Notes:** You only can update rules with a Group whose status is set to `'INACTIVE'`. + > + > You currently can't update the `action` section. + operationId: replaceGroupRule + x-codegen-request-body-name: groupRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' + required: true responses: - '201': - description: Created + '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/GroupRule' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
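Review bot: in `replaceGroupRule` the note "You only can update rules with a Group whose status is set to `'INACTIVE'`" reads as if the Group's status were the constraint, when the preceding operation states that it is the rule that is created `INACTIVE`; reword it to say that only rules whose own status is `INACTIVE` can be replaced. The `200` response here also lacks the `examples` entry that the surrounding GroupRule operations carry.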
@@ -7935,29 +10296,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/lifecycle/activate: - post: - summary: Activate an Identity Provider - description: Activates an inactive IdP. - operationId: activateIdentityProvider + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Group Rule + description: Deletes a specific group rule by `groupRuleId` + operationId: deleteGroupRule parameters: - - name: idpId - in: path - required: true + - name: removeUsers + in: query + description: If set to `true`, removes Users from Groups assigned by this rule schema: - type: string + type: boolean + default: false responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' + '202': + description: Accepted + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
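Review bot: `deleteGroupRule` returns `202 Accepted`, which means the deletion and the `removeUsers=true` membership cleanup complete asynchronously, but neither the operation description nor the `removeUsers` description says so. Document that memberships granted by the rule are removed after the response returns, since a caller that uses this operation as part of an access-revocation workflow must not assume the removals are visible immediately.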
@@ -7965,61 +10326,51 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/lifecycle/deactivate: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules/{groupRuleId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' post: - summary: Deactivate an Identity Provider - description: Deactivates an active IdP. - operationId: deactivateIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string + summary: Activate a Group Rule + description: Activates a specific Group rule by ID from your org + operationId: activateGroupRule responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - '403': + '204': + description: No Content + content: {} + '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/users: - get: - summary: List all Users - description: Find all the users linked to an identity provider - operationId: listIdentityProviderApplicationUsers - parameters: - - name: idpId - in: path - required: true - schema: - type: string + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules/{groupRuleId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' + post: + summary: Deactivate a Group Rule + description: Deactivates a specific Group rule by ID from your org + operationId: deactivateGroupRule responses: - '200': - 
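Review bot: the `activateGroupRule` responses remove and re-add the `'403':` line with identical content, which looks like a whitespace-only change; harmless, but it adds noise to an already large diff and is worth dropping if the indentation was not actually wrong.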
description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/IdentityProviderApplicationUser' + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -8027,34 +10378,31 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/users/{userId}: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: - summary: Retrieve a User - description: Fetches a linked IdP user by ID - operationId: getIdentityProviderApplicationUser - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string + summary: Retrieve a Group + description: Retrieves a specific Group by `id` from your org + operationId: getGroup responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/IdentityProviderApplicationUser' + $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -8062,32 +10410,30 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.groups.read tags: - - IdentityProvider - post: - summary: Link a User to a Social IdP - description: Links an Okta user to an existing Social Identity Provider. This does not support the SAML2 Identity Provider Type - operationId: linkUserToIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: userIdentityProviderLinkRequest + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Group + description: |- + Replaces the profile for a Group of `OKTA_GROUP` type from your org + > **Note :** You only can modify profiles for groups of the `OKTA_GROUP` type. + > + > App imports are responsible for updating profiles for groups of the `APP_GROUP` type, such as Active Directory groups. + operationId: replaceGroup + x-codegen-request-body-name: group requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserIdentityProviderLinkRequest' + properties: + profile: + $ref: '#/components/schemas/OktaUserGroupProfile' required: true responses: '200': @@ -8095,7 +10441,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/IdentityProviderApplicationUser' + $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -8105,26 +10454,20 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - IdentityProvider + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unlink a User from IdP - description: Removes the link between the Okta user and the IdP user. - operationId: unlinkUserFromIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string + summary: Delete a Group + description: |- + Deletes a Group of the `OKTA_GROUP` or `APP_GROUP` type from your org + > **Note:** You can't remove Groups of type `APP_GROUP` if they are used in a group push mapping. + operationId: deleteGroup responses: '204': description: No Content 
@@ -8136,27 +10479,34 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.manage + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/users/{userId}/credentials/tokens: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/apps: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: - summary: List all Tokens from a OIDC Identity Provider - description: Fetches the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth. - operationId: listSocialAuthTokens + summary: List all Assigned Applications + description: Lists all apps that are assigned to a Group. See [Application Groups API](/openapi/okta-management/management/tag/ApplicationGroups/). + operationId: listAssignedApplicationsForGroup parameters: - - name: idpId - in: path - required: true + - name: after + in: query + description: Specifies the pagination cursor for the next page of apps schema: type: string - - name: userId - in: path - required: true + - name: limit + in: query + description: Specifies the number of app results for a page schema: - type: string + type: integer + format: int32 + default: 20 responses: '200': description: Success @@ -8165,7 +10515,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/SocialAuthToken' + $ref: '#/components/schemas/Application' + examples: + ListAppsExample: + $ref: '#/components/examples/list-apps-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -8173,21 +10526,39 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.idps.read + - apiToken: [] + - oauth2: + - okta.groups.read tags: - - IdentityProvider - /api/v1/inlineHooks: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/owners: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: - summary: List all Inline Hooks - description: Success - operationId: listInlineHooks + summary: List all Group Owners + description: Lists all owners for a specific group + operationId: listGroupOwners parameters: - - name: type + - name: search + in: query + description: SCIM Filter expression for group owners. Allows to filter owners by type. + schema: + type: string + - name: after in: query + description: Specifies the pagination cursor for the next page of owners schema: type: string + - name: limit + in: query + description: Specifies the number of owner results in a page + schema: + type: integer + format: int32 + default: 1000 responses: '200': description: Success 
@@ -8196,65 +10567,123 @@ paths: schema: type: array items: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/GroupOwner' + examples: + ListsOneOwnerOfaGroup: + $ref: '#/components/examples/ListsOwnerOneResponse' + ListsMultipleOwnersOfaGroup: + $ref: '#/components/examples/ListsOwnersMultipleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.inlineHooks.read + - apiToken: [] + - oauth2: + - okta.groups.read tags: - - InlineHook + - GroupOwner + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create an Inline Hook - description: Success - operationId: createInlineHook - x-codegen-request-body-name: inlineHook + summary: Assign a Group Owner + description: Assigns a group owner + operationId: assignGroupOwner + parameters: + - $ref: '#/components/parameters/pathGroupId' requestBody: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/AssignGroupOwnerRequestBody' + examples: + AssignAGroupOwner: + $ref: '#/components/examples/AssignGroupOwnerRequest' required: true responses: - '200': + '201': description: Success content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/GroupOwner' + examples: + AssignAGroupOwner: + $ref: '#/components/examples/AssignGroupOwnerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.groups.manage tags: - - InlineHook - /api/v1/inlineHooks/{inlineHookId}: + - GroupOwner + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/owners/{ownerId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathOwnerId' + delete: + summary: Delete a Group Owner + description: Deletes a group owner from a specific group + operationId: deleteGroupOwner + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - GroupOwner + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: - summary: Retrieve an Inline Hook - description: Gets an inline hook by ID - operationId: getInlineHook + summary: List all Group Role Assignments + description: Lists all assigned roles of a Group by `groupId` + operationId: listGroupAssignedRoles parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/pathQueryRoleExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + type: array + items: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponseGroup' + Custom Roles: + $ref: '#/components/examples/CustomRolesListResponseGroup' + IAM-Based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponseGroup' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -8262,27 +10691,40 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.inlineHooks.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - InlineHook - put: - summary: Replace an Inline Hook - description: Updates an inline hook by ID - operationId: updateInlineHook + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign a Role to a Group + description: |- + Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a Group. + + You can also assign a custom role to a Group, but the preferred method to assign a custom role to a Group is to create a binding between the Custom Role, the Resource Set, and the Group. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. + operationId: assignRoleToGroup parameters: - - name: inlineHookId - in: path - required: true + - name: disableNotifications + in: query + description: Grants the Group third-party admin status when set to `true` schema: - type: string - x-codegen-request-body-name: inlineHook + type: boolean + default: false + x-codegen-request-body-name: assignRoleRequest requestBody: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' required: true responses: '200': 
@@ -8290,7 +10732,19 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup' + Custom Roles: + $ref: '#/components/examples/CreateCustomRoleResponseGroup' + IAM-based Standard Roles: + $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' + '201': + description: Success + content: {} '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -8300,21 +10754,57 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - InlineHook + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: Retrieve a Group Role Assignment + description: Retrieves a Role assigned to a Group (identified by the `groupId`). The `roleAssignmentId` is the unique identifier for either a standard role Group Assignment object or a custom role Resource Set Binding object. + operationId: getGroupAssignedRole + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup' + Custom Roles: + $ref: '#/components/examples/CreateCustomRoleResponseGroup' + IAM-based Standard Roles: + $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete an Inline Hook - description: Deletes the Inline Hook matching the provided id. Once deleted, the Inline Hook is unrecoverable. As a safety precaution, only Inline Hooks with a status of INACTIVE are eligible for deletion. 
- operationId: deleteInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string + summary: Unassign a Group Role + description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a Group (identified by the `groupId`) + operationId: unassignRoleFromGroup responses: '204': description: No Content 
@@ -8326,38 +10816,42 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - InlineHook - /api/v1/inlineHooks/{inlineHookId}/execute: - post: - summary: Execute an Inline Hook - description: Executes the Inline Hook matching the provided inlineHookId using the request body as the input. This will send the provided data through the Channel and return a response if it matches the correct data contract. This execution endpoint should only be used for testing purposes. - operationId: executeInlineHook + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: List all Group Role Application Targets + description: Lists all app targets for an `APP_ADMIN` Role Assignment to a Group. The response includes a list of OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app doesn't. 
+ operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup parameters: - - name: inlineHookId - in: path - required: true + - name: after + in: query schema: type: string - x-codegen-request-body-name: payloadData - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHookPayload' - required: true + - name: limit + in: query + schema: + type: integer + format: int32 + default: 20 responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/InlineHookResponse' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + type: array + items: + $ref: '#/components/schemas/CatalogApplication' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -8365,88 +10859,137 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - InlineHook - /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate: - post: - summary: Activate an Inline Hook - description: Activates the Inline Hook matching the provided id - operationId: activateInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + put: + summary: Assign an Group Role Application Target + description: Assigns an OIN app target to an `APP_ADMIN` Role Assignment to a Group. When you assign the first OIN app target, you reduce the scope of the Role Assignment. The Role no longer applies to all app targets but applies only to the specified target. An OIN app target that's assigned to the Role overrides any existing instance targets of the OIN app. For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app with `facebook` for `appName` makes that user the administrator for all Facebook instances. 
+ operationId: assignAppTargetToAdminRoleForGroup responses: '200': description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - InlineHook - /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate: - post: - summary: Deactivate an Inline Hook - description: Deactivates the Inline Hook matching the provided id - operationId: deactivateInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Group Role Application Target + description: | + Unassigns an OIN app target from an `APP_ADMIN` Role Assignment to a Group + + > **Note:** You can't remove the last app target from a Role Assignment, since this causes an exception. + > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. See [Unassign a Group Role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). 
+ operationId: unassignAppTargetToAdminRoleForGroup responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - InlineHook - /api/v1/logs: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' + put: + summary: Assign an Group Role Application Instance Target + description: |- + Assigns an app instance target to an `APP_ADMIN` Role Assignment to a Group. When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment. The Role no longer applies to all app targets, but applies only to the specified target. + > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. 
+ operationId: assignAppInstanceTargetToAppAdminRoleForGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an Group Role Application Instance Target + description: |- + Unassigns an app instance target from an `APP_ADMIN` Role Assignment to a Group + > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception. > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. See [Unassign a Group Role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). + operationId: unassignAppInstanceTargetToAppAdminRoleForGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all System Log Events - description: The Okta System Log API provides read access to your organization’s system log. 
This API provides more functionality than the Events API - operationId: getLogs + summary: List all Group Role Group Targets + description: | + Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. + If the Role isn't scoped to specific Group targets, an empty array `[]` is returned. + operationId: listGroupTargetsForGroupRole parameters: - - name: since - in: query - schema: - type: string - format: date-time - - name: until - in: query - schema: - type: string - format: date-time - - name: filter - in: query - schema: - type: string - - name: q + - name: after in: query schema: type: string @@ -8454,16 +10997,8 @@ paths: in: query schema: type: integer - default: 100 - - name: sortOrder - in: query - schema: - type: string - default: ASCENDING - - name: after - in: query - schema: - type: string + format: int32 + default: 20 responses: '200': description: Success 
@@ -8472,42 +11007,94 @@ paths: schema: type: array items: - $ref: '#/components/schemas/LogEvent' + $ref: '#/components/schemas/Group' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.logs.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - SystemLog - /api/v1/mappings: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups/{targetGroupId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathTargetGroupId' + put: + summary: Assign a Group Role Group Target + description: | + Assigns a Group target to a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. + When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets but applies only to the specified target. + operationId: assignGroupTargetToGroupAdminRole + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Group Role Group Target + description: Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. 
+ operationId: unassignGroupTargetFromGroupAdminRole + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/users: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: - summary: List all Profile Mappings - description: Enumerates Profile Mappings in your organization with pagination. - operationId: listProfileMappings + summary: List all Member Users + description: |- + Lists all users that are a member of a Group. + + The default user limit is set to a very high number due to historical reasons that are no longer valid for most orgs. This will change in a future version of this API. The recommended page limit is now `limit=200`. + operationId: listGroupUsers parameters: - - name: after - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAfter' - name: limit in: query + description: Specifies the number of user results in a page schema: type: integer format: int32 - default: -1 - - name: sourceId - in: query - schema: - type: string - - name: targetId - in: query - schema: - type: string - default: '' + default: 1000 responses: '200': description: Success 
@@ -8516,63 +11103,133 @@ paths: schema: type: array items: - $ref: '#/components/schemas/ProfileMapping' + $ref: '#/components/schemas/User' + examples: + ListMemberUserResponse: + $ref: '#/components/examples/ListUsersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.profileMappings.read + - apiToken: [] + - oauth2: + - okta.groups.read tags: - - ProfileMapping - /api/v1/mappings/{mappingId}: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/users/{userId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathUserId' + put: + summary: Assign a User to a Group + description: |- + Assigns a User to a Group with the `OKTA_GROUP` type + > **Note:** You only can modify memberships for Groups of the `OKTA_GROUP` type. App imports are responsible for managing group memberships for Groups of the `APP_GROUP` type, such as Active Directory groups. + operationId: assignUserToGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a User from a Group + description: |- + Unassigns a User from a Group with the `OKTA_GROUP` type + > **Note:** You only can modify memberships for groups of the `OKTA_GROUP` type. + > + > App imports are responsible for managing group memberships for groups of the `APP_GROUP` type, such as Active Directory groups. 
+ operationId: unassignUserFromGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/hook-keys: get: - summary: Retrieve a Profile Mapping - description: Fetches a single Profile Mapping referenced by its ID. - operationId: getProfileMapping - parameters: - - name: mappingId - in: path - required: true - schema: - type: string + summary: List all keys + description: Lists all keys + operationId: listHookKeys responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/ProfileMapping' + type: array + items: + $ref: '#/components/schemas/HookKey' + examples: + ResponseExample: + $ref: '#/components/examples/ListAllKeysResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.profileMappings.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.read tags: - - ProfileMapping + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update a Profile Mapping - description: Updates an existing Profile Mapping by adding, updating, or removing one or many Property Mappings. - operationId: updateProfileMapping - parameters: - - name: mappingId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: profileMapping + summary: Create a key + description: |- + Creates a key for use with other parts of the application, such as inline hooks + + > **Note:** Use the key name to access this key for inline hook operations. 
+ + The total number of keys that you can create in an Okta org is limited to 50. + + The response is a [Key object](https://developer.okta.com/docs/reference/api/hook-keys/#key-object) that represents the + key that you create. The `id` property in the response serves as the unique ID for the key, which you can specify when + invoking other CRUD operations. The `keyId` provided in the response is the alias of the public key that you can use to get + details of the public key data in a separate call. + + > **Note:** The keyId is the alias of the public key that you can use to retrieve the public key. + operationId: createHookKey + x-codegen-request-body-name: keyRequest requestBody: content: application/json: schema: - $ref: '#/components/schemas/ProfileMapping' + $ref: '#/components/schemas/KeyRequest' required: true responses: '200': 
@@ -8580,65 +11237,86 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/ProfileMapping' + $ref: '#/components/schemas/DetailedHookKeyInstance' + examples: + ResponseExample: + $ref: '#/components/examples/CreateHookKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.profileMappings.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - ProfileMapping - /api/v1/meta/layouts/apps/{appName}: + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/hook-keys/public/{keyId}: + parameters: + - $ref: '#/components/parameters/pathPublicKeyId' get: - summary: Retrieve the UI Layout for an Application - description: Takes an Application name as an input parameter and retrieves the App Instance page Layout for that Application. - operationId: getApplicationLayout - parameters: - - name: appName - in: path - required: true - schema: - type: string + summary: Retrieve a public key + description: |- + Retrieves a public key by `keyId` + + >**Note:** keyId is the alias of the public key. 
+ operationId: getPublicKey responses: '200': - description: successful operation + description: Success content: application/json: schema: - $ref: '#/components/schemas/ApplicationLayout' + $ref: '#/components/schemas/_embedded' + examples: + ResponseExample: + $ref: '#/components/examples/RetrievePublicKeyResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.schemas.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.read tags: - - Schema - /api/v1/meta/schemas/apps/{appInstanceId}/default: + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/hook-keys/{id}: + parameters: + - $ref: '#/components/parameters/pathHookKeyId' get: - summary: Retrieve the default Application User Schema for an Application - description: Fetches the Schema for an App User - operationId: getApplicationUserSchema + summary: Retrieve a key by ID + description: |- + Retrieves the public portion of the Key object using the `id` parameter + + >**Note:** The `?expand=publickey` query parameter optionally returns the full object including the details of the public key in the response body's `_embedded` property. + operationId: getHookKey parameters: - - name: appInstanceId + - name: id + description: A valid key ID in: path - required: true schema: type: string responses: '200': - description: successful operation + description: Success content: application/json: schema: - $ref: '#/components/schemas/UserSchema' + $ref: '#/components/schemas/HookKey' + examples: + ResponseExample: + $ref: '#/components/examples/RetrieveKeyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -8646,35 +11324,40 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.schemas.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.read tags: - - Schema - post: - summary: Update the default Application User Schema for an Application - description: Partial updates on the User Profile properties of the Application User Schema. - operationId: updateApplicationUserProfile - parameters: - - name: appInstanceId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: body + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a key + description: |- + Replaces a key by `id` + + This request replaces existing properties after passing validation. + + > **Note:** The only parameter that you can update is the name of the key, which must be unique at all times. + operationId: replaceHookKey + x-codegen-request-body-name: keyRequest requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserSchema' - required: false + $ref: '#/components/schemas/KeyRequest' + required: true responses: '200': - description: successful operation + description: Success content: application/json: schema: - $ref: '#/components/schemas/UserSchema' + $ref: '#/components/schemas/DetailedHookKeyInstance' + examples: + ResponseExample: + $ref: '#/components/examples/ReplaceKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -8684,104 +11367,146 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.schemas.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - Schema - /api/v1/meta/schemas/group/default: - get: - summary: Retrieve the default Group Schema - description: Fetches the group schema - operationId: getGroupSchema - parameters: [] + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a key + description: | + Deletes a key by `id`. After being deleted, the key is unrecoverable. + + As a safety precaution, only keys that aren't being used are eligible for deletion. + operationId: deleteHookKey responses: - '200': - description: successful operation - content: - application/json: - schema: - $ref: '#/components/schemas/GroupSchema' + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.schemas.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - Schema - post: - summary: Update the default Group Schema - description: Updates, adds or removes one or more custom Group Profile properties in the schema - operationId: updateGroupSchema - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/GroupSchema' + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/assignees/users: + get: + summary: List all Users with Role Assignments + description: Lists all users with Role Assignments + operationId: listUsersWithRoleAssignments + parameters: + - name: after + description: Specifies the pagination cursor for the next page of targets + in: query + schema: + type: string + required: false + - name: limit + in: query + description: 
Specifies the number of results returned. Defaults to `100`. + schema: + type: integer + format: int32 + default: 100 + required: false responses: '200': - description: successful operation + description: Success content: application/json: schema: - $ref: '#/components/schemas/GroupSchema' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/RoleAssignedUsers' + examples: + User List: + $ref: '#/components/examples/RoleAssignedUsersResponseExample' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.schemas.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - Schema - /api/v1/meta/schemas/user/linkedObjects: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/governance/bundles: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] get: - summary: List all Linked Object Definitions - description: Success - operationId: listLinkedObjectDefinitions + summary: List all Governance Bundles for the Admin Console + description: Lists all Governance Bundles for the Admin Console in your org + operationId: listGovernanceBundles + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': - description: Success + description: OK content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/LinkedObject' + $ref: '#/components/schemas/GovernanceBundlesResponse' + examples: + GovernanceBundlesResponse: + $ref: '#/components/examples/GovernanceBundlesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - 
okta.linkedObjects.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - LinkedObject + - GovernanceBundle post: - summary: Create a Linked Object Definition - description: Success - operationId: addLinkedObjectDefinition - x-codegen-request-body-name: linkedObject + summary: Create a Governance Bundle for the Admin Console in RAMP + description: Creates a Governance Bundle for the Admin Console in RAMP + operationId: createGovernanceBundle requestBody: content: application/json: schema: - $ref: '#/components/schemas/LinkedObject' + $ref: '#/components/schemas/GovernanceBundleCreateRequest' + examples: + GovernanceBundleCreateRequestStandardRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestStandardRole' + GovernanceBundleCreateRequestScopedStandardRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestScopedStandardRole' + GovernanceBundleCreateRequestCustomRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestCustomRole' required: true responses: - '201': - description: Created + '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/LinkedObject' + $ref: '#/components/schemas/GovernanceBundle' + examples: + createGovernanceBundleResponse: + $ref: '#/components/examples/GovernanceBundle' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -8789,235 +11514,297 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.linkedObjects.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - LinkedObject - /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}: + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' get: - summary: Retrieve a Linked Object Definition - description: Success - operationId: getLinkedObjectDefinition - parameters: - - name: linkedObjectName - in: path - required: true - schema: - type: string + summary: Retrieve a Governance Bundle from RAMP + description: Retrieves a Governance Bundle from RAMP + operationId: getGovernanceBundle + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + GovernanceBundle: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + put: + summary: Replace a Governance Bundle in RAMP + description: Replaces a Governance Bundle in RAMP + operationId: replaceGovernanceBundle + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundleUpdateRequest' + examples: + GovernanceBundleUpdateRequestStandardRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestStandardRole' + GovernanceBundleUpdateRequestScopedStandardRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestScopedStandardRole' + GovernanceBundleUpdateRequestCustomRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestCustomRole' 
+ required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/LinkedObject' + $ref: '#/components/schemas/GovernanceBundle' + examples: + GovernanceBundle: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.linkedObjects.read + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - LinkedObject + - GovernanceBundle delete: - summary: Delete a Linked Object Definition - description: Success - operationId: deleteLinkedObjectDefinition - parameters: - - name: linkedObjectName - in: path - required: true - schema: - type: string + summary: Delete a Governance Bundle from RAMP + description: Deletes a Governance Bundle from RAMP + operationId: deleteGovernanceBundle responses: '204': description: No Content - content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.linkedObjects.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - LinkedObject - /api/v1/meta/schemas/user/{schemaId}: + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}/entitlements: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' get: - summary: Retrieve a User Schema - description: Fetches the schema for a Schema Id. 
- operationId: getUserSchema + summary: List all Entitlements for a Governance Bundle + description: Lists all Entitlements specific to a Governance Bundle + operationId: listBundleEntitlements parameters: - - name: schemaId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/UserSchema' + $ref: '#/components/schemas/BundleEntitlementsResponse' + examples: + BundleEntitlementsResponse: + $ref: '#/components/examples/BundleEntitlementsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.schemas.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - Schema - post: - summary: Update a User Schema - description: Partial updates on the User Profile properties of the user schema. 
- operationId: updateUserProfile + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}/entitlements/{entitlementId}/values: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + - $ref: '#/components/parameters/pathEntitlementId' + get: + summary: List all Entitlement Values for a Bundle Entitlement + description: Lists all Entitlement Values specific to a Bundle Entitlement + operationId: listBundleEntitlementValues parameters: - - name: schemaId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: userSchema - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserSchema' - required: true + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/UserSchema' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/EntitlementValuesResponse' + examples: + EntitlementValuesResponse: + $ref: '#/components/examples/EntitlementValuesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.schemas.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - Schema - /api/v1/meta/types/user: + - GovernanceBundle + /api/v1/iam/governance/optIn: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] get: - summary: List all User Types - description: Fetches all User Types in your org - operationId: listUserTypes + summary: Retrieve the opt-in status from RAMP + description: Retrieves the opt-in status of the Admin Console from RAMP + operationId: getOptInStatus responses: '200': - description: 
Success + description: OK content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/UserType' + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptInStatusResponse: + $ref: '#/components/examples/OptInStatusResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.userTypes.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - UserType + - GovernanceBundle post: - summary: Create a User Type - description: Creates a new User Type. A default User Type is automatically created along with your org, and you may add another 9 User Types for a maximum of 10. - operationId: createUserType - x-codegen-request-body-name: userType - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserType' - required: true + summary: Opt in the Admin Console to RAMP + description: Opts in the Admin Console to RAMP + operationId: optIn responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/UserType' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptInStatusResponse: + $ref: '#/components/examples/OptInStatusResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.userTypes.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - UserType - /api/v1/meta/types/user/{typeId}: + - GovernanceBundle + /api/v1/iam/governance/optOut: + post: + summary: Opt out the Admin Console from RAMP + description: Opts out the Admin Console from RAMP + operationId: optOut + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + 
OptOutStatusResponse: + $ref: '#/components/examples/OptOutStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/iam/resource-sets: get: - summary: Retrieve a User Type - description: Fetches a User Type by ID. The special identifier `default` may be used to fetch the default User Type. - operationId: getUserType + summary: List all Resource Sets + description: Lists all Resource Sets with pagination support + operationId: listResourceSets parameters: - - name: typeId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/queryAfter' responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/UserType' + $ref: '#/components/schemas/ResourceSets' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.userTypes.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - UserType + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update a User Type - description: Updates an existing User Type - operationId: updateUserType - parameters: - - name: typeId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: userType + summary: Create a Resource Set + description: |- + Creates a new Resource Set. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). 
+ + > **Note:** The maximum number of `resources` allowed in a Resource Set object is 1000. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn). + operationId: createResourceSet + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserType' + $ref: '#/components/schemas/CreateResourceSetRequest' + examples: + Example Request: + $ref: '#/components/examples/ResourceSetRequest' required: true responses: '200': @@ -9025,9 +11812,49 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UserType' + $ref: '#/components/schemas/ResourceSet' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}: + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + get: + summary: Retrieve a Resource Set + description: Retrieves a Resource Set by `resourceSetIdOrLabel` + operationId: getResourceSet + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSet' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9035,35 +11862,38 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.userTypes.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - UserType + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a User Type - description: Replace an existing User Type - operationId: replaceUserType - parameters: - - name: typeId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: userType + summary: Replace a Resource Set + description: Replaces the label and description of a Resource Set + operationId: replaceResourceSet + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserType' + $ref: '#/components/schemas/ResourceSet' + examples: + Example Request: + $ref: '#/components/examples/ReplaceResourceSetRequest' required: true responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/UserType' + $ref: '#/components/schemas/ResourceSet' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -9073,161 +11903,209 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.userTypes.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - UserType + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a User Type - description: Deletes a User Type permanently. This operation is not permitted for the default type, nor for any User Type that has existing users - operationId: deleteUserType - parameters: - - name: typeId - in: path - required: true - schema: - type: string + summary: Delete a Resource Set + description: Deletes a Resource Set by `resourceSetIdOrLabel` + operationId: deleteResourceSet responses: '204': description: No Content - content: {} '403': - $ref: '#/components/responses/ErrorAccessDenied403' + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.userTypes.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - UserType - /api/v1/org: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings: + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: - summary: Retrieve the Org Settings - description: Get settings of your organization. 
- operationId: getOrgSettings - parameters: [] + summary: List all Role Resource Set Bindings + description: Lists all Bindings for a Resource Set with pagination support + operationId: listBindings + parameters: + - $ref: '#/components/parameters/queryAfter' responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgSetting' + $ref: '#/components/schemas/ResourceSetBindings' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update the Org Settings - description: Partial update settings of your organization. 
- operationId: partialUpdateOrgSetting + summary: Create a Role Resource Set Binding + description: Creates a Binding for the Resource Set, Custom Role, and members (Users or Groups) + operationId: createResourceSetBinding + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/OrgSetting' + $ref: '#/components/schemas/ResourceSetBindingCreateRequest' + examples: + Example Request: + $ref: '#/components/examples/ResourceSetBindingCreateRequestExample' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OrgSetting' + $ref: '#/components/schemas/ResourceSetBindingResponse' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - OrgSetting - put: - summary: Replace the Org Settings - description: Update settings of your organization. 
- operationId: updateOrgSetting - x-codegen-request-body-name: orgSetting - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/OrgSetting' - required: true + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}: + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + - $ref: '#/components/parameters/pathRoleIdOrLabel' + get: + summary: Retrieve a Role Resource Set Binding + description: Retrieves the Binding of a Role (identified by `roleIdOrLabel`) in a Resource Set (identified by `resourceSetIdOrLabel`) + operationId: getBinding responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgSetting' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/ResourceSetBindingResponse' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingResponseWithIdExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting - /api/v1/org/contacts: - get: - summary: Retrieve the Org Contact Types - description: Gets Contact Types of your organization. 
- operationId: getOrgContactTypes - parameters: [] + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Role Resource Set Binding + description: Deletes a Binding of a Role (identified by `roleIdOrLabel`) and a Resource Set (identified by `resourceSetIdOrLabel`) + operationId: deleteBinding responses: - '200': - description: Success + '204': + description: No Content + '403': + description: Forbidden + headers: {} content: application/json: schema: - items: - $ref: '#/components/schemas/OrgContactTypeObj' - type: array - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.read + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - OrgSetting - /api/v1/org/contacts/{contactType}: + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members: + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + - $ref: '#/components/parameters/pathRoleIdOrLabel' get: - summary: Retrieve the User of the Contact Type - description: Retrieves the URL of the User associated with the specified Contact Type. 
- operationId: getOrgContactUser + summary: List all Role Resource Set Binding Members + description: Lists all members of a Role Resource Set Binding with pagination support + operationId: listMembersOfBinding parameters: - - in: path - name: contactType - required: true - schema: - type: string + - $ref: '#/components/parameters/queryAfter' responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgContactUser' + $ref: '#/components/schemas/ResourceSetBindingMembers' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingMembersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9235,27 +12113,27 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting - put: - summary: Replace the User of the Contact Type - description: Updates the User associated with the specified Contact Type. - operationId: updateOrgContactUser - parameters: - - in: path - name: contactType - required: true - schema: - type: string - x-codegen-request-body-name: orgContactUser + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + patch: + summary: Add more Role Resource Set Binding Members + description: Adds more members to a Role Resource Set Binding + operationId: addMembersToBinding + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/OrgContactUser' + $ref: '#/components/schemas/ResourceSetBindingAddMembersRequest' + examples: + Example Request: + $ref: '#/components/examples/ResourceSetBindingAddMembersRequestExample' required: true responses: '200': 
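Review bot: the `'403'` response on `deleteBinding` is spelled out inline (`description: Forbidden`, `headers: {}`, an inline `Error` schema with the `Access Denied` example) while `getBinding` a few lines above uses `$ref: '#/components/responses/ErrorAccessDenied403'`; use the shared response component here too and drop the empty `headers: {}`, so every 403 in the spec renders and generates identically.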
@@ -9263,9 +12141,53 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/OrgContactUser' + $ref: '#/components/schemas/ResourceSetBindingResponse' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members/{memberId}: + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + - $ref: '#/components/parameters/pathRoleIdOrLabel' + - $ref: '#/components/parameters/pathMemberId' + get: + summary: Retrieve a Role Resource Set Binding Member + description: Retrieves a Member (identified by `memberId`) that belongs to a Role Resource Set Binding + operationId: getMemberOfBinding + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetBindingMember' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingMemberResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9273,454 +12195,536 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting - /api/v1/org/email/bounces/remove-list: - post: - summary: Remove Emails from Email Provider Bounce List - description: A list of email addresses to be removed from the set of email addresses that are bounced. - operationId: bulkRemoveEmailAddressBounces - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/BouncesRemoveListObj' - examples: - example-1: - value: - emailAddresses: - - name@company.com - - unknown.email@okta.com - - name@okta@com + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Role Resource Set Bindiing Member + description: Unassigns a Member (identified by `memberId`) from a Role Resource Set Binding + operationId: unassignMemberFromBinding + x-codegen-request-body-name: instance responses: - '200': - description: Removes the provided list of emails from the set of email addresses that are bounced so that the provider resumes sending emails to those addresses. + '204': + description: No Content + '403': + description: Forbidden + headers: {} content: application/json: schema: - $ref: '#/components/schemas/BouncesRemoveListResult' + $ref: '#/components/schemas/Error' examples: - example-1: - value: - errors: - - emailAddress: unknown.email@okta.com - reason: This email address does not belong to any user in your organization. - - emailAddress: name@okta@com - reason: Invalid email address. The provided email address failed validation against RFC 3696. 
- '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage - tags: - - OrgSetting - /api/v1/org/logo: - post: - summary: Upload the Org Logo - description: Updates the logo for your organization. - operationId: updateOrgLogo - requestBody: - content: - multipart/form-data: - schema: - description: The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. - type: object - properties: - file: - type: string - format: binary - required: - - file - description: logo file - responses: - '201': - description: Created - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.apps.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - OrgSetting - /api/v1/org/preferences: + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources: + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: - summary: Retrieve the Org Preferences - description: Gets preferences of your organization. 
- operationId: getOrgPreferences - parameters: [] + summary: List all Resource Set Resources + description: Lists all Resources for the Resource Set + operationId: listResourceSetResources responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgPreferences' + $ref: '#/components/schemas/ResourceSetResources' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResourcesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting - /api/v1/org/preferences/hideEndUserFooter: - post: - summary: Update the Preference to Hide the Okta Dashboard Footer - description: Hide the Okta UI footer for all end users of your organization. - operationId: hideOktaUIFooter - parameters: [] + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + patch: + summary: Add more Resources to a Resource Set + description: Adds more Resources to a Resource Set + operationId: addResourceSetResources + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetResourcePatchRequest' + examples: + Example Request: + $ref: '#/components/examples/ResourceSetResourcePatchRequestExample' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OrgPreferences' + $ref: '#/components/schemas/ResourceSet' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + description: Forbidden + content: + application/json: + 
schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - OrgSetting - /api/v1/org/preferences/showEndUserFooter: - post: - summary: Update the Preference to Show the Okta Dashboard Footer - description: Makes the Okta UI footer visible for all end users of your organization. - operationId: showOktaUIFooter - parameters: [] + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}: + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + - $ref: '#/components/parameters/pathResourceId' + delete: + summary: Delete a Resource Set Resource + description: Deletes a Resource (identified by `resourceId`) from a Resource Set + operationId: deleteResourceSetResource responses: - '200': - description: Success + '204': + description: No Content + '403': + description: Forbidden + headers: {} content: application/json: schema: - $ref: '#/components/schemas/OrgPreferences' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - OrgSetting - /api/v1/org/privacy/oktaCommunication: + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/roles: get: - summary: Retreive the Okta Communication Settings - description: 
Gets Okta Communication Settings of your organization. - operationId: getOktaCommunicationSettings - parameters: [] + summary: List all Custom Roles + description: Lists all Custom Roles with pagination support + operationId: listRoles + parameters: + - $ref: '#/components/parameters/queryAfter' responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgOktaCommunicationSetting' + $ref: '#/components/schemas/IamRoles' + examples: + Example Response: + $ref: '#/components/examples/RolesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.read + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting - /api/v1/org/privacy/oktaCommunication/optIn: + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Opt in all Users to Okta Communication emails - description: Opts in all users of this org to Okta Communication emails. 
- operationId: optInUsersToOktaCommunicationEmails - parameters: [] + summary: Create a Custom Role + description: Creates a Custom Role + operationId: createRole + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateIamRoleRequest' + examples: + Example Request: + $ref: '#/components/examples/RoleRequest' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OrgOktaCommunicationSetting' + $ref: '#/components/schemas/IamRole' + examples: + Example Response: + $ref: '#/components/examples/RoleResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - OrgSetting - /api/v1/org/privacy/oktaCommunication/optOut: - post: - summary: Opt out all Users from Okta Communication emails - description: Opts out all users of this org from Okta Communication emails. 
- operationId: optOutUsersFromOktaCommunicationEmails - parameters: [] + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/roles/{roleIdOrLabel}: + parameters: + - $ref: '#/components/parameters/pathRoleIdOrLabel' + get: + summary: Retrieve a Role + description: Retrieves a role by `roleIdOrLabel` + operationId: getRole responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgOktaCommunicationSetting' + $ref: '#/components/schemas/IamRole' + examples: + Example Response: + $ref: '#/components/examples/RoleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting - /api/v1/org/privacy/oktaSupport: - get: - summary: Retrieve the Okta Support Settings - description: Gets Okta Support Settings of your organization. 
- operationId: getOrgOktaSupportSettings - parameters: [] + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Custom Role + description: Replaces the label and description for a Custom Role by `roleIdOrLabel` + operationId: replaceRole + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateIamRoleRequest' + examples: + Example Request: + $ref: '#/components/examples/ReplaceRoleRequest' + required: true responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + $ref: '#/components/schemas/IamRole' + examples: + Example Response: + $ref: '#/components/examples/RoleResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.read + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - OrgSetting - /api/v1/org/privacy/oktaSupport/extend: - post: - summary: Extend Okta Support Access - description: Extends the length of time that Okta Support can access your org by 24 hours. This means that 24 hours are added to the remaining access time. 
- operationId: extendOktaSupport - parameters: [] + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Custom Role + description: Deletes a Custom Role by `roleIdOrLabel` + operationId: deleteRole responses: - '200': - description: Success + '204': + description: No Content + '403': + description: Forbidden + headers: {} content: application/json: schema: - $ref: '#/components/schemas/OrgOktaSupportSettingsObj' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - OrgSetting - /api/v1/org/privacy/oktaSupport/grant: - post: - summary: Grant Okta Support Access to your Org - description: Enables you to temporarily allow Okta Support to access your org as an administrator for eight hours. 
- operationId: grantOktaSupport - parameters: [] + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/roles/{roleIdOrLabel}/permissions: + parameters: + - $ref: '#/components/parameters/pathRoleIdOrLabel' + get: + summary: List all Custom Role Permissions + description: Lists all permissions for a Custom Role by `roleIdOrLabel` + operationId: listRolePermissions responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + $ref: '#/components/schemas/Permissions' + examples: + Example Response: + $ref: '#/components/examples/PermissionsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting - /api/v1/org/privacy/oktaSupport/revoke: - post: - summary: Revoke Okta Support Access - description: Revokes Okta Support access to your organization. 
- operationId: revokeOktaSupport - parameters: [] + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}: + parameters: + - $ref: '#/components/parameters/pathRoleIdOrLabel' + - $ref: '#/components/parameters/pathPermissionType' + get: + summary: Retrieve a Custom Role Permission + description: Retrieves a permission (identified by `permissionType`) for a Custom Role + operationId: getRolePermission responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + $ref: '#/components/schemas/Permission' + examples: + Example Response without conditions: + $ref: '#/components/examples/PermissionResponse' + Example Response with conditions: + $ref: '#/components/examples/PermissionResponseWithConditions' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.orgs.manage + - apiToken: [] + - oauth2: + - okta.roles.read tags: - - OrgSetting - /api/v1/policies: - get: - summary: List all Policies - description: Gets all policies with the specified type. 
- operationId: listPolicies - parameters: - - name: type - in: query - required: true - schema: - type: string - - name: status - in: query - schema: - type: string - - name: expand - in: query - schema: - type: string - default: '' + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Custom Role Permission + description: Creates a permission (specified by `permissionType`) for a Custom Role + operationId: createRolePermission + x-codegen-request-body-name: instance + requestBody: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' + examples: + Example Request with include: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude' + Example Request with exclude: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude' + required: false responses: - '200': - description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/Policy' + '204': + description: No Content + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.read + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - Policy - post: - summary: Create a Policy - description: Creates a policy. 
- operationId: createPolicy - parameters: - - name: activate - in: query - schema: - type: boolean - default: true - x-codegen-request-body-name: policy + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Replace a Custom Role Permission + description: Replaces a permission (specified by `permissionType`) for a Custom Role + operationId: replaceRolePermission + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/Policy' - required: true + $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' + examples: + Example Request with include: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude' + Example Request with exclude: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude' + required: false responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/Policy' + $ref: '#/components/schemas/Permission' + examples: + Example Response: + $ref: '#/components/examples/PermissionResponseWithConditions' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - Policy - /api/v1/policies/{policyId}: - get: - summary: Retrieve a Policy - description: Gets a policy. 
- operationId: getPolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string - default: '' + - RoleECustomPermission + delete: + summary: Delete a Custom Role Permission + description: Deletes a permission (identified by `permissionType`) from a Custom Role + operationId: deleteRolePermission responses: - '200': - description: Success + '204': + description: No Content + '403': + description: Forbidden + headers: {} content: application/json: schema: - $ref: '#/components/schemas/Policy' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.read + - apiToken: [] + - oauth2: + - okta.roles.manage tags: - - Policy - put: - summary: Replace a Policy - description: Updates a policy. 
- operationId: updatePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policy - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Policy' - required: true + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/identity-sources/{identitySourceId}/sessions: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + get: + summary: List all Identity Source Sessions + description: Lists all Identity Source Sessions for the given Identity Source instance + operationId: listIdentitySourceSessions responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Policy' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + type: array + items: + $ref: '#/components/schemas/IdentitySourceSession' + examples: + sessionsList: + $ref: '#/components/examples/ListSessionsResponseForGetSessions' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
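Review bot: `createRolePermission` and `replaceRolePermission` both declare their `requestBody` with `required: false`, yet that body carries the include/exclude conditions that define the permission, and a PUT replace with no body has no defined meaning here; set `required: true` unless an empty body is intentionally a "no conditions" shorthand, in which case say so in the description. Three smaller points in the same hunk: the `x-okta-lifecycle` block of `createRolePermission` sits inside `requestBody` instead of at operation level like its siblings; `unassignMemberFromBinding` is a DELETE with no `requestBody` but still carries `x-codegen-request-body-name: instance`; and the summary `Unassign a Role Resource Set Bindiing Member` has a typo.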
@@ -9728,24 +12732,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.identitySources.read tags: - - Policy - delete: - summary: Delete a Policy - description: Removes a policy. - operationId: deletePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Create an Identity Source Session + description: Creates an Identity Source Session for the given Identity Source instance + operationId: createIdentitySourceSession responses: - '204': - description: No Content + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentitySourceSession' + examples: + session: + $ref: '#/components/examples/GetSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
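Review bot: the `x-okta-lifecycle` block added to `listIdentitySourceSessions` and `createIdentitySourceSession` says `lifecycle: GA` but `isGenerallyAvailable: false` with `SKUs: []`, which contradict each other. Either mark the operations with the pre-GA stage they are actually in (and the SKUs that gate them) or set `isGenerallyAvailable: true`, so consumers of the spec do not treat a gated feature as generally available.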
@@ -9753,31 +12762,33 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.identitySources.manage tags: - - Policy - /api/v1/policies/{policyId}/clone: - post: - summary: Clone an existing policy - description: Clones an existing policy. - operationId: clonePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' + get: + summary: Retrieve an Identity Source Session + description: Retrieves an Identity Source Session for a given Identity Source ID and session ID + operationId: getIdentitySourceSession responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Policy' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/IdentitySourceSession' + examples: + session: + $ref: '#/components/examples/GetSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9785,26 +12796,22 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.identitySources.read tags: - - Policy - /api/v1/policies/{policyId}/lifecycle/activate: - post: - summary: Activate a Policy - description: Activates a policy. - operationId: activatePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + delete: + summary: Delete an Identity Source Session + description: Deletes an Identity Source Session for a given `identitySourceId` and `sessionId` + operationId: deleteIdentitySourceSession responses: '204': description: No Content - content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9812,26 +12819,36 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.identitySources.manage tags: - - Policy - /api/v1/policies/{policyId}/lifecycle/deactivate: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-delete: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: - summary: Deactivate a Policy - description: Deactivates a policy. - operationId: deactivatePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string + summary: Upload the data to be deleted in Okta + description: Uploads external IDs of entities that need to be deleted in Okta from the Identity Source for the given session + operationId: uploadIdentitySourceDataForDelete + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BulkDeleteRequestBody' + examples: + bulkDeletePayload: + $ref: '#/components/examples/bulkDeletePayload' responses: - '204': - description: No Content - content: {} + '202': + description: Accepted + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
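Review bot: the `requestBody` of `uploadIdentitySourceDataForDelete` has no `required: true`, so generated clients will treat the list of external IDs to delete as optional even though a request without it has nothing to act on; the same applies to `uploadIdentitySourceDataForUpsert` in the next hunk. Add `required: true` to both. Because these bodies drive deletion and upsert of identities, the description should also state what `202 Accepted` commits to, since the response carries no schema.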
@@ -9839,31 +12856,36 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.identitySources.manage tags: - - Policy - /api/v1/policies/{policyId}/rules: - get: - summary: List all Policy Rules - description: Enumerates all policy rules. - operationId: listPolicyRules - parameters: - - name: policyId - in: path - required: true - schema: - type: string + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-upsert: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' + post: + summary: Upload the data to be upserted in Okta + description: Uploads entities that need to be inserted or updated in Okta from the Identity Source for the given session + operationId: uploadIdentitySourceDataForUpsert + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BulkUpsertRequestBody' + examples: + bulkUpsertPayload: + $ref: '#/components/examples/bulkUpsertPayload' responses: - '200': - description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/PolicyRule' + '202': + description: Accepted + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9871,37 +12893,33 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.read + - apiToken: [] + - oauth2: + - okta.identitySources.manage tags: - - Policy + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/start-import: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: - summary: Create a Policy Rule - description: Creates a policy rule. - operationId: createPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policyRule - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/PolicyRule' - required: true + summary: Start the import from the Identity Source + description: Starts the import from the Identity Source described by the uploaded bulk operations + operationId: startImportFromIdentitySource responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/PolicyRule' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/IdentitySourceSession' + examples: + triggeredSession: + $ref: '#/components/examples/TriggerSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9909,67 +12927,110 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.identitySources.manage tags: - - Policy - /api/v1/policies/{policyId}/rules/{ruleId}: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/idps: get: - summary: Retrieve a Policy Rule - description: Gets a policy rule. - operationId: getPolicyRule + summary: List all Identity Providers + description: Lists all identity provider integrations with pagination. A subset of IdPs can be returned that match a supported filter expression or query. + operationId: listIdentityProviders parameters: - - name: policyId - in: path - required: true + - name: q + in: query + description: Searches the `name` property of IdPs for matching value schema: type: string - - name: ruleId - in: path - required: true + example: Example SAML + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - name: type + in: query + description: Filters IdPs by `type` schema: - type: string + $ref: '#/components/schemas/IdentityProviderType' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/PolicyRule' + type: array + items: + $ref: '#/components/schemas/IdentityProvider' + examples: + MultipleIdPsResponse: + $ref: '#/components/examples/MultipleIdPsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.read + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - Policy - put: - summary: Replace a Policy Rule - description: Updates a policy rule. 
- operationId: updatePolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policyRule + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an Identity Provider + description: |- + Creates a new Identity Provider integration. + + #### SAML 2.0 Identity Provider + + You must first add the IdP's signature certificate to the IdP key store before you can add a SAML 2.0 IdP with a `kid` credential reference. + + Don't use `fromURI` to automatically redirect a user to a particular app after successfully authenticating with a third-party IdP. Instead, use SAML deep links. Using `fromURI` isn't tested or supported. For more information about using deep links when signing users in using an SP-initiated flow, see [Understanding SP-Initiated Login flow](https://developer.okta.com/docs/concepts/saml/#understanding-sp-initiated-login-flow). + + Use SAML deep links to automatically redirect the user to an app after successfully authenticating with a third-party IdP. To use deep links, assemble these three parts into a URL: + + * SP ACS URL
+ For example: `https://${yourOktaDomain}/sso/saml2/:idpId` + * The app to which the user is automatically redirected after successfully authenticating with the IdP
+ For example: `/app/:app-location/:appId/sso/saml` + * Optionally, if the app is an outbound SAML app, you can specify the `relayState` passed to it.
+ For example: `?RelayState=:anyUrlEncodedValue` + + The deep link for the above three parts is:
+ `https://${yourOktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue` + + #### Smart Card X509 Identity Provider + + You must first add the IdP's server certificate to the IdP key store before you can add a Smart Card `X509` IdP with a `kid` credential reference. + You need to upload the whole trust chain as a single key using the [Key Store API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderKeys/#tag/IdentityProviderKeys/operation/createIdentityProviderKey). + Depending on the information stored in the smart card, select the proper [template](https://developer.okta.com/docs/reference/okta-expression-language/#idp-user-profile) `idpuser.subjectAltNameEmail` or `idpuser.subjectAltNameUpn`. + operationId: createIdentityProvider + x-codegen-request-body-name: identityProvider requestBody: + description: IdP settings content: application/json: schema: - $ref: '#/components/schemas/PolicyRule' + $ref: '#/components/schemas/IdentityProvider' + examples: + CreateGenericOidcIdPRequest: + $ref: '#/components/examples/CreateGenericOidcIdPRequest' + CreateSamlIdPRequest: + $ref: '#/components/examples/CreateSamlIdPRequest' + CreateAppleIdPRequest: + $ref: '#/components/examples/CreateAppleIdPRequest' + CreateFacebookIdPRequest: + $ref: '#/components/examples/CreateFacebookIdPRequest' + CreateGoogleIdPRequest: + $ref: '#/components/examples/CreateGoogleIdPRequest' + CreateMicrosoftIdPRequest: + $ref: '#/components/examples/CreateMicrosoftIdPRequest' + CreateSmartCardIdPRequest: + $ref: '#/components/examples/CreateSmartCardIdPRequest' required: true responses: '200': 
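Review bot: the `listIdentityProviders` description says "A subset of IdPs can be returned that match a supported filter expression or query", but the operation only declares the `q` and `type` query parameters, not a `filter` parameter; either add the `filter` parameter with its supported expressions or drop the mention so the description matches the contract. Minor: the deep-link examples in the `createIdentityProvider` description write the host as `https://${yourOktaDomain}/...` while the `servers` block uses the variable `{yourOktaDomain}`; using one form avoids readers pasting a literal `${...}` into a URL.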
@@ -9977,182 +13038,164 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/PolicyRule' + $ref: '#/components/schemas/IdentityProvider' + examples: + CreateGenericOidcIdpResponse: + $ref: '#/components/examples/GenericOidcIdpResponse' + CreateSamlIdPResponse: + $ref: '#/components/examples/SamlIdPResponse' + CreateAppleIdPResponse: + $ref: '#/components/examples/AppleIdPResponse' + CreateFacebookIdPResponse: + $ref: '#/components/examples/FacebookIdPResponse' + CreateGoogleIdPResponse: + $ref: '#/components/examples/GoogleIdPResponse' + CreateMicrosoftIdPResponse: + $ref: '#/components/examples/MicrosoftIdPResponse' + CreateSmartCardIdPResponse: + $ref: '#/components/examples/SmartCardIdPResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage - tags: - - Policy - delete: - summary: Delete a Policy Rule - description: Removes a policy rule. - operationId: deletePolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string - responses: - '204': - description: No Content - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - Policy - /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate: - post: - summary: Activate a Policy Rule - description: Activates a policy rule. 
- operationId: activatePolicyRule + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/credentials/keys: + get: + summary: List all IdP Key Credentials + description: Lists all IdP Key Credentials + operationId: listIdentityProviderKeys parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: - '204': - description: No Content + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + ListIdPKeyCredentialsResponse: + $ref: '#/components/examples/MultipleIdPKeyCredentialsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - Policy - /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Deactivate a Policy Rule - description: Deactivates a policy rule. - operationId: deactivatePolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string + summary: Create an IdP Key Credential + description: |- + Creates a new X.509 certificate credential in the IdP key store + > **Note:** RSA-based certificates are supported for all IdP types. Okta currently supports EC-based certificates only for the `X509` IdP type. For EC-based certificates we support only P-256, P-384, and P-521 curves. 
+ operationId: createIdentityProviderKey + x-codegen-request-body-name: jsonWebKey + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/IdPCertificateCredential' + required: true responses: - '204': - description: No Content + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.policies.manage + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - Policy - /api/v1/principal-rate-limits: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/credentials/keys/{kid}: + parameters: + - $ref: '#/components/parameters/pathKid' get: - summary: List all Principal Rate Limits - description: Lists all Principal Rate Limit entities considering the provided parameters. 
- operationId: listPrincipalRateLimitEntities - parameters: - - name: filter - in: query - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 - maximum: 50 + summary: Retrieve an IdP Key Credential + description: Retrieves a specific IdP Key Credential by `kid` + operationId: getIdentityProviderKey responses: '200': - description: OK + description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/PrincipalRateLimitEntity' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.principalRateLimits.read + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - PrincipalRateLimit - post: - summary: Create a Principal Rate Limit - description: Adds a new Principal Rate Limit entity to your organization. In the current release, we only allow one Principal Rate Limit entity per org and principal. 
- operationId: createPrincipalRateLimitEntity - x-codegen-request-body-name: entity + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an IdP Key Credential + description: Replaces an IdP Key Credential by `kid` + operationId: replaceIdentityProviderKey requestBody: + description: Updated IdP Key Credential content: application/json: schema: - $ref: '#/components/schemas/PrincipalRateLimitEntity' + $ref: '#/components/schemas/IdPKeyCredential' examples: - SSWSToken: - $ref: '#/components/examples/PrincipalRateLimitEntityRequestSSWSToken' - EmptyPercentages: - $ref: '#/components/examples/PrincipalRateLimitEntityRequestEmptyPercentages' + IdPKeyCredentialRequest: + $ref: '#/components/examples/IdPKeyCredentialRequest' required: true responses: - '201': - description: Created + '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/PrincipalRateLimitEntity' + $ref: '#/components/schemas/IdPKeyCredential' examples: - SSWSToken: - $ref: '#/components/examples/PrincipalRateLimitEntityResponseSSWSToken' + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
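Review bot: `replaceIdentityProviderKey` is documented only as "Replaces an IdP Key Credential by `kid`", yet the sibling `delete` on the same path (next hunk) states the key cannot be removed while "being used by an active or inactive IdP"; the `put` description should state whether replacement is allowed when the key is referenced by an IdP, because swapping the certificate an IdP trusts changes which signed assertions are accepted and is the kind of operation an admin needs to see spelled out. Minor: `createIdentityProviderKey` sets `x-codegen-request-body-name: jsonWebKey` while its body schema is `IdPCertificateCredential`, so generated SDK parameter names will not match the schema; rename the body to match.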
@@ -10162,28 +13205,56 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.principalRateLimits.manage + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - PrincipalRateLimit - /api/v1/principal-rate-limits/{principalRateLimitId}: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an IdP Key Credential + description: Deletes a specific IdP Key Credential by `kid` if it isn't currently being used by an active or inactive IdP + operationId: deleteIdentityProviderKey + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}: parameters: - - $ref: '#/components/parameters/pathPrincipalRateLimitId' + - $ref: '#/components/parameters/pathIdpId' get: - summary: Retrieve a Principal Rate Limit - description: Fetches a Principal Rate Limit entity by `principalRateLimitId`. - operationId: getPrincipalRateLimitEntity + summary: Retrieve an Identity Provider + description: Retrieves an identity provider integration by `idpId` + operationId: getIdentityProvider responses: '200': - description: OK + description: Success content: application/json: schema: - $ref: '#/components/schemas/PrincipalRateLimitEntity' + $ref: '#/components/schemas/IdentityProvider' examples: - SSWSToken: - $ref: '#/components/examples/PrincipalRateLimitEntityResponseSSWSToken' + GenericOidcIdpResponse: + $ref: '#/components/examples/GenericOidcIdpResponse' + SamlIdPResponse: + $ref: '#/components/examples/SamlIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
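Review bot: `deleteIdentityProviderKey` promises that a key "isn't currently being used by an active or inactive IdP" as a precondition, but its `responses` list only `'204'`, `'403'`, `'404'` and `'429'`, so the in-use refusal has no documented status or error body. The `deletePushProvider` operation this patch removes modelled exactly this case with a `'409'` Conflict response carrying an `Error` schema and a named example; add the equivalent here so clients can distinguish "key in use" from a generic failure.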
@@ -10191,37 +13262,39 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.principalRateLimits.read + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - PrincipalRateLimit + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a Principal Rate Limit - description: Update a Principal Rate Limit entity by `principalRateLimitId`. - operationId: updatePrincipalRateLimitEntity - x-codegen-request-body-name: entity + summary: Replace an Identity Provider + description: Replaces an identity provider integration by `idpId` + operationId: replaceIdentityProvider + x-codegen-request-body-name: identityProvider requestBody: + description: Updated configuration for the IdP content: application/json: schema: - $ref: '#/components/schemas/PrincipalRateLimitEntity' + $ref: '#/components/schemas/IdentityProvider' examples: - SSWSToken: - $ref: '#/components/examples/PrincipalRateLimitEntityRequestSSWSToken' - EmptyPercentages: - $ref: '#/components/examples/PrincipalRateLimitEntityRequestEmptyPercentages' + ReplaceIdPRequest: + $ref: '#/components/examples/ReplaceIdPRequestResponse' required: true responses: '200': - description: OK + description: Success content: application/json: schema: - $ref: '#/components/schemas/PrincipalRateLimitEntity' + $ref: '#/components/schemas/IdentityProvider' examples: - SSWSToken: - $ref: '#/components/examples/PrincipalRateLimitEntityResponseSSWSToken' + ReplaceIdPResponse: + $ref: '#/components/examples/ReplaceIdPRequestResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -10231,100 +13304,144 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.principalRateLimits.manage + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - PrincipalRateLimit - /api/v1/push-providers: - get: - summary: List all Push Providers - description: Enumerates push providers in your organization. - operationId: listPushProviders - parameters: - - name: type - in: query - description: Filters push providers by `providerType` - schema: - $ref: '#/components/schemas/ProviderType' + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an Identity Provider + description: |- + Deletes an identity provider integration by `idpId` + * All existing IdP users are unlinked with the highest order profile source taking precedence for each IdP user. + * Unlinked users keep their existing authentication provider such as `FEDERATION` or `SOCIAL`. + operationId: deleteIdentityProvider + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/csrs: + parameters: + - $ref: '#/components/parameters/pathIdpId' + get: + summary: List all Certificate Signing Requests + description: Lists all Certificate Signing Requests for an IdP + operationId: listCsrsForIdentityProvider responses: '200': - description: OK + description: Success content: application/json: schema: type: array items: - $ref: '#/components/schemas/PushProvider' + $ref: '#/components/schemas/IdPCsr' + examples: + MultipleIdPCsrsResponse: + $ref: '#/components/examples/MultipleIdPCsrsResponse' 
'403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.pushProviders.read + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - PushProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Push Provider - description: Adds a new push provider to your organization. - operationId: createPushProvider - x-codegen-request-body-name: pushProvider + summary: Generate a Certificate Signing Request + description: |- + Generates a new key pair and returns a Certificate Signing Request (CSR) for it + > **Note:** The private key isn't listed in the [Signing Key Credentials for IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderSigningKeys/#tag/IdentityProviderSigningKeys/operation/listIdentityProviderSigningKeys) until it's published. 
+ operationId: generateCsrForIdentityProvider + x-codegen-request-body-name: metadata requestBody: content: application/json: schema: - $ref: '#/components/schemas/PushProvider' - examples: - APNs: - $ref: '#/components/examples/PushProviderAPNsRequest' - FCM: - $ref: '#/components/examples/PushProviderFCMRequest' + $ref: '#/components/schemas/CsrMetadata' required: true responses: - '200': - description: OK + '201': + description: Created content: application/json: schema: - $ref: '#/components/schemas/PushProvider' + $ref: '#/components/schemas/IdPCsr' examples: - APNs: - $ref: '#/components/examples/PushProviderAPNsResponse' - FCM: - $ref: '#/components/examples/PushProviderFCMResponse' + CsrJsonResponse: + $ref: '#/components/examples/CsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/IdPCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/CsrPkcs10Response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.pushProviders.manage + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - PushProvider - /api/v1/push-providers/{pushProviderId}: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathIdpCsrId' get: - summary: Retrieve a Push Provider - description: Fetches a push provider by `pushProviderId`. 
- operationId: getPushProvider - parameters: - - $ref: '#/components/parameters/pathPushProviderId' + summary: Retrieve a Certificate Signing Request + description: Retrieves a specific Certificate Signing Request by `id` + operationId: getCsrForIdentityProvider responses: '200': - description: OK + description: Success content: application/json: schema: - $ref: '#/components/schemas/PushProvider' + $ref: '#/components/schemas/IdPCsr' examples: - APNs: - $ref: '#/components/examples/PushProviderAPNsResponse' - FCM: - $ref: '#/components/examples/PushProviderFCMResponse' + CsrJsonResponse: + $ref: '#/components/examples/CsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/IdPCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/CsrPkcs10Response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
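Review bot: `generateCsrForIdentityProvider` and `getCsrForIdentityProvider` return either `application/json` (`IdPCsr`) or `application/pkcs10` (`IdPCsrPkcs10`), but nothing says how the caller selects the representation; a sentence in each description stating that the `Accept` request header drives the choice, and which one is the default, would make the PKCS#10 path usable. Minor: the `deleteIdentityProvider` description runs the bullet list directly after the first sentence with no blank line, whereas `createIdentityProvider` separates paragraphs and lists with blank lines; add the blank line so the Markdown renders as a list.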
@@ -10332,284 +13449,443 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.pushProviders.read + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - PushProvider - put: - summary: Replace a Push Provider - description: Updates a push provider by `pushProviderId`. - operationId: updatePushProvider - parameters: - - $ref: '#/components/parameters/pathPushProviderId' - x-codegen-request-body-name: pushProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke a Certificate Signing Request + description: Revokes a CSR and deletes the key pair from the IdP + operationId: revokeCsrForIdentityProvider + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}/lifecycle/publish: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathIdpCsrId' + post: + summary: Publish a Certificate Signing Request + description: |- + Publishes the CSR with a signed X.509 certificate and adds it into the signing Key Credentials for the IdP + > **Notes:** + > * Publishing a certificate completes the lifecycle of the CSR, and it's no longer accessible. + > * If the validity period of the certificate is less than 90 days, a 400 error response is returned. 
+ operationId: publishCsrForIdentityProvider requestBody: + required: true content: - application/json: + application/pkix-cert: schema: - $ref: '#/components/schemas/PushProvider' - examples: - APNs: - $ref: '#/components/examples/PushProviderAPNsRequest' - FCM: - $ref: '#/components/examples/PushProviderFCMRequest' - required: true + type: string + format: binary + description: |- + X.509 certificate in `DER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: 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 + x-okta-operationId: publishBinaryDerCertForIdentityProvider + application/x-x509-ca-cert: + schema: + type: string + format: binary + description: |- + X.509 certificate in `CER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: '@certificate.cer' + x-okta-operationId: publishBinaryCerCertForIdentityProvider + application/x-pem-file: + schema: + type: string + format: binary + description: X.509 certificate in `PEM` format + example: '@certificate.pem' + x-okta-operationId: publishBinaryPemCertForIdentityProvider responses: - '200': - description: OK + '201': + description: Created content: application/json: schema: - $ref: '#/components/schemas/PushProvider' - examples: - APNs: - $ref: '#/components/examples/PushProviderAPNsResponse' - FCM: - $ref: '#/components/examples/PushProviderFCMResponse' + $ref: '#/components/schemas/IdPKeyCredential' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.pushProviders.manage - tags: - - PushProvider - delete: - summary: Delete a Push Provider - description: Delete a push provider by 
`pushProviderId`. If the push provider is currently being used in the org by a custom authenticator, the delete will not be allowed. - operationId: deletePushProvider - parameters: - - $ref: '#/components/parameters/pathPushProviderId' - responses: - '204': - description: No Content - '403': - $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' - '409': - description: Conflict - headers: {} - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Cannot remove push provider in use by a custom app authenticator: - $ref: '#/components/examples/ErrorPushProviderUsedByCustomAppAuthenticator' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.pushProviders.manage + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - PushProvider - /api/v1/roles/{roleTypeOrRoleId}/subscriptions: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/keys: + parameters: + - $ref: '#/components/parameters/pathIdpId' get: - summary: List all Subscriptions of a Custom Role - description: When roleType List all subscriptions of a Role. 
Else when roleId List subscriptions of a Custom Role - operationId: listRoleSubscriptions - parameters: - - in: path - name: roleTypeOrRoleId - required: true - schema: - type: string + summary: List all signing Key Credentials for IdP + description: Lists all signing Key Credentials for an IdP + operationId: listIdentityProviderSigningKeys responses: '200': description: Success content: application/json: schema: - items: - $ref: '#/components/schemas/Subscription' type: array + items: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + MultipleIdPSigningKeyCredentialsResponse: + $ref: '#/components/examples/MultipleIdPSigningKeyCredentialsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - Subscription - /api/v1/roles/{roleTypeOrRoleId}/subscriptions/{notificationType}: - get: - summary: List all Subscriptions of a Custom Role with a specific notification type - description: When roleType Get subscriptions of a Role with a specific notification type. Else when roleId Get subscription of a Custom Role with a specific notification type. - operationId: getRoleSubscriptionByNotificationType + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/keys/generate: + parameters: + - $ref: '#/components/parameters/pathIdpId' + post: + summary: Generate a new signing Key Credential for IdP + description: |- + Generates a new X.509 certificate for an IdP signing Key Credential to be used for signing assertions sent to the IdP. IdP signing keys are read-only. 
+ > **Note:** To update an IdP with the newly generated Key Credential, [update your IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider) using the returned key's `kid` in the [signing credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/credentials/signing/kid&t=request). + operationId: generateIdentityProviderSigningKey parameters: - - in: path - name: roleTypeOrRoleId - required: true - schema: - type: string - - in: path - name: notificationType + - name: validityYears + in: query + description: expiry of the IdP Key Credential required: true schema: - type: string + type: integer + format: int32 + minimum: 2 + maximum: 10 responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Subscription' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - Subscription - /api/v1/roles/{roleTypeOrRoleId}/subscriptions/{notificationType}/subscribe: - post: - summary: Subscribe a Custom Role to a specific notification type - description: When roleType Subscribes a Role to a specific notification type. When you change the subscription status of a Role, it overrides the subscription of any individual user of that Role. Else when roleId Subscribes a Custom Role to a specific notification type. 
When you change the subscription status of a Custom Role, it overrides the subscription of any individual user of that Custom Role. - operationId: subscribeRoleSubscriptionByNotificationType - parameters: - - in: path - name: roleTypeOrRoleId - required: true - schema: - type: string - - in: path - name: notificationType - required: true - schema: - type: string + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/keys/{kid}: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathKid' + get: + summary: Retrieve a signing Key Credential for IdP + description: Retrieves a specific IdP Key Credential by `kid` + operationId: getIdentityProviderSigningKey responses: '200': description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - Subscription - /api/v1/roles/{roleTypeOrRoleId}/subscriptions/{notificationType}/unsubscribe: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/keys/{kid}/clone: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathKid' post: - summary: Unsubscribe a Custom Role from a specific notification type - description: When roleType Unsubscribes a Role from a specific notification type. When you change the subscription status of a Role, it overrides the subscription of any individual user of that Role. 
Else when roleId Unsubscribes a Custom Role from a specific notification type. When you change the subscription status of a Custom Role, it overrides the subscription of any individual user of that Custom Role. - operationId: unsubscribeRoleSubscriptionByNotificationType + summary: Clone a signing Key Credential for IdP + description: |- + Clones an X.509 certificate for an IdP signing Key Credential from a source IdP to target IdP + > **Caution:** Sharing certificates isn't a recommended security practice. + + > **Note:** If the key is already present in the list of Key Credentials for the target IdP, you receive a 400 error response. + operationId: cloneIdentityProviderKey parameters: - - in: path - name: roleTypeOrRoleId - required: true - schema: - type: string - - in: path - name: notificationType + - name: targetIdpId + in: query required: true + description: '`id` of the target IdP' schema: type: string responses: - '200': - description: Success + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - Subscription - /api/v1/sessions: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathIdpId' post: - summary: Create a Session with Session Token - description: Creates a new session for a user with a valid session token. 
Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it, or want to hold the session ID in order to delete a session via the API instead of visiting the logout URL. - operationId: createSession - x-codegen-request-body-name: createSessionRequest - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CreateSessionRequest' - required: true + summary: Activate an Identity Provider + description: Activates an inactive IdP + operationId: activateIdentityProvider responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Session' - '400': - description: Bad Request + $ref: '#/components/schemas/IdentityProvider' + examples: + ActivateIdPResponse: + $ref: '#/components/examples/ActivateIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - Session - /api/v1/sessions/{sessionId}: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathIdpId' + post: + summary: Deactivate an Identity Provider + description: Deactivates an active IdP + operationId: deactivateIdentityProvider + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProvider' + examples: + DeactivateIdPResponse: + $ref: '#/components/examples/DeactivateIdPResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProvider + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/users: + parameters: + - $ref: '#/components/parameters/pathIdpId' get: - summary: Retrieve a Session - description: Get details about a session. - operationId: getSession + summary: List all Users for IdP + description: Lists all the Users linked to an Identity Provider + operationId: listIdentityProviderApplicationUsers parameters: - - name: sessionId - in: path - required: true + - $ref: '#/components/parameters/queryFilter' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - name: expand + in: query + description: Expand user data schema: type: string + example: user responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Session' + type: array + items: + $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + ListIdPUsersResponse: + $ref: '#/components/examples/ListIdPUsersResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/users/{userId}: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathUserId' + get: + summary: Retrieve a User for IdP + description: Retrieves a linked IdP User by ID + operationId: getIdentityProviderApplicationUser + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + IdPAppUserResponse: + $ref: '#/components/examples/IdPAppUserResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Link a User to IdP + description: |- + Links an Okta User to an existing SAML or social Identity Provider. + + The SAML Identity Provider must have `honorPersistentNameId` set to `true` to use this API. + The [Name Identifier Format](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/settings&t=request) of the incoming assertion must be `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`. + operationId: linkUserToIdentityProvider + x-codegen-request-body-name: userIdentityProviderLinkRequest + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserIdentityProviderLinkRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + LinkIdPAppUserResponse: + $ref: '#/components/examples/LinkIdPAppUserResponse' '400': - description: Bad Request + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.sessions.read + - apiToken: [] + - oauth2: + - okta.users.manage tags: - - Session + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Session - description: End a session. 
- operationId: endSession - parameters: - - name: sessionId - in: path - required: true - schema: - type: string + summary: Unlink a User from IdP + description: Unlinks the Okta User and the IdP User. The next time the User federates into Okta through this IdP, they have to re-link their account according to the account link policy. + operationId: unlinkUserFromIdentityProvider responses: '204': description: No Content 
@@ -10621,51 +13897,70 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.sessions.manage + - apiToken: [] + - oauth2: + - okta.idps.manage tags: - - Session - /api/v1/sessions/{sessionId}/lifecycle/refresh: - post: - summary: Refresh a Session - description: Refresh a session. - operationId: refreshSession - parameters: - - name: sessionId - in: path - required: true - schema: - type: string + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/users/{userId}/credentials/tokens: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all Tokens from OIDC IdP + description: |- + Lists the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth. + + Okta doesn't import all the User information from a social provider. If the app needs information that isn't imported, it can get the User token from this endpoint. Then the app can make an API call to the social provider with the token to request the additional information. 
+ operationId: listSocialAuthTokens responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Session' + type: array + items: + $ref: '#/components/schemas/SocialAuthToken' + examples: + SocialAuthTokensResponse: + $ref: '#/components/examples/SocialAuthTokensResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.sessions.manage + - apiToken: [] + - oauth2: + - okta.idps.read tags: - - Session - /api/v1/templates/sms: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/inlineHooks: get: - summary: List all SMS Templates - description: Enumerates custom SMS templates in your organization. A subset of templates can be returned that match a template type. - operationId: listSmsTemplates + summary: List all inline hooks + description: |- + Lists all inline hooks or all inline hooks of a specific type. + + When listing a specific inline hook, you need to specify its type. 
The following types are currently supported: + | Type Value | Name | + |------------------------------------|----------------------------------------------------------------| + | `com.okta.import.transform` | [User import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createUserImportInlineHook) | + | `com.okta.oauth2.tokens.transform` | [Token inline hook]((/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTokenInlineHook) | + | `com.okta.saml.tokens.transform` | [SAML assertion inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createSAMLAssertionInlineHook) | + | `com.okta.telephony.provider` | [Telephony inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook) | + | `com.okta.user.credential.password.import` | [Password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook)| + | `com.okta.user.pre-registration` | [Registration inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook) | + operationId: listInlineHooks parameters: - - name: templateType - in: query - schema: - $ref: '#/components/schemas/SmsTemplateType' + - $ref: '#/components/parameters/inlineHookType' responses: '200': description: Success 
@@ -10674,27 +13969,64 @@ paths: schema: type: array items: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/InlineHook' + examples: + InlineHooktMgmtListAllexample: + $ref: '#/components/examples/InlineHooktMgmtListAllexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.read tags: - - Template + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create an SMS Template - description: Adds a new custom SMS template to your organization. - operationId: createSmsTemplate - x-codegen-request-body-name: smsTemplate + summary: Create an inline hook + description: |- + Creates an inline hook + + This endpoint creates an inline hook for your org in an `ACTIVE` status. You need to pass an inline hooks object in the JSON payload of your request. + That object represents the set of required information about the inline hook that you're registering, including: + + * The URI of your external service endpoint + * The type of inline hook you're registering + * The type of authentication you're registering + + There are two authentication options that you can configure for your inline hook: HTTP headers and OAuth 2.0 tokens. + + HTTP headers let you specify a secret API key that you want Okta to pass to your external service endpoint (so that your external service can check for its presence as a security measure). + + >**Note:** The API key that you set here is unrelated to the Okta API token you must supply when making calls to Okta APIs. + + You can also optionally specify extra headers that you want Okta to pass to your external service with each call. + + To configure HTTP header authentication, see parameters for the `config` object. + + OAuth 2.0 tokens provide enhanced security between Okta and your external service. 
You can configure these tokens for the following types—client secret and private key. + + >**Note:** Your external service's endpoint needs to be a valid HTTPS endpoint. The URI you specify should always begin with `https://`. + + The total number of inline hooks that you can create in an Okta org is limited to 50, which is a combined total for any combination of inline hook types. + operationId: createInlineHook + x-codegen-request-body-name: inlineHookCreate requestBody: content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/InlineHookCreate' + examples: + CreateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtCreateHTTPRequest' + CreateInlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretRequest' + CreateInlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyRequest' required: true responses: '200': @@ -10702,7 +14034,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/InlineHookCreateResponse' + examples: + CreateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtCreateHTTPResponse' + CreateInlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretResponse' + CreateInlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -10710,29 +14049,35 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - Template - /api/v1/templates/sms/{templateId}: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/inlineHooks/{inlineHookId}: + parameters: + - $ref: '#/components/parameters/pathInlineHookId' get: - summary: Retrieve an SMS Template - description: Fetches a specific template by `id` - operationId: getSmsTemplate - parameters: - - name: templateId - in: path - required: true - schema: - type: string + summary: Retrieve an Inline Hook + description: Retrieves an inline hook by `inlineHookId` + operationId: getInlineHook responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/InlineHook' + examples: + InlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtHTTPexample' + InlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample' + InlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtOauthPKJexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -10740,27 +14085,27 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.read tags: - - Template + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update an SMS Template - description: 'Updates only some of the SMS template properties:' - operationId: partialUpdateSmsTemplate - parameters: - - name: templateId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: smsTemplate + summary: Update an Inline Hook + description: Updates an inline hook by `inlineHookId` + operationId: updateInlineHook + x-codegen-request-body-name: inlineHook requestBody: content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/InlineHookReplace' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest' required: true responses: '200': @@ -10768,7 +14113,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/InlineHook' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -10778,27 +14126,30 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - Template + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace an SMS Template - description: Updates the SMS template. - operationId: updateSmsTemplate - parameters: - - name: templateId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: smsTemplate + summary: Replace an inline hook + description: |- + Replaces an inline hook by `inlineHookId`. The submitted inline hook properties replace the existing properties after passing validation. + + >**Note:** Some properties are immutable and can't be updated. + operationId: replaceInlineHook + x-codegen-request-body-name: inlineHook requestBody: content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/InlineHookReplace' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest' required: true responses: '200': @@ -10806,7 +14157,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/InlineHook' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -10816,21 +14170,18 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - Template + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete an SMS Template - description: Removes an SMS template. - operationId: deleteSmsTemplate - parameters: - - name: templateId - in: path - required: true - schema: - type: string + summary: Delete an inline hook + description: Deletes an inline hook by `inlineHookId`. After it's deleted, the inline hook is unrecoverable. As a safety precaution, only inline hooks with a status of `INACTIVE` are eligible for deletion. + operationId: deleteInlineHook responses: '204': description: No Content 
@@ -10842,116 +14193,215 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.templates.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - Template - /api/v1/threats/configuration: - get: - summary: Retrieve the ThreatInsight Configuration - description: Gets current ThreatInsight configuration - operationId: getCurrentConfiguration + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/inlineHooks/{inlineHookId}/execute: + parameters: + - $ref: '#/components/parameters/pathInlineHookId' + post: + summary: Execute an inline hook + description: |- + Executes the inline hook that matches the provided `inlineHookId` by using the request body as the input. This inline hook sends the provided + data through the `channel` object and returns a response if it matches the correct data contract. Otherwise it returns an error. You need to + construct a JSON payload that matches the payloads that Okta would send to your external service for this inline hook type. + + A timeout of three seconds is enforced on all outbound requests, with one retry in the event of a timeout or an error response from the remote system. + If a successful response isn't received after the request, a 400 error is returned with more information about what failed. + + >**Note:** This execution endpoint isn't tied to any other functionality in Okta, and you should only use it for testing purposes. 
+ operationId: executeInlineHook + x-codegen-request-body-name: payloadData + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/PasswordImportRequestExecute' + - $ref: '#/components/schemas/TelephonyRequestExecute' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - $ref: '#/components/schemas/TokenRequest' + - $ref: '#/components/schemas/SAMLPayloadExecute' + - $ref: '#/components/schemas/UserImportRequestExecute' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportPayloadExample' + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonyPayloadExample' + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentRequest' + TokenPayLoadExample: + $ref: '#/components/examples/TokenPayLoadExample' + SAMLPayloadExample: + $ref: '#/components/examples/SAMLPayLoadExample' + UserImportPayloadExample: + $ref: '#/components/examples/UserImportPayloadExample' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/ThreatInsightConfiguration' + oneOf: + - $ref: '#/components/schemas/PasswordImportResponse' + - $ref: '#/components/schemas/TelephonyResponse' + - $ref: '#/components/schemas/RegistrationInlineHookResponse' + - $ref: '#/components/schemas/TokenHookResponse' + - $ref: '#/components/schemas/SAMLHookResponse' + - $ref: '#/components/schemas/UserImportResponse' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportVerifiedResponse' + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonySuccessResponse' + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentResponse' + TokenPayLoadExample: + $ref: '#/components/examples/TokenHookResponse' + SAMLPayloadExample: + $ref: '#/components/examples/SAMLHookResponseExample' + UserImportPayloadExample: + $ref: '#/components/examples/UserImportChangeAppUserProfileExample' + 
'400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.threatInsights.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - ThreatInsight + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathInlineHookId' post: - summary: Update the ThreatInsight Configuration - description: Updates ThreatInsight configuration - operationId: updateConfiguration - x-codegen-request-body-name: threatInsightConfiguration - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/ThreatInsightConfiguration' - required: true + summary: Activate an Inline Hook + description: Activates the inline hook by `inlineHookId` + operationId: activateInlineHook responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/ThreatInsightConfiguration' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/InlineHook' + examples: + ActivateAnInlineHook: + $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.threatInsights.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - ThreatInsight - /api/v1/trustedOrigins: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathInlineHookId' + post: + 
summary: Deactivate an Inline Hook + description: Deactivates the inline hook by `inlineHookId` + operationId: deactivateInlineHook + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHook' + examples: + DeactivateAnInlineHook: + $ref: '#/components/examples/InlineHookMgmtHTTPexampleDeactivate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/logStreams: get: - summary: List all Trusted Origins - description: Success - operationId: listOrigins + summary: List all Log Streams + description: Lists all Log Stream objects in your org. You can request a paginated list or a subset of Log Streams that match a supported filter expression. + operationId: listLogStreams parameters: - - name: q - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' - name: filter in: query + description: An expression that [filters](/#filter) the returned objects. You can only use the `eq` operator on either the `status` or `type` properties in the filter expression. 
schema: type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: -1 + example: type eq "aws_eventbridge" responses: '200': - description: Success + description: OK content: application/json: schema: type: array items: - $ref: '#/components/schemas/TrustedOrigin' + $ref: '#/components/schemas/LogStream' + examples: + ExampleGetAllResponse: + $ref: '#/components/examples/LogStreamGetAllResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.trustedOrigins.read + - apiToken: [] + - oauth2: + - okta.logStreams.read tags: - - TrustedOrigin + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] post: - summary: Create a Trusted Origin - description: Success - operationId: createOrigin - x-codegen-request-body-name: trustedOrigin + summary: Create a Log Stream + description: Creates a new Log Stream object + operationId: createLogStream + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/TrustedOrigin' + $ref: '#/components/schemas/LogStream' + examples: + LogStreamPostRequestExample: + $ref: '#/components/examples/LogStreamPostRequest' required: true responses: '200': 
@@ -10959,37 +14409,50 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/TrustedOrigin' + $ref: '#/components/schemas/LogStream' + examples: + LogStreamPostResponseExample: + $ref: '#/components/examples/LogStreamPostResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.trustedOrigins.manage + - apiToken: [] + - oauth2: + - okta.logStreams.manage tags: - - TrustedOrigin - /api/v1/trustedOrigins/{trustedOriginId}: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/logStreams/{logStreamId}: + parameters: + - $ref: '#/components/parameters/pathLogStreamId' get: - summary: Retrieve a Trusted Origin - description: Success - operationId: getOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string + summary: Retrieve a Log Stream + description: Retrieves a Log Stream object by ID + operationId: getLogStream responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/TrustedOrigin' + $ref: '#/components/schemas/LogStream' + examples: + LogStreamGetRequestExample: + $ref: '#/components/examples/LogStreamPostResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -10997,35 +14460,48 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.trustedOrigins.read + - apiToken: [] + - oauth2: + - okta.logStreams.read tags: - - TrustedOrigin + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] put: - summary: Replace a Trusted Origin - description: Success - operationId: updateOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: trustedOrigin + summary: Replace a Log Stream + description: |- + Replaces the Log Stream object properties for a given ID. + + This operation is typically used to update the configuration of a Log Stream. + Depending on the type of Log Stream you want to update, certain properties can't be modified after the Log Stream is initially created. + Use the [Retrieve the Log Stream Schema for the schema type](/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/getLogStreamSchema) request to determine which properties you can update for the specific Log Stream type. + Log Stream properties with the `"writeOnce" : true` attribute can't be updated after creation. + You must still specify these `writeOnce` properties in the request body with the original values in the PUT request. + + > **Note:** You don't have to specify properties that have both the `"writeOnce": true` and the `"writeOnly": true` attributes in the PUT request body. These property values are ignored even if you add them in the PUT request body. 
+ operationId: replaceLogStream + x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/TrustedOrigin' + $ref: '#/components/schemas/LogStreamPutSchema' + examples: + LogStreamPutRequestExample: + $ref: '#/components/examples/LogStreamPutRequest' required: true responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/TrustedOrigin' + $ref: '#/components/schemas/LogStream' + examples: + LogStreamPostResponseExample: + $ref: '#/components/examples/LogStreamPutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
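Review bot: the PUT description explains that `writeOnce` properties must be re-sent with their original values but never says what happens when a caller changes one, which is the case a client author needs; since this hunk lists `ErrorApiValidationFailed400`, state whether a changed `writeOnce` value is rejected with that 400 or silently ignored like the `writeOnce` + `writeOnly` pair in the note. Also, the 200 response example key on this PUT is `LogStreamPostResponseExample` while it references `#/components/examples/LogStreamPutResponse`; rename it `LogStreamPutResponseExample` so the key and the target agree.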
@@ -11035,55 +14511,63 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.trustedOrigins.manage + - apiToken: [] + - oauth2: + - okta.logStreams.manage tags: - - TrustedOrigin + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] delete: - summary: Delete a Trusted Origin - description: Success - operationId: deleteOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string + summary: Delete a Log Stream + description: Deletes a Log Stream object from your org by ID + operationId: deleteLogStream responses: '204': - description: Success - content: {} + description: No Content '403': - $ref: '#/components/responses/ErrorAccessDenied403' + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.trustedOrigins.manage + - apiToken: [] + - oauth2: + - okta.logStreams.manage tags: - - TrustedOrigin - /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/logStreams/{logStreamId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathLogStreamId' post: - summary: Activate a Trusted Origin - description: Success - operationId: activateOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string + summary: Activate a Log Stream + description: Activates a log stream by `logStreamId` + operationId: activateLogStream responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/TrustedOrigin' + 
$ref: '#/components/schemas/LogStream' + examples: + LogStreamActivateResponseExample: + $ref: '#/components/examples/LogStreamActivateResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11091,29 +14575,32 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.trustedOrigins.manage + - apiToken: [] + - oauth2: + - okta.logStreams.manage tags: - - TrustedOrigin - /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/logStreams/{logStreamId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathLogStreamId' post: - summary: Deactivate a Trusted Origin - description: Success - operationId: deactivateOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string + summary: Deactivate a Log Stream + description: Deactivates a log stream by `logStreamId` + operationId: deactivateLogStream responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/TrustedOrigin' + $ref: '#/components/schemas/LogStream' + examples: + LogStreamDeactivateResponseExample: + $ref: '#/components/examples/LogStreamDeactivateResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
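Review bot: the DELETE on `/api/v1/logStreams/{logStreamId}` carries an inline 403 with `headers: {}`, an empty map that contributes nothing, while the activate and deactivate operations in the same region use the shared `ErrorAccessDenied403`; replace the inline block with the `$ref`. The DELETE description ("Deletes a Log Stream object from your org by ID") also leaves open whether an `ACTIVE` stream can be deleted outright or must be deactivated first. Deleting a stream stops the export of System Log events to whatever consumes them, so that precondition matters operationally; if the API refuses to delete an active stream, the rejecting response is missing from the listed 204/403/404/429 set, and if it does not, say so explicitly.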
@@ -11121,48 +14608,69 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.trustedOrigins.manage + - apiToken: [] + - oauth2: + - okta.logStreams.manage tags: - - TrustedOrigin - /api/v1/users: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/logs: get: - summary: List all Users - description: Lists users in your organization with pagination in most cases. A subset of users can be returned that match a supported filter expression or search criteria. - operationId: listUsers + summary: List all System Log Events + description: Lists all System Log Events + operationId: listLogEvents parameters: - - $ref: '#/components/parameters/queryAfter' - - name: q + - name: since + description: Filters the lower time bound of the log events `published` property for bounded queries or persistence time for polling queries in: query - description: Finds a user that matches firstName, lastName, and email properties schema: type: string - - name: limit + format: ISO 8601 compliant timestamp + default: 7 days prior to until + - name: until + description: Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries. in: query - description: Specifies the number of results returned. Defaults to 10 if `q` is provided. schema: - type: integer - format: int32 - default: 200 - - name: filter + type: string + format: ISO 8601 compliant timestamp + default: current time + - name: after + description: Retrieves the next page of results. Okta returns a link in the HTTP Header (`rel=next`) that includes the after query parameter in: query - description: Filters users with a supported expression for a subset of properties schema: type: string - - name: search + format: Opaque token + - name: filter + description: Filter expression that filters the results. All operators except [ ] are supported. 
See [Filter](https://developer.okta.com/docs/api/#filter). in: query - description: Searches for users with a supported filtering expression for most properties schema: type: string - - name: sortBy + format: SCIM Filter expression + - name: q + description: Filters log events results by one or more case insensitive keywords. in: query schema: type: string + format: URL encoded string. Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding) + - name: limit + description: Sets the number of results that are returned in the response + in: query + schema: + type: integer + format: Integer between 0 and 1000 + default: 100 - name: sortOrder + description: The order of the returned events that are sorted by the `published` property in: query schema: type: string + enum: + - ASCENDING + - DESCENDING + default: ASCENDING responses: '200': description: Success 
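Review bot: the new `/api/v1/logs` parameters put free text into `format` and `default`, which are machine-read fields, for example:
`format: ISO 8601 compliant timestamp`
`default: 7 days prior to until`
`format: Integer between 0 and 1000`
In OpenAPI `format` should be a registered identifier (`date-time` for `since`/`until`, `int32` for `limit`) and `default` a literal of the declared type; generators will otherwise emit the string "current time" as the default value. Move the prose into `description`, express the 0 to 1000 range on `limit` as `minimum`/`maximum`, and give `after`, `filter` and `q` no `format` at all. Separately, this file is `management-noEnums.yaml`, yet the hunk adds `enum: [ASCENDING, DESCENDING]` to `sortOrder`; if the no-enums variant exists so generated clients tolerate new values, that enum should be removed here. Finally, "All operators except [ ] are supported" on `filter` is ambiguous; name the unsupported operator.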
@@ -11171,113 +14679,104 @@ paths: schema: type: array items: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/LogEvent' examples: - User List: - $ref: '#/components/examples/ListUsersResponse' + ListLogs: + $ref: '#/components/examples/ListLogs' + LogTargetChangeDetails: + $ref: '#/components/examples/LogTargetChangeDetails' '403': - description: Forbidden - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.logs.read tags: - - User - post: - summary: Create a User - description: Creates a new user in your Okta organization with or without credentials. - operationId: createUser + - SystemLog + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/mappings: + get: + summary: List all Profile Mappings + description: |- + Lists all profile mappings in your organization with [pagination](https://developer.okta.com/docs/api/#pagination). You can return a subset of profile mappings that match a supported `sourceId` and/or `targetId`. + The results are [paginated](/#pagination) according to the limit parameter. If there are multiple pages of results, the Link header contains a `next` link that should be treated as an opaque value (follow it, don't parse it). + + The response is a collection of profile mappings that include a subset of the profile mapping object's parameters. The profile mapping object describes + the properties mapping between an Okta User and an App User Profile using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). 
+ operationId: listProfileMappings parameters: - - name: activate + - name: after in: query - description: Executes activation lifecycle operation when creating the user + description: Mapping `id` that specifies the pagination cursor for the next page of mappings schema: - type: boolean - default: true - - name: provider - in: query - description: Indicates whether to create a user with a specified authentication provider + type: string + - name: limit + in: query + description: Specifies the number of results per page (maximum 200) schema: - type: boolean - default: false - - name: nextLogin + type: integer + format: int32 + default: 20 + - name: sourceId in: query - description: With activate=true, set nextLogin to "changePassword" to have the password be EXPIRED, so user must change it the next time they log in. + description: The UserType or App Instance `id` that acts as the source of expressions in a mapping. If this parameter is included, all returned mappings have this as their `source.id`. schema: - $ref: '#/components/schemas/UserNextLogin' - x-okta-added-version: 0.14.0 - x-codegen-request-body-name: body - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CreateUserRequest' - required: true + type: string + - name: targetId + in: query + description: The UserType or App Instance `id` that acts as the target of expressions in a mapping. If this parameter is included, all returned mappings have this as their `target.id`. 
+ schema: + type: string responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/User' - '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + type: array + items: + $ref: '#/components/schemas/ListProfileMappings' examples: - Create user with too many groups specified: - $ref: '#/components/examples/ErrorCreateUserWithTooManyManyGroupsResponse' - Create user with expired password and activate set to `false`: - $ref: '#/components/examples/ErrorCreateUserWithExpiredPasswordWithoutActivation' - Create user with expired password and `null` password: - $ref: '#/components/examples/ErrorCreateUserWithExpiredPasswordWithNullPassword' + MappingList: + summary: List all Profile Mappings response + $ref: '#/components/examples/ListMappingsResponse' '403': - description: Forbidden - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.profileMappings.read tags: - - User - /api/v1/users/{associatedUserId}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: - put: - summary: Create a Linked Object for two User - description: Sets a linked object for two users. 
- operationId: setLinkedObjectForUser - parameters: - - name: associatedUserId - in: path - required: true - schema: - type: string - - name: primaryRelationshipName - in: path - required: true - schema: - type: string - - name: primaryUserId - in: path - required: true - schema: - type: string + - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/mappings/{mappingId}: + parameters: + - $ref: '#/components/parameters/pathMappingId' + get: + summary: Retrieve a Profile Mapping + description: Retrieves a single Profile Mapping referenced by its ID + operationId: getProfileMapping responses: - '204': + '200': description: Success - content: {} + content: + application/json: + schema: + $ref: '#/components/schemas/ProfileMapping' + examples: + MappingRetrieve: + summary: Retrieve a single Profile Mapping + $ref: '#/components/examples/RetrieveMappingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
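Review bot: the new example entries combine `summary` with `$ref`, for instance `MappingList` with `summary: List all Profile Mappings response` and `MappingRetrieve` below it; in OpenAPI 3.0.3 a Reference Object admits no sibling keys, so validators and renderers silently drop the summary. Move the summary into the referenced example under `#/components/examples/` or inline the example. Three further points in this hunk: the `limit` parameter on `listProfileMappings` says "(maximum 200)" in prose but has no `maximum: 200` in its schema; the same description links to pagination once as an absolute developer.okta.com URL and once as the root-relative `/#pagination`, and only one of those will resolve on every host the spec is served from; and `isCorsEnabled: true` appears on `listLogEvents` and nowhere else in this change, so confirm it is intentional on the one operation that returns System Log data.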
@@ -11285,207 +14784,387 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.profileMappings.read tags: - - User - /api/v1/users/{userId}: - get: - summary: Retrieve a User - description: Fetches a user from your Okta organization. - operationId: getUser - parameters: - - $ref: '#/components/parameters/pathUserId' + - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Update a Profile Mapping + description: Updates an existing profile mapping by adding, updating, or removing one or many property mappings + operationId: updateProfileMapping + x-codegen-request-body-name: profileMapping + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ProfileMappingRequest' + examples: + Addpropertymapping: + $ref: '#/components/examples/AddMappingBody' + Updatepropertymapping: + $ref: '#/components/examples/UpdateMappingBody' + Removepropertymapping: + $ref: '#/components/examples/RemoveMappingBody' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/ProfileMapping' + examples: + Addpropertymapping: + summary: Update an existing profile mapping by adding one or more properties + $ref: '#/components/examples/AddMappingResponse' + Updatepropertymapping: + summary: Update an existing profile mapping by updating one or more properties + $ref: '#/components/examples/UpdateMappingResponse' + Removepropertymapping: + summary: Update an existing profile mapping by removing one or more properties + $ref: '#/components/examples/RemoveMappingResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - description: Forbidden - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorAccessDenied403' '404': - 
description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.profileMappings.manage + tags: + - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/meta/layouts/apps/{appName}: + parameters: + - $ref: '#/components/parameters/pathAppName' + /api/v1/meta/layouts/apps/{appName}/sections/{section}/{operation}: + parameters: + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathSection' + - $ref: '#/components/parameters/pathOperation' + /api/v1/meta/schemas/apps/{appId}/default: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: Retrieve the default App User Schema for an App + description: |- + Retrieves the default Schema for an App User. + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same App User Schema. Therefore, unlike the User Schema operations, the App User Schema operations all specify `default` and don't accept a Schema ID. + operationId: getApplicationUserSchema + responses: + '200': + description: successful operation content: application/json: schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/UserSchema' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.schemas.read tags: - - User + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update a User - description: Fetch a user by `id`, `login`, or `login shortname` if the short name is unambiguous. 
- operationId: partialUpdateUser - parameters: - - $ref: '#/components/parameters/pathUserId' - - name: strict - in: query - schema: - type: boolean - x-codegen-request-body-name: user + summary: Update the App User Profile Schema for an App + description: |- + Updates the App User Schema. This updates, adds, or removes one or more custom profile properties or the nullability of a base property in the App User Schema for an app. Changing a base property's nullability (for example, the value of its `required` field) is allowed only if it is nullable in the default predefined Schema for the App. + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same App User Schema. Therefore, unlike the User Schema operations, the App User Schema operations all specify `default` and don't accept a Schema ID. + operationId: updateApplicationUserProfile + x-codegen-request-body-name: body requestBody: content: application/json: schema: - $ref: '#/components/schemas/UpdateUserRequest' - required: true + $ref: '#/components/schemas/UserSchema' + examples: + Add a custom property to the app user schema: + $ref: '#/components/examples/AppUserSchemaAddRequest' + required: false responses: '200': - description: Success + description: successful operation content: application/json: schema: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/UserSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/AppUserSchemaResponse' '400': - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - description: Forbidden - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.schemas.manage + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/schemas/group/default: + get: + summary: Retrieve the default Group Schema + description: |- + Retrieves the Group Schema + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same Group Schema. Unlike User Schema operations, Group Schema operations all specify `default` and don't accept a Schema ID. + operationId: getGroupSchema + parameters: [] + responses: + '200': + description: successful operation content: application/json: schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/GroupSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/GroupSchemaResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.schemas.read tags: - - User - put: - summary: Replace a User - description: Update a user's profile and/or credentials using strict-update semantics. - operationId: updateUser - parameters: - - $ref: '#/components/parameters/pathUserId' - - name: strict - in: query - schema: - type: boolean - x-okta-added-version: 1.10.0 - x-codegen-request-body-name: user + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the Group Profile Schema + description: |- + Updates the Group Profile schema. This updates, adds, or removes one or more custom profile properties in a Group Schema. Currently Okta does not support changing base Group Profile properties. 
+ + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same Group Schema. Unlike User Schema operations, Group Schema operations all specify `default` and don't accept a Schema ID. + + **Note:** Since POST is interpreted as a partial update, you must set properties explicitly to null to remove them from the Schema. + operationId: updateGroupSchema requestBody: content: application/json: schema: - $ref: '#/components/schemas/UpdateUserRequest' - required: true + $ref: '#/components/schemas/GroupSchema' + examples: + Add a custom property to the group schema: + $ref: '#/components/examples/GroupSchemaAddRequest' responses: '200': - description: Success + description: successful operation content: application/json: schema: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/GroupSchema' + example: + Response with a subset of properties for brevity: + $ref: '#/components/examples/GroupSchemaResponse' '400': - description: Bad Request + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.schemas.manage + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/schemas/logStream: + get: + summary: List the Log Stream Schemas + description: Lists the Schema for all Log Stream types visible for this org + operationId: listLogStreamSchemas + responses: + '200': + description: successful operation content: application/json: schema: - $ref: '#/components/schemas/Error' + type: array + items: + $ref: '#/components/schemas/LogStreamSchema' + examples: + All log stream schemas for your org: + $ref: '#/components/examples/LogStreamSchemaList' '403': - description: Forbidden + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + 
$ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.read + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/meta/schemas/logStream/{logStreamType}: + parameters: + - $ref: '#/components/parameters/pathLogStreamType' + get: + summary: Retrieve the Log Stream Schema for the schema type + description: Retrieves the Schema for a Log Stream type. The `logStreamType` element in the URL specifies the Log Stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal retrieve the Splunk Cloud type schema. + operationId: getLogStreamSchema + responses: + '200': + description: successful operation content: application/json: schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/schemas/LogStreamSchema' + examples: + Schema for type `aws_eventbridge`: + $ref: '#/components/examples/LogStreamSchemaAws' + Schema for type `splunk_cloud_logstreaming`: + $ref: '#/components/examples/LogStreamSchemaSplunk' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.logStreams.read tags: - - User - delete: - summary: Delete a User - description: Deletes a user permanently. This operation can only be performed on users that have a `DEPROVISIONED` status. 
**This action cannot be recovered!** - operationId: deactivateOrDeleteUser - parameters: - - $ref: '#/components/parameters/pathUserId' - - name: sendEmail - in: query - schema: - type: boolean - default: false - x-okta-added-version: 1.5.0 + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/meta/schemas/user/linkedObjects: + get: + summary: List all Linked Object Definitions + description: Lists all Linked Object definitions + operationId: listLinkedObjectDefinitions responses: - '204': - description: No Content - content: {} - '400': - description: Bad Request + '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/Error' + type: array + items: + $ref: '#/components/schemas/LinkedObject' + examples: + ListLinkedObjectsEx: + $ref: '#/components/examples/ListLinkedObjects' '403': - description: Forbidden + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.linkedObjects.read + tags: + - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Linked Object Definition + description: Creates a Linked Object definition + operationId: createLinkedObjectDefinition + x-codegen-request-body-name: linkedObject + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectRequestEx: + $ref: '#/components/examples/CreateLinkedObjectRequest' + required: true + responses: + '201': + description: Created content: application/json: schema: - $ref: '#/components/schemas/Error' - '404': - description: Not Found + $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectResponseEx: + $ref: '#/components/examples/CreateLinkedObjectResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '409': + description: Conflict content: application/json: schema: $ref: '#/components/schemas/Error' + examples: + ErrorInvalidLinkedObjectDefEx: + $ref: '#/components/examples/ErrorInvalidLinkedObjectDef' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.linkedObjects.manage tags: - - User - /api/v1/users/{userId}/appLinks: + - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}: + parameters: + - $ref: '#/components/parameters/pathLinkedObjectName' get: - summary: List all Assigned Application Links - description: Fetches appLinks for all direct or indirect (via group membership) assigned applications. - operationId: listAppLinks - parameters: - - name: userId - in: path - required: true - schema: - type: string + summary: Retrieve a Linked Object Definition + description: Retrieves a Linked Object definition + operationId: getLinkedObjectDefinition responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/AppLink' + $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectResponseEx: + $ref: '#/components/examples/CreateLinkedObjectResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
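Review bot: `/api/v1/meta/layouts/apps/{appName}` and `/api/v1/meta/layouts/apps/{appName}/sections/{section}/{operation}` are added with only a `parameters:` list and no operations, so they render as empty sections; either the operations were lost from this hunk or the path items should not be here. Also in this hunk: `updateGroupSchema` puts a named map of `$ref`s under `example:` (singular), which the Media Type Object treats as a literal payload, so it should be `examples:` as every other operation uses; `updateApplicationUserProfile` sets `requestBody.required: false` and `updateGroupSchema` omits `required` altogether, while `updateProfileMapping` has `required: true`, and a POST update with no body is meaningless, so make both schema updates `required: true`; the group schema note "Since POST is interpreted as a partial update, you must set properties explicitly to null to remove them" is the only place the null-to-remove rule is stated even though the app user and user schema POSTs also claim to remove properties, so repeat it there if the semantics match. Minor style: the schema operations use `description: successful operation` where the rest of the change uses `OK` or `Success`.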
@@ -11493,31 +15172,22 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.linkedObjects.read tags: - - User - /api/v1/users/{userId}/clients: - get: - summary: List all Clients - description: Lists all client resources for which the specified user has grants or tokens. - operationId: listUserClients - parameters: - - name: userId - in: path - required: true - schema: - type: string + - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Linked Object Definition + description: Deletes the Linked Object definition specified by either the `primary` or `associated` name. The entire definition is removed, regardless of which name that you specify. + operationId: deleteLinkedObjectDefinition responses: - '200': - description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/OAuth2Client' + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
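Review bot: the 204 on `deleteLinkedObjectDefinition` keeps `content: {}`, which the new `deleteLogStream` 204 in this same patch dropped; remove it for consistency. The description should also say what happens to existing user-to-user links when "the entire definition is removed", since a caller deleting by the `associated` name may not expect the `primary` side to disappear as well, and a stray "that" in "regardless of which name that you specify" should go.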
@@ -11525,50 +15195,31 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.linkedObjects.manage tags: - - User - /api/v1/users/{userId}/clients/{clientId}/grants: + - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/schemas/user/{schemaId}: + parameters: + - $ref: '#/components/parameters/pathSchemaId' get: - summary: List all Grants for a Client - description: Lists all grants for a specified user and client - operationId: listGrantsForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + summary: Retrieve a User Schema + description: Retrieves the Schema for a User Type + operationId: getUserSchema responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + $ref: '#/components/schemas/UserSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/UserSchemaResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
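Review bot: `getUserSchema` is described as "Retrieves the Schema for a User Type" but the path parameter is `pathSchemaId`, and the User Type endpoints further down identify types by a different ID; say explicitly that the caller passes the schema ID rather than the user type ID and where that value comes from. This hunk also removes `listGrantsForUserAndClient` together with its `expand`, `after` and `limit` parameters without a replacement appearing anywhere in this section; confirm the paginated grant listing is relocated rather than dropped.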
@@ -11576,30 +15227,43 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.schemas.read tags: - - User - delete: - summary: Revoke all Grants for a Client - description: Revokes all grants for the specified user and client - operationId: revokeGrantsForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update a User Schema + description: |- + Updates a User Schema. This updates, adds, or removes one or more profile properties in a User Schema. + + Unlike custom User Profile properties, limited changes are allowed to base User Profile properties (permissions, nullability of the `firstName` and `lastName` properties, or pattern for `login`). A property cannot be removed from the default Schema if it is being referenced as a [matchAttribute](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/) in SAML2 IdPs. Currently, all validation of SAML assertions is only performed against the default user type. 
+ operationId: updateUserProfile + x-codegen-request-body-name: userSchema + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserSchema' + examples: + Add a custom property to the user schema: + $ref: '#/components/examples/UserSchemaAddRequest' + required: true responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/UserSchemaResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11607,41 +15271,19 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.schemas.manage tags: - - User - /api/v1/users/{userId}/clients/{clientId}/tokens: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/types/user: get: - summary: List all Refresh Tokens for a Client - description: Lists all refresh tokens issued for the specified User and Client. - operationId: listRefreshTokensForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + summary: List all User Types + description: Lists all User Types in your org + operationId: listUserTypes responses: '200': description: Success 
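Review bot: the `updateUserProfile` description lists the base-property changes that are permitted (permissions, nullability of `firstName`/`lastName`, the `pattern` for `login`) but not what a disallowed change returns; the hunk adds `ErrorApiValidationFailed400`, so a sentence tying the restriction to that response would let client authors handle it. The sentence "Currently, all validation of SAML assertions is only performed against the default user type" is a security caveat that readers configuring `matchAttribute` on non-default types need to see, and it is buried at the end of a paragraph; format it as a `**Note:**` callout like the one on `updateGroupSchema`.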
@@ -11650,127 +15292,81 @@ paths: schema: type: array items: - $ref: '#/components/schemas/OAuth2RefreshToken' + $ref: '#/components/schemas/UserType' + examples: + ListsAllUserTypes: + $ref: '#/components/examples/ListsAllUserTypes' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.userTypes.read tags: - - User - delete: - summary: Revoke all Refresh Tokens for a Client - description: Revokes all refresh tokens issued for the specified User and Client. - operationId: revokeTokensForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - responses: - '204': - description: No Content - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage - tags: - - User - /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}: - get: - summary: Retrieve a Refresh Token for a Client - description: Gets a refresh token issued for the specified User and Client. 
- operationId: getRefreshTokenForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - default: 20 - - name: after - in: query - schema: - type: string + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a User Type + description: |- + Creates a new User Type. Okta automatically creates a `default` User Type for your org. You may add up to nine additional User Types. + > **Note**: New User Types are based on the current default schema template. Modifications to this schema do not automatically propagate to previously created User Types. + operationId: createUserType + x-codegen-request-body-name: userType + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserType' + examples: + CreateUserRequest: + $ref: '#/components/examples/CreateUserRequest' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2RefreshToken' + $ref: '#/components/schemas/UserType' + examples: + CreateUserResponse: + $ref: '#/components/examples/CreateUserResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.userTypes.manage tags: - - User - delete: - summary: Revoke a Token for a Client - description: Revokes the specified refresh token. 
- operationId: revokeTokenForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/types/user/{typeId}: + parameters: + - $ref: '#/components/parameters/pathTypeId' + get: + summary: Retrieve a User Type + description: Retrieves a User Type by ID. Use `default` to fetch the default User Type. + operationId: getUserType responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserType' + examples: + GetUserResponse: + $ref: '#/components/examples/GetUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -11778,33 +15374,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.userTypes.read tags: - - User - /api/v1/users/{userId}/credentials/change_password: + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Change Password - description: Changes a user's password by validating the user's current password. This operation can only be performed on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid password credential - operationId: changePassword - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: strict - in: query - schema: - type: boolean - x-okta-added-version: 1.10.0 - x-codegen-request-body-name: changePasswordRequest + summary: Update a User Type + description: |- + Updates an existing User Type. This operation is a partial update. + > **Note**: You can only update the `displayName` and `description` elements. The `name` of an existing User Type can't be changed. + operationId: updateUserType + x-codegen-request-body-name: userType requestBody: content: application/json: schema: - $ref: '#/components/schemas/ChangePasswordRequest' + $ref: '#/components/schemas/UserTypePostRequest' + examples: + UpdateUserTypePostRequest: + $ref: '#/components/examples/UpdateUserTypePostRequest' required: true responses: '200': @@ -11812,7 +15404,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UserCredentials' + $ref: '#/components/schemas/UserType' + examples: + UpdateUserTypePutRequest: + $ref: '#/components/examples/UpdateUserTypePostResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -11822,36 +15417,39 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.userTypes.manage tags: - - User - /api/v1/users/{userId}/credentials/change_recovery_question: - post: - summary: Change Recovery Question - description: Changes a user's recovery question & answer credential by validating the user's current password. This operation can only be performed on users in **STAGED**, **ACTIVE** or **RECOVERY** `status` that have a valid password credential - operationId: changeRecoveryQuestion - parameters: - - name: userId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: userCredentials + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a User Type + description: |- + Replaces an existing User Type. This operation is a full update. + > **Note**: The `name` of an existing User Type can't be changed, but must be part of the request body. You can only replace the `displayName` and `description` elements. + operationId: replaceUserType + x-codegen-request-body-name: userType requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserCredentials' - required: true + $ref: '#/components/schemas/UserTypePutRequest' + examples: + ReplaceUserTypePutRequest: + $ref: '#/components/examples/ReplaceUserTypePutRequest' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/UserCredentials' + $ref: '#/components/schemas/UserType' + examples: + ReplaceUserTypePutResponse: + $ref: '#/components/examples/ReplaceUserTypePutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -11861,112 +15459,131 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.userTypes.manage tags: - - User - /api/v1/users/{userId}/credentials/forgot_password: - post: - summary: Initiate Forgot Password - description: Initiate forgot password flow. Generates a one-time token (OTT) that can be used to reset a user's password. - operationId: forgotPassword - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: sendEmail - in: query - required: false - schema: - type: boolean - default: true + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a User Type + description: |- + Deletes a User Type permanently. + > **Note**: You can't delete the default User Type or a User Type that is currently assigned to users. + operationId: deleteUserType + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userTypes.manage + tags: + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/uischemas: + get: + summary: List all UI Schemas + description: Lists all UI Schemas in your org + operationId: listUISchemas responses: '200': - description: Reset url + description: Success content: application/json: schema: - $ref: '#/components/schemas/ForgotPasswordResponse' + type: array + items: + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UIISchemaList: + summary: Lists all UI Schemas response + $ref: '#/components/examples/ListUISchemaResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' 
'429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.uischemas.read tags: - - User - /api/v1/users/{userId}/credentials/forgot_password_recovery_question: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: - summary: Reset Password with Recovery Question - description: Resets the user's password to the specified password if the provided answer to the recovery question is correct. - operationId: forgotPasswordSetNewPassword - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: sendEmail - in: query - required: false - schema: - type: boolean - default: true - x-codegen-request-body-name: userCredentials + summary: Create a UI Schema + description: Creates an input for an enrollment form + operationId: createUISchema + x-codegen-request-body-name: uischemabody requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserCredentials' + $ref: '#/components/schemas/CreateUISchema' + examples: + UISchemaCreate: + $ref: '#/components/examples/CreateUISchemaBody' required: true responses: '200': - description: Credentials + description: Success content: application/json: schema: - $ref: '#/components/schemas/UserCredentials' + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaCreate: + $ref: '#/components/examples/CreateUISchemaResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.uischemas.manage tags: - - User - /api/v1/users/{userId}/factors: + - UISchema + x-okta-lifecycle: + lifecycle: 
LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/meta/uischemas/{id}: + parameters: + - $ref: '#/components/parameters/UISchemaId' get: - summary: List all Factors - description: Enumerates all the enrolled factors for the specified user - operationId: listFactors - parameters: - - name: userId - in: path - required: true - schema: - type: string + summary: Retrieve a UI Schema + description: Retrieves a UI Schema by `id` + operationId: getUISchema responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaRetrieve: + summary: Retrieves a UI Schema response + $ref: '#/components/examples/RetrieveUISchemaResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -11974,51 +15591,29 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.uischemas.read tags: - - UserFactor - post: - summary: Enroll a Factor - description: Enrolls a user with a supported factor. - operationId: enrollFactor - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: updatePhone - in: query - schema: - type: boolean - default: false - - name: templateId - in: query - description: id of SMS template (only for SMS factor) - schema: - type: string - - name: tokenLifetimeSeconds - in: query - schema: - type: integer - format: int32 - default: 300 - x-okta-added-version: 1.3.0 - - name: activate - in: query - schema: - type: boolean - default: false - x-okta-added-version: 1.3.0 - x-codegen-request-body-name: body + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a UI Schema + description: Replaces a UI Schema by `id` + operationId: replaceUISchemas + x-codegen-request-body-name: updateUISchemaBody requestBody: - description: Factor content: application/json: schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/UpdateUISchema' + examples: + UISchemaPUT: + $ref: '#/components/examples/CreateUISchemaBody' required: true responses: '200': @@ -12026,7 +15621,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaUpdate: + $ref: '#/components/examples/CreateUISchemaResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -12036,31 +15634,26 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.uischemas.manage tags: - - UserFactor - /api/v1/users/{userId}/factors/catalog: - get: - summary: List all Supported Factors - description: Enumerates all the supported factors that can be enrolled for the specified user - operationId: listSupportedFactors - parameters: - - name: userId - in: path - required: true - schema: - type: string + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a UI Schema + description: Deletes a UI Schema by `id` + operationId: deleteUISchemas responses: - '200': - description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/UserFactor' + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -12068,253 +15661,216 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.uischemas.manage tags: - - UserFactor - /api/v1/users/{userId}/factors/questions: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/org: get: - summary: List all Supported Security Questions - description: Enumerates all available security questions for a user's `question` factor - operationId: listSupportedSecurityQuestions - parameters: - - name: userId - in: path - required: true - schema: - type: string + summary: Retrieve the Org General Settings + description: Retrieves the Org General Settings + operationId: getOrgSettings + parameters: [] responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/SecurityQuestion' + $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - UserFactor - /api/v1/users/{userId}/factors/{factorId}: - get: - summary: Retrieve a Factor - description: Fetches a factor for the specified user - operationId: getFactor - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the Org General Settings + description: Updates partial Org General Settings + operationId: updateOrgSettings + requestBody: + content: + application/json: + schema: + $ref: 
'#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/UpdateOrgSettingEx' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/UserFactor' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read - tags: - - UserFactor - delete: - summary: Delete a Factor - description: Unenrolls an existing factor for the specified user, allowing the user to enroll a new factor. - operationId: deleteFactor - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string - - name: removeEnrollmentRecovery - in: query - schema: - type: boolean - default: false - responses: - '204': - description: No Content - content: {} + $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - UserFactor - /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate: - post: - summary: Activate a Factor - description: The `sms` and `token:software:totp` factor types require activation to complete the enrollment process. 
- operationId: activateFactor - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: body + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Org General Settings + description: Replaces the Org General Settings for your Okta org + operationId: replaceOrgSettings + x-codegen-request-body-name: orgSetting requestBody: content: application/json: schema: - $ref: '#/components/schemas/ActivateFactorRequest' - required: false + $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/UpdateOrgSettingEx' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - UserFactor - /api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}: + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/captcha: get: - summary: Retrieve a Factor Transaction Status - description: Polls factors verification transaction for status. 
- operationId: getFactorTransactionStatus - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string - - name: transactionId - in: path - required: true - schema: - type: string + summary: Retrieve the Org-wide CAPTCHA Settings + description: |- + Retrieves the CAPTCHA settings object for your organization + > **Note**: If the current organization hasn't configured CAPTCHA Settings, the request returns an empty object. + operationId: getOrgCaptchaSettings responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/VerifyUserFactorResponse' + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + configured: + $ref: '#/components/examples/OrgCAPTCHASettingsConfigured' + empty: + $ref: '#/components/examples/OrgCAPTCHASettingsEmpty' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.captchas.read tags: - - UserFactor - /api/v1/users/{userId}/factors/{factorId}/verify: - post: - summary: Verify an MFA Factor - description: Verifies an OTP for a `token` or `token:hardware` factor - operationId: verifyFactor - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string - - name: templateId - in: query - schema: - type: string - - name: tokenLifetimeSeconds - in: query - schema: - type: integer - format: int32 - default: 300 - x-okta-added-version: 1.3.0 - - name: X-Forwarded-For - in: header - schema: - type: string - x-okta-added-version: 1.11.0 - - name: User-Agent - in: header - schema: - type: string - x-okta-added-version: 1.11.0 - - name: Accept-Language - in: header - schema: - type: string - 
x-codegen-request-body-name: body + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Org-wide CAPTCHA Settings + description: |- + Replaces the CAPTCHA settings object for your organization + > **Note**: You can disable CAPTCHA for your organization by setting `captchaId` and `enabledPages` to `null`. + operationId: replacesOrgCaptchaSettings requestBody: content: application/json: schema: - $ref: '#/components/schemas/VerifyFactorRequest' - required: false + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + Update: + $ref: '#/components/examples/OrgCAPTCHASettingsUpdate' + Disable: + $ref: '#/components/examples/OrgCAPTCHASettingsDisable' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/VerifyUserFactorResponse' + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + Update: + $ref: '#/components/examples/OrgCAPTCHASettingsUpdated' + Disable: + $ref: '#/components/examples/OrgCAPTCHASettingsDisabled' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorCAPTCHAOrgWideSettingNull' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete the Org-wide CAPTCHA Settings + description: Deletes the CAPTCHA settings object for your organization + operationId: deleteOrgCaptchaSettings + responses: + '204': + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -12322,75 +15878,64 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.captchas.manage tags: - - UserFactor - /api/v1/users/{userId}/grants: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/org/contacts: get: - summary: List all User Grants - description: Lists all grants for the specified user - operationId: listUserGrants - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: scopeId - in: query - schema: - type: string - - name: expand - in: query - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + summary: List all Org Contact Types + description: Lists all Org Contact Types for your Okta org + operationId: listOrgContactTypes + parameters: [] responses: '200': description: Success content: application/json: schema: - type: array items: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + $ref: '#/components/schemas/OrgContactTypeObj' + type: array + examples: + orgContactTypeEx: + $ref: '#/components/examples/orgContactTypeResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - User - delete: - summary: Revoke all User Grants - description: Revokes all grants for a specified user - operationId: revokeUserGrants - parameters: - - name: userId - in: path - required: true - schema: - type: string + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/contacts/{contactType}: + parameters: + - $ref: 
'#/components/parameters/pathContactType' + get: + summary: Retrieve the Contact Type User + description: Retrieves the ID and the User resource associated with the specified Contact Type + operationId: getOrgContactUser responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + $ref: '#/components/examples/orgContactUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -12398,38 +15943,42 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - User - /api/v1/users/{userId}/grants/{grantId}: - get: - summary: Retrieve a User Grant - description: Gets a grant for the specified user - operationId: getUserGrant - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: grantId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Contact Type User + description: Replaces the User associated with the specified Contact Type + operationId: replaceOrgContactUser + x-codegen-request-body-name: orgContactUser + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + summary: Contact User + value: + userId: 00ux3u0ujW1r5AfZC1d7 + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + $ref: '#/components/examples/orgContactUserResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -12437,53 +15986,132 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - delete: - summary: Revoke a User Grant - description: Revokes one grant for a specified user - operationId: revokeUserGrant - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: grantId - in: path - required: true - schema: - type: string + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/email/bounces/remove-list: + post: + summary: Remove Bounced Emails + description: | + Removes emails from an email service bounce list. + + The emails submitted in this operation are removed from the bounce list by an asynchronous job. + Any email address that passes validation is accepted for the removal process, even if there are other email addresses in the request that failed validation. + + > **Note:** If there are validation errors for all email addresses, a `200 OK` HTTP status is still returned. + operationId: bulkRemoveEmailAddressBounces + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BouncesRemoveListObj' + examples: + example-1: + summary: Request example + value: + emailAddresses: + - name@company.com + - unknown.email@okta.com + - name@okta@com responses: - '204': - description: No Content - content: {} + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/BouncesRemoveListResult' + examples: + example-1: + summary: Response example + value: + errors: + - emailAddress: unknown.email@okta.com + reason: This email address does not belong to any user in your organization. + - emailAddress: name@okta@com + reason: Invalid email address. The provided email address failed validation against RFC 3696. 
+ '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/groups: + - EmailCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/factors/yubikey_token/tokens: + parameters: + - name: after + in: query + description: Specifies the pagination cursor for the next page of tokens + schema: + type: string + - name: expand + in: query + description: Embeds the [User](/openapi/okta-management/management/tag/User/) resource if the YubiKey Token is assigned to a user and `expand` is set to `user` + schema: + type: string + - name: filter + in: query + description: The expression used to filter tokens + schema: + type: string + enum: + - profile.email + - profile.serial + - activated + - user.id + - created + - status + - lastVerified + - name: forDownload + in: query + description: Returns tokens in a CSV to download instead of in the response. When you use this query parameter, the `limit` default changes to 1000. + schema: + type: boolean + default: false + - name: limit + in: query + description: Specifies the number of results per page + schema: + type: integer + default: 20 + maximum: 200 + - name: sortBy + in: query + description: The value of how the tokens are sorted + schema: + type: string + enum: + - profile.email + - profile.serial + - activated + - user.id + - created + - status + - lastVerified + - name: sortOrder + in: query + description: Specifies the sort order, either `ASC` or `DESC` + schema: + type: string + enum: + - ASC + - DESC get: - summary: List all Groups - description: Fetches the groups of which the user is a member. 
- operationId: listUserGroups - parameters: - - name: userId - in: path - required: true - schema: - type: string + summary: List all YubiKey OTP Tokens + description: Lists all YubiKey OTP Tokens + operationId: listYubikeyOtpTokens responses: '200': description: Success @@ -12492,7 +16120,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Group' + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + ListYubikeyOptTokensResponse: + $ref: '#/components/examples/ListYubikeyOptTokensResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -12500,31 +16131,52 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: + - apiToken: [] + - oauth2: - okta.users.read tags: - - User - /api/v1/users/{userId}/idps: - get: - summary: List all Identity Providers - description: Lists the IdPs associated with the user. - operationId: listUserIdentityProviders - parameters: - - name: userId - in: path - required: true - schema: - type: string + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Upload a YubiKey OTP Seed + description: Uploads a seed for a user to enroll a YubiKey OTP + operationId: uploadYubikeyOtpTokenSeed + requestBody: + content: + application/json: + schema: + type: object + properties: + serialNumber: + type: string + description: The unique identifier assigned to each YubiKey device + publicId: + type: string + description: The Yubikey's public ID + privateId: + type: string + description: The Yubikey's private ID + aesKey: + type: string + description: The cryptographic key used in the AES algorithm to encrypt and decrypt YubiKey OTP + examples: + uploadYubikeyOtpSeedRequest: + $ref: '#/components/examples/UploadYubikeyTokenSeedRequest' + required: true responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/IdentityProvider' + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + yubikeyToken: + $ref: '#/components/examples/UploadYubikeyTokenSeedResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -12532,36 +16184,38 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.users.manage tags: - - User - /api/v1/users/{userId}/lifecycle/activate: - post: - summary: Activate a User - description: Activates a user. This operation can only be performed on users with a `STAGED` status. Activation of a user is an asynchronous operation. The user will have the `transitioningToStatus` property with a value of `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation. The user will have a status of `ACTIVE` when the activation process is complete. - operationId: activateUser + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/factors/yubikey_token/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/yubikeyTokenId' + get: + summary: Retrieve a YubiKey OTP Token + description: Retrieves the specified YubiKey OTP Token by `id` + operationId: getYubikeyOtpTokenById parameters: - - name: userId + - name: tokenId in: path required: true + description: The YubikeyOTP token ID schema: type: string - - name: sendEmail - in: query - description: Sends an activation email to the user if true - required: true - schema: - type: boolean - default: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/UserActivationToken' + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + Token: + $ref: '#/components/examples/GetYubikeyOptTokenResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -12569,774 +16223,815 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.users.read tags: - - User - /api/v1/users/{userId}/lifecycle/deactivate: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/logo: post: - summary: Deactivate a User - description: 'Deactivates a user. This operation can only be performed on users that do not have a `DEPROVISIONED` status. While the asynchronous operation (triggered by HTTP header `Prefer: respond-async`) is proceeding the user''s `transitioningToStatus` property is `DEPROVISIONED`. The user''s status is `DEPROVISIONED` when the deactivation process is complete.' - operationId: deactivateUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: sendEmail - in: query - schema: - type: boolean - default: false - x-okta-added-version: 1.5.0 + summary: Upload the Org Logo + description: Uploads and replaces the logo for your organization + operationId: uploadOrgLogo + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + type: string + format: binary + description: The file must be in PNG, JPG, or GIF format and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling. 
+ required: + - file + description: logo file responses: - '200': - description: OK - content: {} + '201': + description: Created + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.apps.manage tags: - - User - /api/v1/users/{userId}/lifecycle/expire_password: - post: - summary: Expire Password - description: This operation transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login. - operationId: expirePassword - parameters: - - name: userId - in: path - required: true - schema: - type: string + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/orgSettings/thirdPartyAdminSetting: + get: + summary: Retrieve the Org Third-Party Admin Setting + description: Retrieves the Third-Party Admin Setting. See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation. 
+ operationId: getThirdPartyAdminSetting + parameters: [] responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/ThirdPartyAdminSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - User - /api/v1/users/{userId}/lifecycle/expire_password_with_temp_password: + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Expire Password and Set Temporary Password - description: This operation transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login, and also sets the user's password to a temporary password returned in the response. - operationId: expirePasswordAndGetTemporaryPassword - parameters: - - name: userId - in: path - required: true - schema: - type: string + summary: Update the Org Third-Party Admin Setting + description: | + Updates the Third-Party Admin Setting. + This setting allows third-party admins to perform administrative actions in the Admin Console, but they can't do any of the following: + * Receive Okta admin email notifications + * Contact Okta support + * Sign in to the Okta Help Center + + See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation. 
+ operationId: updateThirdPartyAdminSetting + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/TempPassword' + $ref: '#/components/schemas/ThirdPartyAdminSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/lifecycle/reactivate: - post: - summary: Reactivate a User - description: Reactivates a user. This operation can only be performed on users with a `PROVISIONED` status. This operation restarts the activation workflow if for some reason the user activation was not completed when using the activationToken from [Activate User](#activate-user). 
- operationId: reactivateUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: sendEmail - in: query - description: Sends an activation email to the user if true - schema: - type: boolean - default: false + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/preferences: + get: + summary: Retrieve the Org Preferences + description: Retrieves preferences of your Okta org + operationId: getOrgPreferences + parameters: [] responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/UserActivationToken' + $ref: '#/components/schemas/OrgPreferences' + examples: + retrieveOrgPrefEx: + $ref: '#/components/examples/orgShowFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - User - /api/v1/users/{userId}/lifecycle/reset_factors: + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/preferences/hideEndUserFooter: post: - summary: Reset all Factors - description: This operation resets all factors for the specified user. All MFA factor enrollments returned to the unenrolled state. The user's status remains ACTIVE. This link is present only if the user is currently enrolled in one or more MFA factors. 
- operationId: resetFactors - parameters: - - name: userId - in: path - required: true - schema: - type: string + summary: Set the Hide Dashboard Footer Preference + description: Sets the preference to hide the Okta UI footer for all end users of your org + operationId: setOrgHideOktaUIFooter + parameters: [] responses: '200': - description: OK - content: {} + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgPreferences' + examples: + hideOrgPrefEx: + $ref: '#/components/examples/orgHideFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/lifecycle/reset_password: + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/preferences/showEndUserFooter: post: - summary: Reset Password - description: Generates a one-time token (OTT) that can be used to reset a user's password. The OTT link can be automatically emailed to the user or returned to the API caller and distributed using a custom flow. 
- operationId: resetPassword - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: sendEmail - in: query - required: true - schema: - type: boolean + summary: Set the Show Dashboard Footer Preference + description: Sets the preference to show the Okta UI footer for all end users of your org + operationId: setOrgShowOktaUIFooter + parameters: [] responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/ResetPasswordToken' + $ref: '#/components/schemas/OrgPreferences' + examples: + showOrgPrefEx: + $ref: '#/components/examples/orgShowFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/lifecycle/suspend: - post: - summary: Suspend a User - description: Suspends a user. This operation can only be performed on users with an `ACTIVE` status. The user will have a status of `SUSPENDED` when the process is complete. - operationId: suspendUser - parameters: - - name: userId - in: path - required: true - schema: - type: string + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/aerial: + get: + summary: Retrieve Okta Aerial consent for your Org + description: Retrieves the Okta Aerial consent grant details for your Org. Returns a 404 Not Found error if no consent has been granted. 
+ operationId: getAerialConsent + parameters: [] responses: '200': - description: OK - content: {} + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentDetails' + examples: + example-read-grant-response: + $ref: '#/components/examples/AerialConsentDetails' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-no-already-present-response: + $ref: '#/components/examples/AerialGrantAlreadyPresentErrorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + description: Consent hasn't been given and there are no grants to any Aerial Accounts + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-no-grant-found-response: + $ref: '#/components/examples/AerialGrantNotFoundResponse' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/lifecycle/unlock: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/org/privacy/aerial/grant: post: - summary: Unlock a User - description: Unlocks a user with a `LOCKED_OUT` status and returns them to `ACTIVE` status. Users will be able to login with their current password. - operationId: unlockUser - parameters: - - name: userId - in: path - required: true - schema: - type: string + summary: Grant Okta Aerial access to your Org + description: Grants an Okta Aerial account access to your Org. If the org is a child org, consent is taken from the parent org. Grant calls directly to the child are not allowed. 
+ operationId: grantAerialConsent + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsent' + examples: + example-grant-call: + description: Request body to grant an Okta Aerial account access to your Org + value: + accountId: 0200bs0617vvhv2v675mch1cukp responses: '200': description: Success - content: {} + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentDetails' + examples: + example-grant-success-response: + $ref: '#/components/examples/AerialConsentDetails' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-invalid-account-id: + $ref: '#/components/examples/AerialConsentInvalidAccountIdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/lifecycle/unsuspend: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/org/privacy/aerial/revoke: post: - summary: Unsuspend a User - description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status. - operationId: unsuspendUser - parameters: - - name: userId - in: path - required: true - schema: - type: string + summary: Revoke Okta Aerial access to your Org + description: Revokes access of an Okta Aerial account to your Org. The revoke operation will fail if the org has already been added to an Aerial account. 
+ operationId: revokeAerialConsent + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsent' + examples: + example-revoke-request: + description: Request body for revoking an Okta Aerial account + value: + accountId: 0200bs0617vvhv2v675mch1cukp responses: '200': description: Success - content: {} + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentRevoked' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-org-is-linked: + $ref: '#/components/examples/AerialConsentOrgAlreadyLinkedResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/linkedObjects/{relationshipName}: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/org/privacy/oktaCommunication: get: - summary: List all Linked Objects - description: Get linked objects for a user, relationshipName can be a primary or associated relationship name - operationId: getLinkedObjectsForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: relationshipName - in: path - required: true - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: -1 + summary: Retrieve the Okta Communication Settings + description: Retrieves Okta Communication Settings of your org + operationId: getOktaCommunicationSettings + parameters: [] responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: 
'#/components/schemas/ResponseLinks' + $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + retrieveOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptOutResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - User - delete: - summary: Delete a Linked Object - description: Delete linked objects for a user, relationshipName can be ONLY a primary relationship name - operationId: removeLinkedObjectForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: relationshipName - in: path - required: true - schema: - type: string + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/oktaCommunication/optIn: + post: + summary: Opt in to Okta User Communication Emails + description: Opts in all users of this org to Okta communication emails + operationId: optInUsersToOktaCommunicationEmails + parameters: [] responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + optInOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptInResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/roles: - get: - summary: List all Assigned Roles - description: Lists all roles assigned to a user. 
- operationId: listAssignedRolesForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/oktaCommunication/optOut: + post: + summary: Opt out of Okta User Communication Emails + description: Opts out all users of this org from Okta communication emails + operationId: optOutUsersFromOktaCommunicationEmails + parameters: [] responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Role' + $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + optOutOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptOutResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/oktaSupport: + get: + summary: Retrieve the Okta Support Settings + description: Retrieves Okta Support Settings for your org + operationId: getOrgOktaSupportSettings + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + RetrieveOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + 
/api/v1/org/privacy/oktaSupport/extend: post: - summary: Assign a Role - description: Assigns a role to a user. - operationId: assignRoleToUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: disableNotifications - in: query - schema: - type: boolean - x-codegen-request-body-name: assignRoleRequest - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AssignRoleRequest' - required: true + summary: Extend Okta Support Access + description: Extends the length of time that Okta Support can access your org by 24 hours. This means that 24 hours are added to the remaining access time. + operationId: extendOktaSupport + parameters: [] responses: - '201': - description: Created + '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/Role' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + ExtendOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/roles/{roleId}: - get: - summary: Retrieve a Role - description: Gets role that is assigned to user. 
- operationId: getUserRole - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/oktaSupport/grant: + post: + summary: Grant Okta Support Access + description: Grants Okta Support temporary access your org as an administrator for eight hours + operationId: grantOktaSupport + parameters: [] responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Role' + $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + GrantOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - delete: - summary: Delete a Role - description: Unassigns a role from a user. 
- operationId: removeRoleFromUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/oktaSupport/revoke: + post: + summary: Revoke Okta Support Access + description: Revokes Okta Support access to your org + operationId: revokeOktaSupport + parameters: [] responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + RevokeOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsRevokeResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/settings/clientPrivilegesSetting: get: - summary: List all Application Targets for Application Administrator Role - description: Lists all App targets for an `APP_ADMIN` Role assigned to a User. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID. 
- operationId: listApplicationTargetsForApplicationAdministratorRoleForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + summary: Retrieve the Default Public Client App Role Setting + description: Retrieves the org setting to assign the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) to new public client apps + operationId: getClientPrivilegesSetting + parameters: [] responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/CatalogApplication' + $ref: '#/components/schemas/ClientPrivilegesSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - User + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Assign all Apps as Target to Role - description: Assign all Apps as Target to Role - operationId: addAllAppsAsTargetToRole - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string + summary: Assign the Default Public Client App Role Setting + description: Assigns the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) as the default role for new public client apps + operationId: assignClientPrivilegesSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' responses: '200': description: Success - content: {} + content: + 
application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}: - put: - summary: Assign an Application Target to Administrator Role - description: Success - operationId: addApplicationTargetToAdminRoleForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/orgs: + post: + summary: Create an org + description: |- + Creates an org (child org) that has the same features as the current requesting org (parent org). + A child org inherits any new features added to the parent org, but new features added to the child org aren't propagated back to the parent org. + > **Notes:** + > * Some features associated with products, such as Atspoke, Workflows, and Okta Identity Governance, aren't propagated to the child org. + > * Wait at least 30 seconds after a 201-Created response before you make API requests to the new child org. + > * For rate limits, see [Org creation rate limits](https://developer.okta.com/docs/reference/rl-additional-limits/#org-creation-rate-limits). 
+ operationId: createChildOrg + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ChildOrg' + examples: + CreateChildOrg: + $ref: '#/components/examples/CreateChildOrgRequestEx' responses: - '204': - description: No Content - content: {} + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/ChildOrg' + examples: + CreateChildOrg: + $ref: '#/components/examples/CreateChildOrgResponseEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' + '500': + $ref: '#/components/responses/ErrorInternalServer500' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - User - delete: - summary: Unassign an Application Target from Application Administrator Role - description: Success - operationId: removeApplicationTargetFromApplicationAdministratorRoleForUser + - OrgCreator + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies: + get: + summary: List all Policies + description: Lists all policies with the specified type + operationId: listPolicies parameters: - - name: userId - in: path + - name: type + in: query required: true schema: type: string - - name: roleId - in: path - required: true + enum: + - OKTA_SIGN_ON + - PASSWORD + - MFA_ENROLL + - IDP_DISCOVERY + - ACCESS_POLICY + - PROFILE_ENROLLMENT + - POST_AUTH_SESSION + - ENTITY_RISK + description: Specifies the type of policy to return. The following policy types are available only with the Okta Identity Engine - `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`. 
+ - name: status + in: query schema: type: string - - name: appName - in: path - required: true + description: Refines the query by the `status` of the policy - `ACTIVE` or `INACTIVE` + - name: q + in: query schema: type: string - responses: - '204': - description: No Content - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage - tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}/{applicationId}: - put: - summary: Assign an Application Instance Target to an Application Administrator Role - description: Add App Instance Target to App Administrator Role given to a User - operationId: addApplicationTargetToAppAdminRoleForUser - parameters: - - name: userId - in: path - required: true + description: Refines the query by policy name prefix (startWith method) passed in as `q=string` + - name: expand + in: query schema: type: string - - name: roleId - in: path - required: true + default: '' + - name: sortBy + in: query schema: type: string - - name: appName - in: path - required: true + description: Refines the query by sorting on the policy `name` in ascending order + - name: limit + in: query schema: type: string - - name: applicationId - in: path - required: true + description: Defines the number of policies returned, see [Pagination](https://developer.okta.com/docs/api/#pagination) + - name: resourceId + in: query + schema: + type: string + description: Reference to the associated authorization server + - name: after + in: query schema: type: string + description: End page cursor for pagination, see [Pagination](https://developer.okta.com/docs/api/#pagination) responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.policies.read tags: - - User - delete: - summary: Unassign an Application Instance Target to Application Administrator Role - description: Remove App Instance Target to App Administrator Role given to a User - operationId: removeApplicationTargetFromAdministratorRoleForUser + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Policy + description: Creates a policy. There are many types of policies that you can create. See [Policies](https://developer.okta.com/docs/concepts/policies/) for an overview of the types of policies available and then links to more indepth information. + operationId: createPolicy parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string - - name: applicationId - in: path - required: true + - name: activate + description: This query parameter is only valid for Classic Engine orgs. 
+ in: query schema: - type: string + type: boolean + default: true + x-codegen-request-body-name: policy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + required: true responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/groups: - get: - summary: List all Group Targets for Role - description: Success - operationId: listGroupTargetsForRole - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/simulate: + parameters: + - $ref: '#/components/parameters/simulateParameter' + post: + summary: Create a Policy Simulation + description: |- + Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration. 
+ The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow. + operationId: createPolicySimulation + x-codegen-request-body-name: simulatePolicy + requestBody: + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SimulatePolicyBody' + examples: + SimulatePolicy: + $ref: '#/components/examples/SimulatePolicyBody' + required: true responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Group' + $ref: '#/components/schemas/SimulatePolicyResponse' + examples: + SimulatePolicy: + $ref: '#/components/examples/SimulatePolicyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
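Review bot: `listPolicies` (GET `/api/v1/policies`) declares its 200 body as a single `$ref: '#/components/schemas/Policy'`, but the operation returns a list, so the schema should be `type: array` with `items: $ref: '#/components/schemas/Policy'`, the form `listPolicyRules` and `listPolicyMappings` use later in this patch. Three smaller points in the same hunk: `createChildOrg`'s `requestBody` carries no `required: true` while `createPolicy` and the other bodies in this patch do; the `limit` query parameter on `listPolicies` is typed `string` where the other list operations use `type: integer` / `format: int32`; and `status` is described as `ACTIVE` or `INACTIVE` but has no `enum`, so clients get no validation of it. Separately, the `/api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/...` operations (`addApplicationTargetToAdminRoleForUser` and the three beside it) are deleted here with no replacement visible in this hunk; if they moved under another tag, say so in the PR description so reviewers can confirm nothing was dropped.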
@@ -13344,36 +17039,45 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.read + - apiToken: [] + - oauth2: + - okta.policies.read tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/groups/{groupId}: - put: - summary: Assign a Group Target to Role - description: Assign a Group Target to Role - operationId: addGroupTargetToRole + - Policy + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/policies/{policyId}: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + get: + summary: Retrieve a Policy + description: Retrieves a policy + operationId: getPolicy parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true + - name: expand + in: query schema: type: string + default: '' responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
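Review bot: `getPolicy`'s `expand` query parameter has only `default: ''` and no `description`, so nothing tells a client which expansions are accepted; the same gap exists on `listPolicies` in the previous hunk, so one shared parameter component with a description would fix both. The `okta.policies.read` scope on `createPolicySimulation` is the right choice for a read-only evaluation, even though the operation is a POST; a one-line note in its description saying the simulation changes nothing would prevent reviewers from flagging the scope as too weak.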
@@ -13381,35 +17085,43 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.policies.read tags: - - User - delete: - summary: Unassign a Group Target from Role - description: Unassign a Group Target from Role - operationId: removeGroupTargetFromRole - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Policy + description: Replaces the properties of a Policy identified by `policyId` + operationId: replacePolicy + x-codegen-request-body-name: policy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + required: true responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -13417,32 +17129,21 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.roles.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - User - /api/v1/users/{userId}/sessions: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete all User Sessions - description: Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. - operationId: clearUserSessions - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: oauthTokens - in: query - description: Revoke issued OpenID Connect and OAuth refresh and access tokens - schema: - type: boolean - default: false + summary: Delete a Policy + description: Deletes a policy + operationId: deletePolicy responses: '204': description: No Content - content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
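Review bot: `clearUserSessions` (DELETE `/api/v1/users/{userId}/sessions`, with its `oauthTokens` query parameter for revoking issued OIDC and OAuth tokens) is removed in this hunk and nothing in the visible diff re-adds it. Session and token revocation is the operation responders reach for during an account compromise, so please confirm it is relocated elsewhere in the file rather than dropped, and reference the new location in the PR description.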
@@ -13450,163 +17151,150 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - User - /api/v1/users/{userId}/subscriptions: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/app: + parameters: + - $ref: '#/components/parameters/pathPolicyId' get: - summary: List all Subscriptions - description: List subscriptions of a User. Only lists subscriptions for current user. An AccessDeniedException message is sent if requests are made from other users. - operationId: listUserSubscriptions - parameters: - - in: path - name: userId - required: true - schema: - type: string + deprecated: true + summary: List all Applications mapped to a Policy + description: |- + Lists all applications mapped to a policy identified by `policyId` + + > **Note:** Use [List all resources mapped to a Policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyMappings) to list all applications mapped to a policy. + operationId: listPolicyApps responses: '200': description: Success content: application/json: schema: - items: - $ref: '#/components/schemas/Subscription' type: array + items: + $ref: '#/components/schemas/Application' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.policies.read tags: - - Subscription - /api/v1/users/{userId}/subscriptions/{notificationType}: - get: - summary: List all Subscriptions by type - description: Get the subscriptions of a User with a specific notification type. Only gets subscriptions for current user. 
An AccessDeniedException message is sent if requests are made from other users. - operationId: getUserSubscriptionByNotificationType - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: notificationType - required: true - schema: - type: string + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/clone: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + post: + summary: Clone an existing Policy + description: Clones an existing policy + operationId: clonePolicy responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Subscription' + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.read + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - Subscription - /api/v1/users/{userId}/subscriptions/{notificationType}/subscribe: + - Policy + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/policies/{policyId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathPolicyId' post: - summary: Subscribe to a specific notification type - description: Subscribes a User to a specific notification type. Only the current User can subscribe to a specific notification type. 
An AccessDeniedException message is sent if requests are made from other users. - operationId: subscribeUserSubscriptionByNotificationType - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: notificationType - required: true - schema: - type: string - responses: - '200': - description: Success + summary: Activate a Policy + description: Activates a policy + operationId: activatePolicy + responses: + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - Subscription - /api/v1/users/{userId}/subscriptions/{notificationType}/unsubscribe: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathPolicyId' post: - summary: Unsubscribe from a specific notification type - description: Unsubscribes a User from a specific notification type. Only the current User can unsubscribe from a specific notification type. An AccessDeniedException message is sent if requests are made from other users. 
- operationId: unsubscribeUserSubscriptionByNotificationType - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: notificationType - required: true - schema: - type: string + summary: Deactivate a Policy + description: Deactivates a policy + operationId: deactivatePolicy responses: - '200': - description: Success + '204': + description: No Content + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.users.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - Subscription - /api/v1/zones: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/mappings: + parameters: + - $ref: '#/components/parameters/pathPolicyId' get: - summary: List all Network Zones - description: Enumerates network zones added to your organization with pagination. A subset of zones can be returned that match a supported filter expression or query. - operationId: listNetworkZones - parameters: - - name: after - in: query - description: Specifies the pagination cursor for the next page of network zones - schema: - type: string - - name: limit - in: query - description: Specifies the number of results for a page - schema: - type: integer - format: int32 - default: -1 - - name: filter - in: query - description: Filters zones by usage or id expression - schema: - type: string + summary: List all resources mapped to a Policy + description: Lists all resources mapped to a Policy identified by `policyId` + operationId: listPolicyMappings responses: '200': description: Success 
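Review bot: `clonePolicy` is a POST that creates a new policy but responds 200, while `createChildOrg` in this patch responds 201 for creation; align on 201 or state in the description why clone differs. Marking `listPolicyApps` with `deprecated: true` and a pointer to `listPolicyMappings` is the right way to retire it, though the pointer is a rendered-docs URL that will break if the site layout changes; naming the `operationId` in the note as well keeps it usable. The removed `/api/v1/users/{userId}/subscriptions*` and `/api/v1/zones` operations are not re-added in this hunk; confirm relocation.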
@@ -13615,27 +17303,34 @@ paths: schema: type: array items: - $ref: '#/components/schemas/NetworkZone' + $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-list-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.networkZones.read + - apiToken: [] + - oauth2: + - okta.policies.read tags: - - NetworkZone + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Network Zone - description: Adds a new network zone to your Okta organization. - operationId: createNetworkZone - x-codegen-request-body-name: zone + summary: Map a resource to a Policy + description: Maps a resource to a Policy identified by `policyId` + operationId: mapResourceToPolicy requestBody: content: application/json: schema: - $ref: '#/components/schemas/NetworkZone' + $ref: '#/components/schemas/PolicyMappingRequest' required: true responses: '200': 
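Review bot: `mapResourceToPolicy` creates a mapping but responds 200 rather than 201 (compare `createChildOrg`), and its `PolicyMappingRequest` body has no example while the response does; a request example next to `policy-mapping-response` would show callers the required fields without reading the schema.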
@@ -13643,37 +17338,45 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/NetworkZone' + $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.networkZones.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - NetworkZone - /api/v1/zones/{zoneId}: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/mappings/{mappingId}: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathPolicyMappingId' get: - summary: Retrieve a Network Zone - description: Fetches a network zone from your Okta organization by `id`. - operationId: getNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string + summary: Retrieve a policy resource Mapping + description: Retrieves a resource Mapping for a Policy identified by `policyId` and `mappingId` + operationId: getPolicyMapping responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/NetworkZone' + $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -13681,27 +17384,129 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.networkZones.read + - apiToken: [] + - oauth2: + - okta.policies.read tags: - - NetworkZone - put: - summary: Replace a Network Zone - description: Updates a network zone in your organization. - operationId: updateNetworkZone + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a policy resource Mapping + description: Deletes the resource Mapping for a Policy identified by `policyId` and `mappingId` + operationId: deletePolicyResourceMapping + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/rules: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/limitParameter' + get: + summary: List all Policy Rules + description: Lists all policy rules + operationId: listPolicyRules + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/PolicyRule' + examples: + okta-sign-on: + $ref: '#/components/examples/list-all-sign-on-policy-rule-response' + password: + $ref: '#/components/examples/list-all-password-policy-rule-response' + idp-discovery: + $ref: '#/components/examples/list-all-idp-discovery-policy-rule-response' + mfa-enroll: + $ref: '#/components/examples/list-all-mfa-enroll-policy-rule-response' + profile-enrollment: + $ref: '#/components/examples/list-all-profile-enrollment-policy-rule-response' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': 
+ $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Policy Rule + description: |- + Creates a policy rule + + > **Note:** You can't create additional rules for the `PROFILE_ENROLLMENT` or `POST_AUTH_SESSION` policies. + operationId: createPolicyRule parameters: - - name: zoneId - in: path - required: true + - name: activate + description: Set this parameter to `false` to create an `INACTIVE` rule. + in: query schema: - type: string - x-codegen-request-body-name: zone + type: boolean + default: true + x-codegen-request-body-name: policyRule requestBody: content: application/json: schema: - $ref: '#/components/schemas/NetworkZone' + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up' + EnableSsprOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP' + Enable2FAPreciseAuth: + $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' + CreateAuthPolicyRuleDevicePlatformCondition: + $ref: '#/components/examples/create-auth-policy-rule-condition' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' + RadiusRule: + $ref: '#/components/examples/radius-rule' + CloudRule: + $ref: '#/components/examples/cloud-rule' + DenyRule: + $ref: 
'#/components/examples/deny-rule' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints' required: true responses: '200': @@ -13709,7 +17514,36 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/NetworkZone' + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-response' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-response' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-response' + EnableSsprWithOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP-response' + Enable2FAPreciseAuth: + $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing-response' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + CreateAuthPolicyRuleDevicePlatformCondition: + $ref: '#/components/examples/create-auth-policy-rule-condition-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
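Review bot: `limitParameter` is attached at the path level of `/api/v1/policies/{policyId}/rules`, so it also applies to `createPolicyRule` (POST), where a `limit` query parameter has no meaning; move it into the GET's own `parameters` list. In `createPolicyRule`, the request example key `EnableSsprOAMP` pairs with the response example key `EnableSsprWithOAMP` (`sspr-enabled-OAMP` / `sspr-enabled-OAMP-response`); tools that match request and response examples by key will not pair these, so use one name for both.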
@@ -13719,25 +17553,54 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.networkZones.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - NetworkZone - delete: - summary: Delete a Network Zone - description: Removes network zone. - operationId: deleteNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/rules/{ruleId}: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + get: + summary: Retrieve a Policy Rule + description: Retrieves a policy rule + operationId: getPolicyRule responses: - '204': - description: No Content - content: {} + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-update' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-update' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-update' + EnableSsprWithOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP-update' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + EnableSsprWithConstraints: + $ref: 
'#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
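Review bot: `getPolicyRule`'s 200 response reuses the `*-update` examples (`sspr-enabled-sq-step-up-update`, `sspr-enabled-sso-step-up-update`, `sspr-enabled-no-step-up-update`, `sspr-enabled-OAMP-update`, `sspr-enabled-sso-step-up-with-constraints-update`), which are the request bodies `replacePolicyRule` consumes in the next hunk; a GET response should point at the `*-response` examples that `createPolicyRule` uses, otherwise the rendered docs present a request body as a server response.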
@@ -13745,29 +17608,84 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.networkZones.manage + - apiToken: [] + - oauth2: + - okta.policies.read tags: - - NetworkZone - /api/v1/zones/{zoneId}/lifecycle/activate: - post: - summary: Activate a Network Zone - description: Activate Network Zone - operationId: activateNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Policy Rule + description: Replaces the properties for a Policy Rule identified by `policyId` and `ruleId` + operationId: replacePolicyRule + x-codegen-request-body-name: policyRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-update' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-update' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-update' + UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: + $ref: '#/components/examples/update-auth-policy-rule-condition' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' + RadiusRule: + $ref: '#/components/examples/radius-rule' + CloudRule: + $ref: '#/components/examples/cloud-rule' + DenyRule: + $ref: '#/components/examples/deny-rule' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' + required: true responses: '200': description: Success content: 
application/json: schema: - $ref: '#/components/schemas/NetworkZone' + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-response' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-response' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-response' + UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: + $ref: '#/components/examples/update-auth-policy-rule-condition-response' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
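Review bot: `replacePolicyRule` lists examples for every rule type except `Enable2FAPreciseAuth` (`twofa-enabled-disallow-password-allow-phishing`), which `createPolicyRule` carries; since that is the example showing a rule that disallows password and allows only the phishing-resistant path, and admins are as likely to reach that state through PUT as through POST, add it here with its `-response` counterpart.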
@@ -13775,29 +17693,48 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.networkZones.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - NetworkZone - /api/v1/zones/{zoneId}/lifecycle/deactivate: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Policy Rule + description: Deletes a Policy Rule identified by `policyId` and `ruleId` + operationId: deletePolicyRule + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' post: - summary: Deactivate a Network Zone - description: Deactivates a network zone. - operationId: deactivateNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string + summary: Activate a Policy Rule + description: Activates a Policy Rule identified by `policyId` and `ruleId` + operationId: activatePolicyRule responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/NetworkZone' + '204': + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
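Review bot: within this hunk `deletePolicyRule` writes its 204 as `description: No Content` plus `content: {}` while `activatePolicyRule` omits `content: {}`, and `deletePolicy` earlier in the patch dropped it too. Pick one form across the file (omitting `content` is the usual OpenAPI 3.0 spelling for an empty body) so generated clients and linters treat every 204 the same way.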
@@ -13805,1918 +17742,40963 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - API_Token: [] - - OAuth_2.0: - - okta.networkZones.manage + - apiToken: [] + - oauth2: + - okta.policies.manage tags: - - NetworkZone -components: - securitySchemes: - API_Token: - description: 'Pass the API token as the Authorization header value prefixed with SSWS: `Authorization: SSWS {API Token}`' - name: Authorization - type: apiKey - in: header - OAuth_2.0: - type: oauth2 - description: 'Pass the access_token as the value of the Authorization header: `Authorization: {access_token}`' - flows: - authorizationCode: - authorizationUrl: /oauth2/v1/authorize - tokenUrl: /oauth2/v1/token + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + post: + summary: Deactivate a Policy Rule + description: Deactivates a Policy Rule identified by `policyId` and `ruleId` + operationId: deactivatePolicyRule + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/principal-rate-limits: + get: + summary: List all Principal Rate Limits + description: Lists all Principal Rate Limit entities considering the provided parameters + operationId: listPrincipalRateLimitEntities + parameters: + - name: filter + in: query + schema: + type: string + - name: after + in: query + schema: + type: string + - name: limit + in: query + schema: + type: integer + format: int32 + default: 20 + maximum: 50 + responses: + '200': + description: OK + 
content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.principalRateLimits.read + tags: + - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Principal Rate Limit + description: Creates a new Principal Rate Limit entity. In the current release, we only allow one Principal Rate Limit entity per org and principal. + operationId: createPrincipalRateLimitEntity + x-codegen-request-body-name: entity + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: '#/components/examples/PrincipalRateLimitEntityRequestSSWSToken' + EmptyPercentages: + $ref: '#/components/examples/PrincipalRateLimitEntityRequestEmptyPercentages' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: '#/components/examples/PrincipalRateLimitEntityResponseSSWSToken' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.principalRateLimits.manage + tags: + - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/principal-rate-limits/{principalRateLimitId}: + parameters: + - $ref: '#/components/parameters/pathPrincipalRateLimitId' + get: + summary: Retrieve a Principal Rate Limit + description: Retrieves a Principal 
Rate Limit entity by `principalRateLimitId` + operationId: getPrincipalRateLimitEntity + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: '#/components/examples/PrincipalRateLimitEntityResponseSSWSToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.principalRateLimits.read + tags: + - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Principal Rate Limit + description: Replaces a principal rate limit entity by `principalRateLimitId` + operationId: replacePrincipalRateLimitEntity + x-codegen-request-body-name: entity + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: '#/components/examples/PrincipalRateLimitEntityRequestSSWSToken' + EmptyPercentages: + $ref: '#/components/examples/PrincipalRateLimitEntityRequestEmptyPercentages' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: '#/components/examples/PrincipalRateLimitEntityResponseSSWSToken' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.principalRateLimits.manage + tags: + - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/push-providers: + get: + summary: List all Push Providers + description: Lists all 
push providers + operationId: listPushProviders + parameters: + - name: type + in: query + description: Filters push providers by `providerType` + schema: + $ref: '#/components/schemas/ProviderType' + responses: + '200': + description: OK + content: + application/json: + example: + value: + - id: ppchvbeucdTgqeiGxR0g4 + providerType: APNS + name: Example Push Provider 1 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + keyId: ABC123DEFG + teamId: DEF123GHIJ + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + - id: ppctekcmngGaqeiBxB0g4 + providerType: FCM + name: Example Push Provider 2 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.json + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + schema: + type: array + items: + $ref: '#/components/schemas/PushProvider' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.read + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a Push Provider + description: Creates a new push provider. Each Push Provider must have a unique `name`. 
+ operationId: createPushProvider + x-codegen-request-body-name: pushProvider + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsRequest' + FCM: + $ref: '#/components/examples/PushProviderFCMRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsResponse' + FCM: + $ref: '#/components/examples/PushProviderFCMResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.manage + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/push-providers/{pushProviderId}: + parameters: + - $ref: '#/components/parameters/pathPushProviderId' + get: + summary: Retrieve a Push Provider + description: Retrieves a push provider by `pushProviderId` + operationId: getPushProvider + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsResponse' + FCM: + $ref: '#/components/examples/PushProviderFCMResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.read + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a Push Provider + description: Replaces a push provider by 
`pushProviderId` + operationId: replacePushProvider + x-codegen-request-body-name: pushProvider + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsRequest' + FCM: + $ref: '#/components/examples/PushProviderFCMRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsResponse' + FCM: + $ref: '#/components/examples/PushProviderFCMResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.manage + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a Push Provider + description: Deletes a push provider by `pushProviderId`. If the push provider is currently being used in the org by a custom authenticator, the delete will not be allowed. 
+ operationId: deletePushProvider + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Cannot remove push provider in use by a custom app authenticator: + $ref: '#/components/examples/ErrorPushProviderUsedByCustomAppAuthenticator' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.manage + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/rate-limit-settings/admin-notifications: + get: + summary: Retrieve the Rate Limit Admin Notification Settings + description: Retrieves the currently configured Rate Limit Admin Notification Settings + operationId: getRateLimitSettingsAdminNotifications + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitAdminNotifications' + examples: + Enabled: + $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' + Disabled: + $ref: '#/components/examples/RateLimitAdminNotificationsDisabled' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.read + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Rate Limit Admin Notification Settings + description: Replaces the Rate Limit Admin Notification Settings and returns the configured properties + operationId: replaceRateLimitSettingsAdminNotifications + x-codegen-request-body-name: RateLimitAdminNotifications + requestBody: + content: + application/json: + schema: + $ref: 
'#/components/schemas/RateLimitAdminNotifications' + examples: + Enabled: + $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' + Disabled: + $ref: '#/components/examples/RateLimitAdminNotificationsDisabled' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitAdminNotifications' + examples: + Enabled: + $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' + Disabled: + $ref: '#/components/examples/RateLimitAdminNotificationsDisabled' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.manage + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/rate-limit-settings/per-client: + get: + summary: Retrieve the Per-Client Rate Limit Settings + description: Retrieves the currently configured Per-Client Rate Limit Settings + operationId: getRateLimitSettingsPerClient + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PerClientRateLimitSettings' + examples: + EnforceDefault: + $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefault' + EnforceDefaultWithOverrides: + $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides' + PreviewDefaultWithOverrides: + $ref: '#/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.read + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Per-Client Rate Limit Settings + description: Replaces the 
Per-Client Rate Limit Settings and returns the configured properties + operationId: replaceRateLimitSettingsPerClient + x-codegen-request-body-name: perClientRateLimitSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PerClientRateLimitSettings' + examples: + EnforceDefault: + $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefault' + EnforceDefaultWithOverrides: + $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides' + PreviewDefaultWithOverrides: + $ref: '#/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/PerClientRateLimitSettings' + examples: + EnforceDefault: + $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefault' + EnforceDefaultWithOverrides: + $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides' + PreviewDefaultWithOverrides: + $ref: '#/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.manage + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/rate-limit-settings/warning-threshold: + get: + summary: Retrieve the Rate Limit Warning Threshold Percentage + description: Retrieves the currently configured threshold for warning notifications when the API's rate limit is exceeded + operationId: getRateLimitSettingsWarningThreshold + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdResponse' + examples: + ExampleThreshold: + $ref: 
'#/components/examples/RateLimitWarningThresholdValidExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.read + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Rate Limit Warning Threshold Percentage + description: Replaces the Rate Limit Warning Threshold Percentage and returns the configured property + operationId: replaceRateLimitSettingsWarningThreshold + x-codegen-request-body-name: RateLimitWarningThreshold + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdRequest' + examples: + ExampleThreshold: + $ref: '#/components/examples/RateLimitWarningThresholdValidExample' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdResponse' + examples: + ExampleThreshold: + $ref: '#/components/examples/RateLimitWarningThresholdValidExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.manage + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/realm-assignments: + get: + summary: List all Realm Assignments + description: Lists all Realm Assignments + operationId: listRealmAssignments + parameters: + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/RealmAssignment' + examples: + AssignmentLists: + $ref: '#/components/examples/ListRealmAssignmentsResponse' + '403': + 
description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.read + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Create a Realm Assignment + description: Creates a new Realm Assignment + operationId: createRealmAssignment + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateRealmAssignmentRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/RealmAssignment' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realm-assignments/operations: + get: + summary: List all Realm Assignment operations + description: Lists all Realm Assignment operations. 
The upper limit is 200 and operations are sorted in descending order from most recent to oldest by id + operationId: listRealmAssignmentOperations + parameters: + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OperationResponse' + examples: + Executions: + value: + - id: rre4mje4ez6B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + realmId: 00g1b7rvh0xPLKXFf0g5 + realmName: Realm Name + assignmentOperation: + configuration: + id: 0pr1b7rxZj2ibQzfP0g5 + name: Realm Assignment 1 + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + numUserMoved: 50 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 + method: GET + - id: rre4mje4ez7B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + assignmentOperation: + configuration: + id: ALL + name: All Assignments + numUserMoved: 50 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7 + method: GET + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.read + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Execute a Realm Assignment + description: Executes a Realm Assignment + operationId: executeRealmAssignment + x-codegen-request-body-name: body + 
requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OperationRequest' + examples: + ExecuteSpecificAssignment: + value: + assignmentId: 0pr1b7rxZj2ibQzfP0g5 + ExecuteAllAssignments: + value: + assignmentId: ALL + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OperationResponse' + examples: + Execution: + $ref: '#/components/examples/OperationResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realm-assignments/{assignmentId}: + parameters: + - $ref: '#/components/parameters/assignmentId' + get: + summary: Retrieve a Realm Assignment + description: Retrieves a Realm Assignment + operationId: getRealmAssignment + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RealmAssignment' + examples: + RealmAssignment: + $ref: '#/components/examples/GetRealmAssignmentResponse' + CatchAllRealmAssignment: + $ref: '#/components/examples/DefaultRealmAssignment' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.read + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + put: + summary: Replace a Realm Assignment + description: Replaces a Realm Assignment + operationId: replaceRealmAssignment + x-codegen-request-body-name: body + 
requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateRealmAssignmentRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RealmAssignment' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + delete: + summary: Delete a Realm Assignment + description: Deletes a Realm Assignment + operationId: deleteRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realm-assignments/{assignmentId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/assignmentId' + post: + summary: Activate a Realm Assignment + description: Activates a Realm Assignment + operationId: activateRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + 
'429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realm-assignments/{assignmentId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/assignmentId' + post: + summary: Deactivate a Realm Assignment + description: Deactivates a Realm Assignment + operationId: deactivateRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realms: + get: + summary: List all Realms + description: Lists all Realms + operationId: listRealms + parameters: + - name: limit + in: query + description: Specifies the number of results returned. Defaults to 10 if `search` is provided. + schema: + type: integer + format: int32 + default: 200 + - $ref: '#/components/parameters/queryAfter' + - name: search + in: query + description: Searches for Realms with a supported filtering expression for most properties + schema: + type: string + - name: sortBy + in: query + description: Specifies field to sort by and can be any single property (for search queries only). + schema: + type: string + example: profile.name + - name: sortOrder + in: query + description: Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` isn't present. 
+ schema: + type: string + default: asc + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Realm' + examples: + Realm Lists: + $ref: '#/components/examples/ListRealmsResponse' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.read + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Create a Realm + description: Creates a new Realm + operationId: createRealm + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateRealmRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.manage + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realms/{realmId}: + parameters: + - $ref: '#/components/parameters/pathRealmId' + get: + summary: Retrieve a Realm + description: Retrieves a Realm + operationId: getRealm + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + examples: + DefaultRealm: + $ref: '#/components/examples/DefaultRealmResponse' + NonDefaultRealm: + $ref: '#/components/examples/RealmResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.read + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + put: + summary: Replace the realm profile + description: Replaces the realm profile + operationId: replaceRealm + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateRealmRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.manage + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + delete: + summary: Delete a Realm + description: Deletes a Realm permanently. This operation can only be performed after disassociating other entities like Users and Identity Providers from a Realm. 
+ operationId: deleteRealm + responses: + '204': + description: No Content + content: {} + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.manage + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/resource-selectors/{resourceSelectorId}: + parameters: + - $ref: '#/components/parameters/pathResourceSelectorId' + /api/v1/risk/events/ip: + post: + summary: Send multiple Risk Events + description: |- + Sends multiple IP risk events to Okta. + This request is used by a third-party risk provider to send IP risk events to Okta. The third-party risk provider needs to be registered with Okta before they can send events to Okta. See [Risk Providers](/openapi/okta-management/management/tag/RiskProvider/). + This API has a rate limit of 30 requests per minute. You can include multiple risk events (up to a maximum of 20 events) in a single payload to reduce the number of API calls. Prioritize sending high risk signals if you have a burst of signals to send that would exceed the maximum request limits. 
+ operationId: sendRiskEvents + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/RiskEvent' + examples: + RiskEventsRequestExample: + $ref: '#/components/examples/RiskEventsRequestExample' + required: true + responses: + '202': + description: Accepted + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskEvents.manage + tags: + - RiskEvent + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/risk/providers: + get: + summary: List all Risk Providers + description: Lists all Risk Provider objects + operationId: listRiskProviders + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderList: + $ref: '#/components/examples/ListRiskProviderResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.read + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Create a Risk Provider + description: Creates a Risk Provider object. A maximum of three Risk Provider objects can be created. 
+ operationId: createRiskProvider + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderRequestExample: + $ref: '#/components/examples/RiskProviderRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderPostResponseExample: + $ref: '#/components/examples/RiskProviderResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.manage + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/risk/providers/{riskProviderId}: + parameters: + - $ref: '#/components/parameters/pathRiskProviderId' + get: + summary: Retrieve a Risk Provider + description: Retrieves a Risk Provider object by ID + operationId: getRiskProvider + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderGetResponseExample: + $ref: '#/components/examples/RiskProviderResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.read + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + put: + summary: Replace a Risk Provider + description: Replaces the properties for a given Risk Provider object ID + operationId: replaceRiskProvider + 
x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderPutRequestExample: + $ref: '#/components/examples/RiskProviderPutRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderPutResponseExample: + $ref: '#/components/examples/RiskProviderPutResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.manage + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + delete: + summary: Delete a Risk Provider + description: Deletes a Risk Provider object by its ID + operationId: deleteRiskProvider + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.manage + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/roles/{roleRef}/subscriptions: + parameters: + - $ref: '#/components/parameters/pathRoleRef' + get: + summary: List all Subscriptions for a Role + description: Lists all subscriptions available to a specified Role + operationId: listSubscriptionsRole + responses: + '200': + description: Success + content: + application/json: + schema: + items: + $ref: 
'#/components/schemas/Subscription' + type: array + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/roles/{roleRef}/subscriptions/{notificationType}: + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' + get: + summary: Retrieve a Subscription for a Role + description: Retrieves a subscription by `notificationType` for a specified Role + operationId: getSubscriptionsNotificationTypeRole + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Subscription' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/roles/{roleRef}/subscriptions/{notificationType}/subscribe: + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' + post: + summary: Subscribe a Role to a Specific Notification Type + description: Subscribes a Role to a specified notification type. Changes to Role subscriptions override the subscription status of any individual users with the Role. 
+ operationId: subscribeByNotificationTypeRole + responses: + '200': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/roles/{roleRef}/subscriptions/{notificationType}/unsubscribe: + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' + post: + summary: Unsubscribe a Role from a Specific Notification Type + description: Unsubscribes a Role from a specified notification type. Changes to Role subscriptions override the subscription status of any individual users with the Role. + operationId: unsubscribeByNotificationTypeRole + responses: + '200': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/security-events-providers: + get: + summary: List all Security Events Providers + description: Lists all Security Events Provider instances + operationId: listSecurityEventsProviderInstances + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + list: + $ref: '#/components/examples/ListOfSecurityEventsProviderInstances' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.read + tags: + - 
SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a Security Events Provider + description: Creates a Security Events Provider instance + operationId: createSecurityEventsProviderInstance + x-codegen-request-body-name: instance + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderRequest' + examples: + well-known-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderRequestWellKnownUrl' + issuer-and-JWKS-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + well-known-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' + issuer-and-JWKS-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/security-events-providers/{securityEventProviderId}: + parameters: + - $ref: '#/components/parameters/pathSecurityEventProviderId' + get: + summary: Retrieve the Security Events Provider + description: Retrieves the Security Events Provider instance specified by `id` + operationId: getSecurityEventsProviderInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + 
examples: + get: + $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.read + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a Security Events Provider + description: Replaces a Security Events Provider instance specified by `id` + operationId: replaceSecurityEventsProviderInstance + x-codegen-request-body-name: instance + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderRequest' + examples: + well-known-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderRequestWellKnownUrl' + issuer-and-JWKS-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + well-known-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' + issuer-and-JWKS-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + 
isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a Security Events Provider + description: Deletes a Security Events Provider instance specified by `id` + operationId: deleteSecurityEventsProviderInstance + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathSecurityEventProviderId' + post: + summary: Activate a Security Events Provider + description: |- + Activates a Security Events Provider instance by setting its status to `ACTIVE`. + This operation resumes the flow of events from the Security Events Provider to Okta. 
+ operationId: activateSecurityEventsProviderInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + activatedInstance: + $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathSecurityEventProviderId' + post: + summary: Deactivate a Security Events Provider + description: |- + Deactivates a Security Events Provider instance by setting its status to `INACTIVE`. + This operation stops the flow of events from the Security Events Provider to Okta. 
+ operationId: deactivateSecurityEventsProviderInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + deactivatedInstance: + $ref: '#/components/examples/DeactivatedSecurityEventsProviderResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/sessions: + post: + summary: Create a Session with session token + description: Creates a new Session for a user with a valid session token. Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it, or want to hold the session ID to delete a session through the API instead of visiting the logout URL. 
+ operationId: createSession + x-codegen-request-body-name: createSessionRequest + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateSessionRequest' + examples: + SessionsCreate: + $ref: '#/components/examples/CreateSessionBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + SessionsCreate: + summary: Create a new Session with a valid session token + $ref: '#/components/examples/CreateSessionResponse' + '400': + description: Bad Request + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/me: + get: + summary: Retrieve the current Session + description: |- + Retrieves Session information for the current user. Use this method in a browser-based application to determine if the user is signed in. + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. + operationId: getCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + CurrentSessionsRetrieve: + summary: Retrieve current Session information + $ref: '#/components/examples/RetrieveCurrentSessionResponse' + '404': + description: Not Found + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Close the current Session + description: |- + Closes the Session for the user who is currently signed in. 
Use this method in a browser-based application to sign out a user. + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. + operationId: closeCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '204': + description: No Content + content: {} + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/me/lifecycle/refresh: + post: + summary: Refresh the current Session + description: |- + Refreshes the Session for the current user + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. + operationId: refreshCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + CurrentSessionsRefresh: + summary: Refersh current Session + $ref: '#/components/examples/RefreshCurrentSessionResponse' + '404': + description: Not Found + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/{sessionId}: + parameters: + - $ref: '#/components/parameters/pathSessionId' + get: + summary: Retrieve a Session + description: Retrieves information about the Session specified by the given session ID + operationId: getSession + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + SessionsRetrieve: + summary: Retrieve Session information for 
a single session ID + $ref: '#/components/examples/RetrieveSessionResponse' + '400': + description: Bad Request + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.sessions.read + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke a Session + description: Revokes the specified Session + operationId: revokeSession + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.sessions.manage + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/{sessionId}/lifecycle/refresh: + parameters: + - $ref: '#/components/parameters/pathSessionId' + post: + summary: Refresh a Session + description: Refreshes an existing Session using the `id` for that Session. A successful response contains the refreshed Session with an updated `expiresAt` timestamp. 
+ operationId: refreshSession + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + SessionsRefresh: + summary: Refresh an existing Session using the session ID + $ref: '#/components/examples/RefreshSessionResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.sessions.manage + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/ssf/stream: + get: + summary: Retrieve the SSF Stream configuration(s) + description: |- + Retrieves either a list of all known SSF Stream configurations or the individual configuration if specified by ID. + + As Stream configurations are tied to a Client ID, only the Stream associated with the Client ID of the request OAuth 2.0 access token can be viewed. + operationId: getSsfStreams + parameters: + - in: query + name: stream_id + schema: + type: string + example: esc1k235GIIztAuGK0g5 + description: The ID of the specified SSF Stream configuration + responses: + '200': + description: OK + content: + application/json: + schema: + oneOf: + - type: array + title: List of Stream Configurations + items: + $ref: '#/components/schemas/StreamConfiguration' + - $ref: '#/components/schemas/StreamConfiguration' + examples: + listResponse: + $ref: '#/components/examples/listStreamConfigurationExample' + individualStreamResponse: + $ref: '#/components/examples/streamConfigurationExample' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.read + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: 
false + SKUs: + - Okta Identity Engine + post: + summary: Create an SSF Stream + description: |- + Creates an SSF Stream for an event receiver to start receiving security events in the form of Security Event Tokens (SETs) from Okta. + + An SSF Stream is associated with the Client ID of the OAuth 2.0 access token used to create the stream. The Client ID is provided by Okta for an [OAuth 2.0 app integration](https://help.okta.com/okta_help.htm?id=ext_Apps_App_Integration_Wizard-oidc). One SSF Stream is allowed for each Client ID, hence, one SSF Stream is allowed for each app integration in Okta. + + A maximum of 10 SSF Stream configurations can be created for one org. + operationId: createSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfigurationCreateRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace an SSF Stream + description: |- + Replaces all properties for an existing SSF Stream configuration. + + If the `stream_id` isn't provided in the request body, the associated stream with the Client ID (through the request OAuth 2.0 access token) is replaced. 
+ operationId: replaceSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + patch: + summary: Update an SSF Stream + description: |- + Updates properties for an existing SSF Stream configuration. + + If the `stream_id` isn't provided in the request body, the associated stream with the Client ID (through the request OAuth 2.0 access token) is updated. 
+ operationId: updateSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete an SSF Stream + description: |- + Deletes the specified SSF Stream. + + If the `stream_id` is not provided in the query string, the associated stream with the Client ID (through the request OAuth 2.0 access token) is deleted. Otherwise, the SSF Stream with the `stream_id` is deleted, if found. 
+ operationId: deleteSsfStream + parameters: + - in: query + name: stream_id + schema: + type: string + example: esc1k235GIIztAuGK0g5 + description: The ID of the specified SSF Stream configuration + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/templates/sms: + get: + summary: List all SMS Templates + description: Lists all custom SMS templates. A subset of templates can be returned that match a template type. + operationId: listSmsTemplates + parameters: + - name: templateType + in: query + schema: + $ref: '#/components/schemas/SmsTemplateType' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SmsTemplate' + examples: + SMS Template List response: + $ref: '#/components/examples/SMSTemplateListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.read + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an SMS Template + description: Creates a new custom SMS template + operationId: createSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Create an SMS Template request: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest' + required: true + 
responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Create an SMS Template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/templates/sms/{templateId}: + parameters: + - $ref: '#/components/parameters/pathTemplateId' + get: + summary: Retrieve an SMS Template + description: Retrieves a specific template by `id` + operationId: getSmsTemplate + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Get an SMS template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.read + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an SMS Template + description: | + Updates only some of the SMS Template properties: + * All properties within the custom SMS Template that have values are updated. + * Any translation that doesn't exist is added. + * Any translation with a null or empty value is removed. + * Any translation with non-empty/null value is updated. 
+ operationId: updateSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Update an SMS Template request: + $ref: '#/components/examples/UpdateSMSTemplateRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Update an SMS Template response: + $ref: '#/components/examples/UpdateSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an SMS Template + description: | + Replaces the SMS Template + > **Notes:** You can't update the default SMS Template. 
+ operationId: replaceSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Replace an SMS Template request: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Replace an SMS Template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an SMS Template + description: Deletes an SMS template + operationId: deleteSmsTemplate + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/threats/configuration: + get: + summary: Retrieve the ThreatInsight Configuration + description: Retrieves the ThreatInsight configuration for the org + operationId: getCurrentConfiguration + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightResponseEx: + $ref: '#/components/examples/ThreatInsightResponseExample' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.threatInsights.read + tags: + - ThreatInsight + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the ThreatInsight Configuration + description: Updates the ThreatInsight configuration for the org + operationId: updateConfiguration + x-codegen-request-body-name: threatInsightConfiguration + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightUpdateEx: + $ref: '#/components/examples/ThreatInsightUpdateRequestExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightUpdateEx: + $ref: '#/components/examples/ThreatInsightUpdateResponseExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.threatInsights.manage + tags: + - ThreatInsight + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/trustedOrigins: + get: + summary: List all Trusted Origins + description: Lists all trusted origins + operationId: listTrustedOrigins + parameters: + - name: q + description: A search string that will prefix match against the `name` and `origin` + in: query + schema: + type: string + - name: filter + description: | + [Filter](/#filter) Trusted Origins with a supported expression for a subset of properties. You can filter on the following properties: `name`, `origin`, `status`, and `type` (type of scopes). 
+ in: query + schema: + type: string + examples: + By name: + value: name eq "Example Trusted Origin" + - name: after + description: The after cursor provided by a prior request. + in: query + schema: + type: string + - name: limit + description: Specifies the number of results. + in: query + schema: + type: integer + format: int32 + default: 20 + maximum: 200 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginsResponse: + $ref: '#/components/examples/TrustedOriginsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.read + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Trusted Origin + description: Creates a trusted origin + operationId: createTrustedOrigin + x-codegen-request-body-name: trustedOrigin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOriginWrite' + examples: + TrustedOriginBody: + $ref: '#/components/examples/TrustedOriginBody' + TrustedOriginBodyWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginBodyWithIframeEmbedding' + TrustedOriginBodyWithIframeEmbeddingSignIn: + $ref: '#/components/examples/TrustedOriginBodyWithIframeEmbeddingSignIn' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' + TrustedOriginResponseWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbedding' + TrustedOriginResponseWithIframeEmbeddingSignIn: + $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn' + '400': + $ref: 
'#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/trustedOrigins/{trustedOriginId}: + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' + get: + summary: Retrieve a Trusted Origin + description: Retrieves a trusted origin + operationId: getTrustedOrigin + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' + TrustedOriginResponseWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbedding' + TrustedOriginResponseWithIframeEmbeddingSignIn: + $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.read + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Trusted Origin + description: Replaces a trusted origin + operationId: replaceTrustedOrigin + x-codegen-request-body-name: trustedOrigin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginPutBody: + $ref: '#/components/examples/TrustedOriginPutBody' + TrustedOriginPutBodyWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginPutBodyWithIframeEmbedding' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/TrustedOrigin' + examples: + TrustedOriginPutResponse: + $ref: '#/components/examples/TrustedOriginPutResponse' + TrustedOriginPutResponseWithIFrameEmbedding: + $ref: '#/components/examples/TrustedOriginPutResponseWithIframeEmbedding' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Trusted Origin + description: Deletes a trusted origin + operationId: deleteTrustedOrigin + responses: + '204': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' + post: + summary: Activate a Trusted Origin + description: Activates a Trusted Origin. Sets the `status` to `ACTIVE`. 
+ operationId: activateTrustedOrigin + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' + post: + summary: Deactivate a Trusted Origin + description: Deactivates a Trusted Origin. Sets the `status` to `INACTIVE`. + operationId: deactivateTrustedOrigin + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginInactiveResponse: + $ref: '#/components/examples/TrustedOriginInactiveResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users: + get: + summary: List all users + description: |- + Lists users in your org, with pagination in most cases. + + A subset of users can be returned that match a supported filter expression or search criteria. + operationId: listUsers + parameters: + - $ref: '#/components/parameters/OktaResponse' + - name: q + in: query + description: |- + Finds users who match the specified query. This doesn't support pagination. 
+ + This might not deliver optimal performance for large orgs, and is deprecated for such use cases. To ensure optimal performance, use a [`search` parameter](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!in=query&path=search&t=request) instead. + + Use the `q` parameter for a simple lookup of users by name, for example when creating a people picker. The value of `q` is matched against `firstName`, `lastName`, or `email`. This performs a `startsWith` match, but this is an implementation detail and can change without notice. You don't need to specify `firstName`, `lastName`, or `email`. + schema: + type: string + - $ref: '#/components/parameters/queryAfter' + - name: limit + in: query + description: Specifies the number of results returned. Defaults to 10 if `q` is provided. + schema: + type: integer + format: int32 + default: 200 + - name: filter + in: query + description: |- + Filters users with a supported expression for a subset of properties. + + This requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Filtering is case-sensitive for attribute names and query values, while attribute operators are case-insensitive. + + Filtering supports the following limited number of properties: `status`, `lastUpdated`, `id`, `profile.login`, `profile.email`, `profile.firstName`, and `profile.lastName`. + + Additionally, filtering supports only the equal `eq` operator from the standard Okta API filtering semantics, except in the case of the `lastUpdated` property. This property can also use the inequality operators (`gt`, `ge`, `lt`, and `le`). For logical operators, only the logical operators `and` and `or` are supported. The `not` operator isn't supported. 
See [Filtering](https://developer.okta.com/docs/api/#filter) and [Operators](https://developer.okta.com/docs/api/#operators). + schema: + type: string + examples: + filterByStatus: + value: status eq "LOCKED_OUT" + summary: Filter users with status of `LOCKED_OUT` + filterByLogin: + value: profile.login eq "login@example.com" + summary: Filter users with a specified `login` + filterByDateRange: + value: filter=lastUpdated gt "2013-06-01T00:00:00.000Z" and lastUpdated lt "2014-01-01T00:00:00.000Z" + summary: Filter users updated after 06/01/2013 but before 01/01/2014 + filterByTypeAndProfileLastUpdatedAfterDate: + value: lastUpdated gt "2013-06-01T00:00:00.000Z" and (status eq "LOCKED_OUT" or status eq "RECOVERY") + summary: Filter users updated after 06/01/2013 but with a status of `LOCKED_OUT` or `RECOVERY` + - name: search + in: query + description: |- + Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Use an ID lookup for records that you update to ensure your results contain the latest data. + + Property names in the search parameter are case sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac.brock` finds `Isaac.Brock`, but doesn't find a property whose value is `isáàc.bröck`. This operation requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `search=profile.department eq "Engineering"` is encoded as `search=profile.department%20eq%20%22Engineering%22`. + + > **Note:** If you use the special character `"` within a quoted string, it must also be escaped `\` and encoded. 
For example, `search=profile.lastName eq "bob"smith"` is encoded as `search=profile.lastName%20eq%20%22bob%5C%22smith%22`. + + This operation searches many properties: + * Any user profile property, including custom-defined properties + * The top-level properties `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated` + * The [user type](https://developer.okta.com/docs/reference/api/user-types/) accessed as `type.id` + + You can also use `sortBy` and `sortOrder` parameters. The `ne` (not equal) operator isn't supported, but you can obtain the same result by using `lt ... or ... gt`. For example, to see all users except those that have a status of `STAGED`, use `(status lt "STAGED" or status gt "STAGED")`. + + You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the [SCIM Protocol Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter). 
+ schema: + type: string + examples: + searchByStatus: + value: status eq "STAGED" + summary: Search for users that have a status of `STAGED` + searchByLastUpdatedAfterDate: + value: lastUpdated gt "2014-01-01T00:00:00.000Z" + summary: Search for users that have last updated after a specific timestamp + searchById: + value: id eq "00u1ero7vZFVEIYLWPBN" + summary: Search for groups with the specified ID (`00gak46y5hydV6NdM0g4`) + searchByProfileDepartmentCreatedAndStatus: + value: profile.department eq "Engineering" and (created lt "2014-01-01T00:00:00.000Z" or status eq "ACTIVE") + summary: Search for users in the department of `Engineering` who were created before `01/01/2014` or have a status of `ACTIVE` + searchArrayAttributes: + value: profile.arrayAttr eq "arrayAttrVal1" + summary: Searches for properties that are arrays. Custom user attribute `arrayAttr` that contains values ["arrayAttrVal1", "arrayAttrVal2"...] + - name: sortBy + in: query + description: Specifies field to sort by (for search queries only). This can be any single property, for example `sortBy=profile.lastName`. Users with the same value for the `sortBy` property will be ordered by `id`. + schema: + type: string + - name: sortOrder + in: query + description: Specifies sort order asc or desc (for search queries only). Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. `sortOrder` is ignored if `sortBy` is not present. 
+ schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/User' + examples: + UserList: + $ref: '#/components/examples/ListRealmAwareUsersResponse' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a user + description: |- + Creates a new user in your Okta org with or without credentials.
+ > **Legal Disclaimer** + > + > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, + > you agreed not to use Okta's service/product to spam and/or send unsolicited messages. + > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all + > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. + + All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships). + * The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation. + * The user's `status` is `ACTIVE` when the activation process is complete. + + The user is emailed a one-time activation token if activated without a password. + + > **Note:** If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user. + + > **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password. + + For more information about the various scenarios of creating a user listed in the examples, see the [User creation scenarios](/openapi/okta-management/management/tag/User/#user-creation-scenarios) section. 
+ operationId: createUser + parameters: + - name: activate + in: query + description: Executes an [activation lifecycle](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user + schema: + type: boolean + default: true + - name: provider + in: query + description: Indicates whether to create a user with a specified authentication provider + schema: + type: boolean + default: false + - name: nextLogin + in: query + description: With `activate=true`, if `nextLogin=changePassword`, a user is created, activated, and the password is set to `EXPIRED`. The user must change it the next time they sign in. + schema: + $ref: '#/components/schemas/UserNextLogin' + x-okta-added-version: 0.14.0 + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUserRequest' + examples: + Create user without credentials: + $ref: '#/components/examples/create-user-without-credentials-request' + Create user with recovery question: + $ref: '#/components/examples/create-user-with-recovery-question-request' + Create user with password: + $ref: '#/components/examples/create-user-with-password-request' + Create user with imported hashed password: + $ref: '#/components/examples/create-user-with-imported-hashed-password-request' + Create user with password import inline hook: + $ref: '#/components/examples/create-user-with-password-import-inline-hook-request' + Create user with password and recovery question: + $ref: '#/components/examples/create-user-with-password-and-recovery-question-request' + Create user with authentication provider: + $ref: '#/components/examples/create-user-with-authentication-provider-request' + Create user in group: + $ref: '#/components/examples/create-user-in-group-request' + Create user with non-default user type: + $ref: '#/components/examples/create-user-with-non-default-user-type-request' + required: true + responses: + 
'200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Create user without credentials: + $ref: '#/components/examples/create-user-without-credentials-response' + Create user with recovery question: + $ref: '#/components/examples/create-user-with-recovery-question-response' + Create user with password: + $ref: '#/components/examples/create-user-with-password-response' + Create user with imported hashed password: + $ref: '#/components/examples/create-user-with-imported-hashed-password-response' + Create user with password import inline hook: + $ref: '#/components/examples/create-user-with-password-import-inline-hook-response' + Create user with password and recovery question: + $ref: '#/components/examples/create-user-with-password-and-recovery-question-response' + Create user with authentication provider: + $ref: '#/components/examples/create-user-with-authentication-provider-response' + Create user in group: + $ref: '#/components/examples/create-user-in-group-response' + Create user with non-default user type: + $ref: '#/components/examples/create-user-with-non-default-user-type-response' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Create user with too many groups specified: + $ref: '#/components/examples/ErrorCreateUserWithTooManyManyGroupsResponse' + Create user with expired password and activate set to `false`: + $ref: '#/components/examples/ErrorCreateUserWithExpiredPasswordWithoutActivation' + Create user with expired password and `null` password: + $ref: '#/components/examples/ErrorCreateUserWithExpiredPasswordWithNullPassword' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - User + x-okta-lifecycle: + 
isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/me/lifecycle/delete_sessions: + post: + summary: End a current User session + description: |- + Ends Okta sessions for the currently signed in User. By default, the current session remains active. Use this method in a browser-based app. + > **Note:** This operation requires a session cookie for the User. The API token isn't allowed for this operation. + operationId: endUserSessions + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeepCurrent' + responses: + '200': + description: OK + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: [] + tags: + - UserSessions + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{id}: + parameters: + - $ref: '#/components/parameters/pathId' + get: + summary: Retrieve a user + description: |- + Retrieves a user from your Okta org. + + You can substitute `me` for the `id` to fetch the current user linked to an API token or session cookie. + * The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token is returned. + * When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header. + + When fetching a user by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. 
If you don't know a user's ID, you can use the [List all users](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) endpoint to find it. + + > **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). + operationId: getUser + parameters: + - $ref: '#/components/parameters/OktaResponse' + - $ref: '#/components/parameters/queryUserExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserGetSingleton' + examples: + GetUserExample: + $ref: '#/components/examples/user-example' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update a user + description: |- + Updates a user's profile or credentials with partial update semantics. + + > **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`. + + `profile` and `credentials` can be updated independently or together with a single request. + > **Note**: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object, + the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type. 
+ + > **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked. + > + > A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification. + + If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the `Reset Password`, `Forgot Password`, and `Change Password` endpoints. + operationId: updateUser + parameters: + - name: strict + in: query + schema: + type: boolean + description: If true, validates against minimum age and history password policy + x-codegen-request-body-name: user + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateUserRequest' + examples: + Update user Profile: + $ref: '#/components/examples/update-user-profile-request' + Update user password: + $ref: '#/components/examples/update-user-set-password-request' + Set recovery question and answer: + $ref: '#/components/examples/update-user-set-recovery-question-and-answer' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Update user Response: + $ref: '#/components/examples/user-example' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - User + 
x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a user + description: |- + Replaces a user's profile, credentials, or both using strict-update semantics. + + All profile properties must be specified when updating a user's profile with a `PUT` method. Any property not specified in the request is deleted. + > **Important:** Don't use a `PUT` method for partial updates. + operationId: replaceUser + parameters: + - name: strict + in: query + description: If `true`, validates against minimum age and history password policy + schema: + type: boolean + x-okta-added-version: 1.10.0 + x-codegen-request-body-name: user + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateUserRequest' + examples: + Replace user Request: + $ref: '#/components/examples/replace-user-request' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Replace user Response: + $ref: '#/components/examples/user-example' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a user + description: |- + Deletes a user permanently. This operation can only be performed on users that have a `DEPROVISIONED` status. **This action can't be recovered!** + + This operation on a user that hasn't been deactivated causes that user to be deactivated. 
A second delete operation is required to delete the user. + + > **Note:** You can also perform user deletion asynchronously. To invoke asynchronous user deletion, pass an HTTP header `Prefer: respond-async` with the request. + + This header is also supported by user deactivation, which is performed if the delete endpoint is invoked on a user that hasn't been deactivated. + operationId: deleteUser + parameters: + - name: sendEmail + in: query + description: Sends a deactivation email to the admin if `true` + schema: + type: boolean + default: false + x-okta-added-version: 1.5.0 + - name: Prefer + in: header + required: false + schema: + type: string + enum: + - respond-async + responses: + '204': + description: No Content + content: {} + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{id}/lifecycle/reactivate: + parameters: + - $ref: '#/components/parameters/pathId' + post: + summary: Reactivate a User + description: |- + Reactivates a user. + + This operation can only be performed on Users with a `PROVISIONED` or `RECOVERY` [status](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response). + This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser). 
+ + Users that don't have a password must complete the flow by completing [Reset Password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) and MFA enrollment steps to transition the user to `ACTIVE` status. + + If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. + operationId: reactivateUser + parameters: + - name: sendEmail + in: query + description: Sends an activation email to the user if `true` + schema: + type: boolean + default: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserActivationToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userIdOrLogin}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: + parameters: + - $ref: '#/components/parameters/pathUserIdOrLogin' + - $ref: '#/components/parameters/pathPrimaryRelationshipName' + - $ref: '#/components/parameters/pathPrimaryUserId' + put: + summary: Assign a Linked Object value for primary + description: |- + Assigns the first User as the `associated` and the second User as the `primary` for the specified relationship. + + If the first User is already associated with a different `primary` for this relationship, the previous link is removed. A Linked Object relationship can specify only one primary User for an associated User. 
+ operationId: assignLinkedObjectValueForPrimary + responses: + '204': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - okta.users.manage + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}: + parameters: + - $ref: '#/components/parameters/pathUserIdOrLogin' + - $ref: '#/components/parameters/pathRelationshipName' + get: + summary: List the primary or all of the associated Linked Object values + description: |- + Lists either the `self` link for the primary User or all associated Users in the relationship specified by `relationshipName`. If the specified User isn't associated in any relationship, an empty array is returned. + + Use `me` instead of `id` to specify the current session User. + operationId: listLinkedObjectsForUser + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/ResponseLinks' + examples: + GetPrimaryLinkedObjectResponse: + $ref: '#/components/examples/GetPrimaryLinkedObjectResponse' + GetAssociatedLinkedObjectResponse: + $ref: '#/components/examples/GetAssociatedLinkedObjectsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Linked Object value + description: |- + Deletes any existing relationship between the `associated` and `primary` user. 
For the `associated` User, this is specified by the ID. The `primary` name specifies the relationship. + + The operation is successful if the relationship is deleted or if the specified User isn't in the `associated` relationship for any instance of the specified `primary` and thus, no relationship is found. + operationId: deleteLinkedObjectForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/appLinks: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all Assigned App Links + description: Lists all App Links for all direct or indirect (via group membership) assigned apps + operationId: listAppLinks + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AppLink' + examples: + List App Links: + $ref: '#/components/examples/ListAppLinks' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/blocks: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all user blocks + description: Lists information about how the user is blocked from accessing their account + operationId: listUserBlocks + responses: + '200': + description: Success + content: + application/json: + schema: + type: 
array + items: + $ref: '#/components/schemas/UserBlock' + examples: + BlocksUnknownDevices: + $ref: '#/components/examples/ListUserBlocksUnknownDevicesResponse' + BlocksAnyDevices: + $ref: '#/components/examples/ListUserBlocksAnyDevicesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/clients: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all Clients + description: Lists all Client resources for which the specified User has grants or tokens + operationId: listUserClients + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2Client' + examples: + List User Clients: + $ref: '#/components/examples/ListUserClients' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/clients/{clientId}/grants: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' + get: + summary: List all Grants for a Client + description: Lists all Grants for a specified User and client + operationId: listGrantsForUserAndClient + parameters: + - name: expand + in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' 
+ schema: + type: string + - name: after + in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + - name: limit + in: query + description: Specifies the number of tokens to return + schema: + type: integer + format: int32 + minimum: 1 + maximum: 200 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke all Grants for a Client + description: Revokes all Grants for the specified User and client + operationId: revokeGrantsForUserAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/clients/{clientId}/tokens: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' + get: + summary: List all Refresh Tokens for a Client + description: Lists all refresh Tokens issued for the specified User and client + operationId: listRefreshTokensForUserAndClient + parameters: + - name: expand + in: query + 
description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' + schema: + type: string + example: scope + - name: after + in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + - name: limit + in: query + description: Specifies the number of tokens to return + schema: + type: integer + format: int32 + minimum: 1 + maximum: 200 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2RefreshToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke all Refresh Tokens for a Client + description: Revokes all refresh Tokens issued for the specified User and client + operationId: revokeTokensForUserAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathTokenId' + get: + summary: Retrieve a 
Refresh Token for a Client + description: Retrieves a refresh Token issued for the specified User and client + operationId: getRefreshTokenForUserAndClient + parameters: + - name: expand + in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' + schema: + type: string + example: scope + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2RefreshToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke a Token for a Client + description: Revokes the specified refresh Token + operationId: revokeTokenForUserAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/credentials/change_password: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Update Password + description: |- + Updates a User's password by validating the User's current Password. + + This operation provides an option to delete all the sessions of the specified User. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared. 
+ + You can only perform this operation on Users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [Password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). + + The User transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status. + operationId: changePassword + parameters: + - name: strict + in: query + description: If true, validates against password minimum age policy + schema: + type: boolean + default: false + x-okta-added-version: 1.10.0 + x-codegen-request-body-name: changePasswordRequest + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ChangePasswordRequest' + examples: + Change Password Request: + $ref: '#/components/examples/ChangePwdRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Change Password Response: + $ref: '#/components/examples/ChangePwdResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/credentials/change_recovery_question: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Update Recovery Question + description: |- + Updates a User's Recovery Question and answer credential by validating the User's current Password. 
+ You can only perform this operation on Users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [Password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). + operationId: changeRecoveryQuestion + x-codegen-request-body-name: userCredentials + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Update Recovery Question Request: + $ref: '#/components/examples/UpdateRecQuestionRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Update Recovery Question Response: + $ref: '#/components/examples/UpdateRecQuestionResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/credentials/forgot_password: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Start forgot password flow + description: |- + Starts the forgot password flow. + + Generates a one-time token (OTT) that you can use to reset a User's Password. + + The User must validate their security question's answer when visiting the reset link. This operation can only be performed on Users with an ACTIVE status and + a valid [Recovery Question credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request). 
+ + > **Note:** If you have migrated to Identity Engine, you can allow Users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr) + + If an email address is associated with multiple Users, keep in mind the following to ensure a successful password recovery lookup: + * Okta no longer includes deactivated Users in the lookup. + * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. + + If `sendEmail` is `false`, returns a link for the User to reset their Password. This operation doesn't affect the status of the User. + operationId: forgotPassword + parameters: + - name: sendEmail + in: query + description: Sends a forgot password email to the User if `true` + required: false + schema: + type: boolean + default: true + responses: + '200': + description: Reset URL + content: + application/json: + schema: + $ref: '#/components/schemas/ForgotPasswordResponse' + examples: + Forgot Password Response: + $ref: '#/components/examples/ForgotPwdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/credentials/forgot_password_recovery_question: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Reset Password with Recovery Question + description: |- + Resets the User's password to the specified password if the provided answer to the recovery question is correct. + You must include the Recovery Question answer with the submission. 
+ operationId: forgotPasswordSetNewPassword + parameters: + - name: sendEmail + in: query + required: false + schema: + type: boolean + default: true + x-codegen-request-body-name: userCredentials + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Forgot Password Recovery Question Request: + $ref: '#/components/examples/ForgotPwdRecoveryQuestionRequest' + required: true + responses: + '200': + description: Credentials + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Forgot Password Recovery Question Response: + $ref: '#/components/examples/ForgotPwdRecoveryQuestionResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all enrolled Factors + description: Lists all enrolled Factors for the specified user + operationId: listFactors + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserFactor' + examples: + ListFactorsResponse: + $ref: '#/components/examples/ListFactorsResults' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Enroll a Factor + description: 
|- + Enrolls a supported Factor for the specified user + + > **Note:** All responses return the enrolled Factor with a status of either `PENDING_ACTIVATION`` or `ACTIVE`. + + #### Additional SMS/Call Factor information + * **Rate limits**: Okta may return a `429 Too Many Requests` status code if you attempt to resend an SMS or a voice call challenge (OTP) within the same time window. The current [rate limit](https://developer.okta.com/docs/reference/rate-limits/) is one SMS/CALL challenge per phone number every 30 seconds. + * **Existing phone numbers**: Okta may return a `400 Bad Request` status code if a user attempts to enroll with a different phone number when the user has an existing mobile phone or has an existing phone with voice call capability. A user can enroll only one mobile phone for `sms` and enroll only one voice call capable phone for `call` factor. + + #### Additional WebAuthn Factor information + **Enroll WebAuthn response parameters** + * For detailed information on the Webauthn standard, including an up-to-date list of supported browsers, see [webauthn.me](https://a0.to/webauthnme-okta-docs). + + * In the enroll API response, the `response._embedded.activation` object contains properties used to help the client to create a new WebAuthn credential for use with Okta. See the [WebAuthn spec for PublicKeyCredentialCreationOptions](https://www.w3.org/TR/webauthn/#dictionary-makecredentialoptions). + + #### Additional Custom TOTP Factor information + + **Enroll Custom TOTP Factor** + * The enrollment process involves passing both the `factorProfileId` and `sharedSecret` properties for a token. + + * A Factor Profile represents a particular configuration of the Custom TOTP factor. It includes certain properties that match the hardware token that end users possess, such as the HMAC algorithm, passcode length, and time interval. There can be multiple Custom TOTP factor profiles per org, but users can only enroll in one Custom TOTP factor. 
Admins can [create Custom TOTP factor profiles](https://help.okta.com/okta_help.htm?id=ext-mfa-totp) in the Admin Console. Then, copy the `factorProfileId` from the Admin Console into the API request. + + * + For Custom TOTP enrollment, Okta automaticaly enrolls a user with a `token:software:totp` factor and the `push` factor if the user isn't currently enrolled with these factors. + operationId: enrollFactor + parameters: + - name: updatePhone + description: If `true`, indicates that you are replacing the currently registered phone number for the specified user. This parameter is ignored if the existing phone number is used by an activated Factor. + in: query + schema: + type: boolean + default: false + - name: templateId + in: query + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. If the provided ID doesn't exist, the default template is used instead. + schema: + type: string + example: cstk2flOtuCMDJK4b0g3 + - name: tokenLifetimeSeconds + description: Defines how long the token remains valid + in: query + schema: + type: integer + format: int32 + minimum: 1 + maximum: 86400 + default: 300 + x-okta-added-version: 1.3.0 + - name: activate + description: If `true`, the factor is immediately activated as part of the enrollment. An activation process isn't required. Currently auto-activation is supported by `sms`, `call`, `email` and `token:hotp` (Custom TOTP) Factor. + in: query + schema: + type: boolean + default: false + x-okta-added-version: 1.3.0 + - name: Accept-Language + description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. 
+ in: header + schema: + type: string + example: fr + x-codegen-request-body-name: body + requestBody: + description: Factor + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactor' + examples: + question: + $ref: '#/components/examples/EnrollFactorQuestionRequest' + sms: + $ref: '#/components/examples/EnrollFactorSmsRequest' + call: + $ref: '#/components/examples/EnrollFactorCallRequest' + token:software:totp: + $ref: '#/components/examples/EnrollFactorOVTotpRequest' + push: + $ref: '#/components/examples/EnrollFactorOVPushRequest' + google: + $ref: '#/components/examples/EnrollFactorGoogleRequest' + rsa_securId: + $ref: '#/components/examples/EnrollFactorRsaSecurIdRequest' + symantec_vip: + $ref: '#/components/examples/EnrollFactorSymantecVipRequest' + yubikey: + $ref: '#/components/examples/EnrollFactorYubikeyRequest' + email: + $ref: '#/components/examples/EnrollFactorEmailRequest' + u2f: + $ref: '#/components/examples/EnrollFactorU2fRequest' + webAuthn: + $ref: '#/components/examples/EnrollFactorWebauthnRequest' + customTotp: + $ref: '#/components/examples/EnrollFactorCustomTotpRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactor' + examples: + question: + $ref: '#/components/examples/EnrollFactorQuestionResponse' + sms: + $ref: '#/components/examples/EnrollFactorSmsResponse' + call: + $ref: '#/components/examples/EnrollFactorCallResponse' + token:software:totp: + $ref: '#/components/examples/EnrollFactorOVTotpResponse' + push: + $ref: '#/components/examples/EnrollFactorOVPushResponse' + google: + $ref: '#/components/examples/EnrollFactorGoogleResponse' + rsa_securId: + $ref: '#/components/examples/EnrollFactorRsaSecurIdResponse' + symantec_vip: + $ref: '#/components/examples/EnrollFactorSymantecVipResponse' + yubikey: + $ref: '#/components/examples/EnrollFactorYubikeyResponse' + email: + $ref: 
'#/components/examples/EnrollFactorEmailResponse' + u2f: + $ref: '#/components/examples/EnrollFactorU2fResponse' + webAuthn: + $ref: '#/components/examples/EnrollFactorWebauthnResponse' + customTotp: + $ref: '#/components/examples/EnrollFactorCustomTotpResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors/catalog: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all supported Factors + description: Lists all the supported Factors that can be enrolled for the specified user + operationId: listSupportedFactors + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserFactorSupported' + examples: + SupportedFactorResponse: + $ref: '#/components/examples/SupportedFactorResults' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors/questions: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + x-okta-no-scope-required: true + summary: List all supported Security Questions + description: Lists all available Security Questions for the specified user + operationId: listSupportedSecurityQuestions + responses: + '200': + description: Success + content: + application/json: + example: + - question: disliked_food + 
questionText: What is the food you least liked as a child? + - question: name_of_first_plush_toy + questionText: What is the name of your first stuffed animal? + - question: first_award + questionText: What did you earn your first medal or award for? + schema: + type: array + items: + $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + tags: + - UserFactor + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors/{factorId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + get: + summary: Retrieve a Factor + description: Retrieves an existing Factor for the specified user + operationId: getFactor + responses: + '200': + $ref: '#/components/responses/GetFactorResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unenroll a Factor + description: |- + Unenrolls an existing Factor for the specified user. This allows the user to enroll a new Factor. + + > **Note**: If you unenroll the `push` or the `signed_nonce` Factors, Okta also unenrolls any other `totp`, `signed_nonce`, or Okta Verify `push` Factors associated with the user. + operationId: unenrollFactor + parameters: + - name: removeRecoveryEnrollment + description: If `true`, removes the phone number as both a recovery method and a Factor. This parameter is only used for the `sms` and `call` Factors. 
+ in: query + schema: + type: boolean + default: false + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + post: + summary: Activate a Factor + description: |- + Activates a Factor. Some Factors (`call`, `email`, `push`, `sms`, `token:software:totp`, `u2f`, and `webauthn`) require activation to complete the enrollment process. + + Okta enforces a rate limit of five activation attempts within five minutes. After a user exceeds the rate limit, Okta returns an error message. + + > **Note**: If the user exceeds their SMS, call, or email factor activate rate limit, then an OTP resend request (`/api/v1/users/${userId}}/factors/${factorId}/resend`) isn't allowed for the same Factor. 
+ operationId: activateFactor + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorActivateRequest' + examples: + token:software:totp: + $ref: '#/components/examples/FactorPasscodeRequest' + sms: + $ref: '#/components/examples/FactorPasscodeRequest' + call: + $ref: '#/components/examples/FactorPasscodeRequest' + email: + $ref: '#/components/examples/FactorPasscodeRequest' + u2f: + $ref: '#/components/examples/ActivateFactorU2fRequest' + webauthn: + $ref: '#/components/examples/ActivateFactorWebauthnRequest' + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorActivateResponse' + examples: + token:software:totp: + $ref: '#/components/examples/ActivateFactorTotpResponse' + sms: + $ref: '#/components/examples/ActivateFactorSmsResponse' + call: + $ref: '#/components/examples/ActivateFactorCallResponse' + push: + $ref: '#/components/examples/ActivateFactorPushResponse' + email: + $ref: '#/components/examples/ActivateFactorEmailResponse' + u2f: + $ref: '#/components/examples/ActivateFactorU2fResponse' + webauthn: + $ref: '#/components/examples/ActivateFactorWebauthnResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors/{factorId}/resend: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + post: + summary: Resend a Factor enrollment + description: |- + Resends an `sms`, `call`, or `email` factor challenge as part of an enrollment flow + + For `call` 
and `sms` factors, Okta enforces a rate limit of one OTP challenge per device every 30 seconds. You can configure your `sms` and `call` factors to use a third-party telephony provider. See the [Telephony inline hook reference](https://developer.okta.com/docs/reference/telephony-hook/). Okta round-robins between SMS providers with every resend request to help ensure delivery of an SMS and Call OTPs across different carriers. + + > **Note**: Resend operations aren't allowed after a factor exceeds the activation rate limit. See [Activate a Factor](./#tag/UserFactor/operation/activateFactor). + operationId: resendEnrollFactor + parameters: + - name: templateId + in: query + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. + schema: + example: cstk2flOtuCMDJK4b0g3 + type: string + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResendUserFactor' + examples: + sms: + value: + factorType: sms + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResendUserFactor' + examples: + sms: + $ref: '#/components/examples/EnrollFactorSmsResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + - $ref: '#/components/parameters/pathTransactionId' + get: + summary: Retrieve a 
Factor transaction status + description: Retrieves the status of a `push` Factor verification transaction + operationId: getFactorTransactionStatus + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorPushTransaction' + examples: + WAITING: + $ref: '#/components/examples/UserFactorVerifyPushTransactionWaiting' + SUCCESS: + $ref: '#/components/examples/UserFactorVerifyPushTransactionApproved' + REJECTED: + $ref: '#/components/examples/UserFactorVerifyPushTransactionRejected' + TIMEOUT: + $ref: '#/components/examples/UserFactorVerifyPushTransactionTimeout' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors/{factorId}/verify: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + post: + summary: Verify a Factor + description: |- + Verifies an OTP for a Factor. Some Factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) must first issue a challenge before you can verify the Factor. Do this by making a request without a body. After a challenge is issued, make another request to verify the Factor. + + **Note**: To verify a `push` factor, use the **poll** link returned when you issue the challenge. See [Retrieve a Factor Transaction Status](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/getFactorTransactionStatus). + operationId: verifyFactor + parameters: + - name: templateId + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. 
+ in: query + schema: + type: string + example: cstk2flOtuCMDJK4b0g3 + - name: tokenLifetimeSeconds + description: Defines how long the token remains valid + in: query + schema: + type: integer + format: int32 + minimum: 1 + maximum: 86400 + default: 300 + x-okta-added-version: 1.3.0 + - name: X-Forwarded-For + description: Public IP address for the user agent + in: header + schema: + type: string + x-okta-added-version: 1.11.0 + - name: User-Agent + description: Type of user agent detected when the request is made. Required to verify `push` Factors. + in: header + schema: + type: string + x-okta-added-version: 1.11.0 + - name: Accept-Language + description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. + in: header + schema: + type: string + example: fr + x-codegen-request-body-name: body + requestBody: + description: Some Factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) must first issue a challenge before you can verify the Factor. Do this by making a request without a body. After a challenge is issued, make another request to verify the Factor. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorVerifyRequest' + examples: + sms verify: + $ref: '#/components/examples/FactorPasscodeRequest' + call verify: + $ref: '#/components/examples/FactorPasscodeRequest' + email verify: + $ref: '#/components/examples/FactorPasscodeRequest' + u2f verify: + $ref: '#/components/examples/UserFactorVerifyU2fRequest' + webAuthn verify: + $ref: '#/components/examples/UserFactorVerifyWebauthnRequest' + security question verify: + $ref: '#/components/examples/UserFactorVerifySecurityQuestionRequest' + totp verify: + $ref: '#/components/examples/FactorPasscodeRequest' + token verify: + $ref: '#/components/examples/FactorPasscodeRequest' + yubikey verify: + $ref: '#/components/examples/FactorPasscodeRequest' + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorVerifyResponse' + examples: + sms challenge: + $ref: '#/components/examples/UserFactorChallengeSmsResponse' + sms verify: + $ref: '#/components/examples/UserFactorVerifySuccessSmsResponse' + call challenge: + $ref: '#/components/examples/UserFactorChallengeCallResponse' + call verify: + $ref: '#/components/examples/UserFactorVerifyCallSuccessResponse' + push challenge: + $ref: '#/components/examples/UserFactorChallengePushResponse' + email challenge: + $ref: '#/components/examples/UserFactorChallengeEmailResponse' + email verify: + $ref: '#/components/examples/UserFactorVerifyEmailSuccessResponse' + u2f challenge: + $ref: '#/components/examples/UserFactorChallengeU2fResponse' + u2f verify: + $ref: '#/components/examples/UserFactorVerifyU2fResponse' + webAuthn challenge: + $ref: '#/components/examples/UserFactorChallengeWebauthnResponse' + webAuthn verify: + $ref: '#/components/examples/UserFactorVerifyWebauthnResponse' + security question verify: + $ref: '#/components/examples/UserFactorVerifySuccessSqResponse' + totp verify: + $ref: 
'#/components/examples/UserFactorVerifySuccessTotpResponse' + token verify: + $ref: '#/components/examples/UserFactorVerifySuccessTokenResponse' + yubikey verify: + $ref: '#/components/examples/UserFactorVerifySuccessYubikeyResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/grants: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all User Grants + description: Lists all Grants for the specified user + operationId: listUserGrants + parameters: + - name: scopeId + in: query + description: The scope ID to filter on + schema: + type: string + - name: expand + in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' + schema: + type: string + example: scope + - name: after + in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). 
+ schema: + type: string + - name: limit + in: query + description: Specifies the number of grants to return + schema: + type: integer + format: int32 + minimum: 1 + maximum: 200 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke all User Grants + description: Revokes all Grants for a specified User + operationId: revokeUserGrants + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/grants/{grantId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathGrantId' + get: + summary: Retrieve a User Grant + description: Retrieves a Grant for the specified User + operationId: getUserGrant + parameters: + - name: expand + in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' 
+ schema: + type: string + example: scope + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke a User Grant + description: Revokes one Grant for a specified User + operationId: revokeUserGrant + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/groups: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all Groups + description: Lists all Groups of which the User is a member + operationId: listUserGroups + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + examples: + List User Groups: + $ref: '#/components/examples/ListUserGroups' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/idps: + parameters: + - $ref: 
'#/components/parameters/pathUserId' + get: + summary: List all Identity Providers for User + description: Lists the IdPs associated with the User + operationId: listUserIdentityProviders + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdentityProvider' + examples: + MultipleIdPsResponse: + $ref: '#/components/examples/MultipleIdPsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Activate a User + description: |- + Activates a User. + + This operation can only be performed on Users with a `STAGED` or `DEPROVISIONED` status. Activation of a User is an asynchronous operation. + * The User will have the `transitioningToStatus` property with an `ACTIVE` value during activation to indicate that the user hasn't completed the asynchronous operation. + * The User will have an `ACTIVE` status when the activation process completes. + + Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status. + + > **Note:** If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand. + > For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains). 
+ + > **Note:** If you have Optional Password enabled, visiting the activation link is optional for users who aren't required to enroll a password. + > See [Create user with Optional Password enabled](https://developer.okta.com/docs/reference/api/users/#create-user-with-optional-password-enabled). + + > **Legal disclaimer** + > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, + > you agreed not to use Okta's service/product to spam and/or send unsolicited messages. + > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all + > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. + operationId: activateUser + parameters: + - name: sendEmail + in: query + description: Sends an activation email to the user if `true` + required: false + schema: + type: boolean + default: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserActivationToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Deactivate a User + description: |- + Deactivates a User. + + This operation can only be performed on Users that do not have a `DEPROVISIONED` status. + * The User's `transitioningToStatus` property is `DEPROVISIONED` during deactivation to indicate that the user hasn't completed the asynchronous operation. 
+ * The User's status is `DEPROVISIONED` when the deactivation process is complete. + + > **Important:** Deactivating a User is a **destructive** operation. The User is deprovisioned from all assigned apps, which might destroy their data such as email or files. + **This action cannot be recovered!** + + You can also perform user deactivation asynchronously. To invoke asynchronous user deactivation, pass an HTTP header `Prefer: respond-async` with the request. + operationId: deactivateUser + parameters: + - name: sendEmail + in: query + description: Sends a deactivation email to the admin if `true` + schema: + type: boolean + default: false + x-okta-added-version: 1.5.0 + - name: Prefer + in: header + required: false + schema: + type: string + enum: + - respond-async + description: Request asynchronous processing + responses: + '200': + description: OK + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/expire_password: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Expire Password + description: |- + Expires the password. This operation transitions the User status to `PASSWORD_EXPIRED` so that the User must change their password the next time that they sign in. +
+ If you have integrated Okta with your on-premises Active Directory (AD), then setting a User's Password as expired in Okta also expires the Password in AD. + When the User tries to sign in to Okta, delegated authentication finds the password-expired status in AD, + and the User is presented with the password-expired page where they can change their Password. + operationId: expirePassword + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Expire Password Response: + $ref: '#/components/examples/ExpirePwdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/expire_password_with_temp_password: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Expire Password with temporary password + description: |- + Expires the password and resets the User's Password to a temporary password. This operation transitions the User status to `PASSWORD_EXPIRED` so that the User must change their password the next time that they sign in. + User's Password is reset to a temporary password that is returned, and then the User's Password is expired. + If `revokeSessions` is included in the request with a value of `true`, the User's current outstanding sessions are revoked and require re-authentication. +
+ If you have integrated Okta with your on-premises Active Directory (AD), then setting a User's Password as expired in Okta also expires the Password in AD. + When the User tries to sign in to Okta, delegated authentication finds the password-expired status in AD, + and the User is presented with the password-expired page where they can change their Password. + operationId: expirePasswordWithTempPassword + parameters: + - name: revokeSessions + in: query + description: Revokes the User's existing sessions if `true` + required: false + schema: + type: boolean + default: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Expire Password with Temp Password Response: + $ref: '#/components/examples/ExpirePwdWithTempPwdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/reset_factors: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Reset Factors + description: Resets all factors for the specified User. All MFA factor enrollments return to the unenrolled state. The User's status remains `ACTIVE`. This link is present only if the User is currently enrolled in one or more MFA factors. 
+ operationId: resetFactors + responses: + '200': + description: OK + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/reset_password: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Reset password + description: |- + Resets password. Generates a one-time token (OTT) that you can use to reset a User's password. You can automatically email the OTT link to the User or return the OTT to the API caller and distribute using a custom flow. + + This operation transitions the User to the `RECOVERY` status. The User is then not able to sign in or initiate a forgot password flow until they complete the reset flow. + + This operation provides an option to delete all the User's sessions. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared. + > **Note:** You can also use this API to convert a User with the Okta Credential Provider to use a Federated Provider. After this conversion, the User can't directly sign in with a password. + > To convert a federated User back to an Okta User, use the default API call. + + If an email address is associated with multiple Users, keep in mind the following to ensure a successful password recovery lookup: + * Okta no longer includes deactivated Users in the lookup. + * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. + If `sendEmail` is `false`, returns a link for the User to reset their password. 
+ operationId: resetPassword + parameters: + - name: sendEmail + in: query + required: true + schema: + type: boolean + - name: revokeSessions + description: Revokes all User sessions, except for the current session, if set to `true` + in: query + required: false + schema: + type: boolean + default: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResetPasswordToken' + examples: + Reset Password without Sending Email Response: + $ref: '#/components/examples/ResetPwdWithoutSendingEmailResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/suspend: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Suspend a User + description: |- + Suspends a user. This operation can only be performed on Users with an `ACTIVE` status. The User has a `SUSPENDED` status when the process completes. + + Suspended users can't sign in to Okta. They can only be unsuspended or deactivated. Their group and app assignments are retained. 
+ operationId: suspendUser + responses: + '200': + description: OK + content: {} + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/unlock: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Unlock a User + description: |- + Unlocks a User with a `LOCKED_OUT` status or unlocks a User with an `ACTIVE` status that is blocked from unknown devices. Unlocked Users have an `ACTIVE` status and can sign in with their current password. + > **Note:** This operation works with Okta-sourced users. It doesn't support directory-sourced accounts such as Active Directory. + operationId: unlockUser + responses: + '200': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/lifecycle/unsuspend: + parameters: + - $ref: '#/components/parameters/pathUserId' + post: + summary: Unsuspend a User + description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status. 
+ operationId: unsuspendUser + responses: + '200': + description: Success + content: {} + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/risk: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: Retrieve the user's risk + description: Retrieves the User Risk object for a user ID + operationId: getUserRisk + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskGetResponse' + examples: + UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + UserRiskNoneResponseExample: + $ref: '#/components/examples/UserRiskNoneResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userRisk.read + tags: + - UserRisk + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Upsert the user's risk + description: Upserts (creates or updates) the User Risk object for a user ID + operationId: upsertUserRisk + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskRequest' + examples: + RiskProviderRequestExample: + $ref: '#/components/examples/UserRiskRequest' + required: true + responses: + '200': + description: Updated the user's risk + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskPutResponse' + examples: + 
UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + '201': + description: Created the user's risk + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskPutResponse' + examples: + UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userRisk.manage + tags: + - UserRisk + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/users/{userId}/roles: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all user role assignments + description: Lists all roles assigned to a user (identified by `userId`) + operationId: listAssignedRolesForUser + parameters: + - $ref: '#/components/parameters/pathQueryRoleExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponse' + Custom Roles: + $ref: '#/components/examples/StandardAndCustomRolesListResponse' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign a user role + description: |- + Assigns a [standard 
role](/openapi/okta-management/guides/roles/#standard-roles) to a user. + + You can also assign a custom role to a user, but the preferred method to assign a custom role to a user is to create a binding between the custom role, the resource set, and the user. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. + operationId: assignRoleToUser + parameters: + - name: disableNotifications + description: Setting this to `true` grants the user third-party admin status + in: query + schema: + type: boolean + default: false + x-codegen-request-body-name: assignRoleRequest + requestBody: + content: + application/json: + schema: + type: object + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + type: object + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRoleResponseUser' + Custom Roles: + $ref: '#/components/examples/CustomRoleResponseUser' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRoleResponseUser' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - 
RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: Retrieve a user role assignment + description: Retrieves a role assigned to a user (identified by `userId`). The `roleAssignmentId` parameter is the unique identifier for either a standard role assignment object or a custom role resource set binding object. + operationId: getUserAssignedRole + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRoleResponseUser' + Custom Roles: + $ref: '#/components/examples/CustomRoleResponseUser' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRoleResponseUser' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a user role + description: Unassigns a role assignment (identified by `roleAssignmentId`) from a user (identified by `userId`) + operationId: unassignRoleFromUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + 
/api/v1/users/{userId}/roles/{roleAssignmentId}/governance: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: Retrieve all User Role Governance Sources + description: Retrieves the governance sources of a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`) + operationId: getUserAssignedRoleGovernance + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleGovernance' + examples: + Example Response: + $ref: '#/components/examples/GetUseRoleGovernanceResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGrantId' + get: + summary: Retrieve a User Role Governance Source + description: Retrieves a Governance Source (identified by `grantId`) for a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`) + operationId: getRoleAssignmentGovernanceGrant + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleGovernanceSource' + examples: + Example Response: + $ref: '#/components/examples/GetRoleAssignmentGovernanceGrantResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + 
- oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}/resources: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGrantId' + get: + summary: Retrieve the User Role Governance Source Resources + description: Retrieves the resources of a Governance Source (identified by `grantId`) for a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`) + operationId: getRoleAssignmentGovernanceGrantResources + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleGovernanceResources' + examples: + Example Response: + $ref: '#/components/examples/GetRoleAssignmentGovernanceGrantResources' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: List all admin role application targets + description: Lists all app targets for an `APP_ADMIN` role assigned to a user. The response is a list that includes OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app payload doesn't. 
+ operationId: listApplicationTargetsForApplicationAdministratorRoleForUser + parameters: + - name: after + in: query + schema: + type: string + - name: limit + in: query + schema: + type: integer + format: int32 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Assign all apps as target to role + description: Assigns all apps as target to role + operationId: assignAllAppsAsTargetToRoleForUser + responses: + '200': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + put: + summary: Assign an admin role application target + description: | + Assigns an OIN app target for an `APP_ADMIN` role assignment to an admin user. When you assign the first app target, you reduce the scope of the role assignment. + The role no longer applies to all app targets, but applies only to the specified target. Assigning an OIN app target overrides any existing app instance targets of the OIN app. 
+ For example, if a user was assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances. + operationId: assignAppTargetToAdminRoleForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an admin role application target + description: | + Unassigns an OIN app target from an `APP_ADMIN` role assignment to an admin user. + + > **Note:** You can't remove the last OIN app target from a role assignment since this causes an exception. + > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment to the user and recreate a new one. 
+ operationId: unassignAppTargetFromAppAdminRoleForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' + put: + summary: Assign an admin role application instance target + description: | + Assigns an app instance target to an `APP_ADMIN` role assignment to an admin user. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment. + The role no longer applies to all app targets, but applies only to the specified target. + + > **Note:** You can target a mixture of both OIN app and app instance targets, but can't assign permissions to manage all instances of an OIN app and then assign a subset of permission to the same OIN app. + > For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. 
+ operationId: assignAppInstanceTargetToAppAdminRoleForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an admin role application instance target + description: |- + Unassigns an app instance target from an `APP_ADMIN` role assignment to an admin user. + + > **Note:** You can't remove the last app instance target from a role assignment since this causes an exception. + > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment and recreate a new one. + operationId: unassignAppInstanceTargetFromAdminRoleForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: List all admin role group targets + description: | + Lists all group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. + If the role isn't scoped to specific group targets, an empty array `[]` is returned. 
+ operationId: listGroupTargetsForRole + parameters: + - name: after + in: query + schema: + type: string + - name: limit + in: query + schema: + type: integer + format: int32 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups/{groupId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGroupId' + put: + summary: Assign an admin role group target + description: | + Assigns a group target for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. + When you assign the first group target, you reduce the scope of the role assignment. The role no longer applies to all targets but applies only to the specified target. + operationId: assignGroupTargetToUserRole + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an admin role group target + description: | + Unassigns a group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. 
+ + > **Note:** You can't remove the last group target from a role assignment since this causes an exception. + > If you need a role assignment that applies to all groups, delete the role assignment to the user and recreate a new one. + operationId: unassignGroupTargetFromUserAdminRole + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/sessions: + parameters: + - $ref: '#/components/parameters/pathUserId' + delete: + summary: Revoke all User sessions + description: |- + Revokes all active Identity Provider sessions of the User. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the User. + > **Note:** This operation doesn't clear the sessions created for web or native apps. 
+ operationId: revokeUserSessions + parameters: + - name: oauthTokens + in: query + description: Revoke issued OpenID Connect and OAuth refresh and access tokens + schema: + type: boolean + default: false + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserSessions + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/subscriptions: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all subscriptions for a user + description: Lists all subscriptions available to a specified user. Returns an `AccessDeniedException` message if requests are made for another user. + operationId: listSubscriptionsUser + parameters: + - in: path + name: userId + required: true + schema: + type: string + description: The unique ID of the user + responses: + '200': + description: Success + content: + application/json: + schema: + items: + $ref: '#/components/schemas/Subscription' + type: array + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/subscriptions/{notificationType}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' + get: + summary: Retrieve a subscription for a user + description: Retrieves a subscription by `notificationType` for a specified user. Returns an `AccessDeniedException` message if requests are made for another user. 
+ operationId: getSubscriptionsNotificationTypeUser + parameters: + - in: path + name: userId + required: true + schema: + type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Subscription' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/subscriptions/{notificationType}/subscribe: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' + post: + summary: Subscribe a user to a specific notification type + description: Subscribes the current user to a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. 
+ operationId: subscribeByNotificationTypeUser + parameters: + - in: path + name: userId + required: true + schema: + type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' + responses: + '200': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/subscriptions/{notificationType}/unsubscribe: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' + post: + summary: Unsubscribe a user from a specific notification type + description: Unsubscribes the current user from a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. + operationId: unsubscribeByNotificationTypeUser + parameters: + - in: path + name: userId + required: true + schema: + type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' + responses: + '200': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/zones: + get: + summary: List all Network Zones + description: |- + Lists all Network Zones with pagination. A subset of zones can be returned that match a supported filter expression or query. + + This operation requires URL encoding. 
For example, `filter=(id eq "nzoul0wf9jyb8xwZm0g3" or id eq "nzoul1MxmGN18NDQT0g3")` is encoded as `filter=%28id+eq+%22nzoul0wf9jyb8xwZm0g3%22+or+id+eq+%22nzoul1MxmGN18NDQT0g3%22%29`. + + Okta supports filtering on the `id` and `usage` properties. See [Filtering](https://developer.okta.com/docs/reference/core-okta-api/#filter) for more information on the expressions that are used in filtering. + operationId: listNetworkZones + parameters: + - name: after + in: query + schema: + type: string + description: Specifies the pagination cursor for the next page of Network Zones + example: BlockedIpZones + - name: limit + in: query + schema: + type: integer + description: Specifies the number of results for a page + format: int32 + example: 5 + default: -1 + - name: filter + in: query + schema: + type: string + description: Filters zones by usage or ID expression + example: id eq "nzowc1U5Jh5xuAK0o0g3" + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/NetworkZone' + examples: + RetrieveAllZonesWithFilter: + $ref: '#/components/examples/RetrieveAllZonesWithFilter' + RetrieveAllZones: + $ref: '#/components/examples/RetrieveAllZones' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.read + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Network Zone + description: |- + Creates a Network Zone + * For an IP Network Zone, you must define either `gateways` or `proxies`. + * For a Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `proxyType`. + * For an Enhanced Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `ipServiceCategories`. 
+ operationId: createNetworkZone + x-codegen-request-body-name: zone + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + CreateIPPolicyNetworkZone: + $ref: '#/components/examples/CreateIPPolicyNetworkZone' + CreateIPPolicyBlocklistNetworkZone: + $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZone' + CreateEDNetworkZone: + $ref: '#/components/examples/CreateEDNZRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + CreateIPPolicyNetworkZone: + $ref: '#/components/examples/CreateIPPolicyNetworkZoneResponse' + CreateIPPolicyBlocklistNetworkZone: + $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZoneResponse' + CreateEDNetworkZone: + $ref: '#/components/examples/CreateEDNZResponse' + '400': + $ref: '#/components/responses/NzErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/zones/{zoneId}: + parameters: + - $ref: '#/components/parameters/pathZoneId' + get: + summary: Retrieve a Network Zone + description: Retrieves a Network Zone by `zoneId` + operationId: getNetworkZone + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + RetrieveNetworkZoneIP: + $ref: '#/components/examples/RetrieveNetworkZoneIP' + RetrieveNetworkZoneDynamic: + $ref: '#/components/examples/RetrieveNetworkZoneDynamic' + RetrieveNetworkZoneEnhancedDynamic: + $ref: '#/components/examples/CreateEDNZResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + 
$ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.read + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Network Zone + description: |- + Replaces a Network Zone by `zoneId`. The replaced Network Zone type must be the same as the existing type. + You can replace the usage (`POLICY`, `BLOCKLIST`) of a Network Zone by updating the `usage` attribute. + operationId: replaceNetworkZone + x-codegen-request-body-name: zone + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + ReplaceNetworkZone: + $ref: '#/components/examples/ReplaceNetworkZone' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + ReplaceNetworkZone: + $ref: '#/components/examples/ReplaceNetworkZoneResponse' + '400': + $ref: '#/components/responses/NzErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Network Zone + description: |- + Deletes a Network Zone by `zoneId` + > **Notes:** + > * You can't delete a Network Zone that's used by a [Policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) or [Rule](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules). + > * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE `status`. 
+ operationId: deleteNetworkZone + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/zones/{zoneId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathZoneId' + post: + summary: Activate a Network Zone + description: Activates a Network Zone by `zoneId` + operationId: activateNetworkZone + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + ActivateNetworkZone: + $ref: '#/components/examples/ActivateNetworkZone' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/zones/{zoneId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathZoneId' + post: + summary: Deactivate a Network Zone + description: Deactivates a Network Zone by `zoneId` + operationId: deactivateNetworkZone + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + DeactivateNetworkZone: + $ref: '#/components/examples/DeactivateNetworkZone' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + 
tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /attack-protection/api/v1/authenticator-settings: + get: + summary: Retrieve the Authenticator Settings + description: Retrieves the Authenticator Settings for an org + operationId: getAuthenticatorSettings + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Authenticator Settings + description: Replaces the Authenticator Settings for an org + operationId: replaceAuthenticatorSettings + x-codegen-request-body-name: authenticatorSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /attack-protection/api/v1/user-lockout-settings: + get: + summary: Retrieve the User Lockout Settings + description: Retrieves the User Lockout Settings for an org + 
operationId: getUserLockoutSettings + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserLockoutSettings' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the User Lockout Settings + description: Replaces the User Lockout Settings for an org + operationId: replaceUserLockoutSettings + x-codegen-request-body-name: lockoutSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserLockoutSettings' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/UserLockoutSettings' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /device-access/api/v1/desktop-mfa/enforce-number-matching-challenge-settings: + get: + summary: Retrieve the Desktop MFA Enforce Number Matching Challenge Org Setting + description: Retrieves the status of the Desktop MFA Enforce Number Matching Challenge push notifications feature. That is, whether or not the feature is enabled for your org. 
+ operationId: getDesktopMFAEnforceNumberMatchingChallengeOrgSetting + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Desktop MFA Enforce Number Matching Challenge Org Setting + description: Replaces the status of the Desktop MFA Enforce Number Matching Challenge push notifications feature. That is, whether or not the feature is enabled for your org. + operationId: replaceDesktopMFAEnforceNumberMatchingChallengeOrgSetting + x-codegen-request-body-name: DesktopMFAEnforceNumberMatchingChallengeOrgSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /device-access/api/v1/desktop-mfa/recovery-pin-settings: + get: + summary: Retrieve the Desktop MFA Recovery PIN Org setting + description: Retrieves the status of the Desktop MFA Recovery PIN feature. 
That is, whether or not the feature is enabled for your org. + operationId: getDesktopMFARecoveryPinOrgSetting + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Desktop MFA Recovery PIN Org Setting + description: Replaces the Desktop MFA Recovery PIN feature for your org + operationId: replaceDesktopMFARecoveryPinOrgSetting + x-codegen-request-body-name: DesktopMFARecoveryPinOrgSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /integrations/api/v1/api-services: + get: + summary: List all API Service Integration instances + description: Lists all API Service Integration instances with a pagination option + operationId: listApiServiceIntegrationInstances + parameters: + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + 
type: array + items: + $ref: '#/components/schemas/APIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/APIServiceIntegrationListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an API Service Integration instance + description: Creates and authorizes an API Service Integration instance + operationId: createApiServiceIntegrationInstance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/postAPIServiceIntegrationInstanceRequest' + examples: + postAPIServiceIntegrationRequestExample: + $ref: '#/components/examples/postAPIServiceIntegrationRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/postAPIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/postAPIServiceIntegrationResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + get: + summary: Retrieve an API Service Integration instance + description: Retrieves an API Service Integration instance by `id` + operationId: getApiServiceIntegrationInstance + responses: + '200': + 
description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/APIServiceIntegrationResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an API Service Integration instance + description: Deletes an API Service Integration instance by `id`. This operation also revokes access to scopes that were previously granted to this API Service Integration instance. + operationId: deleteApiServiceIntegrationInstance + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + get: + summary: List all API Service Integration instance Secrets + description: Lists all client secrets for an API Service Integration instance by `apiServiceId` + operationId: listApiServiceIntegrationInstanceSecrets + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + 
APIServiceIntegrationResponseExample: + $ref: '#/components/examples/APIServiceIntegrationInstanceSecretListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an API Service Integration instance Secret + description: Creates an API Service Integration instance Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects. + operationId: createApiServiceIntegrationInstanceSecret + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + newAPIServiceIntegrationInstanceSecretResponse: + $ref: '#/components/examples/newAPIServiceIntegrationInstanceSecretResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' + delete: + summary: Delete an API Service Integration instance Secret + description: Deletes an API Service Integration instance Secret by `secretId`. 
You can only delete an inactive Secret. + operationId: deleteApiServiceIntegrationInstanceSecret + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' + post: + summary: Activate an API Service Integration instance Secret + description: Activates an API Service Integration instance Secret by `secretId` + operationId: activateApiServiceIntegrationInstanceSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + activeAPIServiceIntegrationInstanceSecretResponse: + $ref: '#/components/examples/activeAPIServiceIntegrationInstanceSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' + post: + summary: Deactivate an API 
Service Integration instance Secret + description: Deactivates an API Service Integration instance Secret by `secretId` + operationId: deactivateApiServiceIntegrationInstanceSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + inactiveAPIServiceIntegrationInstanceSecretResponse: + $ref: '#/components/examples/inactiveAPIServiceIntegrationInstanceSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/submissions/{submissionId}: + parameters: + - $ref: '#/components/parameters/pathSubmissionId' + /integrations/api/v1/submissions/{submissionId}/submit: + parameters: + - $ref: '#/components/parameters/pathSubmissionId' + /integrations/api/v1/submissions/{submissionId}/testing: + parameters: + - $ref: '#/components/parameters/pathSubmissionId' + /oauth2/v1/clients/{clientId}/roles: + parameters: + - $ref: '#/components/parameters/pathClientId' + get: + summary: List all Client Role Assignments + description: Lists all roles assigned to a Client Application identified by `clientId` + operationId: listRolesForClient + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponseClient' + Custom Roles: + $ref: '#/components/examples/CustomRolesListResponseClient' + IAM-based Standard Roles: + $ref: 
'#/components/examples/IAMStandardRolesListResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign a Client Role + description: |- + Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a Client Application. + + You can also assign a custom role to a Client Application, but the preferred method to assign a custom role to a client is to create a binding between the Custom Role, the Resource Set, and the Client Application. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. 
+ operationId: assignRoleToClient + requestBody: + required: true + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleAssignmentRequest' + Custom Role Assignment: + $ref: '#/components/examples/CustomRoleAssignmentRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleResponseClient' + Custom Role Assignment: + $ref: '#/components/examples/CustomRoleResponseClient' + IAM-based Role Assignment: + $ref: '#/components/examples/IAMStandardRolesListResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: Retrieve a Client Role + description: Retrieves a Role Assignment (identified by `roleAssignmentId`) for a Client Application (identified by `clientId`) + operationId: retrieveClientRole + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleResponseClient' + Custom Role Assignment: + $ref: '#/components/examples/CustomRoleResponseClient' + IAM-based Standard Role 
Assignment: + $ref: '#/components/examples/IAMStandardRoleResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Client Role + description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a Client Application (identified by `clientId`) + operationId: deleteRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: List all Client Role Application Targets + description: Lists all OIN app targets for an `APP_ADMIN` Role that's assigned to a client Application (by `clientId`). 
+ operationId: listAppTargetRoleToClient + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + put: + summary: Assign a Client Role Application Target + description: |- + Assigns an OIN app target for an `APP_ADMIN` Role Assignment to a client Application. When you assign an app target from the OIN catalog, you reduce the scope of the Role Assignment. + The Role applies to only app instances that are included in the specified OIN app target. + + An assigned OIN app target overrides any existing app instance targets. + For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances. 
+ operationId: assignAppTargetRoleToClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Client Role Application Target + description: |- + Unassigns an OIN app target for a Role Assignment to a client Application + + > **Note:** You can't remove the last OIN app target from a Role Assignment since operation causes an exception. + > If you need a Role assignment that applies to all apps, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). + operationId: removeAppTargetRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' + put: + summary: Assign a Client Role Application Instance Target + description: |- + Assigns an app instance target to an `APP_ADMIN` Role Assignment to a client Application. 
When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment. + The Role no longer applies to all app targets, but applies only to the specified target. + + > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. + For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage only specific configurations of the Salesforce app. + operationId: assignAppTargetInstanceRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Client Role Application Instance Target + description: |- + Unassigns an OIN app instance target from a Role Assignment to a client Application + + > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception. + > If you need a Role Assignment that applies to all the apps, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). 
+ operationId: removeAppTargetInstanceRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: List all Client Role Group Targets + description: Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client. If the Role isn't scoped to specific Group targets, an empty array `[]` is returned. + operationId: listGroupTargetRoleForClient + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups/{groupId}: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGroupId' + put: + summary: Assign a Client Role Group Target + description: Assigns a Group target to a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role 
Assignment to a client Application. When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets, but applies only to the specified target. + operationId: assignGroupTargetRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Client Role Group Target + description: |- + Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client Application. + + > **Note:** You can't remove the last Group target from a Role Assignment, as it causes an exception. If you need a Role Assignment that applies to all Groups, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). 
+ operationId: removeGroupTargetRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /okta-personal-settings/api/v1/edit-feature: + put: + summary: Replace the Okta Personal admin settings + description: Replaces Okta Personal admin settings in a Workforce org + operationId: replaceOktaPersonalAdminSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OktaPersonalAdminFeatureSettings' + examples: + exampleSettings: + $ref: '#/components/examples/editFeatureExample' + required: true + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.manage + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /okta-personal-settings/api/v1/export-blocklists: + get: + summary: List all blocked email domains + description: Lists all blocked email domains which are excluded from app migration + operationId: listPersonalAppsExportBlockList + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PersonalAppsBlockList' + examples: + exampleSettings: + $ref: '#/components/examples/getBlockListExample' + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.read + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the blocked email domains + description: Replaces the list of blocked email domains which are excluded from app migration + operationId: replaceBlockedEmailDomains + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PersonalAppsBlockList' + examples: + exampleSettings: + $ref: '#/components/examples/getBlockListExample' + required: true + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.manage + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /privileged-access/api/v1/accounts/{id}: + parameters: + - $ref: '#/components/parameters/privilegedAccountId' + /privileged-access/api/v1/resources/{id}: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' + /privileged-access/api/v1/resources/{id}/claim: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' + /privileged-access/api/v1/resources/{id}/rotate-password: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' + /security/api/v1/security-events: + post: + summary: Publish a Security Event Token + description: Publishes a Security Event Token (SET) sent by a Security Events Provider. 
After the token is verified, Okta ingests the event and performs any appropriate action. + operationId: publishSecurityEventTokens + x-codegen-request-body-name: Security Event Token + requestBody: + required: true + description: | + The request body is a signed [SET](https://datatracker.ietf.org/doc/html/rfc8417), which is a type of JSON Web Token (JWT). + + For SET JWT header and body descriptions, see [SET JWT header](/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtHeader) and [SET JWT body payload](/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtBody). + content: + application/secevent+jwt: + schema: + type: string + examples: + SET: + value: eyJraWQiOiJzYW1wbGVfa2lkIiwidHlwIjoic2ZXZlbnQra ... mrtmw + responses: + '202': + description: Accepted + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventTokenError' + security: [] + tags: + - SSFSecurityEventToken + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/activate: + post: + summary: Activate a Preregistered WebAuthn Factor + description: Activates a preregistered WebAuthn Factor. As part of this operation, Okta first decrypts and verifies the Factor PIN and enrollment data sent by the fulfillment provider. 
+ operationId: activatePreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Activation Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredResponsesProcessingFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/enroll: + post: + summary: Enroll a Preregistered WebAuthn Factor + description: Enrolls a preregistered WebAuthn Factor. This WebAuthn Factor has a longer challenge timeout period to accommodate the fulfillment request process. As part of this operation, Okta generates EC key-pairs used to encrypt the Factor PIN and enrollment data sent by the fulfillment provider. 
+ operationId: enrollPreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Initialization Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredRequestsGenerationFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/initiate-fulfillment-request: + post: + summary: Generate a Fulfillment Request + description: Generates a fulfillment request by sending a WebAuthn Preregistration event to start the flow. The Okta Workflows WebAuthn preregistration integration uses this to populate the fulfillment request. 
+ operationId: generateFulfillmentRequest + x-codegen-request-body-name: body + requestBody: + description: Fulfillment Request + content: + application/json: + schema: + $ref: '#/components/schemas/FulfillmentRequest' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/send-pin: + post: + summary: Send a PIN to user + description: Sends the decoded PIN for the specified WebAuthn Preregistration Enrollment. PINs are sent to the user's email. To resend the PIN, call this operation again. + operationId: sendPin + x-codegen-request-body-name: body + requestBody: + description: Send PIN Request + content: + application/json: + schema: + $ref: '#/components/schemas/PinRequest' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/users/{userId}/enrollments: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all WebAuthn Preregistration Factors + description: Lists all WebAuthn Preregistration Factors for the specified user + operationId: listWebAuthnPreregistrationFactors + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: 
'#/components/schemas/WebAuthnPreregistrationFactor' + example: + - id: fwf23789dfs9asdf782 + factorType: webauthn + provider: FIDO + vendorName: FIDO + fulfillmentProvider: yubico + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: YubiKey 5C + presetPinAvailable: true + _links: + self: + href: https://example.okta.com/webauthn-registration/api/v1/users/00u15s1KDETTQMQYABRL/enrollments/fwf23789dfs9asdf782 + hints: + allow: + - DELETE + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/authenticatorEnrollmentId' + delete: + summary: Delete a WebAuthn Preregistration Factor + description: Deletes a specific WebAuthn Preregistration Factor for a user + operationId: deleteWebAuthnPreregistrationFactor + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine +x-webhooks: + CreateTelephonyInlineHook: + post: + summary: Create a Telephony Inline Hook + description: |- + Creates an Okta Telephony inline 
hook request. This is an automated request from Okta to your third-party service endpoint. + + The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, + which specify the Okta commands to execute. + + >**Note:** The size of your response payload must be less than 256 KB. + + See also: + * For a general introduction to Okta inline hooks, see [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) + * For information on the API for registering external service endpoints with Okta, see [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) + * For an example implementation of a telephony inline hook, see [Telephony inline hook ](https://developer.okta.com/docs/guides/telephony-inline-hook) + + ### About + + The Okta telephony inline hook allows you to integrate your own custom code into Okta flows that send SMS or voice call messages. You can integrate this hook with enrollment, authentication, and recovery flows that involve the phone authenticator. Okta uses your external provider to deliver the one-time passcode (OTP) to the Requester. The provider can respond with commands that indicate if the delivery was successful or not. + + You can have only one active telephony inline hook per org. + + When you create a telephony inline hook, you must include the `authScheme` parameter. See [Create inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook) and the [authScheme object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook!path=channel/0/config/authScheme&t=request) + + ### Time-out behavior + + If the provider response times out, Okta attempts to send the OTP using the Okta telephony providers. 
See [Troubleshoot](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook/#troubleshoot). + + >**Note:** The failover mechanism that uses the Okta telephony providers is heavily rate-limited. + + ### Troubleshoot + + This section explains several common causes of failure for telephony inline hooks. + + Note: Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the Troubleshooting section in the inline hooks topic for details on events captured by the Okta System Log. + + | Issue | Impact | Error Visibility | + |-------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|-------------------------------------------| + |External service fails to communicate or times out | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only | + |External service responds with any HTTP status code besides `200` | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only | + |External service returns an error object | Inline hook operation fails, OTP is sent to the Requester using an Okta telephony provider | Administrators, developers, and end users | + |Hook response is malformed or can't be mapped to the expected API response | Inline hook operation is skipped | Administrators only | + |Request header doesn't include an `authScheme` | Inline hook operation is skipped | Administrators only | + |Response uses an invalid status | Inline hook operation is skipped | Administrators only | + |Operation adds an active telephony inline hook when a hook exists | Inline hook operation is skipped | Administrators only | + operationId: createTelephonyInlineHook + requestBody: + required: true + 
content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TelephonyRequest' + examples: + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonyPayloadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/TelephonyResponse' + examples: + TelephonySuccessResponse: + $ref: '#/components/examples/TelephonySuccessResponse' + TelephonyFailureResponse: + $ref: '#/components/examples/TelephonyFailureResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + CreatePasswordImportInlineHook: + post: + summary: Create a Password Import Inline Hook + description: |- + Creates a password import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, + and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, + which specify the Okta commands to execute. + + >**Note:** The size of your response payload must be less than 256 KB. + + The password import inline hook allows you to migrate users from another data store where you want the users to retain their current passwords. + Use this hook with the [Create user with password import inline hook flow](/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook) that's described in the [Users API](/openapi/okta-management/management/tag/User/). + + The password import inline hook is triggered when the user tries to sign in to Okta for the first time. Okta sends your external service the password that the user supplied. 
Your external service then needs to send a response to Okta indicating whether the password supplied by the end user is valid. + + If your service returns a response that indicates that the password is valid, Okta sets the password for the user. The password import inline hook won't need to call your service again. + However, if the Okta service is in read-only mode, it might not be possible to set the password. Okta then needs to call your service again the next time the user attempts to sign in. + See [Password inline hook and Okta read-only mode](#password-inline-hook-and-okta-read-only-mode) and [Removing password from existing user store](#password-removal-from-an-existing-user-store). + + >**Notes:** + > * Password policies don't apply to the password import inline hook. That is, if your external service validates the password, the password is imported even if it doesn't meet the Okta password policy requirements. + > * You can create only one password import inline hook per org. + + See also: + + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + * [Password import inline hook](https://developer.okta.com/docs/guides/password-import-inline-hook/nodejs/main/) for an example implementation of this inline hook + + ### Enable a password import inline hook + + To enable a password import inline hook, you first need to register your external service endpoint with Okta and configure it as an inline hook of type `com.okta.user.credential.password.import`. 
+ You can enable the hook using the Admin Console, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) or through the [Inline Hooks management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/). + When creating a user with the Users API, you need to use the [Create User with password import inline hook](/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook) use case. + This involves specifying a `credentials.password.hook` property in the request body. + + When the user that you have added attempts to sign in to Okta for the first time, the hook is triggered and Okta calls your external service. The call sends the credentials that the end user provided. Your service can check + the credentials and respond with a command to indicate whether the credentials are valid or not. + + ### Password inline hook and Okta read-only mode + + If your external service responds to Okta indicating that the credentials are valid, Okta saves the password and can authenticate the user independently from then on. However, if your Okta org is in a special [read-only mode](https://support.okta.com/help/s/article/What-is-Oktas-Readonly-Mode) + at the time the user signs in, then saving the password might not be possible. The next time the end user attempts to sign in, the password import inline hook needs to be called again. + + ### Password removal from an existing user store + + Because of the possibility of your org being in a special service mode, you shouldn't attempt to permanently delete user passwords from your existing user store until you can verify the success of the password import . An Okta System Log Event, `user.import.password`, is available for this purpose. An event of this type is created every time a password import inline hook is fired, with its `Event.Outcome` property providing a status of `FAILURE` or `SUCCESS` for the password import operation. 
+ If the status is `SUCCESS`, Okta has successfully saved the end user's password, and it's safe to delete it from your previous user store. + + You can configure an [Event hook](https://developer.okta.com/docs/concepts/event-hooks/) to send this event type to you for use when triggering automated cleanup of end-user + passwords after successful migration. + operationId: createPasswordImportInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/PasswordImportRequest' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportPayloadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/PasswordImportResponse' + examples: + PasswordImportVerifiedResponse: + $ref: '#/components/examples/PasswordImportVerifiedResponse' + PasswordImportUnVerifiedResponse: + $ref: '#/components/examples/PasswordImportUnVerifiedResponse' + '204': + description: No content - Unverified user response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-registration-hook: + post: + summary: Create a Registration Inline Hook + description: |- + Creates a registration inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, + and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, + which specify the Okta commands to execute. 
+ + The Okta registration inline hook allows you to integrate your own custom code into Okta's [Profile Enrollment](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-profile-enrollment) flow. The hook is triggered after Okta receives the registration or profile update request. Your custom code can: + - Allow or deny the registration attempt, based on your own validation of the information the user has submitted + - Set or override the values that are populated in attributes of the user's Okta profile + > **Note:** Profile Enrollment and self-service registration (SSR) inline hooks only work with the [Okta Sign-In Widget](https://developer.okta.com/code/javascript/okta_sign-in_widget/) version 4.5 or later. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + * [Registration inline hook](https://developer.okta.com/docs/guides/registration-inline-hook) for an example implementation of this inline hook + operationId: create-registration-hook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + examples: + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentRequest' + ProgressiveProfileRequest: + $ref: '#/components/examples/ProgressiveProfileRequest' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/RegistrationResponse' + examples: + ProfileEnrollmentResponse: + $ref: '#/components/examples/ProfileEnrollmentResponse' + 
ProgressiveProfileResponse: + $ref: '#/components/examples/ProgressiveProfileResponse' + ProfileEnrollmentResponseDeny: + $ref: '#/components/examples/ProfileEnrollmentResponseDeny' + ProgressiveProfileResponseDeny: + $ref: '#/components/examples/ProgressiveProfileResponseDeny' + '204': + description: No content - Allow registration to proceed without any update. + tags: + - InlineHook + security: + - apiToken: [] + - oauth2: [] + x-okta-no-scope-required: true + CreateUserImportInlineHook: + post: + summary: Create a User Import Inline Hook + description: |- + Creates a user import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. + This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include + in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. + + The user import inline hook enables you to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in user name or other profile attributes, + modify values of profile attributes, and control whether the imported user is treated as a match for an existing user or not. The hook is invoked for each user being imported, + at the point immediately after any applicable profile attribute mappings have been applied, and any potential matches with existing users have been found, but before the Okta user profile is created. + + >**Note:** If the external service times out after receiving an Okta request, the Okta process flow continues and the user is created. 
+ + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + + >**Note:** The procedure for associating a user import inline hook with an app using the Admin Console can't be used with AD or LDAP. + operationId: createUserImportInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/UserImportRequest' + examples: + UserImportPayloadExample: + $ref: '#/components/examples/UserImportPayloadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/UserImportResponse' + examples: + UserImportChangeAppUserProfileExample: + $ref: '#/components/examples/UserImportChangeAppUserProfileExample' + UserImportChangeUserProfileExample: + $ref: '#/components/examples/UserImportChangeUserProfileExample' + UserImportCreateANewUserExample: + $ref: '#/components/examples/UserImportCreateANewUserExample' + UserImportMatchExample: + $ref: '#/components/examples/UserImportMatchExample' + UserImportErrorExample: + $ref: '#/components/examples/UserImportErrorExample' + '204': + description: No content - Use the default action + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-saml-hook: + post: + summary: Create a SAML Assertion Inline Hook + description: |- + Creates a SAML Assertion inline hook request, one type of inline hook supported by Okta. 
This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. + + This type of inline hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that will consume it, Okta calls out to your external service. Your external service can respond with commands to add attributes to the assertion or to modify its existing attributes. + + You can use this functionality to add data to assertions, which might be data that is sensitive, calculated at runtime, or complexly-structured and not appropriate for storing in Okta user profiles. Data added this way is never logged or stored by Okta. As an example, SAML assertions generated for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta. + + This inline hook works only when using custom SAML apps, not apps from the OIN. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * For a use case example of how to implement a SAML assertion inline hook, see [SAML assertion inline hook](https://developer.okta.com/docs/guides/saml-inline-hook) + * For steps to enable this inline hook, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook). 
+ + ### Specify location within the assertion + + Specify the location within the assertion where you want to apply your operation using a slash-delimited path, which follows JSON Patch conventions. + + When you perform an `add` op to add a new attribute statement, begin with `/claims/` and follow that with the name of the new attribute that you're adding. + + When you modify an existing assertions statement, begin the path with `/subject/`, `/authentication/`, `/conditions/`, or `/claims/`, depending on which part of the assertion you want to modify. You then look deeper within the child elements using slash-delimited element names, for example, `/claims/array/attributeValues/1/value`. (The `/1/` in the path indicates the index of the array, using zero-based indexing.) + + ### URI claims + + Okta supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, encode the claim name within the command per the [JavaScript Object Notation (JSON) Pointer](https://tools.ietf.org/html/rfc6901) specification. Specifically, this replaces `~` with `~0` and `/` with `~1`. + + ### SessionNotOnOrAfter support + + In some scenarios, your service provider may require the `SessionNotOnOrAfter` attribute for the `` in the SAML assertion, which sets the provider session time correctly. Use `add` op with the path `/authentication/sessionLifetime` and a value for session lifetime in seconds to add this attribute. Okta calculates `SessionNotOnOrAfter` by adding the `/authentication/sessionLifetime` value to the `issueInstant` attribute and returns it in the SAML `data.assertion. 
+ operationId: createSAMLAssertionInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/SAMLPayLoad' + examples: + SAMLPayloadExample: + $ref: '#/components/examples/SAMLPayLoadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/SAMLHookResponse' + examples: + SAMLHookResponseExample: + $ref: '#/components/examples/SAMLHookResponseExample' + SAMLHookResponseWithURIFormat: + $ref: '#/components/examples/SAMLHookResponseWithURIFormat' + '204': + description: No content - Use the default action + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-token-hook: + post: + summary: Create a Token inline hook + description: |- + Creates a Token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. + + This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims. + + Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta. 
+ + In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid. + + This inline hook works only when using an [Okta custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/#create-an-authorization-server), not the built-in Okta org authorization server. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * For an example implementation of this inline hook, see [Token inline hook](https://developer.okta.com/docs/guides/token-inline-hook) + + ### Timeout behavior + After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned. + + ### Enabling a token inline hook + To activate the inline hook, you first need to register your external service endpoint with Okta using the [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook). + You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps: + 1. Go to **Security** > **API** > **Authorization Servers.** + 2. Select a custom authorization server from the list. + 3. Select **Access Policies** and select a policy to use with the hook. In most cases, pick the Default Policy. + 4. One of the policy's rules needs to trigger the inline hook. Click the pencil icon for a rule to edit it. If you only have one rule, edit the Default Policy Rule. + 5. Click the **Use this Inline Hook** dropdown menu. Any inline hooks that you have registered are listed. Select the hook that you would like to use. + 6. Click **Update Rule**. 
+ + > **Note:** You can associate only one inline hook with each rule. + + ### Troubleshoot + This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails. + > **Note:** Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the [Troubleshooting](https://developer.okta.com/docs/concepts/inline-hooks/#troubleshooting) section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures. + - When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + - When the external service returns a response with any other HTTP status code besides `200`, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + - When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated. + + **Who can see this error?** Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client. + > **Note:** See the [error](https://developer.okta.com/docs/reference/token-hook/#error) section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token. 
+ + - When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + The following actions result in an error: + - Using an invalid command. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`. + - Using an invalid operation + - Attempting to remove a system-specific claim + - Attempting to update a claim that doesn't exist + - Attempting to update an element within an array that doesn't exist or specifying an invalid index + - Attempting to remove a claim that doesn't exist + operationId: createTokenInlineHook + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/TokenRequest' + examples: + TokenPayLoadExample: + $ref: '#/components/examples/TokenPayLoadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/TokenHookResponse' + examples: + TokenHookResponse: + $ref: '#/components/examples/TokenHookResponse' + TokenHookResponseWithURIFormat: + $ref: '#/components/examples/TokenHookResponseWithURIFormat' + TokenHookResponseAppendArray: + $ref: '#/components/examples/TokenHookResponseAppendArray' + TokenHookReplaceExisting: + $ref: '#/components/examples/TokenHookReplaceExisting' + TokenHookReplaceInPath: + $ref: '#/components/examples/TokenHookReplaceInPath' + TokenHookModifyLifetime: + $ref: '#/components/examples/TokenHookModifyLifetime' + TokenHookRemoveClaim: + $ref: '#/components/examples/TokenHookRemoveClaim' + TokenHookRemoveFromArray: + $ref: '#/components/examples/TokenHookRemoveFromArray' + TokenHookRemoveFromObject: + $ref: '#/components/examples/TokenHookRemoveFromObject' + TokenHookErrorExample: + $ref: '#/components/examples/TokenHookErrorExample' + '204': + 
description: No content - Unverified user response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook +components: + examples: + APIDevicesListAllResponse: + summary: List all devices with embedded users + value: + - id: guo4a5u7YAHhjXrMK0g4 + status: CREATED + created: '2019-10-02T18:03:07.000Z' + lastUpdated: '2019-10-02T18:03:07.000Z' + profile: + displayName: Example Device name 1 + platform: WINDOWS + serialNumber: XXDDRFCFRGF3M8MD6D + sid: S-1-11-111 + registered: true + secureHardwarePresent: false + diskEncryptionType: ALL_INTERNAL_VOLUMES + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 1 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g4 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users + hints: + allow: + - GET + _embedded: + users: [] + - id: guo4a5u7YAHhjXrMK0g5 + status: ACTIVE + created: '2023-06-21T23:24:02.000Z' + lastUpdated: '2023-06-21T23:24:02.000Z' + profile: + displayName: Example Device name 2 + platform: ANDROID + manufacturer: Google + model: Pixel 6 + osVersion: 13:2023-05-05 + registered: true + secureHardwarePresent: true + diskEncryptionType: USER + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 2 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g5 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: 
https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users + hints: + allow: + - GET + _embedded: + users: + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + status: ACTIVE + created: '2020-08-12T06:46:50.000Z' + activated: '2020-08-12T06:46:50.000Z' + statusChanged: '2021-01-27T21:05:32.000Z' + lastLogin: '2021-10-14T09:04:48.000Z' + lastUpdated: '2021-01-27T21:05:32.000Z' + passwordChanged: '2020-08-12T06:46:50.000Z' + type: + id: oty7ut9Uu76oHVUZc0w4 + profile: + firstName: fname + lastName: lname + mobilePhone: null + secondEmail: null + login: email@email.com + email: email@email.com + credentials: + password: {} + recovery_question: + question: What is the food you least liked as a child? + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc7ut9Uu76oHVUZc0w4 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password + method: POST + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/oty7ut9Uu76oHVUZc0w4 + changePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate + APIDevicesListAllUserSummaryResponse: + summary: List all 
devices with embedded user summaries + value: + - id: guo4a5u7YAHhjXrMK0g4 + status: CREATED + created: '2019-10-02T18:03:07.000Z' + lastUpdated: '2019-10-02T18:03:07.000Z' + profile: + displayName: Example Device name 1 + platform: WINDOWS + serialNumber: XXDDRFCFRGF3M8MD6D + sid: S-1-11-111 + registered: true + secureHardwarePresent: false + diskEncryptionType: ALL_INTERNAL_VOLUMES + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 1 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g4 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users + hints: + allow: + - GET + _embedded: + users: [] + - id: guo4a5u7YAHhjXrMK0g5 + status: ACTIVE + created: '2023-06-21T23:24:02.000Z' + lastUpdated: '2023-06-21T23:24:02.000Z' + profile: + displayName: Example Device name 2 + platform: ANDROID + manufacturer: Google + model: Pixel 6 + osVersion: 13:2023-05-05 + registered: true + secureHardwarePresent: true + diskEncryptionType: USER + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 2 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g5 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users + hints: + allow: + - GET + _embedded: + users: + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + realmId: 00u17vh0q8ov8IU8T0g5 + 
profile: + firstName: fname + lastName: lname + login: email@email.com + email: email@email.com + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + APIDevicesListAllUsersResponse: + summary: Response example + value: + - created: '2021-08-20T17:13:35.000Z' + managementStatus: NOT_MANAGED + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + status: ACTIVE + created: '2021-08-20T16:08:25.000Z' + activated: null + statusChanged: '2021-08-20T16:39:41.000Z' + lastLogin: '2023-04-18T17:54:12.000Z' + lastUpdated: '2021-12-20T18:27:30.000Z' + passwordChanged: '2021-12-20T18:27:30.000Z' + type: + id: oty17vh0n2EHVnbYF1d7 + profile: + firstName: Bunk + lastName: Moreland + mobilePhone: null + secondEmail: null + login: bunk.moreland@example.com + email: bunk.moreland@example.com + credentials: + password: null + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password + method: POST + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + resetFactors: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors + method: POST + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7 + changePassword: + href: 
https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate + method: POST + APIPushProvidersListAllResponse: + value: + - id: ppchvbeucdTgqeiGxR0g4 + providerType: APNS + name: Example Push Provider 1 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + keyId: ABC123DEFG + teamId: DEF123GHIJ + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + - id: ppctekcmngGaqeiBxB0g4 + providerType: FCM + name: Example Push Provider 2 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.json + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + APIServiceIntegrationInstanceSecretListResponse: + summary: Secrets list response example + value: + - id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: '***MQGQ' + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - 
POST + APIServiceIntegrationListResponse: + summary: List response example + value: + - id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + APIServiceIntegrationResponse: + summary: Response example + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + ActivateFactorCallResponse: + summary: call + value: + id: clf1o51EADOTFXHHBXBP + factorType: call + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-06T16:56:31.000Z' + lastUpdated: '2014-08-06T16:56:31.000Z' + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP + hints: + 
allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorEmailResponse: + summary: email + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: ACTIVE + profile: + email: changed@clouditude.net + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + ActivateFactorPushResponse: + summary: push + value: + id: opf3hkfocI4JTLAju0g4 + factorType: push + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2015-03-16T18:01:28.000Z' + lastUpdated: '2015-08-27T14:25:17.000Z' + profile: + credentialId: dade.murphy@example.com + deviceType: SmartPhone_IPhone + name: Gibson + platform: IOS + version: '9.0' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorSmsResponse: + summary: sms + value: + id: sms1o51EADOTFXHHBXBP + factorType: sms + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-06T16:56:31.000Z' + lastUpdated: '2014-08-06T16:56:31.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP/verify + hints: + allow: + - POST + self: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorTotpResponse: + summary: token:software:totp + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-08-06T00:31:07.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorU2fRequest: + summary: u2f + value: + registrationData: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + ActivateFactorU2fResponse: + summary: u2f + value: + id: fuf2rovRxogXJ0nDy0g4 + factorType: u2f + provider: FIDO + vendorName: FIDO + status: ACTIVE 
+ created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: WVO-QyHEi0eWmTNqESqJynDtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + version: U2F_V2 + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorWebauthnRequest: + summary: webAuthn + value: + attestation: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== + clientData: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0= + ActivateFactorWebauthnResponse: + summary: webAuthn + value: + id: fwf2rovRxogXJ0nDy0g4 + factorType: webauthn + provider: FIDO + vendorName: FIDO + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + user: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateIdPResponse: + summary: Activate an Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-25T19:14:23.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + ActivateNetworkZone: + summary: Activated Network Zone + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - 
POST + ActiveAuthorizationServerKey: + summary: Active Authorization Server Key + value: + status: ACTIVE + alg: RS256 + e: AQAB + 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET + AddMappingBody: + summary: Update an existing profile mapping by adding one or more properties + value: + properties: + additionalProperties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.nickName + pushStatus: PUSH + AddMappingResponse: + summary: Update an existing profile mapping by adding one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.nickName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + AdminConsoleSettingsExample: + summary: Default Okta Admin Console Settings + 
value: + sessionMaxLifetimeMinutes: 720 + sessionIdleTimeoutMinutes: 15 + AerialConsentDetails: + description: Example response of consent details + value: + accountId: 0200bs0617vvhv2v675mch1cukp + grantDate: '2023-04-06T21:32:33.000Z' + grantedBy: 00uabcdefg1234567890 + AerialConsentInvalidAccountIdResponse: + description: Aerial account ID is invalid + value: + errorCode: E0000001 + errorSummary: 'API validation failed: account' + errorLink: E0000001 + errorId: oaewjePjfdBT7m71KkPz0Ipaw + errorCauses: + - errorSummary: Invalid aerial account ID. + AerialConsentOrgAlreadyLinkedResponse: + description: The revoke operation isn't possible when the org is already linked + value: + errorCode: E0000001 + errorSummary: 'API validation failed: account' + errorLink: E0000001 + errorId: oae_wheRkaxRT-EFAXwBmBKLg + errorCauses: + - errorSummary: The org is already linked to an Account. + AerialGrantAlreadyPresentErrorResponse: + description: Grant is already present + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: account' + errorLink: E0000001 + errorId: oaewjePjfdBT7m71KkPz0Ipaw + errorCauses: + - errorSummary: The org already has a consent grant added to Aerial. 
+ AerialGrantNotFoundResponse: + description: No grant found for org + value: + errorCode: E0000007 + errorSummary: 'Not found: Resource not found: grant (String)' + errorLink: E0000007 + errorId: sampleFYH_dTSSTdpPYIAdHJw + errorCauses: [] + AllAssignmentsOperationResponse: + value: + id: rre4mje4ez7B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + assignmentOperation: + configuration: + id: ALL + name: All Assignments + numUserMoved: 50 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7 + method: GET + ApiTokenListMetadataResponse: + value: + - name: My API Token + userId: 00uabcdefg1234567890 + tokenWindow: P30D + network: + connection: ANYWHERE + id: 00Tabcdefg1234567890 + clientName: Okta API + expiresAt: '2021-12-11T20:38:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + hints: + allow: + - GET + - name: Another API Token + userId: 00uabcdefg1234567890 + tokenWindow: PT5M + id: 00T1234567890abcdefg + clientName: Okta API + expiresAt: '2021-11-11T20:43:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + hints: + allow: + - GET + ApiTokenMetadataResponse: + value: + name: My API Token + userId: 00uXXXXXXXXXXXXXXXXX + tokenWindow: P30D + network: + connection: ANYWHERE + id: 00Tabcdefg1234567890 + clientName: Okta API + expiresAt: '2021-12-11T20:38:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: 
'2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX + hints: + allow: + - GET + AppCsrJsonResponse: + summary: CSR object in JSON format + value: + id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + AppCsrPkcs10Response: + summary: CSR in DER format + value: 
MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 + AppFeatureListResponseEx: + summary: List app Feature response + value: + - name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: DISABLED + update: + profile: + status: DISABLED + lifecycleDeactivate: + status: DISABLED + password: + status: DISABLED + seed: RANDOM + change: KEEP_EXISTING + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + AppFeatureResponseEx: + summary: App Feature response + value: + name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: DISABLED + update: + profile: + status: DISABLED + lifecycleDeactivate: + status: DISABLED + password: + status: DISABLED + seed: RANDOM + change: KEEP_EXISTING + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + AppGrantsEx: + summary: App Grants example + value: + id: oag91n9ruw3dsaXzP0h6 + status: ACTIVE + created: '2023-02-21T16:54:00.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-21T16:54:00.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.users.read + source: ADMIN + _embedded: + scope: + id: okta.users.read + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + 
AppGrantsPostEx: + summary: App Grants example + value: + issuer: '{yourOktaDomain}' + scopeId: okta.users.read + AppResponseBaseEx: + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + AppUserAssignProvRequest: + summary: SSO and provisioning Application User request example + value: + id: 00u15s1KDETTQMQYABRL + scope: USER + credentials: + username: saml.jackson@example.com + profile: + salesforceGroups: + - Employee + role: Developer + profile: Standard User + AppUserAssignSSORequest: + summary: SSO Application User request example + value: + id: 00ud4tVDDXYVKPXKVLCO + scope: USER + credentials: + username: rae.cloud@example.com + AppUserCredUpdateResponse: + summary: Application User credential update + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: '2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T05:15:30.000Z' + scope: USER + status: ACTIVE + statusChanged: '2024-01-27T03:52:45.000Z' + passwordChanged: '2024-01-27T05:15:30.000Z' + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + password: {} + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + 
birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: null + locale: en_US + picture: null + name: Rae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud + email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + AppUserListEx: + summary: List Application User example + value: + - id: 00u1dnq5S0CfjlkpABCD + externalId: 00u5edt3PNbbjzvIABCD + created: '2024-01-31T18:25:01.000Z' + lastUpdated: '2024-01-31T18:25:03.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2024-01-31T18:25:03.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2024-01-31T18:25:03.000Z' + credentials: + userName: saml.test@example.com + profile: + secondEmail: null + lastName: Test + mobilePhone: null + displayName: Saml O Test + email: saml.test@example.com + salesforceGroups: [] + role: Tester + firstName: Saml + streetAddress: null + profile: Standard Platform User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL + user: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + _embedded: + user: + id: 00u1dnq5S0CfjlkpABCD + status: ACTIVE + created: '2024-01-09T15:36:04.000Z' + activated: '2024-01-09T15:36:05.000Z' + statusChanged: '2024-01-09T15:36:05.000Z' + lastLogin: null + lastUpdated: '2024-01-09T15:36:05.000Z' + passwordChanged: '2024-01-09T15:36:05.000Z' + type: + id: otyzhh29g7Python90g3 + profile: + firstName: Saml + lastName: Test + mobilePhone: null + secondEmail: null + login: saml.test@example.com + email: saml.test@example.com + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend + method: POST + schema: + href: 
https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3 + changePassword: + href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate + method: POST + AppUserProfUpdateResponse: + summary: Application User profile update + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: '2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T05:05:32.000Z' + scope: USER + status: ACTIVE + statusChanged: '2024-01-27T03:52:45.000Z' + passwordChanged: null + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: Mae + locale: en_US + picture: null + name: Rae Mae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud + email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + AppUserProvExpandResponse: + summary: Application User expand example + value: + id: 00u1dnq5S0CfjlkpABCD + externalId: 00u5edt3PNbbjzvIABCD + created: '2024-01-31T18:25:01.000Z' + lastUpdated: 
'2024-01-31T18:25:03.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2024-01-31T18:25:03.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2024-01-31T18:25:03.000Z' + credentials: + userName: saml.test@example.com + profile: + secondEmail: null + lastName: Test + mobilePhone: null + displayName: Saml O Test + email: saml.test@example.com + salesforceGroups: [] + role: Tester + firstName: Saml + streetAddress: null + profile: Standard Platform User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL + user: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + _embedded: + user: + id: 00u1dnq5S0CfjlkpABCD + status: ACTIVE + created: '2024-01-09T15:36:04.000Z' + activated: '2024-01-09T15:36:05.000Z' + statusChanged: '2024-01-09T15:36:05.000Z' + lastLogin: null + lastUpdated: '2024-01-09T15:36:05.000Z' + passwordChanged: '2024-01-09T15:36:05.000Z' + type: + id: otyzhh29g7Python90g3 + profile: + firstName: Saml + lastName: Test + mobilePhone: null + secondEmail: null + login: saml.test@example.com + email: saml.test@example.com + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3 + changePassword: + href: 
https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate + method: POST + AppUserProvResponse: + summary: SSO and provisioning Application User response example + value: + id: 00u15s1KDETTQMQYABRL + externalId: 005o0000000ogQ9AAI + created: '2014-08-16T02:35:14.000Z' + lastUpdated: '2014-08-16T02:56:49.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2014-08-16T02:56:49.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2014-08-16T02:56:49.000Z' + credentials: + userName: saml.jackson@example.com + profile: + secondEmail: null + lastName: Jackson + mobilePhone: null + email: saml.jackson@example.com + salesforceGroups: + - Employee + role: Developer + firstName: Saml + profile: Standard User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + AppUserSSOResponse: + summary: SSO Application User response example + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: '2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T03:52:45.000Z' + scope: USER + status: ACTIVE + statusChanged: '2024-01-27T03:52:45.000Z' + passwordChanged: null + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: null + locale: en_US + picture: null + name: Rae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud + email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + AppUserSchemaAddRequest: + value: + definitions: + custom: + 
id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + externalName: twitterUserName + description: User's username for twitter.com + type: string + required: false + minLength: 1 + maxLength: 20 + required: [] + AppUserSchemaResponse: + value: + id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default + $schema: http://json-schema.org/draft-04/schema# + name: Example App + title: Example App User + lastUpdated: '2017-07-18T23:18:43.000Z' + created: '2017-07-18T22:35:30.000Z' + definitions: + base: + id: '#base' + type: object + properties: + userName: + title: Username + type: string + required: true + scope: NONE + maxLength: 100 + required: + - userName + custom: + id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + externalName: twitterUserName + description: User's username for twitter.com + type: string + scope: NONE + minLength: 1 + maxLength: 20 + required: [] + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + AppUserUpdateCredRequest: + summary: Application User credentials update + value: + credentials: + userName: rae.cloud@example.com + password: + value: updatedP@55word + AppUserUpdateProfileRequest: + summary: Application User profile update + value: + profile: + name: Rae Mae Cloud + middle_name: Mae + AppleIdPResponse: + summary: Apple Identity Provider + value: + id: 0oa18hsHsG3boVejU0g4 + type: APPLE + issuerMode: ORG_URL + name: Apple Identity Provider + status: ACTIVE + created: '2020-06-05T20:57:51.000Z' + lastUpdated: '2020-06-05T20:57:51.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://appleid.apple.com/auth/authorize + binding: HTTP-REDIRECT + token: + url: https://appleid.apple.com/auth/token + binding: HTTP-POST + scopes: + - openid + - email + - name + credentials: + client: + client_id: your-client-id + signing: + teamId: test team ID + privateKey: 
MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + kid: test key ID + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa18hsHsG3boVejU0g4&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri=${redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + AssignGroupOwnerRequest: + summary: Assign a group owner request example + value: + id: 00u1cmc03xjzePoWD0h8 + type: USER + AssignGroupOwnerResponse: + summary: Assign a group owner response example + value: + id: 00u1cmc03xjzePoWD0h8 + type: USER + resolved: true + originId: null + originType: OKTA_DIRECTORY + displayName: Oliver Putnam + lastUpdated: Wed Mar 29 18:34:31 UTC 2023 + AuthenticatorMethodInactiveVoice: + value: + type: voice + status: INACTIVE + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice + hints: + allow: + - GET + - PUT + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate + hints: + allow: + - POST + AuthenticatorMethodPhone: + value: + - type: sms + status: ACTIVE + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms + hints: + allow: + - GET + - PUT + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate + hints: + allow: + - POST + - type: voice + status: INACTIVE + _links: + self: 
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice + hints: + allow: + - GET + - PUT + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate + hints: + allow: + - POST + AuthenticatorMethodSms: + value: + type: sms + status: ACTIVE + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms + hints: + allow: + - GET + - PUT + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate + hints: + allow": + - POST + AuthenticatorMethodWebauth: + value: + type: webauthn + status: ACTIVE + settings: + userVerification: DISCOURAGED + attachment: ANY + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/webauthn + hints: + allow: + - GET + - PUT + AuthenticatorRequestDuo: + value: + key: duo + name: Duo Security + provider: + type: DUO + configuration: + userNameTemplate: + template: oktaId + integrationKey: testIntegrationKey + secretKey: testSecretKey + host: https://api-xxxxxxxx.duosecurity.com + AuthenticatorResponseDuo: + value: + type: app + id: aut9gnvcjUHIWb37J0g4 + key: duo + status: ACTIVE + name: Duo Security + created: '2022-07-15T21:14:02.000Z' + lastUpdated: '2022-07-15T21:14:02.000Z' + settings: {} + provider: + type: DUO + configuration: + host: https://api-xxxxxxxx.duosecurity.com + userNameTemplate: + template: oktaId + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4 + hints: + allow: + - GET + - PUT + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate + hints: + allow: + - POST + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods + hints: + allow: + - GET + AuthenticatorResponseEmail: + value: + type: email + id: aut1nbsPHh7jNjjyP0g4 + key: okta_email + 
status: ACTIVE + name: Email + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + settings: + allowedFor: any + tokenLifetimeInMinutes: 5 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponseInactiveWebAuthn: + value: + type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: INACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponsePassword: + value: + type: password + id: aut1nbtrJKKA9m45a0g4 + key: okta_password + status: ACTIVE + name: Password + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + hints: + allow: + - GET + AuthenticatorResponsePhone: + value: + type: phone + id: aut1nbuyD8m1ckAYc0g4 + key: phone_number + status: INACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + settings: + allowedFor: none + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 + 
hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + hints: + allow: + - GET + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate + hints: + allow: + - POST + AuthenticatorResponseSecurityQuestion: + summary: Security Question + value: + type: security_question + id: aut1nbvIgEenhwE6c0g4 + key: security_question + status: ACTIVE + name: Security Question + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4 + hints: + allow: + - GET + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponseWebAuthn: + value: + type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: ACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorsResponse: + summary: Org Authenticators + value: + - type: email + id: aut1nbsPHh7jNjjyP0g4 + key: okta_email + status: ACTIVE + name: Email + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + settings: + allowedFor: any + tokenLifetimeInMinutes: 5 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + hints: + allow: + - GET + - PUT + 
methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + hints: + allow: + - POST + - type: password + id: aut1nbtrJKKA9m45a0g4 + key: okta_password + status: ACTIVE + name: Password + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + hints: + allow: + - GET + - type: phone + id: aut1nbuyD8m1ckAYc0g4 + key: phone_number + status: INACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + settings: + allowedFor: none + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + hints: + allow: + - GET + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate + hints: + allow: + - POST + - type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: ACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthorizationServerPolicy: + summary: Authorization Server Policy + value: + type: OAUTH_AUTHORIZATION_POLICY + id: 00palyaappA22DPkj0h7 
+ status: ACTIVE + name: Vendor2 Policy + description: Vendor2 policy description + priority: 1 + system: false + conditions: + clients: + include: + - ALL_CLIENTS + created: '2017-05-26T19:43:53.000Z' + lastUpdated: '2017-06-07T15:28:17.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate + hints: + allow: + - POST + rules: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules + hints: + allow: + - GET + AuthorizationServerPolicyRule: + summary: Authorization Server Policy Rule + value: + type: RESOURCE_ACCESS + id: 0prbsjfyl01zfSZ9K0h7 + status: ACTIVE + name: Default Policy Rule + priority: 1 + created: '2017-08-25T16:57:02.000Z' + lastUpdated: '2017-08-30T14:51:05.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: + - EVERYONE + exclude: [] + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate + hints: + allow: + - POST + AutoLoginAppResponseEx: + summary: AUTO_LOGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + 
accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + customswaapp_link: true + name: customswaapp + label: Custom SWA App + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + signOn: + redirectUrl: http://swasecondaryredirecturl.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginEx: + summary: AUTO_LOGIN + value: + label: Custom SWA App + signOnMode: AUTO_LOGIN + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + settings: + signOn: + redirectUrl: http://swasecondaryredirecturl.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginPutEx: + summary: AUTO_LOGIN + value: + label: Custom SWA App updated + status: ACTIVE + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + 
iOS: false + web: false + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: ADMIN_SETS_CREDENTIALS + userNameTemplate: + template: ${source.email} + type: BUILT_IN + settings: + signOn: + redirectUrl: http://swasecondaryredirecturlupdated.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginPutResponseEx: + summary: AUTO_LOGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + customswaapp_link: true + name: customswaapp + label: Custom SWA App updated + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: ADMIN_SETS_CREDENTIALS + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + signOn: + redirectUrl: http://swasecondaryredirecturlupdated.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + BaseSignOnModeEx: + value: + status: ACTIVE + 
accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + features: [] + BasicAuthEx: + summary: BASIC_AUTH + value: + name: template_basic_auth + label: Sample Basic Auth App + signOnMode: BASIC_AUTH + settings: + app: + url: https://example.com/login.html + authURL: https://example.com/auth.html + BasicAuthPutEx: + summary: BASIC_AUTH + value: + label: Sample Basic Auth App updated + signOnMode: BASIC_AUTH + settings: + app: + url: https://example.com/loginUpdated.html + authURL: https://example.com/auth.html + BasicAuthPutResponseEx: + summary: BASIC_AUTH + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_basic_auth + label: Sample Basic Auth App updated + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: 
null + url: https://example.com/loginUpdated.html + authURL: https://example.com/auth.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BasicAuthResponseEx: + summary: BASIC_AUTH + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_basic_auth + label: Sample Basic Auth App + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + url: https://example.com/login.html + authURL: https://example.com/auth.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BehaviorRuleRequest: + value: + name: My Behavior Rule + type: VELOCITY + BehaviorRuleResponse: + value: 
+ id: abcd1234 + name: My Behavior Rule + type: VELOCITY + settings: + velocityKph: 805 + status: ACTIVE + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _link: + self: + href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234 + hints: + allow: + - GET + - POST + - PUT + - DELETE + BookmarkAppResponseEx: + summary: BOOKMARK + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: bookmark + label: Sample Bookmark App + features: [] + signOnMode: BOOKMARK + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: {} + settings: + app: + requestIntegration: false + url: https://example.com/bookmark.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BookmarkEx: + summary: BOOKMARK + value: + name: bookmark + label: Sample Bookmark App + signOnMode: BOOKMARK + settings: + app: + url: 
https://example.com/bookmark.html + BookmarkPutEx: + summary: BOOKMARK + value: + name: bookmark + label: Sample Bookmark App updated + signOnMode: BOOKMARK + settings: + app: + requestIntegration: true + url: https://example.com/bookmark.html + BookmarkPutResponseEx: + summary: BOOKMARK + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: bookmark + label: Sample Bookmark App updated + features: [] + signOnMode: BOOKMARK + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: {} + settings: + app: + requestIntegration: true + url: https://example.com/bookmark.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginEx: + summary: BROWSER_PLUGIN + value: + name: template_swa + label: Sample Plugin App + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username 
+ url: https://example.com/login.html + BrowserPluginPutEx: + summary: BROWSER_PLUGIN + value: + name: template_swa + label: Sample Plugin App updated + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example_updated.com/login.html + BrowserPluginPutResponseEx: + summary: BROWSER_PLUGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa + label: Sample Plugin App updated + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + usernameField: txtbox-username + buttonField: btn-login + passwordField: txtbox-password + url: https://example_updated.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + 
admin: null + enduser: null + BrowserPluginResponseEx: + summary: BROWSER_PLUGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa + label: Sample Plugin App + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + usernameField: txtbox-username + buttonField: btn-login + passwordField: txtbox-password + url: https://example.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginSwa3FieldEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + name: template_swa3field + label: Sample Plugin App + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonSelector: '#btn-login' + passwordSelector: '#txtbox-password' + userNameSelector: '#txtbox-username' + 
targetURL: https://example.com/login.html + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + BrowserPluginSwa3FieldPutEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + name: template_swa3field + label: Sample Plugin App updated + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonSelector: '#btn-login' + passwordSelector: '#txtbox-password' + userNameSelector: '#txtbox-username' + targetURL: https://exampleupdated.com/login.html + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + BrowserPluginSwa3FieldPutResponseEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa3field + label: Sample Plugin App updated + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + 
userNameSelector: '#txtbox-username' + passwordSelector: '#txtbox-password' + buttonSelector: '#btn-login' + targetURL: https://exampleupdated.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginSwa3FieldResponseEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa3field + label: Sample Plugin App + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + userNameSelector: '#txtbox-username' + passwordSelector: '#txtbox-password' + buttonSelector: '#btn-login' + targetURL: https://example.com/login.html + notifications: + vpn: + network: + connection: 
DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BundleEntitlementsResponse: + summary: List of governance bundle entitlements + value: + entitlements: + - id: espfxqCAJWWGELFTYASJ + role: GROUP_MEMBERSHIP_ADMIN + name: Group Membership Admin + description: Perform all admin activities for groups in the org + _links: + values: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements/espfxqCAJWWGELFTYASJ/values + _links: + self: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + next: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12 + bundle: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + CAPTCHAInstanceRequestHCaptcha: + value: + name: myHCaptcha + secretKey: xxxxxxxxxxx + siteKey: xxxxxxxxxxx + type: HCAPTCHA + CAPTCHAInstanceRequestReCaptcha: + value: + name: myReCaptcha + secretKey: xxxxxxxxxxx + siteKey: yyyyyyyyyyyyyyy + type: RECAPTCHA_V2 + CAPTCHAInstanceResponseHCaptcha: + value: + id: abcd1234 + name: myHCaptcha + siteKey: xxxxxxxxxxx + type: HCAPTCHA + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234 + hints: + allow: + - GET + - POST + - PUT + - DELETE + CAPTCHAInstanceResponseReCaptcha: + value: + id: abcd4567 + name: myReCaptcha + siteKey: yyyyyyyyyyyyyyy + type: RECAPTCHA_V2 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + ChangePwdRequest: + value: + oldPassword: + value: tlpWENT2m + newPassword: + value: uTVM,TPw55 + revokeSessions: true + ChangePwdResponse: + value: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA + CreateAnEventHook: + summary: Create an event hook + value: + name: Event Hook Test + events: + type: EVENT_TYPE + items: + - group.user_membership.add + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + CreateAnEventHookWithFilter: + summary: Create an event hook with a filter + value: + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + CreateAppleIdPRequest: + summary: Create Apple Identity Provider + value: + type: APPLE + name: Apple Identity Provider + protocol: + type: OIDC + scopes: + - openid + - email + - name + credentials: + client: + client_id: your-client-id + signing: + privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + kid: test key ID + teamId: test team ID + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + matchType: USERNAME + CreateAssocAuthServerBody: + summary: Create a trusted relationship between authorization servers + value: + - trusted: '{authorizationServerId}' + CreateAssocAuthServerResponse: + summary: Create a trusted relationship between authorization servers + value: + - id: '{authorizationServerId}' + 
name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + CreateAuthServerBody: + summary: Create a custom authorization server + value: + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - api://default + CreateAuthServerResponse: + summary: Create a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - 
PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + CreateAuthorizationServerPolicyRequest: + summary: Create Authorization Server Policy + value: + type: OAUTH_AUTHORIZATION_POLICY + status: ACTIVE + name: Default Policy + description: Default policy description + priority: 1 + system: false + conditions: + clients": + include": + - ALL_CLIENTS + CreateAuthorizationServerPolicyRuleRequest: + summary: Create Authorization Server Policy Rule + value: + type: RESOURCE_ACCESS + name: Default Policy Rule + priority: 1 + conditions: + people: + groups: + include: + - EVERYONE + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + CreateBrandRequest: + value: + name: My Awesome Brand + CreateBrandResponse: + value: + id: bnd114iNkrcN6aR680g5 + removePoweredByOkta: false + customPrivacyPolicyUrl: null, + agreeToCustomPrivacyPolicy: false, + name: My Awesome Brand + locale: en + defaultApp: + appInstanceId: null + appLinkName: null + classicApplicationUri: null + isDefault: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: 
https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes + hints: + allow: + - GET + CreateChildOrgRequestEx: + summary: Create org request + value: + subdomain: my-child-org-1 + name: My Child Org 1 + website: http://www.examplecorp.com + edition: SKU + admin: + profile: + firstName: First + lastName: Last + email: FirstLast@example.com + login: FirstLast@example.com + mobilePhone: null + credentials: + password: + value: XXXX + CreateChildOrgResponseEx: + summary: Create org response + value: + id: 00o1n8sbwArJ7OQRw406 + subdomain: my-child-org-1 + name: My Child Org 1 + website: http://www.examplecorp.com + status: ACTIVE + edition: SKU + expiresAt: null + created: '2024-08-27T15:42:52.000Z' + lastUpdated: '2024-08-27T15:42:56.000Z' + licensing: + apps: [] + settings: + app: + errorRedirectUrl: null + interstitialUrl: null + interstitialMinWaitTime: 1200 + userAccount: + attributes: + secondaryEmail: true + secondaryImage: true + portal: + errorRedirectUrl: null + signOutUrl: null + logs: + level: INFO + token: XXXXXXXXXXXXX + tokenType: SSWS + _links: + administrator: + href: https://my-child-org-1.oktapreview.com/api/v1/users/00u1n8sheI1WBQlDV406 + uploadLogo: + href: https://my-child-org-1.oktapreview.com/api/v1/org/logo + organization: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1 + contacts: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/contacts + policy: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/policy + CreateCustomRoleResponseGroup: + value: + id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + resource-set: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + CreateCustomTokenClaimBody: + summary: Create a custom token Claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Support + status: ACTIVE + system: false + value: Support + valueType: GROUPS + CreateCustomTokenClaimResponse: + summary: Create a custom token Claim response + value: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + CreateEDNZRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Create an Enhanced Dynamic Network Zone + value: + type: DYNAMIC_V2 + name: testZone106 + status: ACTIVE + usage: BLOCKLIST + locations: + include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + CreateEDNZResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Enhanced Dynamic Network Zone + value: + type: DYNAMIC_V2 + id: nzok0oz2xYHOZtIch0g4 + name: testZone106 + status: ACTIVE + usage: BLOCKLIST + create: '2024-05-13T16:33:44.000Z' + lastUpdated: '2024-05-13T16:33:44.000Z' + system: false + locations: + include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + _links: + self: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4 + hints: + 
allow: + - GET + - PUT + - DELETE + deactivate: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate + hints: + allow: + - POST + CreateEmailDomainRequest: + value: + displayName: Admin + userName: admin + domain: example.com + brandId: bnd100iSrkcN6aR680g1 + validationSubdomain: mail + CreateFacebookIdPRequest: + summary: Create Facebook Identity Provider + value: + type: FACEBOOK + name: Facebook + protocol: + type: OAUTH2 + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateGenericOidcIdPRequest: + summary: Create Generic OpenID Connect Identity Provider + value: + type: OIDC + name: Example OpenID Connect IdP + protocol: + algorithms: + request: + signature: + algorithm: HS256 + scope: REQUEST + endpoints: + acs: + binding: HTTP-POST + type: INSTANCE + authorization: + binding: HTTP-REDIRECT + url: https://idp.example.com/authorize + token: + binding: HTTP-POST + url: https://idp.example.com/token + userInfo: + binding: HTTP-REDIRECT + url: https://idp.example.com/userinfo + jwks: + binding: HTTP-REDIRECT + url: https://idp.example.com/keys + scopes: + - openid + - profile + - email + type: OIDC + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + pkce_required: 'true' + issuer: + url: https://idp.example.com + policy: + accountLink: + action: AUTO + filter: null + provisioning: + action: AUTO + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + groups: + action: NONE + mapAMRClaims: false + maxClockSkew: 120000 + subject: + 
userNameTemplate: + template: idpuser.email + matchType: USERNAME + CreateGoogleIdPRequest: + summary: Create Google Identity Provider + value: + type: GOOGLE + name: Google + protocol: + type: OAUTH2 + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateHookKeyResponse: + summary: Create a key response example + value: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + _embedded: + kty: RSA + alg: RSA + kid: 7fbc27fd-e3df-4522-86bf-1930110256ad + use: 'null' + e: AQAB + 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + CreateIAMStandardRoleResponseGroup: + value: + id: irb1q92TFAHzySt3x0g4 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: 
https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 + CreateIPPolicyBlockListNetworkZone: + summary: Create an IP Blocklist Network Zone + value: + type: IP + name: newBlockListNetworkZone + status: ACTIVE + usage: BLOCKLIST + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: null + CreateIPPolicyBlockListNetworkZoneResponse: + summary: IP Blocklist Network Zone + value: + type: IP + id: nzo1qasnPb1kqEq0e0g4 + name: newBlockListNetworkzone + status: ACTIVE + usage: BLOCKLIST + created: '2021-08-09T20:22:09.000Z' + lastUpdated: '2021-08-09T20:22:09.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate + hints: + allow: + - POST + CreateIPPolicyNetworkZone: + summary: Create an IP Policy Network Zone + value: + type: IP + name: newNetworkZone + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: + - type: CIDR + value: 2.2.3.4/24 + - type: CIDR + value: 3.3.4.5/24 + CreateIPPolicyNetworkZoneResponse: + summary: IP Policy Network Zone + value: + type: IP + id: nzowb8T5Jh5xuAJ0o0g7 + name: newNetworkZone + status: ACTIVE + usage: POLICY + created: '2021-08-09T21:32:01.000Z' + lastUpdated: '2021-08-09T21:32:01.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24' + - type: CIDR + value: 2.3.4.5/24 + proxies: + - type: CIDR + value: 2.2.3.4/24 + - type: CIDR + value: 3.3.4.5/24 + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7/lifecycle/deactivate + hints: + allow: + - POST + CreateLinkedObjectRequest: + summary: Create manager-subordinate link request + value: + primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + CreateLinkedObjectResponse: + summary: Create manager-subordinate link property response + value: + primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + _links: + self: + href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager + CreateMicrosoftIdPRequest: + summary: Create Microsoft Identity Provider + value: + type: MICROSOFT + name: Microsoft + protocol: + type: OIDC + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateOAuth2ScopeRequest: + summary: Example scope + value: + name: car:drive + description: Drive car + consent: REQUIRED + displayName: Saml Jackson + CreateOrReplaceSMSTemplateRequest: + value: + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: 
votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + CreateOrReplaceSMSTemplateResponse: + value: + id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + CreateSamlIdPRequest: + summary: Create SAML 2.0 Identity Provider + value: + type: SAML2 + name: Example SAML IdP + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + format: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + filter: (\S+@example\.com) + matchType: USERNAME + CreateSessionBody: + summary: Create a new Session with a valid session token + value: + sessionToken: 00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow + CreateSessionResponse: + summary: Create a new Session with a valid session token + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: 
user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + CreateSmartCardIdPRequest: + summary: Create SmartCard Identity Provider + value: + type: X509 + status: ACTIVE + name: Smart Card IDP Name + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + credentials: + trust: + revocation: CRL + revocationCacheLifetime: 2880 + issuer: your-issuer + kid: your-kid + policy: + provisioning: + action: DISABLED + mapAMRClaims: false + maxClockSkew: 120000 + subject: + matchType: EMAIL + matchAttribute: '' + userNameTemplate: + template: idpuser.subjectAltNameEmail + CreateStandardRoleAssignmentResponseGroup: + value: + id: grasraHPx7i79ajaJ0g3 + label: Organization Administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-27T14:56:55.000Z' + lastUpdated: '2019-02-27T14:56:55.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + CreateUISchemaBody: + summary: UI Schema body request + value: + uiSchema: + type: Group + elements: + - type: Control + scope: '#/properties/firstName' + label: First Name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last Name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Primary email + options: + format: text + buttonLabel: Submit + label: Sign in + CreateUISchemaResponse: + summary: Returns full UI Schema body + value: + id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Primary email + options: + format: text + created: 
'2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + CreateUpdateEmailCustomizationRequest: + value: + language: fr + subject: Bienvenue dans ${org.name}! + body:

Bonjour ${user.profile.firstName}. Activer le compte

+ isDefault: false + CreateUpdateEmailCustomizationResponse: + value: + language: fr + subject: Bienvenue dans ${org.name}! + body:

Bonjour ${user.profile.firstName}. Activer le compte

+ isDefault: false + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + CreateUpdateIamRolePermissionRequestExampleWithExclude: + value: + conditions: + exclude: + okta:ResourceAttribute/User/Profile: + - zipCode + CreateUpdateIamRolePermissionRequestExampleWithInclude: + value: + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + CreateUserRequest: + summary: Create a user type request + value: + description: A new custom user type + displayName: New User Type + name: newUserType + CreateUserResponse: + summary: Create a user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + CsrJsonResponse: + summary: CSR object in JSON format + value: + id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: 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 + kty: RSA + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + CsrPkcs10Response: + summary: CSR in DER format + value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 + CustomRoleAssignmentRequest: + value: + type: CUSTOM + role: cr04cxy6yzSCtNciD0g7 + resource-set: iam4cxy6z7hhaZCSk0g7 + CustomRoleResponseClient: + value: + id: irb4ey26fpFI3vQ8y0g7 + label: view_minimal + type: CUSTOM + status: ACTIVE + created: '2023-05-01T15:16:47.000Z' + lastUpdated: '2023-05-01T15:16:47.000Z' + assignmentType: CLIENT + resource-set: iam4cxy6z7hhaZCSk0g7 + role: cr04cxy6yzSCtNciD0g7 + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 + CustomRoleResponseUser: + value: + id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + resource-set: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + CustomRolesListResponseClient: + value: + - id: irb4ey26fpFI3vQ8y0g7 + label: view_minimal + type: CUSTOM + status: ACTIVE + created: '2023-05-01T15:16:47.000Z' + lastUpdated: '2023-05-01T15:16:47.000Z' + assignmentType: CLIENT + resource-set: iam4cxy6z7hhaZCSk0g7 + role: cr04cxy6yzSCtNciD0g7 + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 + CustomRolesListResponseGroup: + value: + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + DeactivateIdPResponse: + summary: Deactivate an Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE 
+ name: Google + status: INACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-25T19:16:53.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + DeactivateNetworkZone: + summary: Deactivated Network Zone + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: INACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + activate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/activate + hints: + allow: + - POST + DeactivatedSecurityEventsProviderResponse: + summary: Inactive Security Events Provider + value: + id: sse1qg25RpusjUP6m0g5 + name: Security Events Provider with well-known URL 
+ type: okta + status: INACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 + hints: + allow: + - GET + - PUT + - DELETE + activate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/activate + hints: + allow: + - POST + DefaultEnhancedDynamicNetworkZone: + summary: Default Enhanced Dynamic Network Zone + value: + type: DYNAMIC_V2 + id: nzohcnxFrSgsiwyHp0g4 + name: DefaultEnhancedDynamicZone + status: ACTIVE + usage: BLOCKLIST + created: '2024-05-06T19:12:29.000Z' + lastUpdated: '2024-05-09T21:02:31.000Z' + system: true + locations: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclue: [] + asns: + include: [] + exclude: [] + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + DefaultIpBlocklistNetworkZone: + summary: Default IP Blocklist Network Zone + value: + type: IP + id: nzou3u0stMCmgOzXK1d6 + name: BlockedIpZone + status: ACTIVE + usage: BLOCKLIST + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + DefaultIpNetworkZone: + summary: Default IP Network Zone + value: + type: IP + id: nzou3u0ssJfZjYsWL1d6 + name: LegacyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + 
system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate + hints: + allow: + - POST + DefaultRealmAssignment: + value: + id: rul2jy7jLUlnO5ng00g4 + status: ACTIVE + name: Catch-all + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + conditions: + profileSourceId: 0oa4enoRyjwSCy6hx0g4, + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf2g5 + priority: 499 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4 + method: GET + DefaultRealmResponse: + value: + id: guox9jQ16k9V8IQWL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + profile: + name: Default Realm + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3 + method: GET + DeviceAssuranceAndroidRequest: + summary: Android request + value: + name: Device assurance Android + osVersion: + minimum: 12 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceAndroidResponse: + summary: Android response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: 
+ - DELETE + - GET + - PUT + DeviceAssuranceAndroidWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement request + value: + name: Device assurance Android + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceAndroidWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with third-party signal providers request + value: + name: Device assurance ChromeOS + platform: CHROMEOS + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: 
true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance ChromeOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + platform: CHROMEOS + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceIosRequest: + summary: iOS request + value: + name: Device assurance iOS + osVersion: + minimum: 12.4.5 + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceIosResponse: + summary: iOS response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + 
DeviceAssuranceIosWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement request + value: + name: Device assurance iOS + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceIosWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSRequest: + summary: macOS request + value: + name: Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceMacOSResponse: + summary: macOS response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: 
https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement request + value: + name: Device assurance macOS + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceMacOSWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with third-party signal providers request + value: + name: Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: 
true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain": testDomain + builtInDnsClientEnabled": true + chromeRemoteDesktopAppBlocked": true + safeBrowsingProtectionLevel": true + siteIsolationEnabled": true + passwordProtectionWarningTrigger": PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode": true + DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_BROWSER_HW_KEY + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsRequest: + summary: Windows request + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsResponse: + summary: Windows response + value: + id: 
dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 and Windows 10 dynamic version requirements request + value: + name: Device assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 and Windows 10 dynamic version requirements response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: 
+ - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with third-party signal providers request + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + secureBootEnabled: true + windowsMachineDomain: testMachineDomain + windowsUserDomain: testUserDomain + thirdPartyBlockingEnabled: true + crowdStrikeCustomerId: testCustomerId + crowdStrikeAgentId": testAgentId + keyTrustLevel: CHROME_BROWSER_HW_KEY + DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + 
- PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + secureBootEnabled: true + windowsMachineDomain: testMachineDomain + windowsUserDomain: testUserDomain + thirdPartyBlockingEnabled: true + crowdStrikeCustomerId: testCustomerId + crowdStrikeAgentId": testAgentId + keyTrustLevel: CHROME_BROWSER_HW_KEY + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version request + value: + name: Device assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: 
'2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 minimum version and a Windows 10 dynamic version requirement request + value: + name: Device assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 minimum version and Windows 10 dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - 
ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceChecksMacOSRequest: + summary: macOS request + value: + name: Device Check macOS + description: Query macOS devices to check if firewall is enabled + variableName: macOSFirewall + platform: MACOS + query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + DeviceChecksMacOSResponse: + summary: macOS response + value: + id: dch3m8o4rWhwReDeM1c5 + name: Device Check macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + description: Query macOS devices to check if firewall is enabled + variableName: macOSFirewall + query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + platform: MACOS + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceChecksWindowsRequest: + summary: Windows request + value: + name: Device Check Windows + description: Query Windows devices to check if firewall is enabled + variableName: windowsFirewall + platform: WINDOWS + query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles; + DeviceChecksWindowsResponse: + summary: Windows response + value: + id: dch3m8o4rWhwReDeM1c5 + name: Device Check Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + description: Query Windows devices to check if firewall is enabled + variableName: windowsFirewall + query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM 
windows_firewall_profiles; + platform: WINDOWS + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceResponse: + value: + id: guo8jx5vVoxfvJeLb0w4 + status: ACTIVE + created: '2020-11-03T21:47:01.000Z' + lastUpdated: '2020-11-03T23:46:27.000Z' + profile: + displayName: DESKTOP-EHAD3IE + platform: WINDOWS + manufacturer: International Corp + model: VMware7,1 + osVersion: 10.0.18362 + serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce + udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE + sid: S-1-5-21-3992267483-1860856704-2413701314-500 + registered: true + secureHardwarePresent: false + diskEncryptionType: NONE + resourceId: guo8jx5vVoxfvJeLb0w4 + resourceDisplayName: + value: DESKTOP-EHAD3IE + sensitive: false + resourceType: UDDevice + resourceAlternateId: null + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate + hints: + allow: + - POST + EmailCustomizationResponse: + value: + language: en + isDefault: true + subject: Welcome to ${org.name}! + body:

Hello, ${user.profile.firstName}. Click here to activate your account. + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + EmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: NOT_STARTED + displayName: Admin + userName: admin + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + EmailSettingsRequest: + value: + recipients: ALL_USERS + EmailSettingsResponse: + value: + recipients: ALL_USERS + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + EmailTemplateDefaultContentResponse: + value: + subject: Welcome to ${org.name}! + body:

Hello, ${user.profile.firstName}. Click here to activate your account. + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + hints: + allow: + - GET + EmbeddedGroupAssignmentSampleResponse: + summary: Application Group with an embedded Group + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + _embedded: + group: + id: 00g15acRUy0SYb9GT0g4 + created: '2024-06-02T13:02:12.000Z' + lastUpdated: '2024-06-02T13:02:12.000Z' + lastMembershipUpdated: '2024-06-02T13:03:13.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: Football Group + description: Group with professional footballers + _links: + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-medium.30ce6d4085dff29412984e4c191bc874.png + type: image/png + - name: large + href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-large.c3cb8cda8ae0add1b4fe928f5844dbe3.png + type: image/png + users: + href: 
http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/users + apps: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/apps + EmbeddedMetadataGroupAssignmentSampleResponse: + summary: Application Group with embedded metadata + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + _embedded: + metadata: + credentials: {} + profile: + division: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + preferredLanguage: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + manager: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + securityQuestion: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + securityAnswer: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + timezone: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + organization: + source: + type: USER + value: + - id: 
00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + initialStatus: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + managerId: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + userType: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + locale: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + department: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + EnrollFactorCallRequest: + summary: call + value: + factorType: call + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + honeExtension: '1234' + EnrollFactorCallResponse: + summary: call + value: + id: clf1nz9JHJGHWRKMTLHP + factorType: call + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-08-05T20:59:49.000Z' + lastUpdated: '2014-08-06T03:59:49.000Z' + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/lifecycle/activate + hints: + allow: + - POST + resend: + - name: call + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/resend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorCustomTotpRequest: + summary: custom totp + value: + factorType: token:hotp + provider: CUSTOM + factorProfileId: fpr20l2mDyaUGWGCa0g4 + profile: + sharedSecret: 484f97be3213b117e3a20438e291540a + EnrollFactorCustomTotpResponse: + summary: custom totp + value: + id: 
chf20l33Ks8U2Zjba0g4 + factorType: token:hotp + provider: CUSTOM + vendorName: Entrust Datacard + status: ACTIVE + created: '2019-07-22T23:22:36.000Z' + lastUpdated: '2019-07-22T23:22:36.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3 + hints: + allow: + - GET + EnrollFactorEmailRequest: + summary: email + value: + factorType: email + provider: OKTA + profile: + email: test@gmail.com + EnrollFactorEmailResponse: + summary: email + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/lifecycle/activate + hints: + allow: + - POST + resend: + - name: email + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/resend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + EnrollFactorGoogleRequest: + summary: google token:software:totp + value: + factorType: token:software:totp + provider: GOOGLE + EnrollFactorGoogleResponse: + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: GOOGLE + vendorName: GOOGLE + status: PENDING_ACTIVATION + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-07-16T16:13:56.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate + 
hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: JBTWGV22G4ZGKV3N + encoding: base32 + keyLength: 16 + _links: + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 + type: image/png + EnrollFactorOVPushRequest: + summary: token:software:totp push + value: + factorType: push + provider: OKTA + EnrollFactorOVPushResponse: + summary: token:software:totp + value: + id: opfbtzzrjgwauUsxO0g4 + factorType: push + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2015-11-13T07:34:22.000Z' + lastUpdated: '2015-11-13T07:34:22.000Z' + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/poll + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + expiresAt: '2015-11-13T07:44:22.000Z' + factorResult: WAITING + _links: + send: + - name: email + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/email + hints: + allow: + - POST + - name: sms + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/sms + hints: + allow: + - POST + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/qr/00Ji8qVBNJD4LmjYy1WZO2VbNqvvPdaCVua-1qjypa + type: image/png + EnrollFactorOVTotpRequest: + summary: token:software:totp + value: + factorType: 
token:software:totp + provider: OKTA + EnrollFactorOVTotpResponse: + summary: token:software:totp + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-07-16T16:13:56.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: JBTWGV22G4ZGKV3N + encoding: base32 + keyLength: 6 + _links: + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 + type: image/png + EnrollFactorQuestionRequest: + summary: question + value: + question: + summary: question factor + value: + factorType: question + provider: OKTA + profile: + question: disliked_food + answer: mayonnaise + EnrollFactorQuestionResponse: + summary: question + value: + id: ufs1o01OTMGHLAJPVHDZ + factorType: question + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-05T22:58:49.000Z' + lastUpdated: '2014-08-05T22:58:49.000Z' + profile: + question: disliked_food + questionText: What is the food you least liked as a child? 
+ _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs1o01OTMGHLAJPVHDZ + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorRsaSecurIdRequest: + summary: RSA SecurID + value: + factorType: token + provider: RSA + profile: + credentialId: dade.murphy@example.com + verify: + passCode: '5275875498' + EnrollFactorRsaSecurIdResponse: + summary: RSA SecurID + value: + id: rsabtznMn6cp94ez20g4 + factorType: token + provider: RSA + vendorName: RSA + status: ACTIVE + created: '2015-11-13T07:05:53.000Z' + lastUpdated: '2015-11-13T07:05:53.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorSmsRequest: + summary: sms + value: + factorType: sms + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + EnrollFactorSmsResponse: + summary: sms + value: + id: mbl1nz9JHJGHWRKMTLHP + factorType: sms + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-08-05T20:59:49.000Z' + lastUpdated: '2014-08-06T03:59:49.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/lifecycle/activate + hints: + allow: + - POST + resend: + - name: sms + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/resend + hints: + allow: + - POST + self: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorSymantecVipRequest: + summary: Symantec VIP + value: + factorType: token + provider: SYMANTEC + profile: + credentialId: VSMT14393584 + verify: + passCode: '875498' + nextPassCode: '678195' + EnrollFactorSymantecVipResponse: + summary: Symantec VIP + value: + id: ufvbtzgkYaA7zTKdQ0g4 + factorType: token + provider: SYMANTEC + vendorName: SYMANTEC + status: ACTIVE + created: '2015-11-13T06:52:08.000Z' + lastUpdated: '2015-11-13T06:52:08.000Z' + profile: + credentialId: VSMT14393584 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorU2fRequest: + summary: u2f + value: + factorType: u2f + provider: FIDO + EnrollFactorU2fResponse: + summary: u2f + value: + id: fuf2rovRxogXJ0nDy0g4 + factorType: u2f + provider: FIDO + vendorName: FIDO + status: PENDING_ACTIVATION + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T20:43:19.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + version: U2F_V2 + nonce: 9DmGJDLvaU6KWxJbfrZ0 + timeoutSeconds: 20 + EnrollFactorWebauthnRequest: + summary: webAuthn + value: + factorType: 
webauthn + provider: FIDO + EnrollFactorWebauthnResponse: + summary: webAuthn + value: + id: fwf2rovRxogXJ0nDy0g4 + factorType: webauthn + provider: FIDO + vendorName: FIDO + status: PENDING_ACTIVATION + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T20:43:19.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + attestation: direct + authenticatorSelection: + userVerification: preferred + requireResidentKey: false + challenge: cdsZ1V10E0BGE4GcG3IK + excludeCredentials: [] + pubKeyCredParams: + - type: public-key + alg: -7 + - type: public-key + alg: -257 + rp: + name: Rain-Cloud59 + user: + displayName: First Last + name: first.last@gmail.com + id: 00u15s1KDETTQMQYABRL + EnrollFactorYubikeyRequest: + summary: yubikey + value: + factorType: token:hardware + provider: YUBICO + verify: + passCode: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji + EnrollFactorYubikeyResponse: + value: + id: ykfbty3BJeBgUi3750g4 + factorType: token:hardware + provider: YUBICO + vendorName: YUBICO + status: ACTIVE + created: '2015-11-13T05:27:49.000Z' + lastUpdated: '2015-11-13T05:27:49.000Z' + profile: + credentialId: '000004102994' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4/verify + hints: + allow: + - POST + self: + href: hhttps://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EntitlementValuesResponse: + summary: List of bundle entitlement values + value: + 
entitlementValues: + - id: entfxqCAJWWGELFTYAAA + value: orn:okta:00o5rb5mt2H3d1TJd0h7:groups:00guaxWZ0AOa5NFAj0g3 + name: Restricted users group + _links: + group: http://your-subdomain.okta.com/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + _links: + self: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + bundle: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + entitlements: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorAgentTimeOut: + value: + errorCode: E0000237 + errorSummary: Timed out waiting for agent. + errorLink: E0000237 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAppFeatureAPIValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: feature' + errorLink: E0000001 + errorId: oaeZLxeiHUUQomPkM8xOqvu1A + errorCauses: + - errorSummary: Provisioning is not enabled for the app instance. + ErrorAppUserForbiddenAction: + summary: Forbidden action + description: If the `PUSH_NEW_USERS` or `PUSH_PROFILE_UPDATES` feature is enabled and the request specifies a value for a profile-mapped (Universal Directory) attribute that doesn't match the mapped value, then a 403 error is returned. + value: + errorCode: E0000075 + errorSummary: Cannot modify the firstName attribute because it has a field mapping and profile push is enabled. 
+ errorLink: E0000075 + errorId: sampleWXiR_K-WwaTKhlgBQ + errorCauses: [] + ErrorAppUserUpdateBadRequest: + summary: Bad request + description: If you attempt to assign a username or password to an app with an incompatible authentication scheme, then a 400 error is returned. + value: + errorCode: E0000041 + errorSummary: Credentials should not be set on this resource based on the scheme. + errorLink: E0000041 + errorId: oaeUM77NBynQQu4C_qT5ngjGQ + errorCauses: + errorSummary: User level credentials should not be provided for this scheme. + ErrorCAPTCHALimitOfOne: + value: + errorCode: E0000165 + errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org. + errorLink: E0000165 + errorId: oaejrB1fWL1S7mc-2KcG-SOtw + errorCauses: [] + ErrorCAPTCHAOrgWideSetting: + value: + errorCode: E0000149 + errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed. + errorLink: E0000149 + errorId: samplezsusshPdiTWiITwqBt8 + errorCauses: [] + ErrorCAPTCHAOrgWideSettingNull: + summary: captchaId is null, but enabledPages is defined + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: captchaId' + errorLink: E0000001 + errorId: oae-hk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: 'captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.' + ErrorClientJsonWebKeyDuplicateKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: All keys in the 'jwks' must have a unique `kid`. 
+ ErrorClientJsonWebKeyKidLengthTooShort: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: RSA key length in the 'jwks' is less than '2,048' bits for the given key. + ErrorClientJsonWebKeyNonUniqueKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Each key should have a unique kid when adding multiple keys. Use the Apps API to update the JWKS to add a kid for the existing key, or delete the existing key and re-add the key with a kid using the JWKS APIs. + ErrorClientJsonWebKeyTooManyKids: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't create a new key. You have reached the maximum number of keys allowed (50). To add another key, you must first delete an existing one. + ErrorClientSecretNonAscii: + summary: Client secret allows only ASCII error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''''client_secret'''' must only contain printable ASCII: [x20-x7E]+' + ErrorClientSecretTooLong: + summary: Client secret too long error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' can''t be more than ''100'' characters long.' 
+ ErrorClientSecretTooShort: + summary: Client secret too short error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' must be at least ''14'' characters long.' + ErrorClientSecretTooShortWithClientSecretJWT: + summary: Client secret is too short for JWT error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' must be at least ''32'' characters long when ''token_endpoint_auth_method'' is ''client_secret_jwt''.' + ErrorClientSecretWithPrivateKeyJWT: + summary: Client secret can't be used for private key JWT error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: '''client_secret'' can''t be used when ''token_endpoint_auth_method'' is ''private_key_jwt''.' + ErrorCreateBrandExists: + value: + errorCode: E0000202 + errorSummary: Brand name already exists. + errorLink: E0000202 + errorId: oaeKABuesTdRvCXeCTpSpXAcQ + errorCauses: [] + ErrorCreateUserWithExpiredPasswordWithNullPassword: + value: + errorCode: E0000124 + errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified. + errorLink: E0000124 + errorId: oaeXxuZgXBySvqi1FvtkwoYCA + errorCauses: + - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified. + ErrorCreateUserWithExpiredPasswordWithoutActivation: + value: + errorCode: E0000125 + errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true. 
+ errorLink: E0000125 + errorId: oaeDd77L9R-TJaD7j_rXsQ31w + errorCauses: + - errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true. + ErrorCreateUserWithTooManyManyGroupsResponse: + value: + errorCode: E0000093 + errorSummary: Target count limit exceeded + errorLink: E0000093 + errorId: oaePVSLIYnIQsC0B-ptBIllVA + errorCauses: + - errorSummary: The number of group targets is too large + ErrorDeactivateTheOnlyClientSecret: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't deactivate the only active client secret. + ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Can't deactivate the only active JSON Web Key when the value for `token_endpoint_auth_method` is `private_key_jwt`. + ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The `jwks` must contain at least one key with an algorithm matching the `request_object_signature_algorithm`. + ErrorDeleteActiveJsonWebKey: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't delete an active JSON Web key. Deactivate the key before deleting it. + ErrorDeleteActiveSecret: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't delete an active client secret. 
Deactivate the secret before deleting it. + ErrorDeleteBrandAssociatedWithDomain: + value: + errorCode: E0000201 + errorSummary: A brand associated with a domain cannot be deleted + errorLink: E0000201 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorDeleteDefaultBrand: + value: + errorCode: E0000200 + errorSummary: A default brand cannot be deleted + errorLink: E0000200 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorDeviceAssuranceInUse: + summary: Can't delete device assurance policy in use by authentication policies + value: + errorSummary: Device assurance is in use and cannot be deleted. + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorDeviceCheckInUse: + summary: Can't delete device check in use by device assurance policies + value: + errorSummary: Device check is in use and can't be deleted. + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorEmailCustomizationCannotClearDefault: + value: + errorCode: E0000185 + errorSummary: The isDefault parameter of the default email template customization can't be set to false. + errorLink: E0000185 + errorId: oaejrB1fWL1S7mc-2KcG-SOtw + errorCauses: [] + ErrorEmailCustomizationCannotDeleteDefault: + value: + errorCode: E0000184 + errorSummary: A default email template customization can't be deleted. + errorLink: E0000184 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorEmailCustomizationDefaultAlreadyExists: + value: + errorCode: E0000182 + errorSummary: A default email template customization already exists. + errorLink: E0000182 + errorId: oaeXYwTiMvASsC3O4HCzjFaCA + errorCauses: [] + ErrorEmailCustomizationLanguageAlreadyExists: + value: + errorCode: E0000183 + errorSummary: An email template customization for that language already exists. + errorLink: E0000183 + errorId: oaeUcGELffqRay0u1OPdnPypw + errorCauses: [] + ErrorEmailDomainAlreadyExists: + value: + errorCode: E0000197 + errorSummary: Email domain already exists. 
+ errorLink: E0000197 + errorId: oaeEdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorEmailDomainInUse: + value: + errorCode: E0000216 + errorSummary: Email domain can't be deleted due to mail provider restrictions. + errorLink: E0000216 + errorId: oaeEdRqprFuTyKokyYPbURJkB + errorCauses: [] + ErrorEmailDomainInvalidStatus: + value: + errorCode: E0000217 + errorSummary: Invalid status. Can't validate email domain with current status. + errorLink: E0000217 + errorId: oaeEdRqprFuTyKokyYPbURJkD + errorCauses: [] + ErrorEmailDomainNotVerified: + value: + errorCode: E0000218 + errorSummary: Email domain couldn't be verified by mail provider. + errorLink: E0000218 + errorId: oaeEdRqprFuTyKokyYPbURJkC + errorCauses: [] + ErrorInternalServer: + summary: Internal Server Error + value: + errorCode: E0000009 + errorSummary: Internal Server Error + errorLink: E0000000 + errorId: sampleAlJ82XS2SDB_vaNIWgcA + errorCauses: [] + ErrorInvalidEmailTemplateRecipients: + value: + errorCode: E0000189 + errorSummary: This template does not support the recipients value. + errorLink: E0000189 + errorId: oae8L1-UkcNTeGi5xVQ28_lww + errorCauses: [] + ErrorInvalidLinkedObjectDef: + summary: Invalid linked objection definition + value: + errorCode: E0000127 + errorSummary: Invalid linked objection definition. Linked object identifier is already in use. + errorLink: E0000127 + errorId: oaeh5FICFF2RnqakoNofPadhw + errorCauses: + - errorSummary: Linked object identifier for primary is already in use. + reason: UNIQUE_CONSTRAINT + locationType: body + domain: linkedObjects + - errorSummary: Linked object identifier for associated is already in use. 
+ reason: UNIQUE_CONSTRAINT + locationType: body + domain: linkedObjects + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorKeyCredentialCloneDuplicateKey: + summary: Duplicate key credential error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: cloneKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Key already exists in the list of key credentials for the target app. + ErrorKeyCredentialInvalidValidity: + summary: Key credential invalid year error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: generateKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Validity years out of range. It should be 2 - 10 years. + ErrorMaxNumberOfSecrets: + summary: Maximum client secrets reached error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You've reached the maximum number of client secrets per client. + ErrorMissingRequiredParameter: + summary: Missing Required Parameter + value: + errorCode: E0000028 + errorSummary: The request is missing a required parameter. + errorLink: E0000028 + errorId: sampleiCF-l7mr9XqM1NQ + errorCauses: [] + ErrorNoConnectedAgents: + value: + errorCode: E0000236 + errorSummary: There are no connected agents. 
+ errorLink: E0000236 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorPinOrCredRequestsGenerationFailure: + summary: PIN or Cred Requests Generation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinRequest|credRequests' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: There was a problem generating the pinRequest|credRequests. + ErrorPinOrCredResponsesProcessingFailure: + summary: PIN or Cred Response Processing Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinResponse|credResponses' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8B + errorCauses: + errorSummary: There was a problem generating the pinResponse|credResponses. + ErrorPublishCSRCertDoesNotMatchCSR: + summary: Mismatch certificate and CSR error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: certificate' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The certificate doesn't match the CSR. + ErrorPublishCSRCertValidityLessThan90Days: + summary: Certificate valid for 90 days error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: certificate' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The certificate must be valid for more than 90 days. + ErrorPushProviderUsedByCustomAppAuthenticator: + value: + errorCode: E0000187 + errorSummary: Cannot delete push provider because it is being used by a custom app authenticator. + errorLink: E0000187 + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ExampleOAuth2Scope: + summary: Example scope + value: + id: scp5yu8kLOnDzo7lh0g4 + name: car:drive + description: Drive car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: NO_CLIENTS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + ExampleOAuth2Scopes: + summary: All scopes + value: + - id: scp5yu8kLOnDzo7lh0g4 + name: car:drive + description: Drive car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: NO_CLIENTS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + ExpirePwdResponse: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: PASSWORD_EXPIRED + created: '2013-06-24T16:39:18.000Z' + activated: '2013-06-24T16:39:19.000Z' + statusChanged: '2013-06-24T16:39:19.000Z' + lastLogin: '2013-06-24T17:39:19.000Z' + lastUpdated: '2013-06-27T16:35:28.000Z' + passwordChanged: '2013-06-24T16:39:19.000Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA + _links: + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_password + resetFactors: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_factors + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/expire_password + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/forgot_password + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_recovery_question + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/deactivate + changePassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_password + ExpirePwdWithTempPwdResponse: + value: + tempPassword: F46gy7X4 + ExpiredAuthorizationServerKey: + summary: Expired Authorization Server Key + value: + status: EXPIRED + alg: RS256 + e: AQAB + 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ + kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + hints: + allow: + - GET + FacebookIdPResponse: + summary: Facebook Identity Provider + value: + id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.facebook.com/dialog/oauth + binding: 
HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + FactorEmail: + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: ACTIVE + profile: + email: changed@clouditude.net + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + FactorPasscodeRequest: + value: + passCode: '123456' + FactorResponseSms: + value: + id: sms2gt8gzgEBPUWBIFHN + factorType: sms + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-06-27T20:27:26.000Z' + lastUpdated: '2014-06-27T20:27:26.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify + hints: + allow: + - POST + 
self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ForgotPwdRecoveryQuestionRequest: + value: + password: + value: uTVM,TPw55 + recovery_question: + answer: Annie Oakley + ForgotPwdRecoveryQuestionResponse: + value: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + ForgotPwdResponse: + value: + resetPasswordUrl: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO + GenericOidcIdpResponse: + summary: Generic OpenID Connect Identity Provider + value: + id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + algorithms: + request: + signature: + algorithm: HS256 + scope: REQUEST + scopes: + - openid + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + pkce_required: 'true' + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: 
https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + GetApplicationsByGroupResponseEx: + summary: Retrieve apps assigned to a group + value: + - id: 0oa7vicdkRNrz59R80w6 + name: workday + label: hrportal2 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:50.000Z' + created: '2021-05-17T23:10:49.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users + deactivate: + href: 
https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate + - id: 0oa7vicvor8YSr9Hc0w6 + name: workday + label: hrportal1 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:22.000Z' + created: '2021-05-17T23:10:22.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate + - id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + 
web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https:/example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + GetApplicationsByKeyResponseEx: + summary: Retrieve apps using a key + value: + - id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: 
RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-03-21T23:31:35.000Z' + lastUpdated: '2014-03-21T23:31:35.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-03-21T23:31:35.000Z' + passwordChanged: null + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD + user: + href: 
https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https://example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-06-10T15:16:01.000Z' + lastUpdated: '2014-06-10T15:17:38.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-06-10T15:16:01.000Z' + passwordChanged: '2014-06-10T15:17:38.000Z' + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + password: {} + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + GetApplicationsByNameResponseEx: + summary: Retrieve apps by name + value: + - id: 0oa7vicdkRNrz59R80w6 + name: workday + label: hrportal2 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:50.000Z' + created: '2021-05-17T23:10:49.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null 
+ visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate + - id: 0oa7vicvor8YSr9Hc0w6 + name: workday + label: hrportal1 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:22.000Z' + created: '2021-05-17T23:10:22.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: 
DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate + GetApplicationsByUserResponseEx: + summary: Retrieve apps assigned to a user + value: + - id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + 
subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-03-21T23:31:35.000Z' + lastUpdated: '2014-03-21T23:31:35.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-03-21T23:31:35.000Z' + passwordChanged: null + syncState: DISABLED + lastSync: null + 
credentials: + userName: user@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https://example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-06-10T15:16:01.000Z' + lastUpdated: '2014-06-10T15:17:38.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-06-10T15:16:01.000Z' + passwordChanged: '2014-06-10T15:17:38.000Z' + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + password: {} + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + GetApplicationsResponseEx: + summary: Retrieve an app + value: + id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + 
lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + inlineHooks: + - id: cal3ughy17pylLxQB357 + _links: + self: + href: https://{yourOktaDomain}/api/v1/inlineHooks/cal3ughy17pylLxQB357 + hints: + allow: + - GET + - PUT + - DELETE + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: 
testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + GetAssociatedLinkedObjectsResponse: + summary: Retrieve all associated Linked Object values response + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5zex6ztMbOZhF50h7 + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1tsf0nQKavLDUh0g5 + GetBrandResponse: + value: + id: bnd114iNkrcN6aR680g4 + agreeToCustomPrivacyPolicy: false + removePoweredByOkta: false + customPrivacyPolicyUrl: null + name: Okta Default + isDefault: true + locale: en + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + GetEmailTemplateResponse: + value: + name: UserActivation + _embedded: + customizationCount: 0 + settings: + recipients: ALL_USERS + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + 
template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + settings: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + customizations: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + hints: + allow: + - GET + - POST + - DELETE + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + GetPrimaryLinkedObjectResponse: + summary: Retrieve primary Linked Object value response + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + GetRealmAssignmentResponse: + value: + id: rul2jy7jLUlnO3ng00g4 + status: ACTIVE + name: Realm Assignment 1 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + priority: 0 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 + method: GET + GetRoleAssignmentGovernanceGrantResources: + value: + resources: + - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g114290ar1oCC5A0g5 + label: test-group-1 + - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5B0g5 + label: test-group-2 + _links: + next: + href: 
https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources?after=orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5A0g5 + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + GetRoleAssignmentGovernanceGrantResponse: + value: + type: ENTITLEMENT-BUNDLE + grantId: grai2556vZgWesWf10g4 + bundleId: enbhz2pAwtts9UBes0g4 + expirationDate: '2024-12-09 14:17:22.0' + _links: + resources: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4 + GetSessionResponse: + value: + id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' + GetThemeResponse: + value: + id: thdul904tTZ6kWVhP0g3 + logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + GetUseRoleGovernanceResponse: + value: + grants: + - type: CUSTOM + grantId: grai24zWTjnDazeOI0g4 + _links: + resources: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai24zWTjnDazeOI0g4/resources + - type: ENTITLEMENT-BUNDLE + grantId: grai2556vZgWesWf10g4 + bundleId: enbhz2pAwtts9UBes0g4 + expirationDate: 
'2024-12-09 14:17:22.0' + _links: + resources: + href: https://{yourOktaDomain}//api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5" + GetUserLinkedObjectResponse: + summary: Retrieve user linked object value + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + GetUserResponse: + summary: Retrieve a user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + GetYubikeyOptTokenResponse: + summary: Get Yubikey OPT Token response + value: + id: ykkxdtCA1fKVxyu6R0g3 + created: '2020-06-09T23:42:05.000Z' + activated: '2020-06-09T23:47:29.000Z' + lastVerified: '2020-06-09T23:47:29.000Z' + lastUpdated: '2020-06-09T23:47:29.000Z' + status: ACTIVE + profile: + serial: '000009508427' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 + hints: + allow: + - DELETE + GoogleIdPResponse: + summary: Google Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: 
'2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + GovernanceBundle: + summary: Governance Bundle + value: + id: 0bbfxqCAJWWGELFTYAAA + name: Group admin bundle + description: Group bundle for administrative access + status: ACTIVE + orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA + _links: + self: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + GovernanceBundleCreateRequestCustomRole: + summary: Create governance bundle with custom role + value: + name: Custom admin bundle + description: Custom bundle for administrative access + entitlements: + role: cr0WxyzJxGIr0ouum0g4 + resourceSets: + - iamoJDFKaJxGIr0oamd9g + GovernanceBundleCreateRequestScopedStandardRole: + summary: Create governance bundle with scoped standard role + value: + name: 
Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + targets: + - 00guaxWZ0AOa5NFAj0g3 + GovernanceBundleCreateRequestStandardRole: + summary: Create governance bundle with non-scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + GovernanceBundleUpdateRequestCustomRole: + summary: Update governance bundle with custom role + value: + name: Custom admin bundle + description: Custom bundle for administrative access + entitlements: + role: cr0WxyzJxGIr0ouum0g4 + resourceSets: + - iamoJDFKaJxGIr0oamd9g + GovernanceBundleUpdateRequestScopedStandardRole: + summary: Update governance bundle with scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + targets: + - 00guaxWZ0AOa5NFAj0g3 + GovernanceBundleUpdateRequestStandardRole: + summary: Update governance bundle with non-scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + GovernanceBundlesResponse: + summary: List of governance bundles + value: + bundles: + - id: 0bbfxqCAJWWGELFTYAAA + name: Group admin bundle + description: Group bundle for administrative access + status: ACTIVE + orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA + _links: + entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + _links: + self: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + next: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12 + GroupAssignmentExListResponse: + summary: Application Groups list with embedded metadata + value: + - id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: 
'2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + _embedded: + metadata: + credentials: {} + profile: + division: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + preferredLanguage: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + manager: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + securityQuestion: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + securityAnswer: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + timezone: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + organization: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + initialStatus: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + managerId: + source: + type: 
MAPPING + value: + - id: null + lastUpdated: null + userType: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + locale: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + department: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + GroupAssignmentExResponse: + summary: Application Group response + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + GroupAssignmentPatchRequestExample: + summary: Update app group request + value: + - op: replace + path: /profile/manager + value: Carlo Ancelotti + GroupAssignmentPatchResponseExample: + summary: Update Application Group response + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-03T13:42:20.000Z' + profile: + preferredLanguage: English + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + manager: Carlo Ancelotti + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: 
http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + GroupAssignmentPutRequestExample: + summary: Assign Application Group request + value: + id: 00g15acRUy0SYb9GT0g4 + profile: + preferredLanguage: English + manager: Arsene Wenger + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + GroupAssignmentPutResponseExample: + summary: Assign Application Group response + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-03T13:52:07.000Z' + profile: + preferredLanguage: English + manager: Arsene Wenger + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + GroupSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + groupContact: + title: Group administrative contact + description: Group administrative contact + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + GroupSchemaResponse: + value: + $schema: http://json-schema.org/draft-04/schema# + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default + method: GET + rel: self + created: '2021-01-30T00:18:24.000Z' + definitions: + 
base: + id: '#base' + properties: {} + required: + - name + type: object + custom: + id: '#custom' + properties: + groupContact: + description: Group administrative contact + master: + type: PROFILE_MASTER + mutability: READ_WRITE + permissions: + - action: READ_WRITE + principal: SELF + scope: NONE + title: Group administrative contact + type: string + required: [] + type: object + description: Okta group profile template + id: https://{yourOktaDomain}/meta/schemas/group/default + lastUpdated: '2021-02-25T23:05:31.000Z' + name: group + properties: + profile: + allOf: + - $ref: '#/definitions/custom' + - $ref: '#/definitions/base' + title: Okta group + type: object + IAMStandardRoleResponseClient: + value: + id: irb4jlodtdN4yJ88b0g7 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2023-07-06T21:52:48.000Z' + lastUpdated: '2023-07-06T21:52:48.000Z' + assignmentType: CLIENT + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/client/0oa5vymVNCe2cPEeZ0g4 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 + IAMStandardRoleResponseUser: + value: + id: irb1q92TFAHzySt3x0g4 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + resource-set: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb1q92TFAHzySt3x0g4 + IAMStandardRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions + IAMStandardRolesListResponseClient: + value: + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: CLIENT + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/clients/0oa4ee9vgbIuqTUvd0g7 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissionsZ + IAMStandardRolesListResponseGroup: + value: + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: Group + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions + IdPAppUserResponse: + summary: IdP User + value: + id: 00u5t60iloOHN9pBi0h7 + externalId: externalId + created: '2017-12-19T17:30:16.000Z' + lastUpdated: '2017-12-19T17:30:16.000Z' + profile: + profileUrl: null + firstName: null + lastName: null + honorificSuffix: null + displayName: null + honorificPrefix: null + middleName: null + email: null + _links: + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7 + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7/users/00u5t60iloOHN9pBi0h7 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + IdPKeyCredentialRequest: + summary: Identity Provider Key Credential + value: + e: '65537' + 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + x5c: + - 
MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdPKeyCredentialResponse: + summary: Identity Provider Key Credential + value: + kid: your-key-id + created: '2016-01-03T18:15:47.000Z' + lastUpdated: '2016-01-03T18:15:47.000Z' + e: '65537' + 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + kty: RSA + use: sig + x5c: + - 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdPSigningKeyCredentialResponse: + summary: 
Identity Provider Signing Key Credential + value: + created: '2015-12-10T18:56:23.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + kid: akm5hvbbevE341ovl0h7 + kty: RSA + use: sig + x5c: + - 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + InlineHookMgmtCreateHTTPRequest: + summary: Create an inline hook with HTTP authentication + value: + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + InlineHookMgmtCreateHTTPResponse: + summary: Inline hook with HTTP authentication response + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + InlineHookMgmtCreateOAuthClientSecretRequest: + summary: Create an inline hook with OAuth 2.0 Client Secret + value: + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + authType: client_secret_post + clientId: 0oaj43vkrq7wKxZSI5e6 + clientSecret: 
b-iATvTu7sIocvhWx95S9kF.....vfZhM6q6khSaojLBejF21cUn5bPm9abi + uri: https://example.com/tokenHook + headers: [] + method: POST + tokenUrl: https://example.okta.com/oauth2/default/v1/token + InlineHookMgmtCreateOAuthClientSecretResponse: + summary: Inline hook with OAuth 2.0 Client Secret response + value: + id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtCreateOAuthPrivateKeyRequest: + summary: Create an inline hook with OAuth 2.0 Private Key + value: + name: Token hook with OAuth 2.0 Private Key authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + authType: private_key_jwt + clientId: 0oaj43vkrq7wKxZSI5e6 + hookKeyId: HKYj4ft1a3fjmwZg05e6 + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + tokenUrl: https://example.okta.com/oauth2/default/v1/token + InlineHookMgmtCreateOAuthPrivateKeyResponse: + summary: Inline hook with OAuth 2.0 Private Key response + value: + id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + 
channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtHTTPexample: + summary: An inline hook with HTTP authentication + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + InlineHookMgmtHTTPexampleDeactivate: + value: + id: calb7gacafgwgE7hc5e4 + status: INACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: 
'2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + InlineHookMgmtOAuthCSPexample: + summary: An inline hook example with OAuth 2.0 Client Secret Post + value: + id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtOauthPKJexample: + summary: An inline hook example with OAuth 2.0 Private Key JWT + value: + id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' 
+ _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtPutHTTPRequest: + summary: Update an inline hook name + value: + name: New name token hook with HTTP authentication + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + InlineHookMgmtPutResponse: + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: New name token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + description: Inline hook response with a new name + InlineHookTelephony: + value: + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://your-external-webservice/sendOtp + headers: [] + method: POST + authScheme: + type: HEADER + key: x-telephony-key + created: '2024-03-28T17:30:25.000Z' + id: caldpyulr3nbET2du1d7 + lastUpdated: '2024-05-07T16:35:18.000Z' + name: testTelephonyHook + status: ACTIVE + type: com.okta.telephony.provider + version: null + _links: + self: 
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7 + execute: + href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/execute + hints: + allow": + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/lifecycle/deactivate + hints: + allow": + - POST + InlineHooktMgmtListAllexample: + summary: List all inline hooks response + value: + - id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + - id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + 
hints: + allow: + - POST + - id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InvalidRotateUse: + summary: Invalid Use + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: rotateKeys' + errorLink: E0000001 + errorId: oaeprak9qKHRlaWiclJ4oPJRQ + errorCauses: + - errorSummary: Invalid value specified for key 'use' parameter + KeyCredentialExample: + summary: Key Credential example + value: + created: '2015-12-10T18:56:23.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - 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 + e: AQAB + 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + kty: RSA + use: sig + x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + LinkIdPAppUserResponse: + summary: Linked IdP User + value: + id: 
00ub0oNGTSWTBKOLGLNR + externalId: '121749775026145' + created: '2017-03-30T02:19:51.000Z' + lastUpdated: '2017-03-30T02:19:51.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7/users/00ub0oNGTSWTBKOLGLNR + hints: + allow: + - GET + - DELETE + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7 + user: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + ListAllKeyCredentialsExample: + summary: List all Key Credentials example + value: + - created: '2015-12-10T18:56:23.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - 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 + e: AQAB + 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + kty: RSA + use: sig + x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + - created: '2015-12-10T18:55:35.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2045-01-23T02:15:23.000Z' + x5c: + - 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 + e: AQAB + 'n': htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw + kid: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo + kty: RSA + use: sig + x5t#S256": 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ + ListAllKeysResponse: + summary: List All Keys response example + value: + - id: HKY1i2htmXF5UNQhL0g4 + keyId: 
bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb + name: My new key + created: '2022-08-22T16:34:33.000Z' + lastUpdated: '2022-08-22T16:34:33.000Z' + isUsed: 'true' + - id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: Test key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + ListAppGrantsEx: + summary: List all app Grants example + value: + - id: oag91n9ruw3dsaXzP0h6 + status: ACTIVE + created: '2023-02-21T16:54:00.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-21T16:54:00.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.users.read + source: ADMIN + _embedded: + scope: + id: okta.users.read + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + - id: oaghm3sh9ukdkvDmO0h6 + status: ACTIVE + created: '2023-02-03T21:57:49.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-03T21:57:49.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.apps.manage + source: ADMIN + _embedded: + scope: + id: okta.apps.manage + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oaghm3sh9ukdkvDmO0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + ListAppLinks: + value: + - id: 00ub0oNGTSWTBKOLGLNR + label: Google Apps Mail + linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/50 + logoUrl: https://{yourOktaDomain}/img/logos/google-mail.png + appName: google + appInstanceId: 0oa3omz2i9XRNSRIHBZO + appAssignmentId: 0ua3omz7weMMMQJERBKY + 
credentialsSetup: false + hidden: false + sortOrder: 0 + - id: 00ub0oNGTSWTBKOLGLNR + label: Google Apps Calendar + linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/54 + logoUrl: https://{yourOktaDomain}/img/logos/google-calendar.png + appName: google + appInstanceId: 0oa3omz2i9XRNSRIHBZO + appAssignmentId: 0ua3omz7weMMMQJERBKY + credentialsSetup: false + hidden: false + sortOrder: 1 + - id: 00ub0oNGTSWTBKOLGLNR + label: Box + linkUrl: https://{yourOktaDomain}/home/boxnet/0oa3ompioiQCSTOYXVBK/72 + logoUrl: https://{yourOktaDomain}/img/logos/box.png + appName: boxnet + appInstanceId: 0oa3ompioiQCSTOYXVBK + appAssignmentId: 0ua3omx46lYEZLPPRWBO + credentialsSetup: false + hidden: false + sortOrder: 3 + - id: 00ub0oNGTSWTBKOLGLNR + label: Salesforce.com + linkUrl: https://{yourOktaDomain}/home/salesforce/0oa12ecnxtBQMKOXJSMF/46 + logoUrl: https://{yourOktaDomain}/img/logos/salesforce_logo.png + appName: salesforce + appInstanceId: 0oa12ecnxtBQMKOXJSMF + appAssignmentId: 0ua173qgj5VAVOBQMCVB + credentialsSetup: true + hidden: false + sortOrder: 2 + ListAssocAuthServerResponse: + summary: List associated Authorization Servers + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: DYNAMIC + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + ListAuthServersResponse: + summary: List all custom authorization servers in your org + value: + - id: '{authorizationServerId}' + name: Sample 
Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ListAuthorizationServerKeys: + summary: All Credential Keys + value: + - status: ACTIVE + alg: RS256 + e: AQAB + 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI 
JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET + - status: NEXT + alg: RS256 + e: AQAB + 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET + - status: EXPIRED + alg: RS256 + e: AQAB + 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ + kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + hints: + allow: + - GET + ListAuthorizationServerPolicies: + summary: List Authorization Server Policies + value: + - type: OAUTH_AUTHORIZATION_POLICY + id: 00palyaappA22DPkj0h7 + status: ACTIVE + name: Vendor2 Policy + description: Vendor2 policy description + 
priority: 1 + system: false + conditions: + clients: + include: + - ALL_CLIENTS + created: '2017-05-26T19:43:53.000Z' + lastUpdated: '2017-06-07T15:28:17.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate + hints: + allow: + - POST + rules: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules + hints: + allow: + - GET + ListAuthorizationServerPolicyRules: + summary: List Authorization Server Policy Rules + value: + - type: RESOURCE_ACCESS + id: 0prbsjfyl01zfSZ9K0h7 + status: ACTIVE + name: Default Policy Rule + priority: 1 + created: '2017-08-25T16:57:02.000Z' + lastUpdated: '2017-08-30T14:51:05.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: + - EVERYONE + exclude: [] + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate + hints: + allow: + - POST + ListBrandsResponse: + value: + - id: bnd114iNkrcN6aR680g4 + name: Okta Default + isDefault: true + agreeToCustomPrivacyPolicy: false + removePoweredByOkta: false + customPrivacyPolicyUrl: null + locale: en + emailDomainId: OeD114iNkrcN6aR680g4 + 
defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + ListClientsResponse: + summary: List all Client resources for which an authorization server has tokens + value: + - client_id: '{clientId}' + client_name: My Web App + client_uri: null, + logo_uri: null, + _links: + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + tokens: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens + hints: + allow: + - GET + - DELETE + ListCustomTokenClaimsResponse: + summary: List all custom token Claims for an authorization server + value: + - id: '{claimId}' + name: sub + status: ACTIVE + claimType: RESOURCE + valueType: EXPRESSION + value: '(appuser != null) ? appuser.userName : app.clientId' + conditions: + scopes: + - profile + system: true + alwaysIncludeInToken: true + apiResourceId: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + ListEmailCustomizationResponse: + value: + - language: en + isDefault: true + subject: Welcome to ${org.name}! + body:

Hello, ${user.profile.firstName}. Click here to activate your account. + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ListEmailTemplateResponse: + value: + - name: UserActivation + _embedded: + customizationCount: 0 + settings: + recipients: ALL_USERS + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + settings: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + customizations: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + hints: + allow: + - GET + - POST + - DELETE + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ListFactorsResults: + summary: All of the enrolled Factors for the specified 
User + value: + - id: ufs2bysphxKODSZKWVCT + factorType: question + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-04-15T18:10:06.000Z' + lastUpdated: '2014-04-15T18:10:06.000Z' + profile: + question: favorite_art_piece + questionText: What is your favorite piece of art? + _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs2bysphxKODSZKWVCT + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + - id: ostf2gsyictRQDSGTDZE + factorType: token:software:totp + provider: OKTA + status: PENDING_ACTIVATION + created: '2014-06-27T20:27:33.000Z' + lastUpdated: '2014-06-27T20:27:33.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + next: + name: activate + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: HE64TMLL2IUZW2ZLB + encoding: base32 + keyLength: 16 + - id: sms2gt8gzgEBPUWBIFHN + factorType: sms + provider: OKTA + status: ACTIVE + created: '2014-06-27T20:27:26.000Z' + lastUpdated: '2014-06-27T20:27:26.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + 
hints: + allow: + - GET + ListFeatureDependenciesResponse: + summary: List all dependencies for a feature + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: OPEN + value: EA + status: ENABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListFeatureDependentsResponse: + summary: List all feature dependents for the specified feature + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: OPEN + value: EA + status: ENABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListFeaturesResponse: + summary: List all self-service features for your org + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: CLOSED + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListIdPUsersResponse: + summary: List of linked IdP Users + value: + - id: 00u5cl9lo7nMjHjPr0h7 + externalId: '109912936038778' + created: '2015-11-03T19:10:11.000Z' + lastUpdated: '2015-11-03T19:11:49.000Z' + profile: + 
firstName: Carol + middleName: Lee + lastName: Johnson + email: carol_johnson@tfbnw.net + displayName: Carol Johnson + profile: https://www.facebook.com/app_scoped_user_id/109912936038778/ + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7/users/00u5cl9lo7nMjHjPr0h7 + hints: + allow: + - GET + - DELETE + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7 + user: + href: https://{yourOktaDomain}/api/v1/users/00u5cl9lo7nMjHjPr0h7 + ListLinkedObjects: + summary: List all Linked Object definitions + value: + - primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + _links: + self: + href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager + ListLogs: + summary: List all system logs + value: + - actor: + id: 00uttidj01jqL21aM1d6 + type: User + alternateId: john.doe@example.com + displayName: John Doe + detailEntry: null + client: + userAgent: + rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 + os: Mac OS X + browser: CHROME + zone: null + device: Computer + id: null + ipAddress: 10.0.0.1 + geographicalContext: + city: New York + state: New York + country: United States + postalCode: 10013 + geolocation: + lat: 40.3157 + lon: -74.01 + device: + id: guofdhyjex1feOgbN1d9 + name: Mac15,6 + os_platform: OSX + os_version: 14.6.0 + managed: false + registered: true + device_integrator: null + disk_encryption_type: ALL_INTERNAL_VOLUMES + screen_lock_type: BIOMETRIC + jailbreak: null + secure_hardware_present: true + authenticationContext: + authenticationProvider: null + credentialProvider: null + credentialType: null + issuer: null + interface: null + authenticationStep: 0 + rootSessionId: idxBager62CSveUkTxvgRtonA + externalSessionId: idxBager62CSveUkTxvgRtonA + 
displayMessage: User login to Okta + eventType: user.session.start + outcome: + result: SUCCESS + reason: null + published: '2024-08-13T15:58:20.353Z' + securityContext: + asNumber: 394089 + asOrg: ASN 0000 + isp: google + domain: null + isProxy: false + severity: INFO + debugContext: + debugData: + requestId: ab609228fe84ce59cdcbfa690bcce016 + requestUri: /idp/idx/authenticators/poll + url: /idp/idx/authenticators/poll + legacyEventType: core.user_auth.login_success + transaction: + type: WEB + id: ab609228fe84ce59cdcbfa690bgce016 + detail: null + uuid: dc9fd3c0-598c-11ef-8478-2b7584bf8d5a + version: 0 + request: + ipChain: + - ip: 10.0.0.1 + geographicalContext: + city: New York + state: New York + country: United States + postalCode: 10013 + geolocation: + lat: 40.3157 + lon: -74.01 + version: V4 + source: null + target: + - id: pfdfdhyjf0HMbkP2e1d7 + type: AuthenticatorEnrollment + alternateId: unknown + displayName: Okta Verify + detailEntry: null + - id: 0oatxlef9sQvvqInq5d6 + type: AppInstance + alternateId: Okta Admin Console + displayName: Okta Admin Console + detailEntry: null + ListMappingsResponse: + summary: List all Profile Mappings response + value: + - id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + ListOfSecurityEventsProviderInstances: + summary: List of Security Events Providers + value: + - id: sse1qg25RpusjUP6m0g5 + name: Security Events Provider with well-known URL + type: okta + 
status: ACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate + hints: + allow: + - POST + - id: sse1qu4fUtsoD12iF0g5 + name: Security Events Provider with an issuer and a JWKS URL + type: okta + status: ACTIVE + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate + hints: + allow: + - POST + ListPrivilegedAccounts: + summary: List Privileged Accounts with mixed account types + value: + - accountType: APP_ACCOUNT + description: This is for accessing AWS Prod-5 + id: a747a818-a4c4-4446-8a87-704216495a08 + name: AWS Prod-5 account + ownerGroupIds: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + - 00u11s48P9zGW8yqm0g5 + status: NO_ISSUES + statusDetail: ROTATED + created: '2023-04-04T15:56:05.000Z' + lastUpdated: '2023-05-05T18:15:44.000Z' + details: + credentials: + username: testuser@example.com + oktaApplicationId: aln1aqcs055ZRoizW0g8 + appInstanceName: AWS Prod-5 + appGlobalName: AWS Account Federation + - accountType: OKTA_USER_ACCOUNT + description: Shared admin account for managing AD integrations + id: d1b65a78-21ed-429b-8ea3-eec96f2748d6 + name: AD Integrations Admin + ownerGroupIds: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + - 00u11s48P9zGW8yqm0g5 + status: INFO + statusDetail: ROTATING + created: '2023-04-04T15:56:05.000Z' + lastUpdated: '2023-05-05T18:15:44.000Z' + details: + credentials: + username: 
shr-ad-admin-01@example.com + email: shr-ad-admin-01@example.com + oktaUserId: 00u11s48P9zGW8yqm0g5 + ListRealmAssignmentsResponse: + value: + - id: rul2jy7jLUlnO3ng00g4 + status: ACTIVE + name: Realm Assignment 1 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: user.profile.role ==\"Manager\" + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + priority: 0 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 + method: GET + - id: rul2jy7jLUlnO5ng00g4 + status: ACTIVE + name: Catch-all + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + conditions: + profileSourceId: 0oa4enoRyjwSCy6hx0g4, + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf2g5 + priority: 499 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4 + method: GET + ListRealmAwareUsersResponse: + summary: List all users + value: + - id: 00u118oQYT4TBGuay0g4 + status: ACTIVE + created: '2022-04-04T15:56:05.000Z' + activated: null + statusChanged: null + lastLogin: '2022-05-04T19:50:52.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + passwordChanged: '2022-04-04T16:00:22.000Z' + type: + id: oty1162QAr8hJjTaq0g4 + profile: + firstName: Alice + lastName: Smith + mobilePhone: null + secondEmail: null + login: alice.smith@example.com + email: alice.smith@example.com + realmId: guo1afiNtSnZYILxO0g4 + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + ListRealmsResponse: + value: + - id: guox9jQ16k9V8IFEL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + profile: + name: Car Co + realmType: PARTNER + _links: 
+ self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 + method: GET + ListRefreshTokensClientsResponse: + summary: List all refresh tokens for a Client + value: + - id: '{refreshTokenId}' + status: ACTIVE + created: '2023-09-21T19:59:56.000Z' + lastUpdated: '2023-09-21T20:00:38.000Z' + expiresAt: '2023-09-28T20:00:38.000Z' + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + client_id: '{clientId}' + userId: '{userId}' + scopes: + - offline_access + - openid + _embedded: + scopes: + - id: '{scopeId}' + name: openid + displayName: openid + description: Signals that a request is an OpenID request + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: openid + - id: '{scopeID}' + name: offline_access + displayName: Keep you signed in to the app + description: This keeps you signed in to the app, even when you aren't using it. + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + itle: Keep you signed in to the app + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: My Web App + authorizationServer: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + title: Authorization Server name + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + revoke: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + title: Joe User + ListRiskProviderResponse: + summary: List Risk Provider response example + value: + - id: 00rp12r4skkjkjgsn + action: log_only + name: Risk-Partner-X + clientId: 
00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 22:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT + ListSessionsResponseForGetSessions: + value: + - id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' + - id: aps1quck606ngubVq0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: TRIGGERED + importType: INCREMENTAL + created: '2022-04-04T16:56:05.000Z' + lastUpdated: '2022-05-05T17:15:44.000Z' + - id: aps1qzy2acb5jDlUc0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: IN_PROGRESS + importType: INCREMENTAL + created: '2022-04-04T17:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + - id: aps1qqne8c1JHkMdF0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: EXPIRED + importType: INCREMENTAL + created: '2022-04-04T18:56:05.000Z' + lastUpdated: '2022-05-05T19:15:44.000Z' + - id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CLOSED + importType: INCREMENTAL + created: '2022-04-04T19:56:05.000Z' + lastUpdated: '2022-05-05T20:15:44.000Z' + ListThemesResponse: + value: + - id: thdul904tTZ6kWVhP0g3 + logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + ListUISchemaResponse: + summary: Lists all UI Schemas response + value: + - id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: 
Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + options: + format: text + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + - id: uis4abjqkkKXVPGAU0g7 + uiSchema: + type: Group + label: Sign in 2 + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7 + hints: + allow: + - GET + - PUT + - DELETE + ListUserBlocksAnyDevicesResponse: + value: + - type: DEVICE_BASED + appliesTo: ANY_DEVICES + ListUserBlocksUnknownDevicesResponse: + value: + - type: 
DEVICE_BASED + appliesTo: UNKNOWN_DEVICES + ListUserClients: + value: + - client_id: 0oabskvc6442nkvQO0h7 + client_name: My App + client_uri: null + logo_uri: null + _links: + grants: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants + tokens: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens + ListUserGroups: + value: + - id: 0gabcd1234 + profile: + name: Cloud App Users + description: Users can access cloud apps + - id: 0gefgh5678 + profile: + name: Internal App Users + description: Users can access internal apps + ListUsersResponse: + summary: List all users + value: + - id: 00u118oQYT4TBTemp0g4 + status: ACTIVE + created: '2022-04-04T15:56:05.000Z' + activated: null + statusChanged: null + lastLogin: '2022-05-04T19:50:52.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + passwordChanged: '2022-04-04T16:00:22.000Z' + type: + id: oty1162QAr8hJjTaq0g4 + profile: + firstName: Alice + lastName: Smith + mobilePhone: null + secondEmail: null + login: alice.smith@example.com + email: alice.smith@example.com + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + ListYubikeyOptTokensResponse: + summary: List Yubikey OPT Token response + value: + - id: ykkwcx13nrDq8g4oy0g3 + created: '2020-01-14T21:53:09.000Z' + lastVerified: '2020-01-14T21:53:06.000Z' + lastUpdated: '2020-01-14T21:53:09.000Z' + status: UNASSIGNED + profile: + serial: '000003632071' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkwcx13nrDq8g4oy0g3 + hints: + allow: + - GET + - DELETE + - id: ykkxdtCA1fKVxyu6R0g3 + created: '2020-06-09T23:42:05.000Z' + activated: '2020-06-09T23:47:29.000Z' + lastVerified: '2020-06-09T23:47:29.000Z' + lastUpdated: '2020-06-09T23:47:29.000Z' + status: ACTIVE + profile: + serial: '000009508427' + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 + hints: + allow: + - DELETE + ListsAllUserTypes: + summary: Lists all user types + value: + - id: otyfnly5cQjJT9PnR0g4 + displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + - id: otyz9fj2jMiRBC1ZT1d6 + displayName: User + name: user + description: Okta user profile template with default permission settings + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: true + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ListsOwnerOneResponse: + summary: Lists a response with one owner + value: + - id: 00g1gae1k0znUcLuU0h8 + type: GROUP + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Product & Engineering + lastUpdated: '2023-03-29 18:18:37.0' + ListsOwnersMultipleResponse: + summary: Lists a response with multiple owners + value: + - id: 00u1cmbqjkkmFXeqb0h8 + type: USER + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Mabel Mora + lastUpdated: '2023-03-29T18:30:58.000Z' + - id: 00u1cmc52x5B86cnZ0h8 + type: USER + resolved: true + originId: 'null' + originType: 
OKTA_DIRECTORY + displayName: Cinda Canning + lastUpdated: '2023-03-29T18:30:55.000Z' + LogStreamActivateResponse: + summary: Activate Log Stream response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:22:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamDeactivateResponse: + summary: Deactivate Log Stream response + value: + id: 0oa7agphh5FT7H521d7 + type: splunk_cloud_logstreaming + name: Splunk Cloud Example + lastUpdated: '2023-03-24T21:23:00.000Z' + created: '2023-03-24T21:15:13.000Z' + status: INACTIVE + settings: + edition: aws + host: okexample.splunkcloud.com + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7 + method: GET + activate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate + method: POST + LogStreamGetAllResponse: + summary: Lists all Log Streams + value: + - id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:02:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamPostRequest: + summary: Create an AWS EventBridge Log Stream + value: + type: aws_eventbridge + name: Example AWS EventBridge + settings: + eventSourceName: your-event-source-name + accountId: 
'123456789012' + region: us-east-2 + LogStreamPostResponse: + summary: AWS EventBridge Log Stream response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:02:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamPutRequest: + summary: Replace AWS EventBridge name + value: + type: aws_eventbridge + name: Updated AWS EventBridge + settings: + eventSourceName: your-event-source-name + accountId: '123456789012' + region: us-east-2 + LogStreamPutResponse: + summary: Replace AWS EventBridge name response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Updated AWS EventBridge + lastUpdated: '2023-03-24T21:12:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamSchemaAws: + value: + $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge + title: AWS EventBridge + type: object + properties: + settings: + description: Configuration properties specific to AWS EventBridge + type: object + properties: + accountId: + title: AWS Account ID + description: Your Amazon AWS Account ID. 
+ type: string + writeOnce: true + pattern: ^\d{12}$ + eventSourceName: + title: AWS Event Source Name + description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. + type: string + writeOnce: true + pattern: ^[\.\-_A-Za-z0-9]{1,75}$ + region: + title: AWS Region + description: The destination AWS region for your system log events. + type: string + writeOnce: true + oneOf: + - title: US East (Ohio) + const: us-east-2 + - title: US East (N. Virginia) + const: us-east-1 + - title: US West (N. California) + const: us-west-1 + - title: US West (Oregon) + const: us-west-2 + - title: Canada (Central) + const: ca-central-1 + - title: Europe (Frankfurt) + const: eu-central-1 + - title: Europe (Ireland) + const: eu-west-1 + - title: Europe (London) + const: eu-west-2 + - title: Europe (Paris) + const: eu-west-3 + - title: Europe (Milan) + const: eu-south-1 + - title: Europe (Stockholm) + const: eu-north-1 + required: + - eventSourceName + - accountId + - region + errorMessage: + properties: + accountId: Account number must be 12 digits. + eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + LogStreamSchemaList: + value: + - $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge + title: AWS EventBridge + type: object + properties: + settings: + description: Configuration properties specific to AWS EventBridge + type: object + properties: + accountId: + title: AWS Account ID + description: Your Amazon AWS Account ID. 
+ type: string + writeOnce: true + pattern: ^\d{12}$ + eventSourceName: + title: AWS Event Source Name + description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. + type: string + writeOnce: true + pattern: ^[\.\-_A-Za-z0-9]{1,75}$ + region: + title: AWS Region + description: The destination AWS region for your system log events. + type: string + writeOnce: true + oneOf: + - title: US East (Ohio) + const: us-east-2 + - title: US East (N. Virginia) + const: us-east-1 + - title: US West (N. California) + const: us-west-1 + - title: US West (Oregon) + const: us-west-2 + - title: Canada (Central) + const: ca-central-1 + - title: Europe (Frankfurt) + const: eu-central-1 + - title: Europe (Ireland) + const: eu-west-1 + - title: Europe (London) + const: eu-west-2 + - title: Europe (Paris) + const: eu-west-3 + - title: Europe (Milan) + const: eu-south-1 + - title: Europe (Stockholm) + const: eu-north-1 + required: + - eventSourceName + - accountId + - region + errorMessage: + properties: + accountId: Account number must be 12 digits. + eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + - $schema: https://json-schema.org/draft/2020-12/schema + id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + title: Splunk Cloud + type: object + properties: + settings: + description: Configuration properties specific to Splunk Cloud + type: object + properties: + host: + title: Host + description: 'The domain for your Splunk Cloud instance without http or https. 
For example: acme.splunkcloud.com' + type: string + writeOnce: false + pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ + token: + title: HEC Token + description: The token from your Splunk Cloud HTTP Event Collector (HEC). + type: string + writeOnce: false + pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' + required: + - host + - token + errorMessage: + properties: + host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + LogStreamSchemaSplunk: + value: + $schema: https://json-schema.org/draft/2020-12/schema + id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + title: Splunk Cloud + type: object + properties: + settings: + description: Configuration properties specific to Splunk Cloud + type: object + properties: + host: + title: Host + description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com' + type: string + writeOnce: false + pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ + token: + title: HEC Token + description: The token from your Splunk Cloud HTTP Event Collector (HEC). + type: string + writeOnce: false + pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' + required: + - host + - token + errorMessage: + properties: + host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. 
+ LogTargetChangeDetails: + summary: Example of the `changeDetails` property on the target + value: + from: + vpnLocationOptions: DISABLED + vpnSettingsZones: + include: null + exclude: null + to: + message: You must a use VPN to connect to this application + vpnLocationOptions: ZONE + vpnSettingsZones: + include: + - ALL_ZONES + exclude: null + MicrosoftIdPResponse: + summary: Microsoft Identity Provider + value: + id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + MultipleIdPCsrsResponse: + summary: Identity Provider CSRs + value: + - id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: 
MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + - id: '-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg' + created: '2017-03-28T01:21:10.000Z' + csr: 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 + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg/lifecycle/publish + hints: + allow: + - POST + MultipleIdPKeyCredentialsResponse: + summary: Identity Provider Key Credentials + value: + - kid: 
your-key-id + created: '2016-01-03T18:15:47.000Z' + lastUpdated: '2016-01-03T18:15:47.000Z' + e: '65537' + 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + kty: RSA + use: sig + x5c: + - 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + - kty: EC + created: '2020-04-24T20:51:20.000Z' + lastUpdated: '2020-04-24T20:51:20.000Z' + expiresAt: '2040-03-01T20:22:29.000Z' + alg: EC + x5c: + - 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 + x: Vv5Rh5de5ig7Qg-A-4HDGGDloMlkxp6PDE3nwzgAQPD3XXrLE7G364LhePRpYupQs62WgCoYb4CDXN0erf3WJXg + 'y': ATeVjosChw6gt73EOR6CBc1xK4_l8NzXHlH0YdNeXji8ugk4tIuwxs5dUxcheips8PNNJhTLbhoV2_hbgtnFbpqT + crv: P-521 + kid: your-kid + use: sig + x5t#S256: TUx-AIwypm2pZURHNqafk7ZDxqQP_ypzIyUwDDnPOlw + MultipleIdPSigningKeyCredentialsResponse: + summary: Identity Provider Signing Key Credentials + value: + - created: '2015-12-10T18:56:23.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - 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 + kid: akm5hvbbevE341ovl0h7 + kty: RSA + use: sig + x5t#S256: 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + - created: '2015-12-10T18:55:35.000Z' + expiresAt: '2045-01-23T02:15:23.000Z' + x5c: + - 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 + kid: akm5hvbn1vojA9Fsa0h7 + kty: RSA + use: sig + x5t#S256: 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ + MultipleIdPsResponse: + summary: Multiple Identity Providers + value: + - id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: 
https://www.facebook.com/dialog/oauth + binding: HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + 
matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate + hints: + allow: + - POST + - id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bfdjnK55Z5x80h7 + type: LINKEDIN + name: LinkedIn + status: ACTIVE + created: '2016-03-24T23:23:59.000Z' + lastUpdated: '2016-03-24T23:23:59.000Z' + protocol: + type: OAUTH2 + 
endpoints: + authorization: + url: https://www.linkedin.com/uas/oauth2/authorization + binding: HTTP-REDIRECT + token: + url: https://www.linkedin.com/uas/oauth2/accessToken + binding: HTTP-POST + scopes: + - r_basicprofile + - r_emailaddress + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdjnK55Z5x80h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + 
maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + scopes: + - openid + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: 
'2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + deactivate: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users + hints: + allow: + - GET + keys: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc + hints: + allow: + - GET + NextAuthorizationServerKey: + summary: Next Authorization Server Key + value: + status: NEXT + alg: RS256 + e: AQAB + 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET + NzErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000003 + errorSummary: The request body was not well-formed. 
+ errorLink: E0000003 + errorId: samplewNxQUR9iohr4QYlD0eg + errorCauses: [] + NzErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: Resource not found: itd (NetworkZone)' + errorLink: E0000007 + errorId: samplejCSVaKFDkCMElmKQ + errorCauses: [] + OAuth2RefreshTokenResponseEx: + summary: OAuth 2.0 refresh token example + value: + id: oar579Mcp7OUsNTlo0g3 + status: ACTIVE + created: '2023-03-09T03:18:06.000Z' + lastUpdated: '2023-03-09T03:18:06.000Z' + expiresAt: '2023-03-16T03:18:06.000Z' + issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + clientId: 0oabskvc6442nkvQO0h7 + userId: 00u5t60iloOHN9pBi0h7 + scopes: + - offline_access + - car:drive + _embedded: + scopes: + - id: scppb56cIl4GvGxy70g3 + name: offline_access + description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: offline_access + - id: scp142iq2J8IGRUCS0g4 + name: car:drive + displayName: Drive car + description: Allows the user to drive a car + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 + title: Drive car + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: Native + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + revoke: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 + title: Example Client App + user: + href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 + title: Saml Jackson + authorizationServer: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: Example Authorization Server + OAuth2RefreshTokenResponseListEx: + summary: App refresh token list example + value: + - id: oar579Mcp7OUsNTlo0g3 + status: ACTIVE + created: '2023-03-09T03:18:06.000Z' + lastUpdated: '2023-03-09T03:18:06.000Z' + expiresAt: '2023-03-16T03:18:06.000Z' + issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + clientId: 0oabskvc6442nkvQO0h7 + userId: 00u5t60iloOHN9pBi0h7 + scopes: + - offline_access + - car:drive + _embedded: + scopes: + - id: scppb56cIl4GvGxy70g3 + name: offline_access + description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: offline_access + - id: scp142iq2J8IGRUCS0g4 + name: car:drive + displayName: Drive car + description: Allows the user to drive a car + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 + title: Drive car + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: Native + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + revoke: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 + title: Example Client App + user: + href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 + title: Saml Jackson + authorizationServer: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: Example Authorization Server + OpenidConnectEx: + summary: OPENID_CONNECT + value: + name: oidc_client + label: Sample Client profile + signOnMode: OPENID_CONNECT + 
credentials: + oauthClient: + token_endpoint_auth_method: client_secret_post + profile: + label: oauth2 client app 1 + settings: + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + participate_slo: false + OpenidConnectPutEx: + summary: OPENID_CONNECT + value: + name: oidc_client + label: Sample Client profile updated + signOnMode: OPENID_CONNECT + OpenidConnectPutResponseEx: + summary: OPENID_CONNECT + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: true + web: true + appLinks: + oidc_client_link: true + name: oidc_client + label: Sample Client profile updated + features: [] + signOnMode: OPENID_CONNECT + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc + oauthClient: + autoKeyRotation: true + client_id: 
0oahonkqCRR6TSNlg4 + client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 + token_endpoint_auth_method: client_secret_post + pkce_required: true + settings: + app: {} + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + issuer_mode: DYNAMIC + idp_initiated_login: + mode: DISABLED + default_scope: [] + wildcard_redirect: DISABLED + dpop_bound_access_tokens: false + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + OpenidConnectResponseEx: + summary: OPENID_CONNECT + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: true + web: true + appLinks: + oidc_client_link: true + name: oidc_client + label: Sample Client profile + features: [] + signOnMode: 
OPENID_CONNECT + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc + oauthClient: + autoKeyRotation: true + client_id: 0oahonkqCRR6TSNlg4 + client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 + token_endpoint_auth_method: client_secret_post + pkce_required: true + settings: + app: {} + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + issuer_mode: DYNAMIC + idp_initiated_login: + mode: DISABLED + default_scope: [] + wildcard_redirect: DISABLED + dpop_bound_access_tokens: false + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + profile: + label: oauth2 client app 1 + OperationResponse: + value: + id: rre4mje4ez6B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + realmId: 00g1b7rvh0xPLKXFf0g5 + realmName: Realm Name + assignmentOperation: + configuration: + id: 0pr1b7rxZj2ibQzfP0g5 + name: Realm Assignment 1 + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + numUserMoved: 50 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 + method: GET + OptInStatusResponse: + summary: Opt in response + value: + optInStatus: OPTING_IN + _links: + optInStatus: + href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn + OptOutStatusResponse: + summary: Opt out response + value: + optInStatus: 
OPTING_OUT + _links: + optInStatus: + href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn + OrgCAPTCHASettingsConfigured: + summary: Org-wide Captcha Settings are configured + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgCAPTCHASettingsDisable: + summary: Disable Org-wide Captcha Settings + value: + captchaId: 'null' + enabledPages: 'null' + OrgCAPTCHASettingsDisabled: + summary: Disabled Org-wide Captcha Settings + value: + captchaId: 'null' + enabledPages: '[]' + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/ + hints: + allow: + - GET + - PUT + OrgCAPTCHASettingsEmpty: + summary: Org-wide Captcha Settings aren't configured + value: + captchaId: null + enabledPages: [] + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgCAPTCHASettingsUpdate: + summary: Update Org-wide Captcha Settings + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + OrgCAPTCHASettingsUpdated: + summary: Updated Org-wide Captcha Settings + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgSettingResponse: + summary: Org setting response + value: + address1: 100 1st St + address2: 6th floor + city: San Fransico + companyName: okta + country: United States + endUserSupportHelpURL: support.okta.com + phoneNumber: '+18887227871' + postalCode: '94105' + state: California + supportPhoneNumber: '+18887227871' + website: www.okta.com + id: 00o3qqiw0vSCIwu8I0g7 + created: '2024-01-24T14:15:22Z' + lastUpdated: '2024-07-21T14:15:22Z' + expiresAt: '2024-12-24T14:15:22Z' + status: ACTIVE + subdomain: okta + _links: + preferences: + href: 
https://{yourOktaDomain}/v1/org/preferences + uploadLogo: + href: https://{yourOktaDomain}/api/v1/org/logo + hints: + allow: + - POST + oktaCommunication: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication + logo: null + oktaSupport: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport + contacts: + href: https://vantest.oktapreview.com/api/v1/org/contacts + PasswordImportPayloadExample: + summary: An example password import inline hook request body + value: + eventId: 3o9jBzq1SmOGmmsDsqyyeQ + eventTime: '2020-01-17T21:23:56.000Z' + eventType: com.okta.user.credential.password.import + eventTypeVersion: '1.0' + contentType: application/json + cloudEventVersion: '0.1' + source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7 + data: + context: + request: + id: XiIl6wn7005Rr@fjYqeC7CCDBxw + method: POST + url: + value: /idp/idx/challenge/answer + ipAddress: 66.124.153.138 + credential: + username: isaac.brock@example.com + password: Okta + action: + credential: UNVERIFIED + PasswordImportUnVerifiedResponse: + summary: An example password hook response for an unverified user password + value: + commands: + - type: com.okta.action.update + value: + credential: UNVERIFIED + PasswordImportVerifiedResponse: + summary: An example password hook response for a verified user password + value: + commands: + - type: com.okta.action.update + value: + credential: VERIFIED + PerClientRateLimitSettingsEnforceDefault: + value: + defaultMode: ENFORCE + PerClientRateLimitSettingsEnforceDefaultWithOverrides: + value: + defaultMode: ENFORCE + useCaseModeOverrides: + OAUTH2_AUTHORIZE: PREVIEW + OIE_APP_INTENT: DISABLE + PerClientRateLimitSettingsPreviewDefaultWithOverrides: + value: + defaultMode: PREVIEW + useCaseModeOverrides: + LOGIN_PAGE: ENFORCE + PermissionResponse: + value: + label: okta.users.manage + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage + PermissionResponseWithConditions: + value: + label: okta.users.read + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read + PermissionsResponse: + value: + permissions: + - label: okta.users.create + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create + - label: okta.users.read + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read + - label: okta.groups.read + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read + - label: okta.users.userprofile.manage + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage + PreviewEmailCustomizationResponse: + value: + subject: Welcome to Okta! + body:

Hello, John. Click here to activate your account. + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview + hints: + allow: + - GET + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + PreviewEmailTemplateDefaultContentResponse: + value: + subject: Welcome to Okta! + body:

Hello, John. Click here to activate your account. + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + hints: + allow: + - GET + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content + hints: + allow: + - POST + PrincipalRateLimitEntityRequestEmptyPercentages: + value: + principalId: token1234 + principalType: SSWS_TOKEN + PrincipalRateLimitEntityRequestSSWSToken: + value: + principalId: token1234 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + PrincipalRateLimitEntityResponseSSWSToken: + value: + id: abcd1234 + orgId: org1234 + principalId: token1234 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + createdDate: '2022-05-19T20:05:32.720Z' + createdBy: user1234 + lastUpdate: '2022-05-20T21:13:07.410Z' + lastUpdatedBy: user4321 + PrivilegedResourceClaimAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceClaimOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + 
resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceCreateAppAccountRequest: + value: + resourceType: APP_ACCOUNT + containerDetails: + containerId: 0oa103099SBEb3Z2b0g4 + credentials: + userName: testuser@example.com + PrivilegedResourceCreateAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: INACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceCreateOktaAccountRequestConvert: + value: + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4 + PrivilegedResourceCreateOktaAccountRequestNew: + value: + resourceType: OKTA_USER_ACCOUNT + credentials: + userName: username + profile: + email: testuser@example.com + PrivilegedResourceCreateOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: INACTIVE + 
credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceRotatePasswordAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '' + syncState: SYNCING + errorCode: '' + errorReason: '' + PrivilegedResourceRotatePasswordOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-11T11:11:01.000Z' + syncState: SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourcesAppAccountUpdateRequest: + value: + username: username + PrivilegedResourcesGetAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: 
https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:30:01.000Z' + syncState: SYNC_FAILED + errorCode: UNKNOWN_ERROR + errorReason: Password update failed + PrivilegedResourcesGetOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: testuser@example.com + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:30:01.000Z' + syncState: SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourcesOktaUserAccountUpdateRequest: + value: + username: username + profile: + email: testuser@example.com + ProfileEnrollmentRequest: + summary: An example registration hook profile enrollment (SSR) inline hook request body + value: + eventId: 04Dmt8BcT_aEgM + eventTime: '2022-04-25T17:35:27.000Z' + eventType: com.okta.user.pre-registration + eventTypeVersion: 1 + contentType: application/json + cloudEventVersion: 0.1 + source: regt4qeBKU29vSoPz0g3 + requestType: self.service.registration + data: + context: + request: + method: POST + ipAddress: 127.0.0.1 + id: 123testId456 + url: + value: /idp/idx/enroll/new + userProfile: + firstName: Rosario + lastName: Jones + login: rosario.jones@example.com + email: rosario.jones@example.com + action: ALLOW + ProfileEnrollmentResponse: + summary: An example registration hook profile enrollment (SSR) inline hook response + value: + commands: + - type: com.action.update + value: + registration: ALLOW + ProfileEnrollmentResponseDeny: + summary: An example Profile 
Enrollment (SSR) inline hook Deny response + value: + commands: + - type: com.action.update + value: + registration: DENY + error: + errorSummary: Incorrect email address. Please contact your admin. + errorCauses: + - errorSummary: Only example.com emails can register. + reason: INVALID_EMAIL_DOMAIN + locationType: body + location: data.userProfile.email + domain: end-user + ProgressiveProfileRequest: + summary: An example Progressive Profile inline hook request + value: + eventId: vzYp_zMwQu2htIWRbNJdfw + eventTime: '2022-04-25T04:04:41.000Z' + eventType: com.okta.user.pre-registration + eventTypeVersion: 1 + contentType: application/json + cloudEventVersion: 0.1 + source: regt4qeBKU29vS + requestType: progressive.profile + data: + context: + request: + method: POST + ipAddress: 127.0.0.1 + id: 123dummyId456 + url: + value: /idp/idx/enroll/update + user: + passwordChanged: '2022-01-01T00:00:00.000Z' + _links: + groups: + href: /api/v1/users/00u48gwcu01WxvNol0g7/groups + factors: + href: /api/v1/users/00u48gwcu01WxvNol0g7/factors + profile: + firstName: Rosario + lastName: Jones" + timeZone: America/Los_Angeles + login: rosario.jones@example.com + locale: en_US + id: 00u48gwcu01WxvNo + action: ALLOW + userProfileUpdate: + employeeNumber: 1234 + ProgressiveProfileResponse: + summary: An example Progressive Profile inline hook response + value: + commands: + - type: com.okta.user.progressive.profile.update' + value: request.body.data.userProfileUpdate['employeeNumber'] + ProgressiveProfileResponseDeny: + summary: An example Progressive Profile inline hook Deny response + value: + commands: + - type: com.action.update + value: + registration: DENY + error: + errorSummary: Incorrect employee number. Enter an employee number with 4 digits. + errorCauses: + - errorSummary: Only employee numbers with 4 digits can register. 
+ reason: INVALID_EMPLOYEE_NUMBER + locationType: body + location: data.userProfile.employeeNumber + domain: end-user + ProvisioningConnectionOauthO365RequestEx: + summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app + value: + profile: + authScheme: OAUTH2 + settings: + adminUsername: office_admin-username + adminPassword: office_admin-password + ProvisioningConnectionOauthRequestEx: + summary: Provisioning Connection with OAuth 2.0 + value: + profile: + authScheme: OAUTH2 + ProvisioningConnectionOauthResponseEx: + summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app + value: + status: ENABLED + profile: + authScheme: OAUTH2 + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + authorize: + href: https://login.microsoftonline.com/myofficetenant.onmicrosoft.com/oauth2/authorize?response_type=code&state=>&client_id=&redirect_uri=&scope= + hints: + allow: + - GET + guidance: + - Specifies the URI to invoke in a browser for granting scope consent required to complete the OAuth 2.0 connection. 
+ ProvisioningConnectionTokenOrg2OrgRequestEx: + summary: Provisioning Connection with token for Okta Org2Org app + value: + profile: + authScheme: TOKEN + clientId: 0oa2h6su6bVFyJzIf1d7 + ProvisioningConnectionTokenRequestEx: + summary: Provisioning Connection with token for Zscaler 2.0 (`zscalerbyz`) app + value: + baseUrl: https://scim.zscalerbeta.net/1234567/890/scim + profile: + authScheme: TOKEN + token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x + ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx: + summary: Provisioning Connection with token for Okta Org2Org (`okta_org2org`) app + value: + authScheme: TOKEN + status: ENABLED + baseUrl: https://targetorg.okta.com + profile: + authScheme: TOKEN + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + ProvisioningConnectionTokenResponseWithProfileZscalerEx: + summary: Provisioning Connection with token for Zscaler 2.0 (`zscalerbyz`) app + value: + authScheme: TOKEN + status: ENABLED + baseUrl: https://scim.zscalerbeta.net/1234567/890/scim + profile: + authScheme: TOKEN + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + PushProviderAPNsRequest: + value: + name: APNs Example + providerType: APNS + configuration: + keyId: KEY_ID + teamId: TEAM_ID + tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' + fileName: fileName.p8 + PushProviderAPNsResponse: + value: + id: ppctekcmngGaqeiBxB0g4 + name: APNs Example + providerType: APNS + lastUpdatedDate: '2022-01-01T00:00:00.000Z' + configuration: + keyId: KEY_ID + teamId: TEAM_ID + fileName: fileName.p8 + _links: 
+ self: + href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 + hints: + allow: + - DELETE + - GET + - PUT + PushProviderFCMRequest: + value: + name: FCM Example + providerType: FCM + configuration: + serviceAccountJson: + type: service_account + project_id: PROJECT_ID + private_key_id: KEY_ID + private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' + client_email: SERVICE_ACCOUNT_EMAIL + client_id: CLIENT_ID + auth_uri: https://accounts.google.com/o/oauth2/auth + token_uri: https://accounts.google.com/o/oauth2/token + auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs + client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL + fileName: fileName.json + PushProviderFCMResponse: + value: + id: ppctekcmngGaqeiBxB0g4 + name: FCM Example + providerType: FCM + lastUpdatedDate: '2022-01-01T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 + hints: + allow: + - DELETE + - GET + - PUT + RateLimitAdminNotificationsDisabled: + value: + notificationsEnabled: false + RateLimitAdminNotificationsEnabled: + value: + notificationsEnabled: true + RateLimitWarningThresholdValidExample: + value: + warningThreshold: 66 + RealmResponse: + value: + id: guox9jQ16k9V8IFEL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + profile: + name: Car Co + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 + method: GET + RefreshCurrentSessionResponse: + summary: Refresh current session + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: 
'2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - GET + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/me + refresh: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh + user: + hints: + allow: + - GET + href: https://{yourOktaDomain}/api/v1/users/me + name: User Name + RefreshSessionResponse: + summary: Refresh an existing Session using the session ID + value: + amr: + - pwd + createdAt: '2019-08-25T14:17:22Z' + expiresAt: '2019-08-25T14:17:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + RemoveMappingBody: + summary: Update an existing profile mapping by removing one or more properties + value: + properties: + nickName: + expression: null + pushStatus: null + RemoveMappingResponse: + summary: Update an existing profile mapping by removing one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + 
ReplaceAnEventHookWithFilter: + summary: Replace an event hook + value: + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + ReplaceAuthServerBody: + summary: Replace a custom authorization server + value: + name: New Authorization Server + description: Authorization Server description + audiences: + - api://default + credentials: + signing: + rotationMode: AUTO + use: sig + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + ReplaceAuthServerResponse: + summary: Replace a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + 
allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ReplaceCustomTokenClaimBody: + summary: Replace a custom token Claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Knowledge_Base + status: ACTIVE + system: false + value: Knowledge Base + valueType: GROUPS + ReplaceCustomTokenClaimResponse: + summary: Replace a custom token Claim response + value: + - id: '{claimId}' + name: Knowledge_Base + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Knowledge Base + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + ReplaceIdPRequestResponse: + summary: Replace an Identity Provider + value: + id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: INACTIVE + created: null + lastUpdated: '2016-03-29T21:23:45.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com/saml2/sso + binding: HTTP-REDIRECT + destination: https://idp.example.com/saml2/sso + acs: + 
binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.subjectNameId + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 120000 + _links: + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + activate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/activate + hints: + allow: + - POST + ReplaceKeyResponse: + summary: Replace a key response example + value: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My updated new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:16:59.000Z' + isUsed: 'false' + ReplaceNetworkZone: + summary: Replace a Network Zone + value: + type: IP + id: nzovw2rFz2YoqmvwZ0g9 + name: UpdatedNetZone + status: ACTIVE + system: false + usage: POLICY + gateways: + - type: CIDR + value: 10.2.3.4/24 + - type: CIDR + value: 12.2.3.4/24 + - type: RANGE + value: 13.4.5.6-13.4.5.8 + - type: CIDR + value: 14.2.3.4/24 + proxies: + - type: CIDR + value: 12.2.3.4/24 + - type: CIDR + value: 13.3.4.5/24 + - type: RANGE + value: 14.4.5.6-14.4.5.8 + 
- type: RANGE + value: 15.5.6.7/24-15.5.6.9 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate + hints: + allow: + - POST + ReplaceNetworkZoneResponse: + summary: Replace Network Zone + value: + type: IP + id: nzovw2rFz2YoqmvwZ0g9 + name: UpdatedNetZone + status: ACTIVE + usage: POLICY + created: '2022-05-08T18:25:05.000Z' + lastUpdated: '2022-05-10T13:15:22.000Z' + system: false + gateways: + - type: CIDR + value: 10.2.3.4/24 + - type: CIDR + value: 12.2.3.4/24 + - type: RANGE + value: 13.4.5.6-13.4.5.8 + - type: CIDR + value: 14.2.3.4/24 + proxies: + - type: CIDR + value: 12.2.3.4/24 + - type: CIDR + value: 13.3.4.5/24 + - type: RANGE + value: 14.4.5.6-14.4.5.8 + - type: RANGE + value: 15.5.6.7/24-15.5.6.9 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate + hints: + allow: + - POST + ReplaceResourceSetRequest: + value: + label: SF-IT-People + description: People in the IT department of San Francisco + ReplaceRoleRequest: + value: + label: UserCreator + description: Create users + ReplaceUserTypePutRequest: + summary: Replace user type request + value: + displayName: Replacement Display Name + description: Replacement description + name: newUserType + ReplaceUserTypePutResponse: + summary: Replace user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: Replacement Display Name + name: newUserType + description: Replacement description + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ResetPwdWithoutSendingEmailResponse: + value: + summary: Reset password without sending email + resetPasswordUrl: https://{yourOktaDomain}/reset_password/XE6wE17zmphl3KqAPFxO + ResourceSelectorCreateRequestExample: + value: + name: All applications except Workday applications + description: All applications except Workday applications + schema: /api/v1/apps + filter: name ne "workday" + ResourceSelectorCreateResponseExample: + value: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except Workday applications + description: All applications except Workday applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + self: + href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "workday"" + ResourceSelectorPatchRequestExample: + value: + name: All applications except Facebook applications + description: All applications except Facebook applications + filter: name ne "facebook" + ResourceSelectorPatchResponseExample: + value: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except Facebook applications + description: All applications except Facebook applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + self: + href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "facebook"" + ResourceSelectorResponseExample: + value: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except a specific application + description: All applications except a specific application + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH" + ResourceSelectorsResponseExample: + value: + resourceSelectors: + - id: rsl1hx31gVEa6x10v0g5 + name: All applications except Workday applications + description: All applications except Workday applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + resources: + href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqCAJWWGELFTYASJ" + - id: rsl1hx31gVEa6x10v0g6 + name: All applications except Facebook applications + description: All applications except Facebook applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g6:apps + _links: + resources: + href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH + _links: + next: + href: https://{yourOktaDomain}/api/v1/resource-selectors?after=rsl1hx31gVEa6x10v0g6 + ResourceSetBindingAddMembersRequestExample: + value: + additions: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3 + ResourceSetBindingCreateRequestExample: + value: + role: cr0Yq6IJxGIr0ouum0g3 + members: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + ResourceSetBindingMemberResponse: + value: + id: irb1qe6PGuMc7Oh8N0g4 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 + ResourceSetBindingMembersResponse: + value: + members: + - id: irb1qe6PGuMc7Oh8N0g4 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 + - id: irb1q92TFAHzySt3x0g4 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + _links: + binding: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members?after=0ouRq6IJmGIr3ouum0g3 + ResourceSetBindingResponseExample: + value: + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetBindingResponseWithIdExample: + value: + id: cr0Yq6IJxGIr0ouum0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetBindingsResponse: + value: + roles: + - id: cr0WxyzJxGIr0ouum0g4 + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4 + members: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4 + ResourceSetRequest: + value: + label: SF-IT-People + description: People in the IT department of San Francisco + resources: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - 
https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + - https://{yourOktaDomain}/api/v1/users + ResourceSetResourcePatchRequestExample: + value: + additions: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + ResourceSetResourcePostRequestExample: + summary: Resource Set with conditions request + value: + resourceOrnOrUrl: https://{yourOktaDomain}/api/v1/apps + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + ResourceSetResourcePutRequestExample: + value: + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + ResourceSetResourceResponse: + summary: Resource Set response + value: + id: ire106sQKoHoXXsAe0g4 + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 + ResourceSetResourcesResponse: + value: + resources: + - id: ire106sQKoHoXXsAe0g4 + orn: orn:{partition}:directory:{yourOrgId}:groups:00guaxWZ0AOa5NFAj0g3 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 + - id: ire106riDrTYl4qA70g4 + orn: orn:{partition}:directory:{yourOrgId}:groups:00gu67DU2qNCjNZYO0g3:contained_resources + created: '2021-02-06T16:20:57.000Z' + lastUpdated: 
'2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g2 + - id: irezvo4AwE2ngpMw40g3 + orn: orn:{partition}:directory:{yourOrgId}:users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users + users: + href: https://{yourOktaDomain}/api/v1/users + - id: ire2j4iDnxHhUFaZN0g4 + orn: orn:{partition}:directory:{yourOrgId}:groups + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups + groups: + href: https://{yourOktaDomain}/api/v1/groups + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g3 + _links: + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetResponse: + value: + id: iamoJDFKaJxGIr0oamd9g + label: SF-IT-People + description: People in the IT department of San Francisco + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + ResourceSetsResponse: + value: + resource-sets: + - id: iamoJDFKaJxGIr0oamd9g + label: SF-IT-1 + description: First San Francisco IT Resource Set + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + - id: iamoJDFKaJxGIr0oamd0q + label: SF-IT-2 + description: Second San Francisco IT Resource Set + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings + _links: + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q + RetrieveADeactivatedEventHook: + summary: Deactivated event hook + value: + id: who8vt36qfNpCGz9H1e6 + status: INACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAllEventHooks: + summary: Retrieves all event hooks + value: + - id: who8tsqyrhCdmetzx135 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + 
description: null + created: '2023-07-07T17:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T17:43:03.000Z' + events: + type: EVENT_TYPE + items: + - user.lifecycle.deactivate + - user.lifecycle.activate + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userDeactivate + headers: [] + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/deactivate + hints: + allow: + - POST + - id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + version: null + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: [] + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAllZones: + summary: Retrieves all Network Zones + value: + - type: DYNAMIC_V2 + id: nzok0oz2xYHOZtIch0g4 + name: 
testZone106 + status: ACTIVE + usage: BLOCKLIST + create: '2024-05-13T16:33:44.000Z' + lastUpdated: '2024-05-13T16:33:44.000Z' + system: false + locations: + include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + _links: + self: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate + hints: + allow: + - POST + - type: DYNAMIC + id: nzoy0ox5xADOZtKrh0g6 + name: test + status: ACTIVE + usage: POLICY + created: '2022-05-19T15:33:32.000Z' + lastUpdated: '2022-05-19T15:33:32.000Z' + system: false + locations: + - country: AF + region: AF-BGL + proxyType: ANY + asns: + - '23457' + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzou3u0stMCmgOzXK1d6 + name: BlockedIpZone + status: ACTIVE + usage: BLOCKLIST + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: 
https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + - type: DYNAMIC_V2 + id: nzohcnxFrSgsiwyHp0g4 + name: DefaultEnhancedDynamicZone + status: ACTIVE + usage: BLOCKLIST + created: '2024-05-06T19:12:29.000Z' + lastUpdated: '2024-05-09T21:02:31.000Z' + system: true + locations: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclue: [] + asns: + include: [] + exclude: [] + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzou3u0ssJfZjYsWL1d6 + name: LegacyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAllZonesWithFilter: + summary: Retrieves Network Zones with filter + value: + - type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAnEventHook: + summary: Retrieve an event hook + value: + id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook 
Test + description: null + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAnEventHookWithFilter: + summary: Retrieve an event hook + value: + id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + version: null + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAuthServerResponse: + summary: Retrieve 
a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + RetrieveCurrentSessionResponse: + summary: Retrieve current session + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + 
lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - GET + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/me + refresh: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh + user: + hints: + allow: + - GET + href: https://{yourOktaDomain}/api/v1/users/me + name: User Name + RetrieveCustomTokenClaimResponse: + summary: Retrieve a custom token Claim response + value: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + RetrieveFeaturesResponse: + summary: Retrieve a feature by ID + value: + id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: CLOSED + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + RetrieveKeyResponse: + summary: Retrieve a key by id response example + value: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + RetrieveMappingsResponse: + summary: Retrieve a single Profile Mapping + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + 
_links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + firstName: + expression: user.firstName + pushStatus: PUSH + lastName: + expression: user.lastName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + RetrieveNetworkZoneDynamic: + summary: Dynamic Network Zone + value: + type: DYNAMIC + id: nzoy0ox5xADOZtKrh0g6 + name: test + status: ACTIVE + usage: POLICY + created: '2022-05-19T15:33:32.000Z' + lastUpdated: '2022-05-19T15:33:32.000Z' + system: false + locations: + - country: AF + region: AF-BGL + proxyType: ANY + asns: + - '23457' + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveNetworkZoneIP: + summary: IP Network Zone + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrievePublicKeyResponse: + summary: Retrieve Public Key response example + value: + _embedded: + kty: RSA + alg: RSA + kid: 
7fbc27fd-e3df-4522-86bf-1930110256ad + use: null + e: AQAB + 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + RetrieveRefreshTokenClientResponse: + summary: Retrieve a refresh token for a Client + value: + - id: '{refreshTokenId}' + status: ACTIVE + created: '2023-09-21T19:59:56.000Z' + lastUpdated: '2023-09-21T20:00:38.000Z' + expiresAt: '2023-09-28T20:00:38.000Z' + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + client_id: '{clientId}' + userId: '{userId}' + scopes: + - offline_access + - openid + _embedded: + scopes: + - id: '{scopeID}' + name: offline_access + displayName: Keep you signed in to the app + description: This keeps you signed in to the app, even when you aren't using it. 
+ _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: Keep you signed in to the app + - id: '{scopeId}' + name: openid + displayName: openid + description: Signals that a request is an OpenID request + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: openid + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: My Web App + authorizationServer: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + title: Authorization Server name + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + revoke: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + title: Joe User + RetrieveSessionResponse: + summary: Retrieve Session information for a single session ID + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + RetrieveUISchemaResponse: + summary: Retrieves a UI Schema response + value: + id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: 
'#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + RiskEventsRequestExample: + summary: Risk Events payload example + value: + - timestamp: '2021-01-20T00:00:00.001Z' + subjects: + - ip: 6.7.6.7 + riskLevel: MEDIUM + - ip: 1.1.1.1 + riskLevel: HIGH + message: Detected Attack tooling and suspicious activity + - timestamp: '2021-01-20T01:00:00.001Z' + subjects: + - ip: 6.7.6.7 + riskLevel: LOW + - ip: 2.2.2.2 + riskLevel: HIGH + RiskProviderPutRequest: + summary: Replace Risk Provider request example + value: + name: Risk-Partner-Y + action: enforce_and_log + clientId: 00ckjsfgjkdkjdkkljjsd + RiskProviderPutResponse: + summary: Replace Risk Provider response example + value: + id: 00rp12r4skkjkjgsn + action: enforce_and_log + name: Risk-Partner-Y + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 23:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT + RiskProviderRequest: + summary: Risk Provider payload example + value: + name: Risk-Partner-X + action: log_only + clientId: 00ckjsfgjkdkjdkkljjsd + RiskProviderResponse: + summary: Risk Provider response example + value: + id: 00rp12r4skkjkjgsn + action: log_only + name: Risk-Partner-X + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 
22:18:30' + lastUpdated: '2021-01-05 22:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT + RoleAssignedUsersResponseExample: + value: + value: + - id: 00u118oQYT4TBGuay0g4 + orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4 + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + roles: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles + _links: + next: + href: http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1 + RoleRequest: + value: + label: UserCreator + description: Create users + permissions: + - okta.users.create + - okta.users.read + - okta.groups.read + - okta.users.userprofile.manage + RoleResponse: + value: + id: cr0Yq6IJxGIr0ouum0g3 + label: UserCreator + description: Create users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + RolesResponse: + value: + roles: + - id: cr0Yq6IJxGIr0ouum0g3 + label: UserCreator + description: Create users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + - id: cr0Fw7HKcWIroo88m3r1 + label: GroupMembershipManager + description: Manage group membership + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1 + _links: + next: + href: 
https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1 + SAMLHookResponseExample: + summary: An example SAML assertion inline hook response + value: + commands: + - type: com.okta.assertion.patch + value: + - op: replace + path: /claims/array/attributeValues/1/value + value: replacementValue + - op: replace + path: /authentication/authnContext + value: + authnContextClassRef: replacementValue + - op: add + path: /claims/extPatientId + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + attributeValues: + - attributes: + xsi:type: xs:string + value: '4321' + - op: add + path: /authentication/sessionLifetime + value: 300 + - type: com.okta.assertion.patch + value: + - op: replace + path: /authentication/sessionIndex + value: exampleSession + SAMLHookResponseWithURIFormat: + summary: An example with `replace` and `add` operations with the URI formatted claim encoded + value: + commands: + - type: com.okta.assertion.patch + value: + - op: replace + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributeValues/0/value + value: replacementValue + - op: replace + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributes + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + - op: add + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1bar + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + attributeValues: + - attributes: + xsi:type: xs:string + value: bearer + SAMLPayLoadExample: + summary: An example SAML assertion inline hook request body + value: + source: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml + eventId: XMFoHCM1S4Wi_SGWzL8T9A + eventTime: '2019-03-28T19:15:23.000Z' + data: + context: + request: + id: reqqXypjzYJRSu2j1G1imUovA + method: GET + url: + value: 
https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml + ipAddress: 127.0.0.1 + protocol: + type: SAML2.0 + issuer: + id: 0oath92zlO60urQOP0g3 + name: SAML 2.0 App + uri: http://www.okta.com/exkth8lMzFm0HZOTU0g3 + session: + id: 102LN9Bnuc4S_ewfc9BYwageA + userId: 00uq8tMo3zV0OfJON0g3 + login: user@example.com + createdAt: '2019-03-28T16:45:55.000Z' + expiresAt: '2019-03-28T21:15:23.000Z' + status: ACTIVE + lastPasswordVerification: '2019-03-28T16:45:55.000Z' + amr: + - PASSWORD + idp: + id: 00oq6kcVwvrDY2YsS0g3 + type: OKTA + mfaActive: false + user: + id: 00uq8tMo3zV0OfJON0g3 + passwordChanged: '2018-09-11T23:19:12.000Z' + profile: + login: user@example.com + firstName: Admin + lastName: Last + locale: en + timeZone: America/Los_Angeles + _links: + groups: + href: https://${yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups + factors: + href: https://${yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors + assertion: + subject: + nameId: user@example.com + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + confirmation: + method: urn:oasis:names:tc:SAML:2.0:cm:bearer + data: + recipient: http://www.example.com:7070/saml/sso + authentication: + sessionIndex: id1553800523546.312669168 + authnContext: + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + conditions: + audienceRestriction: + - urn:example:sp + claims: + extPatientId: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:integer + value: '4321' + array: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: Array 1 + - attributes: + xsi:type: xs:string + value: Array2 + - attributes: + xsi:type: xs:string + value: Array3 + middle: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: 
xs:string + value: admin + firstAndLast: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: 7d6a50c8-4d7e-4058-9c5b-2cc98cecd294 + lifetime: + expiration: 300 + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + eventType: com.okta.saml.tokens.transform + contentType: application/json + SMSTemplateEditablePropertyValues: + value: + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + SMSTemplateListResponse: + value: + - id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + SMSTemplateResponseValues: + value: + id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + Saml2.0Ex: + summary: SAML_2_0 + value: + label: Example Custom SAML 2.0 App + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + signOnMode: SAML_2_0 + settings: + signOn: + defaultRelayState: '' + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + 
subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: true + acsEndpoints: + - url: http://testorgone.okta + index: 0 + - url: http://testorgone.okta/1 + index: 1 + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + Saml2.0PutEx: + summary: SAML_2_0 + value: + label: Example Custom SAML 2.0 App updated + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + signOnMode: SAML_2_0 + settings: + signOn: + defaultRelayState: '' + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: 
true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n..." + requestCompressed: false + allowMultipleAcsEndpoints: true + acsEndpoints: + - url: http://testorgone.okta + index: 0 + - url: http://testorgone.okta/1 + index: 1 + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + Saml2.0PutResponseEx: + summary: SAML_2_0 + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_examplecustomsaml20app_1_link: true + name: testorgone_examplecustomsaml20app_1 + label: Example Custom SAML 2.0 App updated + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q + settings: + app: {} + signOn: + defaultRelayState: null + ssoAcsUrl: 
http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + spIssuer: https://testorgone.okta.com + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + samlSignedRequestEnabled: false + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + inlineHooks: [] + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + Saml2.0ResponseEx: + summary: SAML_2_0 + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + 
deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_examplecustomsaml20app_1_link: true + name: testorgone_examplecustomsaml20app_1 + label: Example Custom SAML 2.0 App + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q + settings: + app: {} + signOn: + defaultRelayState: null + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + spIssuer: https://testorgone.okta.com + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + samlSignedRequestEnabled: false + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + inlineHooks: [] + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + SamlIdPResponse: + summary: SAML 2.0 Identity Provider + value: + id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + 
type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate + hints: + allow: + - POST + SecurePasswordStoreEx: + summary: SECURE_PASSWORD_STORE + value: + name: template_sps + label: Example SWA App + signOnMode: SECURE_PASSWORD_STORE + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue + SecurePasswordStorePutEx: + summary: SECURE_PASSWORD_STORE + value: + name: template_sps + label: Example SWA App updated + signOnMode: SECURE_PASSWORD_STORE + settings: + 
app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue_updated + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue_updated + SecurePasswordStorePutResponseEx: + summary: SECURE_PASSWORD_STORE + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_sps + label: Example SWA App updated + features: [] + signOnMode: SECURE_PASSWORD_STORE + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue_updated + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue_updated + notifications: + 
vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + SecurePasswordStoreResponseEx: + summary: SECURE_PASSWORD_STORE + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_sps + label: Example SWA App + features: [] + signOnMode: SECURE_PASSWORD_STORE + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + 
SecurityEventsProviderRequestIssuerAndJwksUrl: + summary: Provider with issuer and JWKS + value: + name: Security Events Provider with an issuer and a JWKS URL + type: okta + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + SecurityEventsProviderRequestWellKnownUrl: + summary: Provider with well-known URL + value: + name: Security Events Provider with well-known URL + type: okta + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + SecurityEventsProviderResponseIssuerAndJwksUrl: + summary: Provider with issuer and JWKS + value: + id: sse1qu4fUtsoD12iF0g5 + name: Security Events Provider with an issuer and a JWKS URL + type: okta + status: ACTIVE + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate + hints: + allow: + - POST + SecurityEventsProviderResponseWellKnownUrl: + summary: Provider with well-known URL + value: + id: sse1qg25RpusjUP6m0g5 + name: Security Events Provider with well-known URL + type: okta + status: ACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate + hints: + allow: + - POST + SimulatePolicyBody: + summary: Simulate policy request body + description: Simulate policy request body + value: + policyType: + - OKTA_SIGN_ON + - MFA_ENROLL + appInstance: 0oa4eroj3nYCIJIW70g7 + policyContext: + groups: + ids: + - 00g4eralvekR5RLuS0g7 + 
- 00g4eralvekR5RLuS0g8 + risk: + level: LOW + zones: + ids: + - nzo4eralxcRnbIHYJ0g7 + device: + platform: IOS + registered: true + managed: true + SimulatePolicyElExpressionBody: + summary: Simulate policy request body with EL context + description: Simulate policy request body with EL context + value: + appInstance: 0oa4fdudGhhB5FNKR0g4 + policyContext: + user: + id: 00u10wvS3zms2JVaO0g4 + status: ACTIVE + created: '2024-04-29T18:05:24.000Z' + lastUpdated: '2024-04-29T18:05:24.000Z' + passwordChanged: '2024-04-29T18:05:24.000Z' + lastLogin: '2024-04-29T18:05:24.000Z' + profile: + city: string + costCenter: string + countryCode: st + department: string + displayName: string + division: string + email: user@example.com + employeeNumber: string + firstName: string + honorificPrefix: string + honorificSuffix: string + lastName: string + locale: string + login: string + manager: string + managerId: string + middleName: string + mobilePhone: string + nickName: string + organization: string + postalAddress: string + preferredLanguage: string + primaryPhone: string + profileUrl: string + secondEmail: user@example.com + state: string + streetAddress: string + timezone: string + title: string + userType: string + zipCode: string + SimulatePolicyElExpressionResponse: + summary: Simulate policy response body with EL Context + description: Simulate policy response body with EL Context + value: + evaluation: + - status: null + policyType: OKTA_SIGN_ON + result: + policies: + - id: 00p4eromwukk6qUku0g7 + name: test policy + status: MATCH + conditions: [] + rules: + - id: 0pr4erof85nGcyC7Y0g7 + name: test rule + status: MATCH + conditions: + - type: people.groups.include + status: MATCH + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: MFA_ENROLL + result: + policies: + - id: 00p4eram2kw1aLcrx0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: 0pr4eram2lMQT5FZF0g7 + name: null + status: MATCH + conditions: [] + 
undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: ACCESS_POLICY + result: + policies: + - id: rst4eram06ZKZewEe0g7 + name: Any two factors + status: MATCH + conditions: [] + rules: + - id: rul4eram07VsWgybo0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: PROFILE_ENROLLMENT + result: + policies: + - id: rst4eram08ZSjPTOl0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: rul4eram094PrQ2BX0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + SimulatePolicyResponse: + summary: Simulate policy response body + description: Simulate policy response body + value: + evaluation: + - status: null + policyType: OKTA_SIGN_ON + result: + policies: + - id: 00p4eromwukk6qUku0g7 + name: test policy + status: MATCH + conditions: [] + rules: + - id: 0pr4erof85nGcyC7Y0g7 + name: test rule + status: MATCH + conditions: + - type: people.groups.include + status: MATCH + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: MFA_ENROLL + result: + policies: + - id: 00p4eram2kw1aLcrx0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: 0pr4eram2lMQT5FZF0g7 + name: null + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: ACCESS_POLICY + result: + policies: + - id: rst4eram06ZKZewEe0g7 + name: Any two factors + status: MATCH + conditions: [] + rules: + - id: rul4eram07VsWgybo0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: PROFILE_ENROLLMENT + result: + policies: + - id: rst4eram08ZSjPTOl0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: rul4eram094PrQ2BX0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + 
policies: [] + evaluated: + policies: [] + SmartCardIdPResponse: + summary: SmartCard Identity Provider + value: + id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: '2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 120000 + _links: + deactivate: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users + hints: + allow: + - GET + keys: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc + hints: + allow: + - GET + SocialAuthTokensResponse: + summary: Social Authentication Tokens + value: + - id: + token: JBTWGV22G4ZGKV3N + tokenType: urn:ietf:params:oauth:token-type:access_token + tokenAuthScheme: Bearer + expiresAt: '2014-08-06T16:56:31.000Z' + scopes: + - openid + - foo + - id: + token: JBTWGV22G4ZJBRXJ + tokenType: urn:ietf:params:oauth:token-type:id_token + tokenAuthScheme: null + StandardAndCustomRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: 
https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: ra125eqBFpETrMwu80g4 + label: Organization administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: gra25fapn1prGTBKV0g4 + label: API Access Management administrator + type: API_ACCESS_MANAGEMENT_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + - id: irb5e92YgBazyyQ3x1q5 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: 
iamoakjsdQaJxGIr03int1o + _links: + assignee: + href: https://{ yourOktaDomain }/api/v1/groups/00g1ousb3XCr9Dkr20g4 + resource-set: + href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoakjsdQaJxGIr03int1o + member: + href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{ yourOktaDomain }/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{ yourOktaDomain }/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + StandardRoleAssignmentRequest: + value: + type: HELP_DESK_ADMIN + StandardRoleResponseClient: + value: + id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2023-05-01T14:24:54.000Z' + lastUpdated: '2023-05-01T14:24:54.000Z' + assignmentType: CLIENT + _links: + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles + StandardRoleResponseUser: + value: + id: ra1b8anIk7rx7em7L0g4 + label: Super Organization administrator + type: SUPER_ADMIN + status: ACTIVE + created: '2015-09-06T15:28:47.000Z' + lastUpdated: '2015-09-06T15:28:47.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + StandardRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: ra125eqBFpETrMwu80g4 + label: Organization administrator + 
type: ORG_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: gra25fapn1prGTBKV0g4 + label: API Access Management administrator + type: API_ACCESS_MANAGEMENT_ADMIN + status: ACTIVE + created": '2019-02-06T16:20:57.000Z' + lastUpdated": '2019-02-06T16:20:57.000Z' + assignmentType": GROUP + _links": + assignee": + href": https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 + StandardRolesListResponseClient: + value: + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2023-05-01T14:24:54.000Z' + lastUpdated: '2023-05-01T14:24:54.000Z' + assignmentType: CLIENT + _links: + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles + StandardRolesListResponseGroup: + value: + - id: IFIFAX2BIRGUSTQ + label: Application Administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + SubmissionOidcRequest: + summary: Submission OIDC request example + value: + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + oidc: + redirectUris: + - https://${org.subdomain}.example.com/strawberry/oidc/login + initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: + - https://${org.subdomain}.example.com/strawberry/oidc/logged-out + doc: https://example.com/strawberry/help/oidcSetup + config: + - name: subdomain + label: Subdomain + SubmissionOidcResponse: + summary: Submission OIDC response example + value: + id: acme_strawberrycentral_1 + name: Strawberry Central + description: 
Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + oidc: + redirectUris: + - https://${org.subdomain}.example.com/strawberry/oidc/login + initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: + - https://${org.subdomain}.example.com/strawberry/oidc/logged-out + doc: https://example.com/strawberry/help/oidcSetup + config: + - name: subdomain + label: Subdomain + status: New + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: '2023-09-01T13:23:45.000Z' + SubmissionSamlRequest: + summary: Submission SAML request example + value: + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups + doc: https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + SubmissionSamlResponse: + summary: Submission SAML response example + value: + id: acme_strawberrycentral_1 + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups + doc: https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + status: To be reviewed by Okta + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: null + SubmissionsResponse: + summary: Submission list example + value: + - id: 
acme_strawberrycentral_1 + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups + doc: https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + status: Complete + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: '2023-09-01T13:23:45.000Z' + SupportedFactorResults: + value: + - factorType: question + provider: OKTA + vendorName: OKTA + _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token:software:totp + provider: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token:software:totp + provider: GOOGLE + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: sms + provider: OKTA + vendorName: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + _embedded: + phones: + - id: mblldntFJevYKbyQQ0g3 + profile: + phoneNumber: '+14081234567' + status: ACTIVE + - factorType: call + provider: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token + provider: RSA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token + provider: SYMANTEC + 
_links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + TelephonyFailureResponse: + summary: An example telephony hook response for an external web service returning failure + value: + error: + - errorSummary: Failed to deliver SMS OTP to test.user@okta.com + - errorCauses: + errorSummary: Provider could not deliver OTP + reason: The content of the message is not supported + location: South Africa + TelephonyPayloadExample: + summary: An example telephony inline hook request body + value: + eventId: uS5871kJThSsU8qlA1LTcg + eventTime: '2020-01-17T21:23:56.000Z' + eventType: com.okta.telephony.provider + eventTypeVersion: '1.0' + contentType: application/json + cloudEventVersion: '0.1' + source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7 + data: + context: + request: + id: reqRgSk8IBBRhuo0YdlEDTmUw + method: POST + url: + value: /api/internal/v1/inlineHooks/com.okta.telephony.provider/generatePreview + ipAddress: 127.0.0.1 + userProfile: + firstName: test + lastName: user + login: test.user@okta.com + userId: 00uyxxSknGtK8022w0g3 + messageProfile: + msgTemplate: (HOOK)Your code is 11111 + phoneNumber: 9876543210 + otpExpires: '2022-01-28T21:48:34.321Z' + deliveryChannel: SMS + otpCode: 11111 + locale: EN-US + TelephonySuccessResponse: + summary: An example telephony hook response for an external web service returning success + value: + commands: + - type: com.okta.telephony.action + - value: + status: FAILURE + provider: VONAGE + transactionId: SM49a8ece2822d44e4adaccd7ed268f954 + transactionMetadata: Duration=300ms + TestInfoOidcRequest: + summary: OIDC SSO Submission Testing Information request + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + oidcTestConfiguration: + 
jit: false + spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + TestInfoOidcResponse: + summary: OIDC SSO Submission Testing Information response + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + oidcTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + TestInfoSamlRequest: + summary: SAML SSO Submission Testing Information request + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + samlTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: Go to the app URL from a browser and enter your username + TestInfoSamlResponse: + summary: SAML SSO Submission Testing Information response + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + samlTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: Go to the app URL from a browser and enter your username + ThreatInsightResponseExample: + summary: ThreatInsight response + value: + action: none + excludeZones: [] + created: '2020-08-05T22:18:30.629Z' + lastUpdated: '2020-08-05T22:18:30.629Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/threats/configuration + hints: + allow: + - GET + - POST + ThreatInsightUpdateRequestExample: + 
summary: ThreatInsight update request + value: + action: audit + excludeZones: + - nzo1q7jEOsoCnoKcj0g4 + - nzouagptWUz5DlLfM0g3 + ThreatInsightUpdateResponseExample: + summary: ThreatInsight update response + value: + action: audit + excludeZones: + - nzo1q7jEOsoCnoKcj0g4 + - nzouagptWUz5DlLfM0g3 + created: '2020-08-05T22:18:30.629Z' + lastUpdated: '2020-10-13T21:23:10.178Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/threats/configuration + hints: + allow: + - GET + - POST + TokenHookErrorExample: + summary: Error response + value: + error: + errorSummary: Human-readable summary of the error + TokenHookModifyLifetime: + summary: Modify token lifetime + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /token/lifetime/expiration + value: 36000 + - type: com.okta.access.patch + value: + - op: replace + path: /token/lifetime/expiration + value: 36000 + TokenHookRemoveClaim: + summary: Remove claim + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/birthdate + value: null + - type: com.okta.access.patch + value: + - op: remove + path: /claims/external_guid + TokenHookRemoveFromArray: + summary: Remove from array + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/preferred_airports/1 + TokenHookRemoveFromObject: + summary: Remove from JSON object + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/employee_profile/email + TokenHookReplaceExisting: + summary: Replace an existing claim + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /claims/extPatientId + value: '1234' + - op: replace + path: /claims/external_guid + value: F0384685-F87D-474B-848D-2058AC5655A7 + TokenHookReplaceInPath: + summary: Replace within JSON object + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /claims/employee_profile/email + value: 
anna@company.com + TokenHookResponse: + description: Token inline hook response + summary: An example token inline hook response that adds a claim + value: + commands: + - type: com.okta.assertion.patch + value: + - op: add + path: /claims/extPatientId + value: '1234' + - type: com.okta.assertion.patch + value: + - op: add + path: /claims/external_guid + value: F0384685-F87D-474B-848D-2058AC5655A7 + TokenHookResponseAppendArray: + summary: Append to array + value: + commands: + - type: com.okta.identity.patch + value: + - op: add + path: /claims/preferred_airports/3 + value: lax + TokenHookResponseWithURIFormat: + summary: Add new members to existing JSON objects + value: + commands: + - type: com.okta.identity.patch + value: + - op: add + path: /claims/employee_profile/department_id + value: '4947' + TokenPayLoadExample: + summary: An example token inline hook request body + description: An example token inline hook request body + value: + source: https://{yourOktaDomain}/oauth2/default/v1/authorize + eventId: 3OWo4oo-QQ-rBWfRyTmQYw + eventTime: '2019-01-15T23:20:47.000Z' + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + contentType: application/json + eventType: com.okta.oauth2.tokens.transform + data: null + context: + request: + id: reqv66CbCaCStGEFc8AdfS0ng + method: GET + url: + value: https://{yourOktaDomain}/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=token+id_token&redirect_uri=https%3A%2F%2Fhttpbin.org%2Fget&state=foobareere&nonce=asf&client_id=customClientIdNative + ipAddress: 127.0.0.1 + protocol: + type: OAUTH2.0 + request: + scope: openid profile email + state: foobareere + redirect_uri: https://httpbin.org/get + response_mode: fragment + response_type: token id_token + client_id: customClientIdNative + issuer: + uri: https://{yourOktaDomain}/oauth2/default + client: + id: customClientIdNative + name: Native client + type: PUBLIC + session: + id: 102Qoe7t5PcRnSxr8j3I8I6pA + userId: 00uq8tMo3zV0OfJON0g3 + login: 
administrator1@clouditude.net + createdAt: '2019-01-15T23:17:09.000Z' + expiresAt: '2019-01-16T01:20:46.000Z' + status: ACTIVE + lastPasswordVerification: '2019-01-15T23:17:09.000Z' + amr: + - PASSWORD + idp: + id: 00oq6kcVwvrDY2YsS0g3 + type: OKTA + mfaActive: false + user: + id: 00uq8tMo3zV0OfJON0g3 + passwordChanged: '2018-09-11T23:19:12.000Z' + profile: + login: administrator1@clouditude.net + firstName: Add-Min + lastName: O'Cloudy Tud + locale: en + timeZone: America/Los_Angeles + _links: + groups: + href: https://{yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups + factors: + href: https://{yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors + policy: + id: 00pq8lGaLlI8APuqY0g3 + rule: + id: 0prq8mLKuKAmavOvq0g3 + identity: + claims: + sub: 00uq8tMo3zV0OfJON0g3 + name: Add-Min O'Cloudy Tud + email: administrator1@clouditude.net + ver: 1 + iss: https://{yourOktaDomain}/oauth2/default + aud: customClientIdNative + jti: ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0 + amr: + - pwd + idp: 00oq6kcVwvrDY2YsS0g3 + nonce: asf + preferred_username: administrator1@clouditude.net + auth_time: 1547594229 + token: + lifetime: + expiration: 3600 + access: + claims: + ver: 1 + jti: AT.W-rrB-z-kkZQmHW0e6VS3Or...QfEN_YvoWJa46A7HAA + iss: https://{yourOktaDomain}/oauth2/default + aud: api://default + cid: customClientIdNative + uid: 00uq8tMo3zV0OfJON0g3 + sub: administrator1@clouditude.net + firstName: Add-Min + preferred_username: administrator1@clouditude.net + token: + lifetime: + expiration: 3600 + scopes: + openid: + id: scpq7bW1cp6dcvrz80g3 + action: GRANT + profile: + id: scpq7cWJ81CIP5Qkr0g3 + action: GRANT + email: + id: scpq7dxsoz6LQlRj00g3 + action: GRANT + refresh_token: + jti: oarob4a0tckCkGcyo1d6 + TriggerSessionResponse: + value: + - id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: TRIGGERED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + TrustedOriginBody: + summary: Trusted 
origin request body + value: + name: New Trusted Origin + origin: http://example.com + scopes: + - type: CORS + - type: REDIRECT + TrustedOriginBodyWithIframeEmbedding: + summary: Trusted origin request body with iFrame embedding (Okta End-User Dashboard and Okta sign-in page) + description: | + Creates a new Trusted Origin for iFrame embedding of an Okta resource within that origin. In this example, the type + of Okta resource is both the Okta End-User Dashboard and the Okta sign-in page. + value: + name: New Trusted Origin + origin: http://example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + TrustedOriginBodyWithIframeEmbeddingSignIn: + summary: Trusted origin request body with iFrame embedding (Okta sign-in page) + description: | + Creates a new Trusted Origin for iFrame embedding of an Okta resource within that origin. In this example, the Okta + resource is the Okta sign-in page. + value: + name: New Trusted Origin + origin: http://example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: [] + TrustedOriginInactiveResponse: + summary: Trusted origin response + value: + id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: http://example.com + status: INACTIVE + scopes: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + TrustedOriginPut: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: CORS + - type: REDIRECT + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: 
'2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutBody: + summary: Trusted origin request body + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: CORS + - type: REDIRECT + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutBodyWithIframeEmbedding: + summary: Trusted origin request body with iFrame embedding + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutResponse: + summary: Trusted origin response body + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: CORS + - type: REDIRECT + 
status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutResponseWithIframeEmbedding: + summary: Trusted origin response body with iFrame embedding + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutWithIframeEmbedding: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginResponse: + summary: Trusted origin response + value: + id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: 
http://example.com + status: ACTIVE + scopes: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginResponseWithIframeEmbedding: + summary: Trusted origin response with iFrame embedding (End-User Dashboard and Okta sign-in page) + value: + id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: http://example.com + status: ACTIVE + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginResponseWithIframeEmbeddingSignIn: + summary: Trusted origin response with iFrame embedding (Okta sign-in page) + value: + id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: http://example.com + status: ACTIVE + scopes: + - type: IFRAME_EMBED + allowedOktaApps: [] + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + 
TrustedOriginsResponse: + summary: Trusted origins response + value: + - id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: http://example.com + status: ACTIVE scopes: - okta.agentPools.manage: Read or modify Agent Pools - okta.agentPools.read: Read Agent Pools - okta.apiToken.read: Read API Tokens. - okta.apiToken.manage: Read or modify API Tokens. - okta.apps.read: Read Apps. - okta.apps.manage: Read or modify Apps. - okta.authenticators.read: Read Authenticators. - okta.authenticators.manage: Read or modify Authenticators. - okta.authorizationServers.read: Read Authorization Servers. - okta.authorizationServers.manage: Read or modify Authorization Servers. - okta.behaviors.read: Read Behavior Detection Rules. - okta.behaviors.manage: Read or modify Behavior Detection Rules. - okta.brands.read: Read Brands. - okta.brands.manage: Read or modify Brands. - okta.captchas.manage: Read or modify CAPTCHA instances in your org. - okta.captchas.read: Read CAPTCHA instances in your org. - okta.domains.read: Read Domains. - okta.domains.manage: Read or modify Domains. - okta.eventHooks.read: Read Event Hooks. - okta.eventHooks.manage: Read or modify Event Hooks. - okta.groups.read: Read Groups. - okta.groups.manage: Read or modify Groups. - okta.roles.read: Read Roles. - okta.roles.manage: Read or modify Roles. - okta.idps.read: Read Identity Providers. - okta.idps.manage: Read or modify Identity Providers. - okta.users.read: Read Users. - okta.users.manage: Read or modify Users. - okta.inlineHooks.read: Read Inline Hooks. - okta.inlineHooks.manage: Read or modify Inline Hooks. - okta.logs.read: Read Logs. - okta.profileMappings.read: Read Profile Mappings. - okta.profileMappings.manage: Read or modify Profile Mappings. - okta.schemas.read: Read Schemas. - okta.schemas.manage: Read or modify Schemas. - okta.linkedObjects.read: Read Linked Objects. - okta.linkedObjects.manage: Read or modify Linked Objects. - okta.userTypes.read: Read Usertypes. 
- okta.userTypes.manage: Read or modify Usertypes. - okta.orgs.read: Read Org Settings. - okta.orgs.manage: Read or modify Org Settings. - okta.policies.read: Read Policies. - okta.policies.manage: Read or modify Policies. - okta.principalRateLimits.read: Read Principal Rate Limits. - okta.principalRateLimits.manage: Read or modify Principal Rate Limits. - okta.pushProviders.read: Read Push Providers such as APNs and FCM. - okta.pushProviders.manage: Read or modify Push Providers such as APNs and FCM. - okta.sessions.read: Read Sessions. - okta.sessions.manage: Read or modify Sessions. - okta.templates.read: Read Templates. - okta.templates.manage: Read or modify Templates. - okta.trustedOrigins.read: Read Trusted Origins. - okta.trustedOrigins.manage: Read or modify Trusted Origins. - okta.deviceAssurance.read: Read device assurance policies. - okta.deviceAssurance.manage: Read or modify device assurance policies. - examples: - ApiTokenListMetadataResponse: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + UpdateAppFeatureRequestEx: + summary: Update USER_PROVISIONING request + value: + create: + lifecycleCreate: + status: ENABLED + update: + lifecycleDeactivate: + status: ENABLED + profile: + status: ENABLED + password: + status: ENABLED + seed: RANDOM + change: CHANGE + UpdateAppFeatureResponseEx: + summary: Update USER_PROVISIONING response + value: + name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: ENABLED + update: + 
lifecycleDeactivate: + status: ENABLED + profile: + status: ENABLED + password: + status: ENABLED + seed: RANDOM + change: CHANGE + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + UpdateAuthorizationServerPolicyRequest: + summary: Update Authorization Server Policy + value: + id: 00p5m9xrrBffPd9ah0g4 + type: OAUTH_AUTHORIZATION_POLICY + status: ACTIVE + name: Default Policy + description: Default policy description + priority: 1 + system: false + conditions: + clients": + include": + - ALL_CLIENTS + UpdateAuthorizationServerPolicyRuleRequest: + summary: Update Authorization Server Policy Rule + value: + type: RESOURCE_ACCESS + name: Default Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + groups: + include: + - EVERYONE + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + UpdateBrandRequest: + value: + customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy + agreeToCustomPrivacyPolicy: true + removePoweredByOkta: true + name: New Name For Brand + emailDomainId: OeD114iNkrcN6aR680g4 + locale: en + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + UpdateBrandResponse: + value: + id: bnd114iNkrcN6aR680g4 + removePoweredByOkta: true + agreeToCustomPrivacyPolicy: true + name: New Name For Brand + isDefault: true + customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + locale: en + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: 
https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + UpdateEmailDomainRequest: + value: + displayName: IT Admin + userName: noreply + UpdateFeatureLifecycleResponse: + summary: Update the feature lifecycle status + value: + description: Example feature description + id: ftrZooGoT8b41iWRiQs7 + name: Example feature name + stage: + state: OPEN + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + UpdateInboundProvisioningFeatureRequestEx: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Update INBOUND_PROVISIONING request + value: + capabilities: + importSettings: + username: + userNameFormat: EMAIL + schedule: + status: ENABLED + fullImport: + expression: 0 0 * * 0 + timezone: America/New_York + incrementalImport: + expression: 0 */3 * * * + timezone: America/New_York + importRules: + userCreateAndMatch: + exactMatchCriteria: EMAIL + allowPartialMatch: false + autoConfirmPartialMatch: false + autoConfirmExactMatch: false + autoConfirmNewUsers: false + autoActivateNewUsers: false + UpdateInboundProvisioningFeatureResponseEx: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Update INBOUND_PROVISIONING response + value: + name: INBOUND_PROVISIONING + status: ENABLED + description: In-bound provisioning settings from an application to Okta + capabilities: + importSettings: + username: + userNameFormat: EMAIL + schedule: + status: ENABLED + fullImport: + expression: 0 0 * * 0 + timezone: America/New_York + incrementalImport: + expression: 0 */3 * * * 
+ timezone: America/New_York + importRules: + userCreateAndMatch: + exactMatchCriteria: EMAIL + allowPartialMatch: false + autoConfirmPartialMatch: false + autoConfirmExactMatch: false + autoConfirmNewUsers: false + autoActivateNewUsers: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/INBOUND_PROVISIONING + hints: + allow: + - GET + - PUT + UpdateMappingBody: + summary: Update an existing profile mapping by updating one or more properties + value: + properties: + nickName: + expression: user.honorificPrefix + user.displayName + pushStatus: DONT_PUSH + UpdateMappingResponse: + summary: Update an existing profile mapping by updating one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.honorificPrefix + user.displayName + pushStatus: DONT_PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + UpdateOAuth2ScopeRequest: + summary: Example scope + value: + description: Order car + name: car:order + metadataPublish: ALL_CLIENTS + UpdateOrgSettingEx: + summary: Org setting request + value: + address1: 100 1st St + address2: 6th floor + city: San Fransico + companyName: okta + country: United States + endUserSupportHelpURL: support.okta.com + phoneNumber: '+18887227871' + postalCode: '94105' + state: California + supportPhoneNumber: '+18887227871' + website: www.okta.com + 
UpdateRecQuestionRequest: + value: + password: + value: tlpWENT2m + recovery_question: + question: How many roads must a man walk down? + answer: forty two + UpdateRecQuestionResponse: + value: + password: {} + recovery_question: + question: How many roads must a man walk down? + provider: + type: OKTA + name: OKTA + UpdateSMSTemplateRequest: + value: + translations: + de: '${org.name}: ihre bestätigungscode ist ${code}.' + UpdateSMSTemplateResponse: + value: + id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + de: '${org.name}: ihre bestätigungscode ist ${code}.' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + UpdateThemeRequest: + value: + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + UpdateThemeResponse: + value: + id: thdul904tTZ6kWVhP0g3 + logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + UpdateUserTypePostRequest: + summary: Update user type request + value: + displayName: Updated 
Display Name + UpdateUserTypePostResponse: + summary: Update user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: Updated Display Name + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + UpdatedEmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: NOT_STARTED + displayName: IT Admin + userName: noreply + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + UpdatedOAuth2ScopeResponse: + summary: Updated scope + value: + id: scp5yu8kLOnDzo7lh0g4 + name: car:order + description: Order car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: ALL_CLIENTS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + UploadYubikeyTokenSeedRequest: + summary: Yubikey OTP Seed + value: + serialNumber: '7886622' + publicId: ccccccijgibu + privateId: b74be6169486 + aesKey: 1fcc6d8ce39bf1604e0b17f3e0a11067 + UploadYubikeyTokenSeedResponse: + value: + id: ykkut4G6ti62DD8Dy0g3 + created: '2020-01-10T23:04:10.000Z' + lastVerified: 
'2020-01-10T23:04:10.000Z' + lastUpdated: '2020-01-10T23:04:10.000Z' + status: UNASSIGNED + profile: + serial: '000007886622' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkut4G6ti62DD8Dy0g3 + hints: + allow: + - GET + - DELETE + UserFactorChallengeCallResponse: + summary: call challenge + value: + factorResult: CHALLENGE + profile: + phoneNumber: '+12532236986' + phoneExtension: '1234' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV + hints: + allow: + - GET + - DELETE + UserFactorChallengeEmailResponse: + summary: email challenge + value: + factorResult: CHALLENGE + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + UserFactorChallengePushResponse: + summary: push challenge + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - GET + cancel: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - DELETE + UserFactorChallengeSmsResponse: + summary: sms challenge + value: + factorResult: CHALLENGE + profile: + phoneNumber: '+12532236986' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3 + hints: + 
allow: + - GET + - DELETE + UserFactorChallengeU2fResponse: + summary: u2f challenge + value: + factorResult: CHALLENGE + profile: + credentialId: GAiiLsVab2m3-zL1Fi3bVtNrM9G6_MntUITHKjxkV24ktGKjLSCRnz72wCEdHCe18IvC69Aia0sE4UpsO0HpFQ + version: U2F_V2 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + _embedded: + challenge: + nonce: vQFwTt6zKzMV7HFPzjS2 + timeoutSeconds: 20 + UserFactorChallengeWebauthnResponse: + summary: webAuthn challenge + value: + factorResult: CHALLENGE + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + _embedded: + challenge: + challenge: vQFwTt6zKzMV7HFPzjS2 + extensions: {} + UserFactorVerifyCallSuccessResponse: + summary: call verify + value: + factorResult: SUCCESS + UserFactorVerifyEmailSuccessResponse: + summary: email verify + value: + factorResult: SUCCESS + UserFactorVerifyPushRejectedResponse: + summary: push verification rejected + value: + factorResult: REJECTED + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionApproved: + summary: SUCCESS + value: + factorResult: SUCCESS + 
UserFactorVerifyPushTransactionRejected: + summary: REJECTED + value: + factorResult: REJECTED + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionTimeout: + summary: TIMEOUT + value: + factorResult: TIMEOUT + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionWaiting: + summary: WAITING + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + profile: + credentialId: jane.doe@example.com + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - GET + cancel: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - DELETE + UserFactorVerifySecurityQuestionRequest: + summary: security question verify + value: + answer: mayonnaise + UserFactorVerifySuccessSmsResponse: + summary: sms verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessSqResponse: + summary: security question verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessTokenResponse: + summary: token verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessTotpResponse: + summary: totp verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessYubikeyResponse: + summary: yubikey verify + value: + 
factorResult: SUCCESS + UserFactorVerifyU2fRequest: + summary: u2f verify + value: + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 + signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc + UserFactorVerifyU2fResponse: + summary: u2f verify response + value: + factorResult: SUCCESS + profile: + credentialId: h1bFwJFU9wnelYkexJuQfoUHZ5lX3CgQMTZk4H3I8kM9Nn6XALiQ-BIab4P5EE0GQrA7VD-kAwgnG950aXkhBw + version: U2F_V2 + UserFactorVerifyWebauthnRequest: + summary: WebAuthn verify challenge (posts a signed assertion using the challenge `nonce`) + value: + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 + authenticatorData: SBv04caJ+NLZ0bTeotGq9esMhHJ8YC5z4bMXXPbT95UFXbDsOg== + signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc + UserFactorVerifyWebauthnResponse: + summary: WebAuthn verify + value: + factorResult: SUCCESS + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + UserImportChangeAppUserProfileExample: + summary: An example user import inline hook response that updates an app user's profile + value: + commands: + - type: com.okta.appUser.profile.update + value: + firstName: Stan + UserImportChangeUserProfileExample: + summary: Update an Okta user's profile response + value: + commands: + - type: com.okta.user.profile.update + value: + firstName: Stan + UserImportCreateANewUserExample: + summary: Create a new Okta user profile response + value: + commands: + - type: com.okta.action.update + value: + result: CREATE_USER + UserImportErrorExample: + summary: Return an error 
object + value: + error: + errorSummary: Error at third-party service. Please contact your admin. + UserImportMatchExample: + summary: Match an existing Okta user response + value: + commands: + - type: com.okta.action.update + value: + result: LINK_USER + - type: com.okta.user.update + value: + id: 00garwpuyxHaWOkdV0g3 + UserImportPayloadExample: + summary: An example user import request body + value: + source: cal7eyxOsnb20oWbZ0g4 + eventId: JUGOUiYZTaKPmH6db0nDag + eventTime: '2019-02-27T20:59:04.000Z' + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + eventType: com.okta.import.transform + contentType: application/json + data: + context: + conflicts: + - login + application: + name: test_app + id: 0oa7ey7aLRuBvcYUD0g4 + label: Test App + status: ACTIVE + job: + id: ij17ez2AWtMZRfCZ60g4 + type: import:users + matches: [] + policy: + - EMAIL + - FIRST_AND_LAST_NAME + action: + result: CREATE_USER + appUser: + profile: + firstName: Sally2 + lastName: Admin2 + mobilePhone: null + accountType: PRO + secondEmail: null + failProvisioning: null + failDeprovisioning: null + externalId: user221 + groups: + - everyone@examplee.net + - tech@example.net + userName: administrator2 + email: sally.admin@example.net + user: + profile: + lastName: Admin2 + zipCode: null + city: null + secondEmail: null + postAddress: null + login: sally.admin@example.net + firstName: Sally2 + primaryPhone: null + mobilePhone: null + streetAddress: null + countryCode: null + typeId: null + state: null + email: sally.admin@example.net + UserRiskNoneResponse: + summary: Example User Risk with NONE risk level response + value: + riskLevel: NONE + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/{userId}/risk + hints: + allow: + - GET + - PUT + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + hints: + allow: + - GET + UserRiskRequest: + summary: Example upsert the risk for a user request + value: + riskLevel: HIGH + UserRiskResponse: + summary: Example User Risk 
response + value: + riskLevel: HIGH + reason: Admin override risk + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/{userId}/risk + hints: + allow: + - GET + - PUT + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + hints: + allow: + - GET + UserSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + description: Twitter Username + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + UserSchemaResponse: + value: + id: https://{yourOktaDomain}/meta/schemas/user/default + $schema: http://json-schema.org/draft-04/schema# + name: user + title: Default Okta User + lastUpdated: '2015-09-05T10:40:45.000Z' + created: '2015-02-02T10:27:36.000Z' + definitions: + base: + id: '#base' + type: object + properties: + login: + title: Username + type: string + required: true + minLength: 5 + maxLength: 100 + permissions: + - principal: SELF + action: READ_WRITE + firstName: + title: First name + type: string + required: true + minLength: 1 + maxLength: 50 + permissions: + - principal: SELF + action: READ_WRITE + lastName: + title: Last name + type: string + required: true + minLength: 1 + maxLength: 50 + permissions: + - principal: SELF + action: READ_WRITE + email: + title: Primary email + type: string + required: true + format: email + permissions: + - principal: SELF + action: READ_WRITE + required: + - login + - firstName + - lastName + - email + custom: + id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + description: User's username for twitter.com + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + VerifiedEmailDomainResponse: + value: + id: 
OeD114iNkrcN6aR680g4 + validationStatus: VERIFIED + displayName: IT Admin + userName: noreply + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + WSFederationEx: + summary: WS_FEDERATION + value: + name: template_wsfed + label: Sample WS-Fed App + signOnMode: WS_FEDERATION + settings: + app: + audienceRestriction: urn:example:app + groupValueFormat: windowsDomainQualifiedName + wReplyURL: https://example.com/ + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + siteURL: https://example.com + usernameAttribute: username + WSFederationPutEx: + summary: WS_FEDERATION + value: + name: template_wsfed + label: Sample WS-Fed App updated + signOnMode: WS_FEDERATION + settings: + app: + audienceRestriction: urn:exampleupdated:app + groupValueFormat: windowsDomainQualifiedName + wReplyURL: https://example.com/ + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + siteURL: https://example.com + usernameAttribute: username + WSFederationPutResponseEx: + summary: WS_FEDERATION + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + 
allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_wsfed + label: Sample WS-Fed App updated + features: [] + signOnMode: WS_FEDERATION + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU + settings: + app: + groupFilter: null + siteURL: https://example.com + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + wReplyOverride: false + digestAlgorithm: SHA1 + usernameAttribute: username + signatureAlgorithm: RSA_SHA1 + audienceRestriction: urn:exampleupdated:app + wReplyURL: https://example.com/ + groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role + attributeStatements: null + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 + groupValueFormat: windowsDomainQualifiedName + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + WSFederationResponseEx: + summary: WS_FEDERATION + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + 
_links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_wsfed + label: Sample WS-Fed App + features: [] + signOnMode: WS_FEDERATION + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU + settings: + app: + groupFilter: null + siteURL: https://example.com + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + wReplyOverride: false + digestAlgorithm: SHA1 + usernameAttribute: username + signatureAlgorithm: RSA_SHA1 + audienceRestriction: urn:example:app + wReplyURL: https://example.com/ + groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role + attributeStatements: null + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 + groupValueFormat: windowsDomainQualifiedName + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + WellKnownAppAuthenticatorConfigurationCustomApp: + value: + - authenticatorId: aut22f6xzargnJZYE3l7 + orgId: 00o1vhf34q20MfCFC3l7 + type: app + key: custom_app + name: EnergyAus 
Authenticator + createdDate: '2022-10-11T08:56:45.000Z' + lastUpdated: '2023-09-07T11:31:35.000Z' + settings: + userVerification: PREFERRED + supportedMethods: + - type: push + status: ACTIVE + settings: + algorithms: + - RS256 + - ES256 + keyProtection: ANY + appAuthenticatorEnrollEndpoint: https://{yourOktaDomain}/idp/myaccount/app-authenticators + WellKnownOrgMetadataResponseClassic: + value: + id: 00o5rb5mt2H3d1TJd0h7 + _links: + organization: + href: https://{{yourOktaDomain}} + pipeline: v1 + settings: + analyticsCollectionEnabled: false + bugReportingEnabled: true + omEnabled: true + WellKnownOrgMetadataResponseCustomUrlOie: + value: + id: 00o47wwoytgsDqEtz0g7 + _links: + organization: + href: https://{yourSubdomain}.okta.com + alternate: + href: https://{yourCustomDomain} + pipeline: idx + settings: + analyticsCollectionEnabled: false + bugReportingEnabled: true + omEnabled: false + activateOAuth2ClientSecretResponse: + summary: Activate Secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + activeAPIServiceIntegrationInstanceSecretResponse: + summary: Activate Secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: '***MQGQ' + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + bulkDeletePayload: + value: + entityType: USERS + profiles: + - externalId: EXT123456784C2IF + - externalId: 
EXT123456784C3IF + - externalId: EXT123456784C4IF + bulkUpsertPayload: + value: + entityType: USERS + profiles: + - externalId: EXT123456784C2IF + profile: + userName: isaac.brock@example.com + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + secondEmail: isaac2.brock@example.com + mobilePhone: 123-456-7890 + homeAddress: Kirkland, WA + cloud-rule: + summary: Global session policy - Challenge cloud users + description: This global session policy uses a rule to challenge cloud users + value: + type: SIGN_ON + name: Challenge Cloud Users + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: [] + exclude: [] + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + actions: + signon: + access: ALLOW + requireFactor: true + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + cloud-rule-response: + summary: Global session policy - Challenge cloud users + description: The response body from the creation of a global session policy that uses a rule to challenge cloud users + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Challenge Cloud Users + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: [] + exclude: [] + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: true + primaryFactor: PASSWORD_IDP_ANY_FACTOR + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + create-auth-policy-rule-condition: + summary: Authentication policy - Create rule with conditions + description: Creates an authentication policy rule with a conditions object. + value: + system: false + type: ACCESS_POLICY + name: Rule with conditions + conditions: + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + network: + connection: ZONE + exclude: + - 00u7yq5goxNFTiMjW1d7 + riskScore: + level: ANY + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + include: [] + groups: + include: + - 00g9i12jictsYdZdi1d7 + exclude: [] + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + reauthenticateIn: PT2H + constraints: + - knowledge: + reauthenticateIn: PT2H + types: + - password + type: ASSURANCE + create-auth-policy-rule-condition-response: + summary: Authentication policy - Policy rule with conditions + description: The response body from the creation of an authentication policy rule with conditions. 
+ value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + name: Rule with conditions + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + groups: + include: + - 00g9i12jictsYdZdi1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + exclude: [] + riskScore: + level: ANY + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + required: true + types: + - password + reauthenticateIn: PT2H + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + create-group-rule-request-example: + summary: Create group rule request example + value: + type: group_rule + name: Engineering group rule + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + create-user-in-group-request: + description: See [Create user in group](/openapi/okta-management/management/tag/User/#create-user--in-group) for description. 
+ value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + groupIds: + - 00g1emaKYZTWRYYRRTSK + - 00garwpuyxHaWOkdV0g4 + create-user-in-group-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-authentication-provider-request: + description: Set `activate` parameter to `true`. See [Create user with authentication provider](/openapi/okta-management/management/tag/User/#create-user-with-authentication-provider) for description. 
+ value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: FEDERATION + name: FEDERATION + create-user-with-authentication-provider-response: + value: + id: 00uijntSwJjSHtDY70g3 + status: ACTIVE + created: '2016-01-19T22:02:08.000Z' + activated: '2016-01-19T22:02:08.000Z' + statusChanged: '2016-01-19T22:02:08.000Z' + lastLogin: null + lastUpdated: '2016-01-19T22:02:08.000Z' + passwordChanged: null + profile: + login: isaac.brock@example.com + firstName: Isaac + lastName: Brock + mobilePhone: 555-415-1337 + email: isaac.brock@example.com + secondEmail: null + credentials: + provider: + type: FEDERATION + name: FEDERATION + _links: + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/reset_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/credentials/change_recovery_question + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/deactivate + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-imported-hashed-password-request: + description: Set `activate` parameter to `true`. See [Create user with imported hashed password](/openapi/okta-management/management/tag/User/#create-user-with-password) for description. 
+ value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + hash: + algorithm: BCRYPT + workFactor: 10 + salt: rwh3vH166HCH/NT9XV5FYu + value: qaMqvAPULkbiQzkTCWo5XDcvzpk8Tna + create-user-with-imported-hashed-password-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: IMPORT + name: IMPORT + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-non-default-user-type-request: + description: See [Create user with non-default user type](/openapi/okta-management/management/tag/User/#create-user-with-non-default-user-type) for description. 
+ value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + type: + id: otyfnjfba4ye7pgjB0g4 + create-user-with-non-default-user-type-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + type: + id: otyfnjfba4ye7pgjB0g4 + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscfnjfba4ye7pgjB0g4 + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otyfnjfba4ye7pgjB0g4 + create-user-with-password-and-recovery-question-request: + description: See [Create user with password and recovery question](/openapi/okta-management/management/tag/User/#create-user-with-password-and-recovery-question) for description. + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + value: tlpWENT2m + recovery_question: + question: Who is a major player in the cowboy scene? 
+ answer: Annie Oakley + create-user-with-password-and-recovery-question-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-import-inline-hook-request: + description: Set `activate` parameter to `true`. See [Create user with password inline hook](/openapi/okta-management/management/tag/User/#create-user-with-password-inline-hook) for description. + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + hook: + type: default + create-user-with-password-import-inline-hook-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: IMPORT + name: IMPORT + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-request: + description: Set `activate` parameter to `true`. 
See [Create user with password](/openapi/okta-management/management/tag/User/#create-user-with-password) for description. + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + value: tlpWENT2m + create-user-with-password-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-recovery-question-request: + description: See [Create user with recovery question](/openapi/okta-management/management/tag/User/#create-user-with-recovery-question) for description. + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + recovery_question: + question: Who is a major player in the cowboy scene? + answer: Annie Oakley + create-user-with-recovery-question-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-without-credentials-request: + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + create-user-without-credentials-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + createOAuth2ClientSecretCustomRequestBody: + summary: Add a user provided client secret + value: + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + status: ACTIVE + createOAuth2ClientSecretSystemGeneratedRequestBody: + summary: Add a system-generated client secret + value: {} + deactivateOAuth2ClientJsonWebKeyResponse: + summary: Deactivate JSON Web Key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: INACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate + hints: + allow: + - POST + deactivateOAuth2ClientSecretResponse: + summary: Deactivate Secret response example + value: + id: ocs2f4zrZbs8nUa7p0g4 
+ status: INACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + deny-rule: + summary: Global session policy - Deny users + description: This global session policy uses a rule to deny users + value: + type: SIGN_ON + name: Deny users + conditions: + network: + connection: ANYWHERE + authContext: + authType: ANY + actions: + signon: + access: DENY + requireFactor: false + deny-rule-response: + summary: Global session policy - Deny users + description: The response body from the creation of a global session policy that uses a rule to deny users + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Deny + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + authContext: + authType: ANY + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: DENY + requireFactor: false + primaryFactor: PASSWORD_IDP + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 120 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + editFeatureExample: + summary: Enable Okta Personal admin settings + value: + enableExportApps: true + 
enableEnduserEntryPoints: true + getBlockListExample: + summary: List of blocked email domains + value: + domains: + - yahoo.com + - google.com + group-example: + summary: Group example + description: Example of a Group + value: + id: 00g1emaKYZTWRYYRRTSK + created: '2015-02-06T10:11:28.000Z' + lastUpdated: '2015-10-05T19:16:43.000Z' + lastMembershipUpdated: '2015-11-28T19:15:32.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: West Coast Users + description: All Users West of The Rockies + _links: + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/okta-large.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps + group-rule-example: + summary: Group rule example + description: Example of a group rule + value: + type: group_rule + id: 0pr3f7zMZZHPgUoWO0g4 + status: INACTIVE + name: Engineering group rule + created: '2016-12-01T14:40:04.000Z' + lastUpdated: '2016-12-01T14:40:04.000Z' + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + idp-discovery-dynamic-routing-rule: + summary: IdP discovery policy - Dynamic routing rule + description: This routing rule uses a dynamic Identity Provider. 
+ value: + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-dynamic-routing-rule-response: + summary: IdP discovery policy - Dynamic routing rule + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-policy-response: + summary: IDP_DISCOVERY + value: + type: IDP_DISCOVERY + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + idp-discovery-specific-routing-rule: + summary: IdP discovery policy - Specific routing rule + description: This routing rule uses a specific Identity Provider. 
+ value: + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + idp-discovery-specific-routing-rule-response: + summary: IdP discovery policy - Specific routing rule + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + inactiveAPIServiceIntegrationInstanceSecretResponse: + summary: Deactivate Secret response example + value: + id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + list-all-idp-discovery-policy-rule-response: + summary: IDP_DISCOVERY + value: + - id: 0prgu3bb10hce267M1d7 + status: ACTIVE + name: Test rule + priority: 1 + created: '2024-08-27T19:51:15.000Z' + lastUpdated: '2024-08-27T19:51:15.000Z' + system: true + conditions: + network: + connection: ANYWHERE + platform: + include: [] + exclude: [] + userIdentifier: + patterns: [] + app: + include: [] + exclude: [] + 
actions: + idp: + providers: + - type: OKTA + idpSelectionType: SPECIFIC + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: IDP_DISCOVERY + list-all-mfa-enroll-policy-rule-response: + summary: MFA_ENROLL + value: + - id: 0prgu3g4mon9ARm9F1d7 + status: ACTIVE + name: Test Rule + priority: 1 + created: '2024-08-27T19:51:39.000Z' + lastUpdated: '2024-08-27T19:51:39.000Z' + system: true + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + enroll: + self: CHALLENGE + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: MFA_ENROLL + list-all-password-policy-rule-response: + summary: PASSWORD + value: + - id: 0prgu3baytQGHuVEv1d7 + status: ACTIVE + name: Test Rule + priority: 1 + created: '2024-08-27T19:51:11.000Z' + lastUpdated: '2024-08-27T19:51:17.000Z' + system: true + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - email + stepUp: + required: false + selfServiceUnlock: + access: DENY + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: PASSWORD + list-all-profile-enrollment-policy-rule-response: + summary: PROFILE_ENROLLMENT + value: + - id: rulgu3bb4oWR7qbMi1d7 + status: ACTIVE + name: Test Rule + priority: 99 + created: '2024-08-27T19:51:18.000Z' + lastUpdated: '2024-08-27T19:51:22.000Z' + system: true + conditions: null + actions: + profileEnrollment: + access: ALLOW + preRegistrationInlineHooks: null + profileAttributes: + - name: email + label: Email + required: true + - name: firstName + label: First name + required: true + - name: lastName + label: Last name + required: true + targetGroupIds: null + unknownUserAction: 
DENY + activationRequirements: + emailVerification: true + uiSchemaId: uisgu3bb4zTbvwD8S1d7 + progressiveProfilingAction: DISABLED + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: PROFILE_ENROLLMENT + list-all-sign-on-policy-rule-response: + summary: OKTA_SIGN_ON + value: + - id: 0prh1sd28q5sXGW08697 + status: ACTIVE + name: Test rule + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + primaryFactor: PASSWORD_IDP_ANY_FACTOR + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - POST + type: SIGN_ON + list-apps-example: + summary: List apps example + description: List all apps example + value: + - id: 0oafwvZDWJKVLDCUWUAC + name: template_basic_auth + label: Sample Basic Auth App + status: ACTIVE + lastUpdated: '2013-09-30T00:56:52.000Z' + created: '2013-09-30T00:56:52.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + url: https://example.com/login.html + authURL: https://example.com/auth.html + _links: + appLinks: + - href: 
https://{yourOktaDomain}/home/template_basic_auth/0oafwvZDWJKVLDCUWUAC/1438 + name: login + type: text/html + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/lifecycle/deactivate + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/groups + list-group-rules-example: + summary: List Group rules example + description: List all group rules example + value: + - type: group_rule + id: 0pr3f7zMZZHPgUoWO0g4 + status: INACTIVE + name: Engineering group rule + created: '2016-12-01T14:40:04.000Z' + lastUpdated: '2016-12-01T14:40:04.000Z' + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + list-groups-examples: + summary: List all groups example + description: Lists an example of an OKTA_GROUP and an APP_GROUP + value: + - id: 00g1emaKYZTWRYYRRTSK + created: '2015-02-06T10:11:28.000Z' + lastUpdated: '2015-10-05T19:16:43.000Z' + lastMembershipUpdated: '2015-11-28T19:15:32.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: West Coast Users + description: All Users West of The Rockies + _links: + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/okta-large.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps + - id: 00garwpuyxHaWOkdV0g4 + created: '2015-08-15T19:15:17.000Z' + lastUpdated: '2015-11-18T04:02:19.000Z' + lastMembershipUpdated: '2015-08-15T19:15:17.000Z' + objectClass: + - okta:windows_security_principal + type: APP_GROUP + profile: + name: Engineering Users + 
description: corp.example.com/Engineering/Engineering Users + groupType: Security + samAccountName: Engineering Users + objectSid: S-1-5-21-717838489-685202119-709183397-1177 + groupScope: Global + dn: CN=Engineering Users,OU=Engineering,DC=corp,DC=example,DC=com + windowsDomainQualifiedName: CORP\Engineering Users + externalId: OZJdWdONCU6h7WjQKp+LPA== + source: + id: 0oa2v0el0gP90aqjJ0g7 + _links: + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/active_directory-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/active_directory-large.png + type: image/png + source: + href: https://{yourOktaDomain}/api/v1/apps/0oa2v0el0gP90aqjJ0g7 + users: + href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/apps + list-user-example: + value: + - id: 00u1f96ECLNVOKVMUSEA + status: ACTIVE + created: '2013-12-12T16:14:22.000Z' + activated: '2013-12-12T16:14:22.000Z' + statusChanged: '2013-12-12T22:14:22.000Z' + lastLogin: '2013-12-12T22:14:22.000Z' + lastUpdated: '2015-11-15T19:23:32.000Z' + passwordChanged: '2013-12-12T22:14:22.000Z' + profile: + firstName: Easy + lastName: E + email: easy-e@example.com + login: easy-e@example.com + mobilePhone: null + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA + listStreamConfigurationExample: + summary: List of SSF Stream configurations example + value: + - aud: https://example.com + delivery: + method: urn:ietf:rfc:8935 + endpoint_url: https://example.com + events_delivered: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - 
https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + format: iss_sub + iss: https://{yourOktaDomain} + min_verification_interval: 0 + stream_id: esc1k235GIIztAuGK0g5 + mfa-enroll-policy-response: + summary: MFA_ENROLL + value: + type: MFA_ENROLL + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + settings: + factors: + okta_otp: + enroll: + self: OPTIONAL + consent: + type: NONE + okta_push: + enroll: + self: OPTIONAL + consent: + type: NONE + okta_password: + enroll: + self: OPTIONAL + consent: + type: NONE + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + newAPIServiceIntegrationInstanceSecretResponse: + summary: New secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuth2ClientSecretResponse: + summary: Client secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: 
https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonWebKey: + summary: JSON Web Key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonWebKeyListResponse: + summary: JSON Web Key list response example + value: + jwks: + keys: + - id: pks2f4zrZbs8nUa7p0g4 + kid: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU= + status: INACTIVE + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonWebKeyRequest: + summary: JSON Web Key Request example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB 
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + oAuthClientSecretListResponse: + summary: Secrets list response example + value: + - id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: HAGDTYU9XbLnS......3xasFDDwecdZuFs5B + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oamp-id-proofing-policy-rule: + summary: Account Management Policy - Account management policy rule with ID proofing enabled + description: This account management policy rule enables ID proofing for enrollment processes + value: + id: ruleId + name: Account Management Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + appSignOn: + access: ALLOW + verificationMethod: + id: entity_id + type: ID_PROOFING + oamp-id-proofing-policy-rule-response: + summary: Account Management Policy - Account management policy rule with ID proofing enabled + description: This account management policy rule response enables ID proofing for enrollment processes + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + 
deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Account Management Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + appSignOn: + access: ALLOW + verificationMethod: + id: entity_id + type: ID_PROOFING + orgCommunicationOptInResponse: + summary: Opt in to communication emails + value: + optOutEmailUsers: false + _links: + optOut: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optOut + hints: + allow: + - POST + orgCommunicationOptOutResponse: + summary: Opt out of communication emails + value: + optOutEmailUsers: true + _links: + optIn: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optIn + hints: + allow: + - POST + orgContactTypeResponse: + summary: Org Contact Types + value: + - contactType: BILLING + _links: + billing: + href: https://{yourOktaDomain}/api/v1/org/contacts/billing + - contactType: TECHNICAL + _links: + technical: + href: https://{yourOktaDomain}/api/v1/org/contacts/technical + orgContactUserResponse: + summary: Contact User + value: + userId: 00ux3u0ujW1r5AfZC1d7 + _links: + user: + href: https://{yourOktaDomain}/api/v1/users/00ux3u0ujW1r5AfZC1d7 + orgHideFooterPrefResponse: + summary: Hide footer response + value: + showEndUserFooter: false + _links: + showEndUserFooter: + href: https://{yourOktaDomain}/api/v1/org/preferences/showEndUserFooter + hints: + allow: + - POST + orgShowFooterPrefResponse: + summary: Show footer response + value: + showEndUserFooter: true + _links: + hideEndUserFooter: + href: https://{yourOktaDomain}/api/v1/org/preferences/hideEndUserFooter + hints: + allow: + - POST + orgSupportSettingsResponse: + summary: Org Support Settings + value: + support: ENABLED + expiration: '2024-01-24T11:13:14.000Z' + _links: + extend: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/extend + hints: 
+ allow: + - POST + revoke: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/revoke + hints: + allow: + - POST + orgSupportSettingsRevokeResponse: + summary: Revoked Org Support + value: + support: DISABLED + expiration: null + _links: + grant: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/grant + hints: + allow: + - POST + password-policy-response: + summary: PASSWORD + value: + type: PASSWORD + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + authProvider: + provider: provider + settings: + password: + complexity: + minLength: 8 + minLowerCase: 1 + minUpperCase: 1 + minNumber: null + minSymbol: 0 + excludeUsername: true + dictionary: + common: + exclude: false + excludeAttributes: [] + age: + maxAgeDays: 0 + expireWarnDays: 0 + minAgeMinutes: 0 + historyCount: 4 + lockout: + maxAttempts: 0 + autoUnlockMinutes: 0 + userLockoutNotificationChannels: [] + showLockoutFailures: false + recovery: + factors: + recovery_question: + status: ACTIVE + properties: + complexity: + complexity: 4 + okta_email: + status: ACTIVE + properties: + recoveryToken: + tokenLifetimeMinutes: 10080 + okta_sms: + status: INACTIVE + okta_call: + status: INACTIVE + delegation: + options: + skipUnlock: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + policy-mapping-list-response: + summary: List all Mappings for a policy + value: + - id: policyId + _links: + application: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + hints: + allow: + - GET + - PUT + - DELETE + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} + hints: + allow: + - GET + - PUT + - DELETE + policy: + 
href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + policy-mapping-response: + summary: Policy Mapping for a Policy + value: + id: policyId + _links: + application: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + hints: + allow: + - GET + - PUT + - DELETE + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} + hints: + allow: + - GET + - PUT + - DELETE + policy: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + postAPIServiceIntegrationRequest: + value: + type: my_app_cie + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + postAPIServiceIntegrationResponse: + summary: Post response example + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + profile-enrollment-policy-response: + summary: PROFILE_ENROLLMENT + value: + type: PROFILE_ENROLLMENT + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + 
radius-rule: + summary: Global session policy - Challenge VPN users with Radius + description: This global session policy uses a rule to challenge VPN users with Radius + value: + type: SIGN_ON + status: ACTIVE + name: Challenge VPN users + conditions: + network: + connection: ANYWHERE + authContext: + authType: RADIUS + people: + users: + exclude: [] + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: true + primaryFactor: PASSWORD_IDP_ANY_FACTOR + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + radius-rule-response: + summary: Global session policy - Challenge VPN users with Radius + description: The response body from the creation of a global session policy that uses a rule to challenge VPN users with Radius + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Challenge VPN users + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + network: + connection: ANYWHERE + authContext: + authType: RADIUS + actions: + signon: + access: ALLOW + requireFactor: true + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + replace-user-request: + value: + credentials: + password: + value: tlpWENT2m + recovery_question: + question: Who's a major player in the cowboy scene? 
+ answer: Annie Oakley + provider: + type: OKTA + name: OKTA + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + settingsResponseBaseEx: + value: + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + sign-on-policy-rule: + summary: Sign-on policy - Rule with factor mode always + description: Sign-on policy rule with a factor mode always + value: + type: SIGN_ON + name: Test Sign On + conditions: + network: + connection: ANYWHERE + riskScore: + level: ANY + identityProvider: + provider: ANY + authContext: + authType: ANY + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + sign-on-policy-rule-response: + summary: Sign-on policy - Rule with factor mode always + description: Sign-on policy rule with a factor mode always + value: + type: SIGN_ON + name: Test Sign On + id: 0prh1sd28q5sXGW08697 + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + status: ACTIVE + conditions: + network: + connection: ANYWHERE + riskScore: + level: ANY + identityProvider: + provider: ANY + authContext: + authType: ANY + people: + users: + exclude: [] + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} 
+ hints: + allow: + - GET + - PUT + - DELETE + skip-factor-challenge-on-prem-rule: + summary: Global session policy - Skip factor challenge for on-prem sign-in use + description: This global session policy uses a rule to skip factor challenge for on-prem sign-in use + value: + type: SIGN_ON + status: ACTIVE + name: Skip Factor Challenge when On-Prem + conditions: + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + actions: + signon: + access: ALLOW + requireFactor: false + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + skip-factor-challenge-on-prem-rule-response: + summary: Global session policy - Skip factor challenge for on-prem sign-in use + description: The response body from the creation of a global session policy that uses a rule to skip the factor challenge for on-prem sign-in use + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + name: Skip Factor Challenge when On-Prem + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + people: + users: + exclude: [] + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + type: SIGN_ON + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + sspr-enabled-OAMP: + summary: Password policy - SSPR with Okta account management policy + description: 
This policy defers to the Okta account management policy to define SSPR authentication requirements. + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-OAMP-response: + summary: Password policy - SSPR with access control set to Okta account management policy + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-OAMP-update: + summary: Password policy - SSPR with Okta account management policy + description: This policy defers to the Okta account management policy to define SSPR authentication requirements. 
+ value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-no-step-up: + summary: Password policy - SSPR with no step up + description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required. + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-no-step-up-response: + summary: Password policy - SSPR with no step up + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-no-step-up-update: + summary: Password policy - SSPR with no step up + description: This password policy permits self-service password change, reset, and unlock. 
Phone SMS or email are initial authenticators with no secondary authentication required. + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sq-step-up: + summary: Password policy - SSPR with security question as step-up auth + description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are the initial authenticators, and the secondary authentication is a security question. + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sq-step-up-response: + summary: Password policy - SSPR with security question as step up + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false 
+ type: PASSWORD + sspr-enabled-sq-step-up-update: + summary: Password policy - SSPR with security question as step up + description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question. + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up: + summary: Password policy - SSPR with any SSO authenticator as step up + description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator. 
+ value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-response: + summary: Password policy - SSPR with any SSO authenticator as step up + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-update: + summary: Password policy - SSPR with any SSO authenticator as step up + description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator. 
+ value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-with-constraints: + summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint + description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google. + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-with-constraints-response: + summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint + value: + id: ruleId + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + 
primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-with-constraints-update: + summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint + description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google. + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + streamConfigurationExample: + summary: SSF Stream configuration example + value: + aud: https://example.com + delivery: + method: urn:ietf:rfc:8935 + endpoint_url: https://example.com + events_delivered: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + format: iss_sub + iss: https://{yourOktaDomain} + min_verification_interval: 0 + stream_id: esc1k235GIIztAuGK0g5 + twofa-enabled-disallow-password-allow-phishing: 
+ summary: Authentication policy - 2FA with granular authentication + description: This two-factor authentication policy uses a rule to disallow passwords and require phishing resistance for possession authenticators for authentication. + value: + name: Passwordless 2FA + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + type: ACCESS_POLICY + twofa-enabled-disallow-password-allow-phishing-response: + summary: Authentication policy - 2FA with granular authentication + description: The rule from a two-factor authentication policy that disallows passwords and requires phishing resistance + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: Passwordless 2FA + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: false + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + required: true + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + twofa-enabled-post-auth-kmsi-disabled: + summary: Authentication policy - 2FA with granular authentication (KMSI disabled) + description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication. 
value: - - name: My API Token - userId: 00uabcdefg1234567890 - tokenWindow: P30D - id: 00Tabcdefg1234567890 - clientName: Okta API - expiresAt: 2021-12-11T20:38:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + name: 2FA with Post Auth KMSI prompt disabled + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + keepMeSignedIn: + postAuth: NOT_ALLOWED + type: ACCESS_POLICY + twofa-enabled-post-auth-kmsi-disabled-response: + summary: Authentication policy - 2FA with granular authentication (KMSI disabled) + description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication. + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: 2FA with Post Auth KMSI prompt disabled + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: true + keepMeSignedIn: + postAuth: NOT_ALLOWED + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + twofa-enabled-post-auth-kmsi-enabled: + summary: Authentication policy - 2FA with granular authentication (KMSI enabled) + description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication. 
+ value: + name: 2FA with Post Auth KMSI prompt enabled + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + keepMeSignedIn: + postAuth: ALLOWED + postAuthPromptFrequency: P30D + twofa-enabled-post-auth-kmsi-enabled-response: + summary: Authentication policy - 2FA with granular authentication (KMSI enabled) + description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication. + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: 2FA with Post Auth KMSI prompt enabled + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: true + keepMeSignedIn: + postAuth: ALLOWED + postAuthPromptFrequency: PT720H + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + update-auth-policy-rule-condition: + summary: Authentication policy - Update rule with conditions + description: Updates the conditions object on the request body of an authentication policy rule. 
+ value: + type: ACCESS_POLICY + name: Rule with conditions - exclude a group + description: Updated policy rule + conditions: + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + riskScore: + level: ANY + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + include: [] + groups: + include: [] + exclude: + - 00g8vta8qzkxPEfKC1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + elCondition: + condition: security.risk.level == 'HIGH' + update-auth-policy-rule-condition-response: + summary: Authentication policy - Update rule with conditions + description: The response body from an updated conditions object of an authentication policy rule. + value: + id: rulezuo73ySrHndLb1d7 + status: ACTIVE + name: Rule with conditions - exclude a group + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + groups: + exclude: + - 00u7yq5goxNFTiMjW1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + exclude: [] + riskScore: + level: ANY + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + required: true + types: + - password + reauthenticateIn: PT2H + type: ACCESS_POLICY _links: self: - href: https://${yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 - hints: - allow: - - GET - - DELETE - user: - href: https://${yourOktaDomain}/api/v1/users/00uabcdefg1234567890 - hints: - allow: - - GET - - name: Another API Token - userId: 00uabcdefg1234567890 
- tokenWindow: PT5M - id: 00T1234567890abcdefg - clientName: Okta API - expiresAt: 2021-11-11T20:43:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z - _links: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + update-user-profile-request: + value: + profile: + firstName: Isaac + email: isaac.brock@update.example.com + mobilePhone: 555-415-1337 + update-user-set-password-request: + value: + credentials: + password: + value: uTVM,TPw55 + update-user-set-recovery-question-and-answer: + value: + credentials: + recovery_question: + question: How many roads must a man walk down? + answer: forty two + user-example: + summary: User example + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-06-24T16:39:18.000Z' + activated: '2013-06-24T16:39:19.000Z' + statusChanged: '2013-06-24T16:39:19.000Z' + lastLogin: '2013-06-24T17:39:19.000Z' + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + login: isaac.brock@example.com + firstName: Isaac + lastName: Brock + nickName: issac + displayName: Isaac Brock + email: isaac.brock@example.com + secondEmail: isaac@example.org + profileUrl: http://www.example.com/profile + preferredLanguage: en-US + userType: Employee + organization: Okta + title: Director + division: R&D + department: Engineering + costCenter: '10' + employeeNumber: '187' + mobilePhone: +1-555-415-1337 + primaryPhone: +1-555-514-1337 + streetAddress: 301 Brannan St. + city: San Francisco + state: CA + zipCode: '94107' + countryCode: US + credentials: + password: {} + recovery_question: + question: What's my childhood elementary school? 
+ provider: + type: OKTA + name: OKTA + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA + userNameTemplateResponseBaseEx: + value: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + wellKnownSSFMetadataExample: + summary: Well-Known SSF Metadata example + value: + configuration_endpoint: https://{yourOktaDomain}/api/v1/ssf/stream + delivery_methods_supported: + - https://schemas.openid.net/secevent/risc/delivery-method/push + - urn:ietf:rfc:8935 + issuer: https://{yourOktaDomain} + jwks_uri: https://{yourOktaDomain}/oauth2/v1/keys + parameters: + OktaResponse: + name: Content-Type + in: header + description: |- + Specifies the media type of the resource. Optional `okta-response` value can be included for performance optimization. + + Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. + + Enum values for `okta-response`: + * `omitCredentials`: Omits the credentials subobject from the response. + * `omitCredentialsLinks`: Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock. + * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response. + required: false + schema: + type: string + examples: + Omit credentials subobject and credentials links: + value: application/json; okta-response=omitCredentials,omitCredentialsLinks + summary: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization. + Omit credentials, credentials links, and `transitioningToStatus` field: + value: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus" + summary: Omits the credentials, credentials links, and `transitioningToStatus` field from the response. Applies performance optimization. 
+ UISchemaId: + name: id + description: The unique ID of the UI Schema + in: path + required: true + schema: + type: string + example: uis4a7liocgcRgcxZ0g7 + appInstanceId: + name: appInstanceId + in: path + description: ID of the AD AppInstance in Okta + schema: + type: string + required: true + assignmentId: + name: assignmentId + description: '`id` of the Realm Assignment' + in: path + required: true + schema: + type: string + example: rul2jy7jLUlnO3ng00g4 + authenticatorEnrollmentId: + name: authenticatorEnrollmentId + in: path + required: true + description: ID for a WebAuthn Preregistration Factor in Okta + schema: + type: string + domain: + name: domain + in: path + description: The okta domain name of your org or one of your custom domains + required: true + schema: + type: string + inlineHookType: + name: type + description: One of the supported inline hook types + in: query + schema: + type: string + enum: + - com.okta.import.transform + - com.okta.oauth2.tokens.transform + - com.okta.saml.tokens.transform + - com.okta.user.credential.password.import + - com.okta.user.pre-registration + - com.okta.telephony.provider + limitParameter: + name: limit + in: query + schema: + type: string + description: Defines the number of policy rules returned. See [Pagination](https://developer.okta.com/docs/api/#pagination). 
+ pathApiServiceId: + name: apiServiceId + in: path + schema: + type: string + required: true + description: '`id` of the API Service Integration instance' + example: 000lr2rLjZ6NsGn1P0g3 + pathApiTokenId: + name: apiTokenId + in: path + schema: + type: string + example: 00Tabcdefg1234567890 + required: true + description: id of the API Token + pathAppId: + name: appId + description: Application ID + in: path + required: true + schema: + type: string + example: 0oafxqCAJWWGELFTYASJ + pathAppName: + name: appName + description: Application name for the app type + in: path + required: true + schema: + type: string + example: oidc_client + pathAppUserId: + name: userId + description: ID of an existing Okta user + in: path + required: true + schema: + type: string + example: 00u13okQOVWZJGDOAUVR + pathAssociatedServerId: + name: associatedServerId + description: '`id` of the associated Authorization Server' + in: path + required: true + schema: + type: string + example: aus6xt9jKPmCyn6kg0g4 + pathAuthServerId: + name: authServerId + description: '`id` of the Authorization Server' + in: path + required: true + schema: + type: string + example: GeGRTEr7f3yu2n7grw22 + pathAuthenticatorId: + name: authenticatorId + description: '`id` of the Authenticator' + in: path + required: true + schema: + type: string + example: aut1nd8PQhGcQtSxB0g4 + pathBehaviorId: + name: behaviorId + in: path + schema: + type: string + example: abcd1234 + required: true + description: id of the Behavior Detection Rule + pathBrandId: + name: brandId + in: path + required: true + schema: + type: string + description: The ID of the brand + pathBundleId: + name: bundleId + in: path + schema: + type: string + example: 08ab2db568c7c300079fefd0 + required: true + description: The `id` of a bundle + pathCaptchaId: + name: captchaId + in: path + schema: + type: string + required: true + description: The unique key used to identify your CAPTCHA instance + pathClaimId: + name: claimId + description: '`id` 
of Claim' + in: path + required: true + schema: + type: string + example: hNJ3Uk76xLagWkGx5W3N + pathClientId: + name: clientId + description: '`client_id` of the app' + in: path + required: true + schema: + type: string + example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD + pathClientSecretId: + name: secretId + in: path + schema: + type: string + required: true + description: Unique `id` of the OAuth 2.0 Client Secret + example: ocs2f4zrZbs8nUa7p0g4 + pathContactType: + name: contactType + in: path + required: true + schema: + type: string + description: Type of contact + enum: + - BILLING + - TECHNICAL + example: BILLING + pathCredentialKeyId: + name: keyId + description: '`id` of the certificate key' + in: path + required: true + schema: + type: string + example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk + pathCsrId: + name: csrId + description: '`id` of the CSR' + in: path + required: true + schema: + type: string + example: fd7x1h7uTcZFx22rU1f7 + pathCustomizationId: + name: customizationId + in: path + required: true + schema: + type: string + description: The ID of the email customization + pathDeviceAssuranceId: + in: path + name: deviceAssuranceId + required: true + description: Id of the device assurance policy + schema: + type: string + pathDeviceCheckId: + in: path + name: deviceCheckId + required: true + description: Id of the Device Check + schema: + type: string + pathDeviceId: + name: deviceId + in: path + schema: + type: string + example: guo4a5u7JHHhjXrMK0g4 + required: true + description: '`id` of the device' + pathDomainId: + name: domainId + description: '`id` of the Domain' + in: path + required: true + schema: + type: string + example: OmWNeywfTzElSLOBMZsL + pathEmailDomainId: + name: emailDomainId + in: path + required: true + schema: + type: string + description: The ID of the email domain. 
+ pathEmailServerId: + name: emailServerId + in: path + required: true + schema: + type: string + description: ID of your SMTP Server configuration + pathEntitlementId: + name: entitlementId + in: path + schema: + type: string + example: 0obfxqCAJWWGELFTYASJ + required: true + description: The `id` of a bundle entitlement + pathEventHookId: + name: eventHookId + description: '`id` of the Event Hook' + in: path + required: true + schema: + type: string + example: who8vt36qfNpCGz9H1e6 + pathFactorId: + name: factorId + description: ID of an existing user Factor + in: path + required: true + schema: + type: string + example: zAgrsaBe0wVGRugDYtdv + pathFeatureId: + name: featureId + description: '`id` of the feature' + in: path + required: true + schema: + type: string + example: R5HjqNn1pEqWGy48E9jg + pathFeatureName: + name: featureName + description: Name of the Feature + in: path + required: true + schema: + $ref: '#/components/schemas/ApplicationFeatureType' + pathFirstPartyAppName: + name: appName + description: | + The key name for the Okta app.
+ Supported apps: + * Okta Admin Console (`admin-console`) + in: path + required: true + schema: + type: string + example: admin-console + pathGrantId: + name: grantId + description: Grant ID + in: path + required: true + schema: + type: string + example: iJoqkwx50mrgX4T9LcaH + pathGroupId: + name: groupId + description: The `id` of the group + in: path + required: true + schema: + type: string + example: 00g1emaKYZTWRYYRRTSK + pathGroupRuleId: + name: groupRuleId + description: The `id` of the group rule + in: path + required: true + schema: + type: string + example: 0pr3f7zMZZHPgUoWO0g4 + pathHookKeyId: + name: id + description: ID of the Hook Key + in: path + required: true + schema: + type: string + example: XreKU5laGwBkjOTehusG + pathId: + name: id + description: '`id`, `login`, or `login shortname` (as long as it is unambiguous) of a user' + in: path + required: true + schema: + type: string + pathIdentitySourceId: + name: identitySourceId + in: path + required: true + description: The ID of the Identity Source for which the session is created + example: 0oa3l6l6WK6h0R0QW0g4 + schema: + type: string + pathIdentitySourceSessionId: + name: sessionId + in: path + required: true + description: The ID of the Identity Source Session + example: aps1qqonvr2SZv6o70h8 + schema: + type: string + pathIdpCsrId: + name: idpCsrId + description: '`id` of the IdP CSR' + in: path + required: true + schema: + type: string + example: 1uEhyE65oV3H6KM9gYcN + pathIdpId: + name: idpId + description: '`id` of IdP' + in: path + required: true + schema: + type: string + example: 0oa62bfdjnK55Z5x80h7 + pathInlineHookId: + name: inlineHookId + description: '`id` of the Inline Hook' + in: path + required: true + schema: + type: string + example: Y7Rzrd4g4xj6WdKzrBHH + pathJsonWebKeyId: + name: keyId + in: path + schema: + type: string + required: true + description: Unique `id` of the OAuth 2.0 Client JSON Web Key + example: pks2f4zrZbs8nUa7p0g4 + pathKeyId: + name: keyId + description: 
ID of the Key Credential for the application + in: path + required: true + schema: + type: string + example: sjP9eiETijYz110VkhHN + pathKid: + name: kid + description: Unique `id` of the IdP Key Credential + in: path + required: true + schema: + type: string + example: KmMo85SSsU7TZzOShcGb + pathLifecycle: + name: lifecycle + description: Whether to `ENABLE` or `DISABLE` the feature + in: path + required: true + schema: + $ref: '#/components/schemas/FeatureLifecycle' + pathLinkedObjectName: + name: linkedObjectName + description: Primary or Associated name + in: path + required: true + schema: + type: string + pathLogStreamId: + name: logStreamId + in: path + schema: + type: string + example: 0oa1orzg0CHSgPcjZ0g4 + required: true + description: Unique identifier for the Log Stream + pathLogStreamType: + name: logStreamType + in: path + required: true + schema: + $ref: '#/components/schemas/LogStreamType' + pathMappingId: + name: mappingId + description: '`id` of the Mapping' + in: path + required: true + schema: + type: string + example: cB6u7X8mptebWkffatKA + pathMemberId: + name: memberId + in: path + schema: + type: string + example: irb1qe6PGuMc7Oh8N0g4 + required: true + description: '`id` of the Member' + pathMethodType: + name: methodType + description: Type of authenticator method + in: path + required: true + schema: + $ref: '#/components/schemas/AuthenticatorMethodType' + pathNotificationType: + name: notificationType + in: path + required: true + schema: + $ref: '#/components/schemas/NotificationType' + pathOAuthProvisioningAppName: + name: appName + in: path + required: true + schema: + $ref: '#/components/schemas/OAuthProvisioningEnabledApp' + pathOperation: + name: operation + in: path + required: true + schema: + type: string + pathOwnerId: + description: The `id` of the group owner + name: ownerId + in: path + required: true + schema: + type: string + example: 00u1emaK22TWRYd3TtG + pathPermissionType: + name: permissionType + in: path + schema: + 
type: string + example: okta.users.manage + required: true + description: An okta permission type + pathPolicyId: + name: policyId + description: '`id` of the Policy' + in: path + required: true + schema: + type: string + example: 00plrilJ7jZ66Gn0X0g3 + pathPolicyMappingId: + name: mappingId + description: '`id` of the policy resource Mapping' + in: path + required: true + schema: + type: string + example: maplr2rLjZ6NsGn1P0g3 + pathPoolId: + name: poolId + in: path + description: Id of the agent pool for which the settings will apply + schema: + type: string + required: true + pathPrimaryRelationshipName: + name: primaryRelationshipName + description: Name of the `primary` relationship being assigned + in: path + required: true + schema: + type: string + example: manager + pathPrimaryUserId: + name: primaryUserId + description: User ID to be assigned to the `primary` relationship for the `associated` user + in: path + required: true + schema: + type: string + pathPrincipalRateLimitId: + name: principalRateLimitId + in: path + schema: + type: string + example: abcd1234 + required: true + description: id of the Principal Rate Limit + pathPublicKeyId: + name: keyId + description: id" of the Public Key + in: path + required: true + schema: + type: string + example: FcH2P9Eg7wr0o8N2FuV0 + pathPushProviderId: + in: path + name: pushProviderId + required: true + description: Id of the push provider + schema: + type: string + pathQueryRoleExpand: + name: expand + description: 'An optional parameter used to return targets configured for the standard Role Assignment in the `embedded` property. 
Supported values: `targets/groups` or `targets/catalog/apps`' + in: query + required: false + schema: + type: string + examples: + groupTarget: + value: targets/groups + summary: Return Group targets + appTarget: + value: targets/catalog/apps + summary: Return App targets + pathRealmId: + name: realmId + description: '`id` of the Realm' + in: path + required: true + schema: + type: string + example: vvrcFogtKCrK9aYq3fgV + pathRelationshipName: + name: relationshipName + description: Name of the `primary` or `associated` relationship being queried + in: path + required: true + schema: + type: string + examples: + manager: + value: manager + summary: Example of a `primary` name + subordinate: + value: subordinate + summary: Example of an `associated` name + pathResourceId: + name: resourceId + in: path + schema: + type: string + example: ire106sQKoHoXXsAe0g4 + required: true + description: '`id` of the Resource' + pathResourceSelectorId: + name: resourceSelectorId + in: path + schema: + type: string + example: rsl1hx31gVEa6x10v0g5 + required: true + description: '`id` of a Resource Selector' + pathResourceSetIdOrLabel: + name: resourceSetIdOrLabel + in: path + schema: + type: string + example: iamoJDFKaJxGIr0oamd9g + required: true + description: '`id` or `label` the Resource Set' + pathRiskProviderId: + name: riskProviderId + in: path + schema: + type: string + example: 00rp12r4skkjkjgsn + required: true + description: '`id` of the Risk Provider object' + pathRoleAssignmentId: + name: roleAssignmentId + description: The `id` of the role assignment + in: path + required: true + schema: + type: string + example: JBCUYUC7IRCVGS27IFCE2SKO + pathRoleId: + name: roleId + description: '`id` of the role' + in: path + required: true + schema: + type: string + example: 3Vg1Pjp3qzw4qcCK5EdO + pathRoleIdOrLabel: + name: roleIdOrLabel + in: path + schema: + type: string + example: cr0Yq6IJxGIr0ouum0g3 + required: true + description: '`id` or `label` of the Role' + pathRoleRef: + 
name: roleRef + in: path + description: A reference to an existing role. Standard roles require a `roleType`, while Custom Roles require a `roleId`. See [Standard Roles](/openapi/okta-management/guides/roles/#standard-roles). + required: true + schema: + oneOf: + - title: roleType + type: string + $ref: '#/components/schemas/RoleType' + - title: roleId + type: string + pathRuleId: + name: ruleId + description: '`id` of the Policy Rule' + in: path + required: true + schema: + type: string + example: ruld3hJ7jZh4fn0st0g3 + pathSchemaId: + name: schemaId + in: path + required: true + schema: + type: string + pathScopeId: + name: scopeId + description: '`id` of Scope' + in: path + required: true + schema: + type: string + example: 0TMRpCWXRKFjP7HiPFNM + pathSecretId: + name: secretId + in: path + schema: + type: string + required: true + description: '`id` of the API Service Integration instance Secret' + example: ocs2f4zrZbs8nUa7p0g4 + pathSection: + name: section + in: path + required: true + schema: + type: string + pathSecurityEventProviderId: + name: securityEventProviderId + in: path + schema: + type: string + example: sse1qg25RpusjUP6m0g5 + required: true + description: '`id` of the Security Events Provider instance' + pathSessionId: + name: sessionId + description: '`id` of the Session' + in: path + required: true + schema: + type: string + example: l7FbDVqS8zHSy65uJD85 + pathSubmissionId: + name: submissionId + description: OIN Integration ID + in: path + required: true + schema: + type: string + example: acme_submissionapp_1 + pathTargetGroupId: + name: targetGroupId + in: path + required: true + schema: + type: string + example: 00g1e9dfjHeLAsdX983d + pathTemplateId: + name: templateId + description: '`id` of the Template' + in: path + required: true + schema: + type: string + example: 6NQUJ5yR3bpgEiYmq8IC + pathTemplateName: + name: templateName + in: path + required: true + schema: + type: string + description: The name of the email template + pathThemeId: 
+ name: themeId + in: path + required: true + schema: + type: string + description: The ID of the theme + pathTokenId: + name: tokenId + description: '`id` of Token' + in: path + required: true + schema: + type: string + example: sHHSth53yJAyNSTQKDJZ + pathTransactionId: + name: transactionId + description: ID of an existing Factor verification transaction + in: path + required: true + schema: + type: string + example: gPAQcN3NDjSGOCAeG2Jv + pathTrustedOriginId: + name: trustedOriginId + description: '`id` of the Trusted Origin' + in: path + required: true + schema: + type: string + example: 7j2PkU1nyNIDe26ZNufR + pathTypeId: + name: typeId + in: path + required: true + schema: + type: string + description: The unique key for the User Type + pathUpdateId: + name: updateId + in: path + description: Id of the update + schema: + type: string + required: true + pathUserId: + name: userId + description: ID of an existing Okta user + in: path + required: true + schema: + type: string + example: 00ub0oNGTSWTBKOLGLNR + pathUserIdOrLogin: + name: userIdOrLogin + description: |- + If for the `self` link, the ID of the User for whom you want to get the primary User ID. If for the `associated` relation, the User ID or login value of the User assigned the associated relationship. + + This can be `me` to represent the current session User. 
+ in: path + required: true + schema: + type: string + examples: + manager: + value: 00u5zex6ztMbOZhF50h7 + summary: Example ID of `primary` + subordinate: + value: 00u5zex6ztMbOZhF50h7 + summary: Example ID of `associated` + pathZoneId: + name: zoneId + in: path + schema: + type: string + required: true + description: '`id` of the Network Zone' + example: nzowc1U5Jh5xuAK0o0g3 + privilegedAccountId: + name: id + in: path + description: ID of an existing Privileged Account + required: true + schema: + type: string + privilegedResourceId: + name: id + in: path + description: ID of an existing privileged resource + required: true + schema: + type: string + queryAfter: + name: after + in: query + schema: + type: string + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). + queryAppAfter: + name: after + in: query + description: Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](/#pagination). + schema: + type: string + example: 16275000448691 + queryAppGrantsExpand: + name: expand + in: query + description: 'An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`' + schema: + type: string + example: scope + queryAppLimit: + name: limit + in: query + schema: + type: integer + format: int32 + minimum: 1 + maximum: 500 + default: 50 + description: | + Specifies the number of objects to return per page. + If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). + See [Pagination](/#pagination). 
+ queryAppUserExpand: + name: expand + in: query + description: |- + An optional query parameter to return the corresponding [User](/openapi/okta-management/management/tag/User/) object in the `_embedded` property. + Valid value: `user` + schema: + type: string + example: user + queryAppUserQ: + name: q + in: query + schema: + type: string + example: sam + description: | + Specifies a filter for the list of Application Users returned based on their profile attributes. + The value of `q` is matched against the beginning of the following profile attributes: `userName`, `firstName`, `lastName`, and `email`. + This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the attribute values. + > **Note:** For OIDC apps, user profiles don't contain the `firstName` or `lastName` attributes. Therefore, the query only matches against the `userName` or `email` attributes. + queryAppsExpand: + name: expand + in: query + description: |- + An optional parameter used for link expansion to embed more resources in the response. + Only supports `expand=user/{userId}` and must be used with the `user.id eq "{userId}"` filter query for the same user. + Returns the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. + schema: + type: string + example: user/0oa1gjh63g214q0Hq0g4 + queryExpand: + name: expand + in: query + schema: + type: string + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' 
+ queryExpandBrand: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - themes + - domains + - emailDomain + description: Specifies additional metadata to be included in the response + queryExpandEmailDomain: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - brands + description: Specifies additional metadata to be included in the response + queryExpandEmailTemplate: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - settings + - customizationCount + description: Specifies additional metadata to be included in the response + queryExpandPageRoot: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - default + - customized + - customizedUrl + - preview + - previewUrl + description: Specifies additional metadata to be included in the response + queryFilter: + name: q + in: query + description: Searches the records for matching value + schema: + type: string + queryGroupAssignmentLimit: + name: limit + in: query + description: |- + Specifies the number of objects to return per page. + If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). + See [Pagination](/#pagination). 
+ examples: + min: + value: 20 + summary: Minimum limit value + hundred: + value: 100 + summary: Sample limit value + max: + value: 200 + summary: Maximum limit value + schema: + type: integer + format: int32 + default: 20 + minimum: 20 + maximum: 200 + queryGroupAssignmentWithGroupExpand: + name: expand + in: query + description: |- + An optional query parameter to return the corresponding assigned [Group](/openapi/okta-management/management/tag/Group/) or + the group assignment metadata details in the `_embedded` property. + schema: + type: string + example: group + examples: + group: + value: group + summary: Embedded assigned Group + metadata: + value: metadata + summary: Embedded group assignment metadata + queryGroupAssignmentWithMetadataExpand: + name: expand + in: query + description: |- + An optional query parameter to return the corresponding assigned [Group](/openapi/okta-management/management/tag/Group/) or + the group assignment metadata details in the `_embedded` property. + schema: + type: string + example: metadata + examples: + group: + value: group + summary: Embedded assigned Group + metadata: + value: metadata + summary: Embedded group assignment metadata + queryLanguage: + name: language + schema: + $ref: '#/components/schemas/Language' + in: query + description: The language to use for the email. Defaults to the current user's language if unspecified. 
+ queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + queryLimitPerPoolType: + name: limitPerPoolType + in: query + schema: + type: integer + default: 5 + required: false + description: Maximum number of AgentPools being returned + queryPoolType: + name: poolType + in: query + schema: + $ref: '#/components/schemas/AgentType' + required: false + description: Agent type to search for + queryScheduled: + name: scheduled + in: query + description: Scope the list only to scheduled or ad-hoc updates. If the parameter is not provided we will return the whole list of updates. + schema: + type: boolean + required: false + queryUserExpand: + name: expand + in: query + description: 'An optional parameter to include metadata in the `_embedded` attribute. Valid value: `blocks`' + required: false + schema: + type: string + example: blocks + simulateParameter: + name: expand + description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition wasn't matched. 
+ in: query + schema: + type: string + example: EVALUATED + yubikeyTokenId: + name: tokenId + description: ID of a Yubikey token + in: path + required: true + schema: + type: string + example: ykkxdtCA1fKVxyu6R0g3 + requestBodies: + AuthenticatorRequestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorBase' + examples: + Duo: + $ref: '#/components/examples/AuthenticatorRequestDuo' + required: true + responses: + ErrorAppUserForbidden403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AppUserProvEx: + $ref: '#/components/examples/ErrorAppUserForbiddenAction' + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorAppUserUpdateBadRequest400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/ErrorAppUserUpdateBadRequest' + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + AuthenticatorResponse: + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorBase' + examples: + Duo: + $ref: '#/components/examples/AuthenticatorResponseDuo' + Email: + $ref: '#/components/examples/AuthenticatorResponseEmail' + Password: + $ref: '#/components/examples/AuthenticatorResponsePassword' + Phone: + $ref: '#/components/examples/AuthenticatorResponsePhone' + WebAuthn: + $ref: '#/components/examples/AuthenticatorResponseWebAuthn' + SecurityQuestion: + $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion' + AuthenticatorResponseInactiveWebAuthn: + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorBase' + examples: + WebAuthn: + $ref: '#/components/examples/AuthenticatorResponseInactiveWebAuthn' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: 
'#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorMissingRequiredParameter400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + MissingRequiredParameter: + $ref: '#/components/examples/ErrorMissingRequiredParameter' + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + Error502NoConnectedAgents: + description: There are no connected agents. + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AgentTimeOut: + $ref: '#/components/examples/ErrorAgentTimeOut' + Error504AgentTimeOut: + description: Timed out waiting for agent. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AgentTimeOut: + $ref: '#/components/examples/ErrorNoConnectedAgents' + DRStatusResponse: + description: OK + content: + application/json: + schema: + description: List of domains and their disaster recovery status + type: array + items: + $ref: '#/components/schemas/DRStatusItem' + headers: + Link: + description: A link to the next page of responses + schema: + type: string + ErrorResponse: + description: | + 400 - When request validation fails
+ 401 - When the user is not authenticated or the feature is not enabled
+ 403 - When the user is not authorized
+ 429 - When rate limits are exceeded
+ 500 - When an internal server error is encountred
+ 501 - When the operation is not supported
+ content: + application/json: + schema: + $ref: '#/components/schemas/ErrorResponse' + GetFactorResponse: + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactor' + examples: + SMS: + $ref: '#/components/examples/FactorResponseSms' + Email: + $ref: '#/components/examples/FactorEmail' + Error-FF-NotEnabled-Response-401: + description: Unauthorized + content: + application/json: + examples: + Unauthorized: + value: + errorCode: E0000015 + errorSummary: You do not have permission to access the feature you are requesting + errorLink: E0000015 + errorId: oaeStOuPPxDRUm3PJhf-tL7bQ + errorCauses: [] + ErrorInternalServer500: + description: Internal Server Error + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InternalServerError: + $ref: '#/components/examples/ErrorInternalServer' + NzErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/NzErrorApiValidationFailed' + NzErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/NzErrorResourceNotFound' + schemas: + AAGUIDGroupObject: + description: | + + The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + + This feature has several limitations when enrolling a security key: + - Enrollment is currently unsupported on Firefox. + - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + - If prompted during enrollment, users must allow Okta to see the make and model of the security key. 
+ type: object + properties: + aaguids: + description: A list of YubiKey hardware FIDO2 Authenticator Attestation Global Unique Identifiers (AAGUIDs). The available [AAGUIDs](https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs) (opens new window) are provided by the FIDO Alliance Metadata Service. + type: array + items: + type: string + description: AAGUID + name: + type: string + description: A name to identify the group of YubiKey hardware FIDO2 AAGUIDs + APIServiceIntegrationInstance: + type: object + properties: + configGuideUrl: + type: string + description: The URL to the API service integration configuration guide + example: https://{docDomain}/my-app-cie/configuration-guide + readOnly: true + createdAt: + type: string + description: Timestamp when the API Service Integration instance was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + createdBy: + type: string + description: The user ID of the API Service Integration instance creator + example: 00uu3u0ujW1P6AfZC2d5 + readOnly: true + grantedScopes: + type: array + description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). + items: + type: string + example: + - okta.logs.read + id: + type: string + description: The ID of the API Service Integration instance + readOnly: true + example: 0oa72lrepvp4WqEET1d9 + name: + type: string + description: The name of the API service integration that corresponds with the `type` property. This is the full name of the API service integration listed in the Okta Integration Network (OIN) catalog. + readOnly: true + example: My App Cloud Identity Engine + type: + type: string + description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`. 
+ example: my_app_cie + _links: + $ref: '#/components/schemas/APIServiceIntegrationLinks' + readOnly: true + APIServiceIntegrationInstanceSecret: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string. The client secret string is returned in the response of a Secret creation request. In other responses (such as list, activate, or deactivate requests), the client secret is returned as an undisclosed hashed value. + example: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + readOnly: true + created: + type: string + description: Timestamp when the API Service Integration instance Secret was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + id: + type: string + description: The ID of the API Service Integration instance Secret + example: ocs2f4zrZbs8nUa7p0g4 + readOnly: true + lastUpdated: + type: string + description: Timestamp when the API Service Integration instance Secret was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + secret_hash: + type: string + description: OAuth 2.0 client secret string hash + example: yk4SVx4sUWVJVbHt6M-UPA + readOnly: true + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the API Service Integration instance Secret + example: ACTIVE + _links: + $ref: '#/components/schemas/APIServiceIntegrationSecretLinks' + readOnly: true + required: + - id + - status + - client_secret + - created + - lastUpdated + - secret_hash + - _links + APIServiceIntegrationLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
+ properties: + client: + $ref: '#/components/schemas/HrefObjectClientLink' + logo: + $ref: '#/components/schemas/HrefObjectLogoLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + APIServiceIntegrationSecretLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + delete: + $ref: '#/components/schemas/HrefObjectDeleteLink' + readOnly: true + APNSConfiguration: + properties: + fileName: + type: string + description: (Optional) File name for Admin Console display + keyId: + type: string + description: 10-character Key ID obtained from the Apple developer account + teamId: + type: string + description: 10-character Team ID used to develop the iOS app + tokenSigningKey: + type: string + description: APNs private authentication token signing key + writeOnly: true + APNSPushProvider: + allOf: + - $ref: '#/components/schemas/PushProvider' + - type: object + properties: + configuration: + $ref: '#/components/schemas/APNSConfiguration' + AccessPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported. Conditions are applied at the rule level for this policy type. + default: null + nullable: true + _embedded: + type: object + properties: + resourceType: + type: string + description: The resource that this policy controls. 
For the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/#example-response), `END_USER_ACCOUNT_MANAGEMENT` is returned. For other policies, `APP` is returned. + additionalProperties: + type: object + properties: {} + AccessPolicyConstraint: + type: object + properties: + authenticationMethods: + description: This property specifies the precise authenticator and method for authentication. + type: array + items: + $ref: '#/components/schemas/AuthenticationMethodObject' + excludedAuthenticationMethods: + description: This property specifies the precise authenticator and method to exclude from authentication. + items: + $ref: '#/components/schemas/AuthenticationMethodObject' + methods: + description: The Authenticator methods that are permitted + items: + type: string + enum: + - PASSWORD + - SECURITY_QUESTION + - SMS + - VOICE + - EMAIL + - PUSH + - SIGNED_NONCE + - OTP + - TOTP + - WEBAUTHN + - DUO + - IDP + - CERT + type: array + reauthenticateIn: + description: The duration after which the user must re-authenticate regardless of user activity. This re-authentication interval overrides the Verification Method object's `reauthenticateIn` interval. The supported values use ISO 8601 period format for recurring time intervals (for example, `PT1H`). + type: string + required: + description: This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for `excludedAuthenticationMethods` the `required` value is false. 
+ type: boolean + types: + description: The Authenticator types that are permitted + items: + type: string + enum: + - SECURITY_KEY + - PHONE + - EMAIL + - PASSWORD + - SECURITY_QUESTION + - APP + - FEDERATED + type: array + AccessPolicyConstraints: + type: object + properties: + knowledge: + $ref: '#/components/schemas/KnowledgeConstraint' + possession: + $ref: '#/components/schemas/PossessionConstraint' + AccessPolicyLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app access policy resource + AccessPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/AccessPolicyRuleActions' + conditions: + $ref: '#/components/schemas/AccessPolicyRuleConditions' + AccessPolicyRuleActions: + allOf: + - $ref: '#/components/schemas/PolicyRuleActions' + - type: object + properties: + appSignOn: + $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOn' + AccessPolicyRuleApplicationSignOn: + type: object + properties: + access: + $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOnAccess' + verificationMethod: + $ref: '#/components/schemas/VerificationMethod' + AccessPolicyRuleApplicationSignOnAccess: + type: string + x-okta-known-values: + - ALLOW + - DENY + AccessPolicyRuleConditions: + allOf: + - type: object + properties: + device: + $ref: '#/components/schemas/DeviceAccessPolicyRuleCondition' + elCondition: + $ref: '#/components/schemas/AccessPolicyRuleCustomCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + platform: + $ref: '#/components/schemas/PlatformPolicyRuleCondition' + riskScore: + $ref: '#/components/schemas/RiskScorePolicyRuleCondition' + userType: + $ref: '#/components/schemas/UserTypeCondition' + AccessPolicyRuleCustomCondition: + properties: + condition: + type: string + description: expression to match + required: + - condition + 
AcsEndpoint: + description: An array of ACS endpoints. You can configure a maximum of 100 endpoints. + type: object + properties: + index: + type: integer + description: Index of the URL in the array of ACS endpoints + example: 0 + url: + type: string + description: URL of the ACS + maxLength: 1024 + example: https://www.example.com/sso/saml + required: + - url + - index + Actions: + type: object + properties: + assignUserToRealm: + $ref: '#/components/schemas/AssignUserToRealm' + AdminConsoleSettings: + title: Okta Admin Console Settings + description: Settings specific to the Okta Admin Console + type: object + properties: + sessionIdleTimeoutMinutes: + description: The maximum idle time before the Okta Admin Console session expires. Must be no more than 12 hours. + type: integer + minimum: 5 + maximum: 720 + default: 15 + sessionMaxLifetimeMinutes: + description: The absolute maximum session lifetime of the Okta Admin Console. Must be no more than 7 days. + type: integer + minimum: 5 + maximum: 10080 + default: 720 + Agent: + description: Agent details + type: object + properties: + id: + type: string + readOnly: true + isHidden: + type: boolean + isLatestGAedVersion: + type: boolean + lastConnection: + type: string + format: date-time + name: + type: string + operationalStatus: + $ref: '#/components/schemas/OperationalStatus' + poolId: + type: string + type: + $ref: '#/components/schemas/AgentType' + updateMessage: + type: string + updateStatus: + $ref: '#/components/schemas/AgentUpdateInstanceStatus' + version: + type: string + _links: + $ref: '#/components/schemas/LinksSelf' + AgentAction: + description: Details about the AD Group membership update + type: object + properties: + id: + type: string + description: ID of the AD group to update + parameters: + $ref: '#/components/schemas/Parameters' + AgentPool: + description: An AgentPool is a collection of agents that serve a common purpose. 
An AgentPool has a unique ID within an org, and contains a collection of agents disjoint to every other AgentPool (i.e. no two AgentPools share an Agent). + type: object + properties: + agents: + type: array + items: + $ref: '#/components/schemas/Agent' + id: + type: string + readOnly: true + name: + type: string + operationalStatus: + $ref: '#/components/schemas/OperationalStatus' + type: + $ref: '#/components/schemas/AgentType' + AgentPoolUpdate: + description: Various information about agent auto update configuration + type: object + properties: + agents: + type: array + items: + $ref: '#/components/schemas/Agent' + agentType: + $ref: '#/components/schemas/AgentType' + enabled: + type: boolean + id: + type: string + readOnly: true + name: + type: string + notifyAdmin: + type: boolean + reason: + type: string + schedule: + $ref: '#/components/schemas/AutoUpdateSchedule' + sortOrder: + type: integer + status: + $ref: '#/components/schemas/AgentUpdateJobStatus' + targetVersion: + type: string + _links: + $ref: '#/components/schemas/LinksSelf' + AgentPoolUpdateSetting: + description: Setting for auto-update + type: object + properties: + agentType: + $ref: '#/components/schemas/AgentType' + continueOnError: + type: boolean + latestVersion: + type: string + minimalSupportedVersion: + type: string + poolId: + type: string + readOnly: true + poolName: + type: string + releaseChannel: + $ref: '#/components/schemas/ReleaseChannel' + AgentType: + description: Agent types that are being monitored + type: string + x-okta-known-values: + - AD + - IWA + - LDAP + - MFA + - OPP + - RUM + - Radius + AgentUpdateInstanceStatus: + description: Status for one agent regarding the status to auto-update that agent + type: string + x-okta-known-values: + - Cancelled + - Failed + - InProgress + - PendingCompletion + - Scheduled + - Success + AgentUpdateJobStatus: + description: Overall state for the auto-update job from admin perspective + type: string + x-okta-known-values: + - 
Cancelled + - Failed + - InProgress + - Paused + - Scheduled + - Success + AllowedForEnum: + description: The allowed types of uses for the Authenticator + type: string + x-okta-known-values: + - any + - none + - recovery + - sso + AndroidZeroTrust: + description: Android Zero Trust integration provider + type: object + properties: + deviceIntegrityLevel: + $ref: '#/components/schemas/DeviceIntegrity' + networkProxyDisabled: + description: Indicates whether a device has a network proxy disabled + type: boolean + playProtectVerdict: + $ref: '#/components/schemas/PlayProtectVerdict' + requireMajorVersionUpdate: + description: | + Indicates whether the device needs to be on the latest major version available to the device + + **Note:** This option requires an `osVersion.dynamicVersionRequirement` value to be supplied with the `osVersion.dynamicVersionRequirement.type` as either `MINIMUM` or `EXACT`. + type: boolean + requirePatchVersionUpdate: + description: | + Indicates whether the device needs to be on the latest patch version available to the device + + **Note:** This property mirrors `osVersion.dynamicVersionRequirement.latestSecurityPatch` and is meant for informational purposes only. + type: boolean + readOnly: true + screenLockComplexity: + $ref: '#/components/schemas/ScreenLockComplexity' + usbDebuggingDisabled: + description: Indicates whether Android Debug Bridge (adb) over USB is disabled + type: boolean + wifiSecured: + description: Indicates whether a device is on a password-protected Wi-Fi network + type: boolean + ApiToken: + title: API Token + description: An API token for an Okta User. This token is NOT scoped any further and can be used for any API the user has permissions to call. 
+ type: object + properties: + clientName: + type: string + readOnly: true + created: + type: string + format: date-time + readOnly: true + expiresAt: + type: string + format: date-time + readOnly: true + id: + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + network: + type: object + description: The Network Condition of the API Token + properties: + connection: + type: string + description: The connection type of the Network Condition + include: + type: array + description: List of included IP network zones + items: + type: string + exclude: + type: array + description: List of excluded IP network zones + items: + type: string + tokenWindow: + $ref: '#/components/schemas/TimeDuration' + userId: + type: string + _link: + $ref: '#/components/schemas/LinksSelf' + required: + - name + ApiTokenUpdate: + title: API Token Update + description: An API Token Update Object for an Okta user. This token is NOT scoped any further and can be used for any API that the user has permissions to call. 
+ type: object + properties: + clientName: + type: string + description: The client name associated with the API Token + readOnly: true + created: + type: string + description: The creation date of the API Token + format: date-time + readOnly: true + name: + type: string + description: The name associated with the API Token + network: + type: object + description: The Network Condition of the API Token + properties: + connection: + type: string + description: The connection type of the Network Condition + include: + type: array + description: List of included IP network zones + items: + type: string + exclude: + type: array + description: List of excluded IP network zones + items: + type: string + userId: + type: string + description: The userId of the user who created the API Token + AppAccountContainerDetails: + description: Container details for resource type APP_ACCOUNT + type: object + properties: + appName: + type: string + description: The application name + readOnly: true + example: google + containerId: + type: string + description: The application ID associated with the privileged account + example: 0oa103099SBEb3Z2b0g4 + displayName: + type: string + description: Human-readable name of the container that owns the privileged resource + readOnly: true + example: Google App1 + globalAppId: + type: string + description: The application global ID + readOnly: true + example: 964b82aa-85b4-5645-b790-83312c473480 + passwordPushSupported: + type: boolean + description: Indicates if the application supports password push + readOnly: true + example: true + provisioningEnabled: + type: boolean + description: Indicates if provisioning is enabled for this application + readOnly: true + example: true + status: + $ref: '#/components/schemas/AppInstanceContainerStatus' + _links: + $ref: '#/components/schemas/appLink' + required: + - containerId + AppAndInstanceConditionEvaluatorAppOrInstance: + type: object + properties: + id: + type: string + description: ID of the app 
+ readOnly: false + name: + type: string + description: Name of the app type + type: + $ref: '#/components/schemas/AppAndInstanceType' + AppAndInstancePolicyRuleCondition: + type: object + properties: + exclude: + type: array + description: The list of applications to exclude + items: + $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' + include: + type: array + description: The list of apps or app instances to match on + items: + $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' + AppAndInstanceType: + description: Type of app + type: string + x-okta-known-values: + - APP + - APP_TYPE + AppCsrPkcs10: + description: Base64URL-encoded CSR in DER format + format: base64 + type: string + AppCustomHrefObject: + type: object + properties: + hints: + type: object + description: Describes allowed HTTP verbs for the `href` + properties: + allow: + type: array + items: + type: string + href: + type: string + description: Link URI + title: + type: string + description: Link name + type: + type: string + description: The media type of the link. If omitted, it is implicitly `application/json`. 
+ required: + - href + readOnly: true + AppInstanceContainerStatus: + description: Current status of the application instance + type: string + readOnly: true + x-okta-known-values: + - ACTIVE + - DELETED + - INACTIVE + AppInstancePolicyRuleCondition: + type: object + properties: + exclude: + type: array + items: + type: string + include: + type: array + items: + type: string + AppLink: + type: object + properties: + appAssignmentId: + type: string + readOnly: true + appInstanceId: + type: string + readOnly: true + appName: + type: string + readOnly: true + credentialsSetup: + type: boolean + readOnly: true + hidden: + type: boolean + readOnly: true + id: + type: string + readOnly: true + label: + type: string + readOnly: true + linkUrl: + type: string + readOnly: true + logoUrl: + type: string + readOnly: true + sortOrder: + type: integer + readOnly: true + AppResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: + type: string + description: Link name + example: My App + AppUser: + title: Application User + description: The Application User object defines a user's app-specific profile and credentials for an app + type: object + properties: + created: + allOf: + - $ref: '#/components/schemas/createdProperty' + - example: '2014-06-24T15:27:59.000Z' + credentials: + $ref: '#/components/schemas/AppUserCredentials' + externalId: + type: string + description: |- + The ID of the user in the target app that's linked to the Okta Application User object. + This value is the native app-specific identifier or primary key for the user in the target app. + + The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user is created in the target app. + This value isn't populated for SSO app assignments (for example, SAML or SWA) because it isn't synchronized with a target app. 
+ readOnly: true + example: 70c14cc17d3745e8a9f98d599a68329c + id: + type: string + description: Unique identifier for the Okta User + example: 00u11z6WHMYCGPCHCRFK + lastSync: + type: string + description: Timestamp of the last synchronization operation. This value is only updated for apps with the `IMPORT_PROFILE_UPDATES` or `PUSH PROFILE_UPDATES` feature. + format: date-time + readOnly: true + example: '2014-06-24T15:27:59.000Z' + lastUpdated: + allOf: + - $ref: '#/components/schemas/lastUpdatedProperty' + - example: '2014-06-24T15:28:14.000Z' + passwordChanged: + type: string + description: Timestamp when the Application User password was last changed + format: date-time + readOnly: true + nullable: true + example: '2014-06-24T15:27:59.000Z' + profile: + $ref: '#/components/schemas/AppUserProfile' + scope: + type: string + description: Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`). + enum: + - USER + - GROUP + example: USER + status: + $ref: '#/components/schemas/AppUserStatus' + statusChanged: + type: string + description: Timestamp when the Application User status was last changed + format: date-time + readOnly: true + example: '2014-06-24T15:28:14.000Z' + syncState: + $ref: '#/components/schemas/AppUserSyncState' + _embedded: + type: object + description: Embedded resources related to the Application User using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/LinksAppAndUser' + AppUserAssignRequest: + allOf: + - $ref: '#/components/schemas/AppUser' + - required: + - id + AppUserCredentials: + description: | + Specifies a user's credentials for the app. 
+ This parameter can be omitted for apps with [sign-on mode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/signOnMode&t=response) (`signOnMode`) or [authentication schemes](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/credentials/scheme&t=response) (`credentials.scheme`) that don't require credentials. + type: object + properties: + password: + $ref: '#/components/schemas/AppUserPasswordCredential' + userName: + type: string + description: |- + The user's username in the app + + > **Note:** The [userNameTemplate](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/userNameTemplate&t=request) in the Application object defines the default username generated when a user is assigned to that app. + > If you attempt to assign a username or password to an app with an incompatible [authentication scheme](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/scheme&t=request), the following error is returned: + > "Credentials should not be set on this resource based on the scheme." + minLength: 1 + maxLength: 100 + example: testuser@example.com + AppUserCredentialsRequestPayload: + title: Credentials + description: Updates the assigned user credentials + type: object + properties: + credentials: + $ref: '#/components/schemas/AppUserCredentials' + AppUserPasswordCredential: + description: The user's password. This is a write-only property. An empty `password` object is returned to indicate that a password value exists. + type: object + properties: + value: + description: Password value + type: string + format: password + writeOnly: true + AppUserProfile: + description: | + Specifies the default and custom profile properties for a user. 
+ Properties that are visible in the Admin Console for an app assignment can also be assigned through the API. + Some properties are reference properties that are imported from the target app and can't be configured. + See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response). + additionalProperties: true + type: object + AppUserProfileRequestPayload: + title: Profile + description: |- + Updates the assigned user profile + > **Note:** The Okta API currently doesn't support entity tags for conditional updates. As long as you're the only user updating the the user profile, Okta recommends you fetch the most recent profile with [Retrieve an Application User](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/getApplicationUser), apply your profile update, and then `POST` back the updated profile. + type: object + properties: + profile: + $ref: '#/components/schemas/AppUserProfile' + AppUserStatus: + description: Status of an Application User + example: ACTIVE + type: string + x-enumDescriptions: + ACTIVE: The Application User is provisioned and is enabled to use the app. This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` feature enabled and user import is confirmed, or if the app doesn't have provisioning enabled. + INACTIVE: The Application User is provisioned, but isn't enabled to use the app. Application Users in this status can be reactivated with a password reset or permanently deleted. + IMPORTED: The Application User is created based on imported data. + MATCHED: The imported user is matched with an existing Application User. + UNASSIGNED: The Application User was imported, but the user-matching operation was skipped. + SUSPENDED: The Application User is provisioned, but isn't enabled to use the app. Application Users in this status can be reactivated without a password reset. 
+ PENDING: The Application User is provisioned, but in a pending state and can't use the app. The status moves to `ACTIVE` when the Application User is activated. + APPROVED: The Application User was created but not provisioned. This status can occur when manual provisioning acknowledgment is required. + REVOKED: The Application User is disabled and waiting for deprovisioning acknowledgment. The Application User can be deleted after deprovisioning acknowledgment. + IMPLICIT: The Application User is now migrated to use implicit app assignment. + STAGED: The Application User doesn't have `externalId` set and the background provisioning operation is queued. This applies to apps with the `PUSH_NEW_USERS` feature enabled. + PROVISIONED: The background provisioning operation completed and the Application User was assigned an `externalId` successfully. + DEPROVISIONED: The user was removed by the provisioning operation and the `externalId` property is unassigned. + readOnly: true + x-okta-known-values: + - ACTIVE + - APPROVED + - DEPROVISIONED + - IMPLICIT + - IMPORTED + - INACTIVE + - MATCHED + - PENDING + - PROVISIONED + - REVOKED + - STAGED + - SUSPENDED + - UNASSIGNED + AppUserSyncState: + description: |- + The synchronization state for the Application User. + The Application User's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app. + + > **Note:** User provisioning currently must be configured through the Admin Console. + example: SYNCHRONIZED + type: string + x-enumDescriptions: + DISABLED: The provisioning feature is disabled for the app (`PROFILE_MASTERING` feature is disabled). + OUT_OF_SYNC: The Application User has changes that haven't been pushed to the target app. + SYNCING: A background provisioning operation is running to update the user's profile in the target app. + SYNCHRONIZED: All changes to the Application User profile have successfully been synchronized with the target app. 
+ ERROR: A background provisioning operation failed to update the user's profile in the target app. You must resolve the provisioning task in the Admin Console before you retry the operation. + readOnly: true + x-okta-known-values: + - DISABLED + - ERROR + - OUT_OF_SYNC + - SYNCHRONIZED + - SYNCING + AppUserUpdateRequest: + oneOf: + - $ref: '#/components/schemas/AppUserCredentialsRequestPayload' + - $ref: '#/components/schemas/AppUserProfileRequestPayload' + AppleClientSigning: + description: |- + Information used to generate the secret JSON Web Token for the token requests to Apple IdP + > **Note:** The `privateKey` property is required for a CREATE request. For an UPDATE request, it can be null and keeps the existing value if it's null. The `privateKey` property isn't returned for LIST and GET requests or UPDATE requests if it's null. + type: object + properties: + kid: + type: string + description: The Key ID that you obtained from Apple when you created the private key for the client + maxLength: 1024 + example: test key id + privateKey: + type: string + description: The PKCS \#8 encoded private key that you created for the client and downloaded from Apple + maxLength: 1024 + example: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + teamId: + type: string + description: The Team ID associated with your Apple developer account + maxLength: 1024 + example: test team id + Application: + type: object + properties: + accessibility: + $ref: '#/components/schemas/ApplicationAccessibility' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the Application object was created + features: + type: array + description: | + Enabled app features + > **Note:** Some apps can support optional provisioning features. 
See [Application Features](/openapi/okta-management/management/tag/ApplicationFeatures/) + items: + type: string + enum: + - GROUP_PUSH + - IMPORT_NEW_USERS + - IMPORT_PROFILE_UPDATES + - IMPORT_USER_SCHEMA + - PROFILE_MASTERING + - PUSH_NEW_USERS + - PUSH_PASSWORD_UPDATES + - PUSH_PROFILE_UPDATES + - PUSH_USER_DEACTIVATION + - REACTIVATE_USERS + - OUTBOUND_DEL_AUTH + - DESKTOP_SSO + - FEDERATED_PROFILE + - SUPPRESS_ACTIVATION_EMAIL + - PUSH_PENDING_USERS + - MFA + - UPDATE_EXISTING_USERNAME + - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH + - EXCHANGE_ACTIVE_SYNC + - IMPORT_SYNC + - IMPORT_SYNC_CONTACTS + - DEVICE_COMPLIANCE + - VPN_CONFIG + - IMPORT_SCHEMA_ENUM_VALUES + - SCIM_PROVISIONING + - DEVICE_FILTER_IN_SIGN_ON_RULES + - PROFILE_TEMPLATE_UPGRADE + - DEFAULT_PUSH_STATUS_TO_PUSH + - REAL_TIME_SYNC + - SSO + - AUTHN_CONTEXT + - JIT_PROVISIONING + - GROUP_SYNC + - OPP_SCIM_INCREMENTAL_IMPORTS + - IN_MEMORY_APP_USER + - LOG_STREAMING + - OAUTH_INTEGRATION + - IDP + - PUSH_NEW_USERS_WITHOUT_PASSWORD + - SKYHOOK_SERVICE + - ENTITLEMENT_MANAGEMENT + - PUSH_NEW_USERS_WITH_HASHED_PASSWORD + x-enumDescriptions: + GROUP_PUSH: Creates or links a group in the app when a mapping is defined for a group in Okta. Okta is the source for group memberships and all group members in Okta who are also assigned to the app are synced as group members to the app. + IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app + IMPORT_PROFILE_UPDATES: Updates a linked user's app profile during manual or scheduled imports + IMPORT_USER_SCHEMA: Discovers the profile schema for a user from the app automatically + PROFILE_MASTERING: Designates the app as the identity lifecycle and profile attribute authority for linked users. The user's profile in Okta is read-only. 
+ PUSH_NEW_USERS: Creates or links a user account in the app when assigning the app to a user in Okta + PUSH_PASSWORD_UPDATES: Updates the user's app password when their password changes in Okta + PUSH_PROFILE_UPDATES: Updates a user's profile in the app when the user's profile changes in Okta (the profile source) + PUSH_USER_DEACTIVATION: Deactivates a user's account in the app when unassigned from the app in Okta or deactivated + REACTIVATE_USERS: Reactivates an existing inactive user when provisioning a user to the app + OUTBOUND_DEL_AUTH: Okta user authentication requests are delegated to a third-party app + DESKTOP_SSO: Okta user authentication requests are handled by desktop SSO negotiation (if possible) + FEDERATED_PROFILE: App User profiles are synchronized at sign-in and profile-view instances instead of during bulk imports + SUPPRESS_ACTIVATION_EMAIL: Activation emails aren't sent to users sourced by AD and orgs with DelAuth enabled + PUSH_PENDING_USERS: Users are in PENDING state in Okta and are created but not active in the sourced app user + MFA: App can verify credentials as a second factor + UPDATE_EXISTING_USERNAME: App can update the user name for existing users + EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push + EXCHANGE_ACTIVE_SYNC: App supports synchronizing credentials with OMM enrolled devices + IMPORT_SYNC: Synchronize import events + IMPORT_SYNC_CONTACTS: Synchronize contacts + DEVICE_COMPLIANCE: Apps support device compliance rules + VPN_CONFIG: App supports pushing VPN configuration to OMM enrolled devices + IMPORT_SCHEMA_ENUM_VALUES: App supports downloading schema enum values. You can download custom objects and integrating them with UD without being tied to the type metadata system. 
+ SCIM_PROVISIONING: App supports generic SCIM client provisioning and can leverage SCIM standard for provisioning and push custom attributes to a third-party app + DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules + PROFILE_TEMPLATE_UPGRADE: App supports profile template upgrades. This is primarily to help roll out the profile template upgrade feature for individual apps + DEFAULT_PUSH_STATUS_TO_PUSH: App defaults Push status to `PUSH`. This feature is for apps, such as SharePoint, that want to receive App User profile updates even though they didn't implement traditional PUSH_PROFILE_UPDATES in the client API. + REAL_TIME_SYNC: Apps support real-time synchronization + SSO: Apps support establishing a subject based on claims from an IdP + AUTHN_CONTEXT: Apps support establishing an authentication context based on claims from an IdP + JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP + GROUP_SYNC: Apps support syncing group information based on claims from an IdP + OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances + IN_MEMORY_APP_USER: Apps support in-memory App Users. This feature is used as an alternative to Implicit App Assignment for a non-persisted App User. + LOG_STREAMING: Apps support Log Streaming + OAUTH_INTEGRATION: App is an OAuth 2.0 Integration + IDP: Apps support IdP functionalities + PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users + SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations + ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled + PUSH_NEW_USERS_WITH_HASHED_PASSWORD: Send hashed password for new users. This feature is only used for CIS to CIC migration. 
+ id: + type: string + readOnly: true + description: Unique ID for the app instance + label: + $ref: '#/components/schemas/ApplicationLabel' + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the Application object was last updated + licensing: + $ref: '#/components/schemas/ApplicationLicensing' + orn: + type: string + readOnly: true + description: The Okta resource name (ORN) for the current app instance + profile: + type: object + description: |- + Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps). + For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function. + + > **Notes:** + > * `profile` isn't encrypted, so don't store sensitive data in it. + > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance. + additionalProperties: true + signOnMode: + $ref: '#/components/schemas/ApplicationSignOnMode' + status: + $ref: '#/components/schemas/ApplicationLifecycleStatus' + visibility: + $ref: '#/components/schemas/ApplicationVisibility' + _embedded: + type: object + description: Embedded resources related to the app using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=user/{userId}` query parameter is specified, then the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) is embedded. 
+ properties: + user: + type: object + description: The specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) assigned to the app + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/ApplicationLinks' + required: + - signOnMode + - label + discriminator: + propertyName: signOnMode + mapping: + AUTO_LOGIN: '#/components/schemas/AutoLoginApplication' + BASIC_AUTH: '#/components/schemas/BasicAuthApplication' + BOOKMARK: '#/components/schemas/BookmarkApplication' + BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' + OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' + SAML_1_1: '#/components/schemas/Saml11Application' + SAML_2_0: '#/components/schemas/SamlApplication' + SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' + WS_FEDERATION: '#/components/schemas/WsFederationApplication' + ApplicationAccessibility: + description: Specifies access settings for the app + type: object + properties: + errorRedirectUrl: + type: string + description: Custom error page URL for the app + loginRedirectUrl: + type: string + description: |- + Custom login page URL for the app + > **Note:** The `loginRedirectUrl` property is deprecated in Identity Engine. This property is used with the custom app login feature. Orgs that actively use this feature can continue to do so. See [Okta-hosted sign-in (redirect authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) or [configure IdP routing rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) to redirect users to the appropriate sign-in app for orgs that don't use the custom app login feature. 
+ selfService: + type: boolean + description: Represents whether the app can be self-assignable by users + ApplicationCredentials: + description: Credentials for the specified `signOnMode` + type: object + properties: + signing: + $ref: '#/components/schemas/ApplicationCredentialsSigning' + userNameTemplate: + $ref: '#/components/schemas/ApplicationCredentialsUsernameTemplate' + ApplicationCredentialsOAuthClient: + type: object + properties: + autoKeyRotation: + type: boolean + description: Requested key rotation mode + default: true + client_id: + type: string + maxLength: 100 + minLength: 6 + description: |- + Unique identifier for the OAuth 2.0 client app + + > **Notes:** + > * If you don't specify the `client_id`, this immutable property is populated with the [Application instance ID](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=4/id&t=response). + > * The `client_id` must consist of alphanumeric characters or the following special characters: `$-_.+!*'(),`. + > * You can't use the reserved word `ALL_CLIENTS`. + client_secret: + type: string + maxLength: 100 + minLength: 14 + description: |- + OAuth 2.0 client secret string (used for confidential clients) + + > **Notes:** If a `client_secret` isn't provided on creation, and the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client app. + > The `client_secret` is only shown when an OAuth 2.0 client app is created or updated (and only if the `token_endpoint_auth_method` requires a client secret). + pkce_required: + type: boolean + description: Requires Proof Key for Code Exchange (PKCE) for additional verification. If `token_endpoint_auth_method` is `none`, then `pkce_required` must be `true`. The default is `true` for browser and native app types. 
+ default: true + token_endpoint_auth_method: + $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod' + ApplicationCredentialsScheme: + description: | + Apps with `BASIC_AUTH`, `BROWSER_PLUGIN`, or `SECURE_PASSWORD_STORE` sign-on modes have credentials vaulted by Okta and can be configured with the following schemes. + type: string + x-enumDescriptions: + ADMIN_SETS_CREDENTIALS: Admin sets username and password + EDIT_PASSWORD_ONLY: Admin sets username, user sets password + EDIT_USERNAME_AND_PASSWORD: User sets username and password + EXTERNAL_PASSWORD_SYNC: Admin sets username, password is the same as user's Okta password + SHARED_USERNAME_AND_PASSWORD: Users share a single username and password set by the admin + x-okta-known-values: + - ADMIN_SETS_CREDENTIALS + - EDIT_PASSWORD_ONLY + - EDIT_USERNAME_AND_PASSWORD + - EXTERNAL_PASSWORD_SYNC + - SHARED_USERNAME_AND_PASSWORD + ApplicationCredentialsSigning: + description: | + App signing key properties + > **Note:** Only apps with SAML_2_0, SAML_1_1, WS_FEDERATION, or OPENID_CONNECT `signOnMode` support the key rotation feature. + type: object + properties: + kid: + type: string + description: |- + Key identifier used for signing assertions + > **Note:** Currently, only the X.509 JWK format is supported for apps with SAML_2_0 `signOnMode`. 
+ lastRotated: + type: string + description: Timestamp when the signing key was last rotated + format: date-time + readOnly: true + nextRotation: + type: string + description: The scheduled time for the next signing key rotation + format: date-time + readOnly: true + rotationMode: + type: string + description: The mode of key rotation + use: + $ref: '#/components/schemas/ApplicationCredentialsSigningUse' + ApplicationCredentialsSigningUse: + description: Specifies the intended use of the key + type: string + x-okta-known-values: + - sig + ApplicationCredentialsUsernameTemplate: + description: The template used to generate the username when the app is assigned through a group or directly to a user + type: object + properties: + pushStatus: + type: string + description: Determines if the username is pushed to the app on updates for CUSTOM `type` + enum: + - PUSH + - DONT_PUSH + - NOT_CONFIGURED + template: + type: string + description: |- + Mapping expression used to generate usernames. + + The following are supported mapping expressions that are used with the `BUILT_IN` template type: + + | Name | Template Expression | + | ------------------------------- | ---------------------------------------------- | + | AD Employee ID | `${source.employeeID}` | + | AD SAM Account Name | `${source.samAccountName}` | + | AD SAM Account Name (lowercase) | `${fn:toLowerCase(source.samAccountName)}` | + | AD User Principal Name | `${source.userName}` | + | AD User Principal Name prefix | `${fn:substringBefore(source.userName, "@")}` | + | Email | `${source.email}` | + | Email (lowercase) | `${fn:toLowerCase(source.email)}` | + | Email prefix | `${fn:substringBefore(source.email, "@")}` | + | LDAP UID + custom suffix | `${source.userName}${instance.userSuffix}` | + | Okta username | `${source.login}` | + | Okta username prefix | `${fn:substringBefore(source.login, "@")}` | + default: ${source.login} + type: + type: string + description: Type of mapping expression. 
Empty string is allowed. + enum: + - NONE + - BUILT_IN + - CUSTOM + default: BUILT_IN + userSuffix: + type: string + description: An optional suffix appended to usernames for `BUILT_IN` mapping expressions + ApplicationFeature: + description: | + The Feature object is used to configure app feature settings. + type: object + properties: + description: + type: string + description: Description of the feature + example: Settings for provisioning users from Okta to a downstream app + readOnly: true + name: + $ref: '#/components/schemas/ApplicationFeatureType' + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + - example: ENABLED + - readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - readOnly: true + discriminator: + propertyName: name + mapping: + USER_PROVISIONING: '#/components/schemas/UserProvisioningApplicationFeature' + INBOUND_PROVISIONING: '#/components/schemas/InboundProvisioningApplicationFeature' + ApplicationFeatureType: + description: | + Key name of the feature + + | Feature name | Description | + | --------- | ------------- | + | USER_PROVISIONING | User profiles are pushed from Okta to the third-party app. Represents the **To App** provisioning feature setting in the Admin Console. | + | INBOUND_PROVISIONING | User profiles are imported from the third-party app into Okta. This feature represents the **To Okta** provisioning feature setting in the Admin Console. 
| + + Select the feature: + example: USER_PROVISIONING + type: string + x-okta-known-values: + - USER_PROVISIONING + - USER_PROVISIONING + - INBOUND_PROVISIONING + ApplicationGroupAssignment: + title: Application Group Assignment + description: The Application Group object that defines a group of users' app-specific profile and credentials for an app + type: object + properties: + id: + type: string + description: ID of the [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) + readOnly: true + example: 00g4hb1HChfUriNgW0g4 + lastUpdated: + allOf: + - $ref: '#/components/schemas/lastUpdatedProperty' + - example: '2014-06-24T15:28:14.000Z' + priority: + type: integer + description: |- + Priority assigned to the group. If an app has more than one group assigned to the same user, then the group with the higher priority has its profile applied to the [Application User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/). + If a priority value isn't specified, then the next highest priority is assigned by default. + See [Assign attribute group priority](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-app-group-priority) and the [sample priority use case](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-combine-values-use). + example: 99 + profile: + $ref: '#/components/schemas/GroupAssignmentProfile' + _embedded: + type: object + description: |- + Embedded resource related to the Application Group using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + If the `expand=group` query parameter is specified, then the [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) object is embedded. + If the `expand=metadata` query parameter is specified, then the group assignment metadata is embedded. 
+ additionalProperties: + type: object + properties: {} + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + $ref: '#/components/schemas/HrefObjectAppLink' + group: + $ref: '#/components/schemas/HrefObjectGroupLink' + ApplicationLabel: + description: User-defined display name for app + type: string + ApplicationLayout: + type: object + properties: + elements: + type: array + items: + type: object + additionalProperties: {} + label: + type: string + options: + type: object + additionalProperties: {} + rule: + type: object + properties: + effect: + type: string + condition: + $ref: '#/components/schemas/ApplicationLayoutRuleCondition' + scope: + type: string + type: + type: string + ApplicationLayoutRuleCondition: + type: object + properties: + schema: + type: object + additionalProperties: {} + scope: + type: string + ApplicationLayouts: + type: object + properties: + _links: + type: object + properties: + general: + $ref: '#/components/schemas/ApplicationLayoutsLinksItem' + signOn: + $ref: '#/components/schemas/ApplicationLayoutsLinksItem' + provisioning: + $ref: '#/components/schemas/ApplicationLayoutsLinksItem' + readOnly: true + ApplicationLayoutsLinksItem: + items: + $ref: '#/components/schemas/HrefObject' + type: array + ApplicationLicensing: + description: Licenses for the app + type: object + properties: + seatCount: + type: integer + description: Number of licenses purchased for the app + ApplicationLifecycleStatus: + description: App instance status + type: string + readOnly: true + x-okta-known-values: + - ACTIVE + - DELETED + - INACTIVE + ApplicationLinks: + description: Discoverable resources related to the app + properties: + accessPolicy: + $ref: '#/components/schemas/AccessPolicyLink' + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + appLinks: + type: array + description: List of app link resources + items: + $ref: '#/components/schemas/HrefObject' + deactivate: + 
$ref: '#/components/schemas/HrefObjectDeactivateLink' + groups: + $ref: '#/components/schemas/GroupsLink' + help: + $ref: '#/components/schemas/HelpLink' + logo: + type: array + description: List of app logo resources + items: + $ref: '#/components/schemas/HrefObject' + metadata: + $ref: '#/components/schemas/MetadataLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + users: + $ref: '#/components/schemas/UsersLink' + readOnly: true + ApplicationSettings: + description: App settings + type: object + properties: + identityStoreId: + type: string + description: Identifies an additional identity store app, if your app supports it. The `identityStoreId` value must be a valid identity store app ID. This identity store app must be created in the same org as your app. + implicitAssignment: + type: boolean + description: Controls whether Okta automatically assigns users to the app based on the user's role or group membership. + inlineHookId: + type: string + description: Identifier of an inline hook. Inline hooks are outbound calls from Okta to your own custom code, triggered at specific points in Okta process flows. They allow you to integrate custom functionality into those flows. See [Inline hooks](/openapi/okta-management/management/tag/InlineHook/). 
+ notes: + $ref: '#/components/schemas/ApplicationSettingsNotes' + notifications: + $ref: '#/components/schemas/ApplicationSettingsNotifications' + ApplicationSettingsNotes: + description: App notes visible to either the admin or end user + type: object + properties: + admin: + type: string + description: An app message that's visible to admins + enduser: + type: string + description: A message that's visible in the End-User Dashboard + ApplicationSettingsNotifications: + description: Specifies notifications settings for the app + type: object + properties: + vpn: + $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn' + ApplicationSettingsNotificationsVpn: + description: Sends customizable messages with conditions to end users when a VPN connection is required + type: object + properties: + helpUrl: + type: string + description: An optional URL to a help page to assist your end users in signing in to your company VPN + message: + type: string + description: A VPN requirement message that's displayed to users + network: + $ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork' + required: + - network + ApplicationSettingsNotificationsVpnNetwork: + description: Defines network zones for VPN notification + type: object + properties: + connection: + type: string + description: Specifies the VPN connection details required to access the app + enum: + - DISABLED + - ANYWHERE + - ON_NETWORK + - OFF_NETWORK + - ZONE + x-enumDescriptions: + DISABLED: The default state. Retain this setting for apps that don't require a VPN connection. + ANYWHERE: Displays VPN connection information regardless of the browser's client IP. The notification appears before the end user can access the app. + ON_NETWORK: Displays VPN connection information only when a browser's client IP matches the configured Public Gateway IPs. The notification appears before the end user can access the app. 
+ OFF_NETWORK: Displays VPN connection information only when the browser's client IP doesn't match the configured Public Gateway IPs. The notification appears before the end user can access the app. + exclude: + type: array + description: Defines the IP addresses or network ranges that are excluded from the VPN requirement + items: + type: string + include: + type: array + description: Defines the IP addresses or network ranges that are required to use the VPN + items: + type: string + ApplicationSignOnMode: + description: | + Authentication mode for the app + + | signOnMode | Description | + | ---------- | ----------- | + | AUTO_LOGIN | Secure Web Authentication (SWA) | + | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | + | BOOKMARK | Just a bookmark (no-authentication) | + | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin | + | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | + | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) | + | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | + | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) | + | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile | + + Select the `signOnMode` for your custom app: + type: string + x-okta-known-values: + - AUTO_LOGIN + - BASIC_AUTH + - BOOKMARK + - BROWSER_PLUGIN + - OPENID_CONNECT + - SAML_1_1 + - SAML_2_0 + - SECURE_PASSWORD_STORE + - WS_FEDERATION + ApplicationType: + description: 'The type of client application. Default value: `web`.' + type: string + x-okta-known-values: + - browser + - native + - service + - web + ApplicationVisibility: + description: Specifies visibility settings for the app + type: object + properties: + appLinks: + type: object + description: Links or icons that appear on the End-User Dashboard if they're set to `true`. 
+ additionalProperties: + type: boolean + autoLaunch: + type: boolean + description: Automatically signs in to the app when user signs into Okta + autoSubmitToolbar: + type: boolean + description: Automatically sign in when user lands on the sign-in page + hide: + $ref: '#/components/schemas/ApplicationVisibilityHide' + ApplicationVisibilityHide: + description: Hides the app for specific end-user apps + type: object + properties: + iOS: + type: boolean + description: Okta Mobile for iOS or Android (pre-dates Android) + default: false + example: false + web: + type: boolean + description: Okta End-User Dashboard on a web browser + default: false + example: true + AssignGroupOwnerRequestBody: + type: object + properties: + id: + description: The `id` of the group owner + type: string + type: + $ref: '#/components/schemas/GroupOwnerType' + AssignRoleRequest: + type: object + properties: + type: + $ref: '#/components/schemas/RoleType' + AssignUserToRealm: + type: object + properties: + realmId: + type: string + AssociatedServerMediated: + type: object + properties: + trusted: + type: array + description: A list of the authorization server IDs + items: + type: string + AssuranceMethod: + allOf: + - $ref: '#/components/schemas/VerificationMethod' + - type: object + properties: + constraints: + items: + $ref: '#/components/schemas/AccessPolicyConstraints' + type: array + factorMode: + $ref: '#/components/schemas/AssuranceMethodFactorMode' + inactivityPeriod: + type: string + description: The inactivity duration after which the user must re-authenticate. Use the ISO 8601 period format (for example, PT2H). + reauthenticateIn: + type: string + description: The duration after which the user must re-authenticate, regardless of user activity. Keep in mind that the re-authentication intervals for constraints take precedent over this value. Use the ISO 8601 period format for recurring time intervals (for example, PT2H, PT0S, PT43800H, and so on). 
+ AssuranceMethodFactorMode: + type: string + x-okta-known-values: + - 1FA + - 2FA + AttackProtectionAuthenticatorSettings: + type: object + properties: + verifyKnowledgeSecondWhen2faRequired: + type: boolean + description: If true, requires users to verify a possession factor before verifying a knowledge factor when the assurance requires two-factor authentication (2FA). + default: false + AuthServerLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + claims: + allOf: + - description: Link to the authorization server claims + - $ref: '#/components/schemas/HrefObject' + deactivate: + allOf: + - $ref: '#/components/schemas/HrefObjectDeactivateLink' + metadata: + description: Link to the authorization server metadata + type: array + items: + $ref: '#/components/schemas/HrefObject' + policies: + allOf: + - description: Link to the authorization server policies + - $ref: '#/components/schemas/HrefObject' + rotateKey: + allOf: + - description: Link to the authorization server key rotation + - $ref: '#/components/schemas/HrefObject' + scopes: + allOf: + - description: Link to the authorization server scopes + - $ref: '#/components/schemas/HrefObject' + AuthenticationMethod: + type: object + properties: + hardwareProtection: + type: string + description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + id: + type: string + description: An ID that identifies the authenticator + key: + type: string + description: A label that identifies the authenticator + method: + type: string + description: Specifies the method used for the authenticator + phishingResistant: + type: string + description: Indicates if phishing-resistant Factors are required. 
This property is only set for `POSSESSION` constraints + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + userVerification: + type: string + description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + required: + - key + - method + AuthenticationMethodChain: + type: object + properties: + authenticationMethods: + items: + $ref: '#/components/schemas/AuthenticationMethod' + type: array + next: + type: array + description: The next steps of the authentication method chain. This is an array of `AuthenticationMethodChain`. Only supports one item in the array. + items: + type: object + reauthenticateIn: + type: string + description: |- + Specifies how often the user should be prompted for authentication using duration format for the time period. + For example, `PT2H30M` for two and a half hours. This parameter can't be set at the same time as the `reauthenticateIn` property on the `verificationMethod`. + AuthenticationMethodChainMethod: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + allOf: + - $ref: '#/components/schemas/VerificationMethod' + - type: object + properties: + chains: + items: + $ref: '#/components/schemas/AuthenticationMethodChain' + type: array + description: Authentication method chains. Only supports 5 items in the array. Each chain can support maximum 3 steps. + reauthenticateIn: + description: |- + Specifies how often the user should be prompted for authentication using duration format for the time period. + For example, `PT2H30M` for two and a half hours. Don't set this parameter if you're setting the `reauthenticateIn` parameter in `chains`. 
+ type: string + AuthenticationMethodObject: + type: object + properties: + key: + type: string + description: A label that identifies the authenticator + method: + type: string + description: Specifies the method used for the authenticator + required: + - key + AuthenticationProvider: + description: Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the **Delegated Authentication** settings for your org. The provider object is **read-only**. + type: object + properties: + name: + type: string + description: The name of the authentication provider + readOnly: true + example: OKTA + type: + $ref: '#/components/schemas/AuthenticationProviderType' + readOnly: true + AuthenticationProviderType: + description: The type of authentication provider + type: string + x-enumDescriptions: + ACTIVE_DIRECTORY: Specifies the directory instance name as the `name` property + FEDERATION: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider + IMPORT: Specifies a hashed password that was imported from an external source + LDAP: Specifies the directory instance name as the `name` property + OKTA: Specifies the Okta Identity Provider + SOCIAL: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider + readOnly: true + x-okta-known-values: + - ACTIVE_DIRECTORY + - FEDERATION + - IMPORT + - LDAP + - OKTA + - SOCIAL + AuthenticatorBase: + type: object + properties: + created: + description: Timestamp when the Authenticator was created + format: date-time + readOnly: true + type: string + id: + description: A unique identifier for the Authenticator + readOnly: true + type: string + key: + $ref: '#/components/schemas/AuthenticatorKeyEnum' + lastUpdated: + description: Timestamp when the Authenticator was last modified + format: date-time + readOnly: true + type: string + name: + 
description: Display name of the Authenticator + type: string + status: + description: Status of the Authenticator + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/AuthenticatorType' + _links: + description: Link relations for this object + $ref: '#/components/schemas/AuthenticatorLinks' + discriminator: + propertyName: key + mapping: + custom_app: '#/components/schemas/AuthenticatorKeyCustomApp' + duo: '#/components/schemas/AuthenticatorKeyDuo' + okta_email: '#/components/schemas/AuthenticatorKeyEmail' + google_otp: '#/components/schemas/AuthenticatorKeyGoogleOtp' + external_idp: '#/components/schemas/AuthenticatorKeyExternalIdp' + okta_password: '#/components/schemas/AuthenticatorKeyPassword' + okta_verify: '#/components/schemas/AuthenticatorKeyOktaVerify' + onprem_mfa: '#/components/schemas/AuthenticatorKeyOnprem' + phone_number: '#/components/schemas/AuthenticatorKeyPhone' + security_key: '#/components/schemas/AuthenticatorKeySecurityKey' + security_question: '#/components/schemas/AuthenticatorKeySecurityQuestion' + symantec_vip: '#/components/schemas/AuthenticatorKeySymantecVip' + smart_card_idp: '#/components/schemas/AuthenticatorKeySmartCard' + webauthn: '#/components/schemas/AuthenticatorKeyWebauthn' + yubikey_token: '#/components/schemas/AuthenticatorKeyYubikey' + AuthenticatorEnrollmentPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyConditions' + settings: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettings' + AuthenticatorEnrollmentPolicyAuthenticatorSettings: + type: object + properties: + constraints: + description: Constraints for the authenticator + nullable: true + minimum: 0 + type: object + properties: + aaguidGroups: + type: array + description: The list of FIDO2 WebAuthn authenticator groups allowed for enrollment + items: + type: string + uniqueItems: true + x-okta-lifecycle: + 
lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + enroll: + type: object + description: Enrollment requirements for the authenticator + properties: + self: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorStatus' + key: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorType' + AuthenticatorEnrollmentPolicyAuthenticatorStatus: + description: Requirements for the user-initiated enrollment + default: NOT_ALLOWED + type: string + x-okta-known-values: + - NOT_ALLOWED + - OPTIONAL + - REQUIRED + AuthenticatorEnrollmentPolicyAuthenticatorType: + description: A label that identifies the authenticator + type: string + x-okta-known-values: + - custom_app + - custom_otp + - duo + - external_idp + - google_otp + - okta_email + - okta_password + - okta_verify + - onprem_mfa + - phone_number + - rsa_token + - security_question + - symantec_vip + - webauthn + - yubikey_token + AuthenticatorEnrollmentPolicyConditions: + allOf: + - type: object + properties: + people: + type: object + description: Identifies Users and Groups that are used together + properties: + groups: + type: object + description: Specifies a set of Groups whose Users are to be included or excluded + properties: + include: + type: array + description: Groups to be included + items: + type: string + AuthenticatorEnrollmentPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActions' + conditions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleConditions' + AuthenticatorEnrollmentPolicyRuleActionEnroll: + description: Specifies whether the User is to be enrolled the first time they `LOGIN`, the next time they are in the `CHALLENGE` process, or `NEVER` + type: object + properties: + self: + type: string + enum: + - CHALLENGE + - LOGIN + - NEVER + AuthenticatorEnrollmentPolicyRuleActions: + allOf: + - $ref: 
'#/components/schemas/PolicyRuleActions' + - type: object + properties: + enroll: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActionEnroll' + AuthenticatorEnrollmentPolicyRuleConditions: + type: object + properties: + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + type: object + description: Identifies Users and Groups that are used together + properties: + users: + type: object + description: Specifies a set of Users to be included or excluded + properties: + exclude: + type: array + description: Users to be excluded + items: + type: string + AuthenticatorEnrollmentPolicySettings: + description: '**Note:** In Identity Engine, the Multifactor (MFA) Enrollment Policy name has changed to authenticator enrollment policy. The policy type of `MFA_ENROLL` remains unchanged. However, the `settings` data is updated for authenticators. Policy `settings` are included only for those authenticators that are enabled.' + type: object + properties: + authenticators: + description: | + List of authenticator policy settings + + For orgs with the Authenticator enrollment policy feature enabled, the new default authenticator enrollment policy created by Okta contains the `authenticators` property in the policy settings. Existing default authenticator enrollment policies from a migrated Classic Engine org remain unchanged. The policies still use the `factors` property in their settings. The `authenticators` parameter allows you to configure all available authenticators, including authentication and recovery. The `factors` parameter only allows you to configure multifactor authentication. 
+ items: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorSettings' + type: array + type: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettingsType' + AuthenticatorEnrollmentPolicySettingsType: + description: | + Type of policy configuration object + + The `type` property in the policy `settings` is only applicable to the authenticator enrollment policy available in Identity Engine. + default: FACTORS + type: string + x-okta-known-values: + - AUTHENTICATORS + - FACTORS + AuthenticatorIdentity: + description: Represents a particular authenticator serving as a constraint on a method + type: object + properties: + key: + type: string + AuthenticatorKeyCustomApp: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + agreeToTerms: + type: boolean + description: A value of `true` indicates that the administrator accepts the [terms](https://www.okta.com/privacy-policy/)for creating a new authenticator. Okta requires that you accept the terms when creating a new `custom_app` authenticator. Other authenticators don't require this field. 
+ provider: + type: object + properties: + type: + type: string + description: Provider type + enum: + - PUSH + configuration: + type: object + description: The configuration of the provider + properties: + apns: + type: object + properties: + id: + type: string + description: ID of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) + appBundleId: + type: string + description: AppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) + debugAppBundleId: + type: string + description: DebugAppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) + fcm: + type: object + properties: + id: + type: string + description: ID of the FCM (Firebase Cloud Messaging Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) + settings: + type: object + properties: + userVerification: + $ref: '#/components/schemas/CustomAppUserVerificationEnum' + appInstanceId: + type: string + description: The application instance ID. For custom_app, you need to create an OIDC native app using the [Apps API](https://developer.okta.com/docs/reference/api/apps/) with `Authorization Code` and `Refresh Token` grant types. You can leave both `Sign-in redirect URIs` and `Sign-out redirect URIs` as the default values. 
+ AuthenticatorKeyDuo: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + provider: + type: object + properties: + type: + type: string + description: Provider type + enum: + - DUO + configuration: + type: object + properties: + host: + type: string + description: The Duo Security API hostname + integrationKey: + type: string + description: The Duo Security integration key + secretKey: + type: string + description: The Duo Security secret key + userNameTemplate: + type: object + properties: + template: + type: string + description: The Duo Security user template name + AuthenticatorKeyEmail: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + settings: + type: object + properties: + allowedFor: + $ref: '#/components/schemas/AllowedForEnum' + tokenLifetimeInMinutes: + description: Specifies the lifetime of an email token. Default value is 5 minutes. + type: number + default: 5 + AuthenticatorKeyEnum: + description: A human-readable string that identifies the Authenticator + type: string + x-okta-known-values: + - custom_app + - duo + - external_idp + - google_otp + - okta_email + - okta_password + - okta_verify + - onprem_mfa + - phone_number + - security_key + - security_question + - smart_card_idp + - symantec_vip + - webauthn + - yubikey_token + AuthenticatorKeyExternalIdp: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyGoogleOtp: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyOktaVerify: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + settings: + type: object + properties: + channelBinding: + $ref: '#/components/schemas/ChannelBinding' + compliance: + $ref: '#/components/schemas/Compliance' + userVerification: + $ref: '#/components/schemas/UserVerificationEnum' + appInstanceId: + type: string + description: The application instance ID + AuthenticatorKeyOnprem: + 
allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyPassword: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyPhone: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + settings: + type: object + properties: + allowedFor: + $ref: '#/components/schemas/AllowedForEnum' + AuthenticatorKeySecurityKey: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeySecurityQuestion: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + settings: + type: object + properties: + allowedFor: + $ref: '#/components/schemas/AllowedForEnum' + AuthenticatorKeySmartCard: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeySymantecVip: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyWebauthn: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyYubikey: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorLinks: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + methods: + description: Link to Authenticator methods + allOf: + - $ref: '#/components/schemas/HrefObject' + AuthenticatorMethodAlgorithm: + type: string + x-okta-known-values: + - ES256 + - RS256 + AuthenticatorMethodBase: + type: object + properties: + status: + description: The status of the authenticator method + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/AuthenticatorMethodType' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + discriminator: + propertyName: type + mapping: + sms: '#/components/schemas/AuthenticatorMethodSimple' + voice: '#/components/schemas/AuthenticatorMethodSimple' + email: '#/components/schemas/AuthenticatorMethodSimple' + push: '#/components/schemas/AuthenticatorMethodPush' + signed_nonce: 
'#/components/schemas/AuthenticatorMethodSignedNonce' + totp: '#/components/schemas/AuthenticatorMethodTotp' + otp: '#/components/schemas/AuthenticatorMethodOtp' + password: '#/components/schemas/AuthenticatorMethodSimple' + webauthn: '#/components/schemas/AuthenticatorMethodWebAuthn' + security_question: '#/components/schemas/AuthenticatorMethodSimple' + idp: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + duo: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + cert: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + AuthenticatorMethodConstraint: + description: 'Limits the authenticators that can be used for a given method. Currently, only the `otp` method supports constraints, and Google authenticator (key : ''google_otp'') is the only allowed authenticator.' + type: object + properties: + allowedAuthenticators: + type: array + items: + $ref: '#/components/schemas/AuthenticatorIdentity' + method: + enum: + - otp + AuthenticatorMethodOtp: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + - type: object + properties: + acceptableAdjacentIntervals: + type: integer + description: The number of acceptable adjacent intervals, also known as the clock drift interval. This setting allows you to build in tolerance for any time difference between the token and the server. For example, with a `timeIntervalInSeconds` of 60 seconds and an `acceptableAdjacentIntervals` value of 5, Okta accepts passcodes within 300 seconds (60 * 5) before or after the end user enters their code. 
+ minimum: 0 + maximum: 10 + algorithm: + $ref: '#/components/schemas/OtpTotpAlgorithm' + encoding: + $ref: '#/components/schemas/OtpTotpEncoding' + factorProfileId: + type: string + description: The `id` value of the factor profile + example: aut1nd8PQhGcQtSxB0g4 + passCodeLength: + $ref: '#/components/schemas/OtpTotpPassCodeLength' + protocol: + $ref: '#/components/schemas/OtpProtocol' + timeIntervalInSeconds: + $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds' + AuthenticatorMethodProperty: + type: string + x-okta-known-values: + - DEVICE_BOUND + - HARDWARE_PROTECTED + - PHISHING_RESISTANT + - USER_PRESENCE + - USER_VERIFYING + AuthenticatorMethodPush: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + settings: + type: object + properties: + algorithms: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' + keyProtection: + $ref: '#/components/schemas/PushMethodKeyProtection' + transactionTypes: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodTransactionType' + AuthenticatorMethodSignedNonce: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + settings: + type: object + properties: + algorithms: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' + keyProtection: + $ref: '#/components/schemas/PushMethodKeyProtection' + showSignInWithOV: + $ref: '#/components/schemas/ShowSignInWithOV' + AuthenticatorMethodSimple: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + AuthenticatorMethodTotp: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + settings: + type: object + properties: + timeIntervalInSeconds: + $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds' + encoding: + $ref: '#/components/schemas/OtpTotpEncoding' + algorithm: + $ref: '#/components/schemas/OtpTotpAlgorithm' + passCodeLength: + $ref: 
'#/components/schemas/OtpTotpPassCodeLength' + AuthenticatorMethodTransactionType: + type: string + x-okta-known-values: + - CIBA + - LOGIN + AuthenticatorMethodType: + description: The type of authenticator method + type: string + x-okta-known-values: + - cert + - duo + - email + - idp + - otp + - password + - push + - security_question + - signed_nonce + - sms + - totp + - voice + - webauthn + AuthenticatorMethodWebAuthn: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + settings: + type: object + properties: + aaguidGroups: + description: The FIDO2 AAGUID groups available to the WebAuthn authenticator + type: array + items: + $ref: '#/components/schemas/AAGUIDGroupObject' + userVerification: + $ref: '#/components/schemas/UserVerificationEnum' + attachment: + $ref: '#/components/schemas/WebAuthnAttachment' + AuthenticatorMethodWithVerifiableProperties: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + verifiableProperties: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodProperty' + AuthenticatorSimple: + allOf: + - $ref: '#/components/schemas/AuthenticatorBase' + AuthenticatorType: + description: The type of Authenticator + type: string + x-okta-known-values: + - app + - email + - federated + - password + - phone + - security_key + - security_question + AuthorizationServer: + type: object + properties: + audiences: + type: array + description: The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience. 
+ items: + type: string + created: + type: string + format: date-time + readOnly: true + credentials: + $ref: '#/components/schemas/AuthorizationServerCredentials' + description: + type: string + description: The description of the custom authorization server + id: + type: string + description: The ID of the custom authorization server + readOnly: true + issuer: + type: string + description: The complete URL for the custom authorization server. This becomes the `iss` claim in an access token. + issuerMode: + type: string + description: |- + Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL. + + `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses. + + When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`. + + When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface. + + When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain. + + After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled. 
+ lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + description: The name of the custom authorization server + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/AuthServerLinks' + AuthorizationServerCredentials: + type: object + properties: + signing: + $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' + AuthorizationServerCredentialsRotationMode: + description: The Key rotation mode for the authorization server + type: string + x-okta-known-values: + - AUTO + - MANUAL + AuthorizationServerCredentialsSigningConfig: + type: object + properties: + kid: + type: string + description: The ID of the JSON Web Key used for signing tokens issued by the authorization server + readOnly: true + lastRotated: + type: string + description: The timestamp when the authorization server started using the `kid` for signing tokens + format: date-time + readOnly: true + nextRotation: + type: string + description: The timestamp when the authorization server changes the Key for signing tokens. This is only returned when `rotationMode` is set to `AUTO`. + format: date-time + readOnly: true + rotationMode: + $ref: '#/components/schemas/AuthorizationServerCredentialsRotationMode' + use: + $ref: '#/components/schemas/AuthorizationServerCredentialsUse' + AuthorizationServerCredentialsUse: + description: How the key is used + type: string + x-okta-known-values: + - sig + AuthorizationServerJsonWebKey: + type: object + properties: + alg: + description: 'The algorithm used with the Key. Valid value: `RS256`' + type: string + e: + description: RSA key value (public exponent) for Key binding + type: string + readOnly: true + kid: + description: Unique identifier for the key + type: string + readOnly: true + kty: + description: 'Cryptographic algorithm family for the certificate''s keypair. 
Valid value: `RSA`' + type: string + readOnly: true + 'n': + description: RSA modulus value that is used by both the public and private keys and provides a link between them + type: string + status: + description: |- + An `ACTIVE` Key is used to sign tokens issued by the authorization server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`
+ A `NEXT` Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The `NEXT` Key might not be listed if it hasn't been generated. + An `EXPIRED` Key is the previous Key that the authorization server used to sign tokens. The `EXPIRED` Key might not be listed if no Key has expired or the expired Key was deleted. + type: string + use: + description: 'Acceptable use of the key. Valid value: `sig`' + type: string + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' + AuthorizationServerPolicy: + allOf: + - type: object + properties: + id: + type: string + description: ID of the Policy + type: + type: string + description: Indicates that the Policy is an authorization server Policy + enum: + - OAUTH_AUTHORIZATION_POLICY + name: + type: string + description: Name of the Policy + conditions: + $ref: '#/components/schemas/AuthorizationServerPolicyConditions' + description: + type: string + description: Description of the Policy + priority: + type: integer + description: Specifies the order in which this Policy is evaluated in relation to the other Policies in a custom authorization server + status: + type: string + description: Specifies whether requests have access to this Policy + enum: + - ACTIVE + - INACTIVE + system: + type: boolean + description: Specifies whether Okta created this Policy + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the Policy was created + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the Policy was last updated + _links: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + rules: + allOf: + - description: Link to the authorization server policy's rules + - $ref: '#/components/schemas/HrefObject' + AuthorizationServerPolicyConditions: + type: object + properties: + clients: + $ref: '#/components/schemas/ClientPolicyCondition' + 
AuthorizationServerPolicyPeopleCondition: + description: Identifies Users and Groups that are used together + type: object + properties: + groups: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleGroupCondition' + users: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleUserCondition' + AuthorizationServerPolicyRule: + type: object + properties: + actions: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' + conditions: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the rule was created + id: + type: string + description: Identifier of the rule + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the rule was last modified + name: + type: string + description: Name of the rule + priority: + type: integer + description: Priority of the rule + status: + type: string + description: Status of the rule + enum: + - ACTIVE + - INACTIVE + system: + type: boolean + description: Set to `true` for system rules. You can't delete system rules. 
+ type: + type: string + description: Rule type + enum: + - RESOURCE_ACCESS + _links: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + AuthorizationServerPolicyRuleActions: + allOf: + - $ref: '#/components/schemas/PolicyRuleActions' + - type: object + properties: + token: + $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction' + AuthorizationServerPolicyRuleConditions: + type: object + properties: + grantTypes: + $ref: '#/components/schemas/GrantTypePolicyRuleCondition' + people: + $ref: '#/components/schemas/AuthorizationServerPolicyPeopleCondition' + scopes: + $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' + AuthorizationServerPolicyRuleGroupCondition: + description: Specifies a set of Groups whose Users are to be included + type: object + properties: + include: + type: array + description: Groups to be included + items: + type: string + AuthorizationServerPolicyRuleRequest: + allOf: + - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + - type: object + required: + - name + - conditions + - type + AuthorizationServerPolicyRuleUserCondition: + description: Specifies a set of Users to be included + type: object + properties: + include: + description: Users to be included + type: array + items: + type: string + AuthorizationServerResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: + type: string + description: Link name + example: Example Authorization Server + AutoAssignAdminAppSetting: + description: The org setting that automatically assigns the Okta Admin Console when an admin role is assigned + type: object + properties: + autoAssignAdminAppSetting: + type: boolean + description: Automatically assigns the Okta Admin Console to the user when an admin role is assigned + AutoLoginApplication: + allOf: + - $ref: '#/components/schemas/Application' + - type: object 
+ properties: + credentials: + $ref: '#/components/schemas/SchemeApplicationCredentials' + name: + type: string + description: A unique key is generated for the custom SWA app instance when you use AUTO_LOGIN `signOnMode`. + readOnly: true + settings: + $ref: '#/components/schemas/AutoLoginApplicationSettings' + AutoLoginApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + signOn: + $ref: '#/components/schemas/AutoLoginApplicationSettingsSignOn' + AutoLoginApplicationSettingsSignOn: + type: object + properties: + loginUrl: + type: string + description: Primary URL of the sign-in page for this app + redirectUrl: + type: string + description: Secondary URL of the sign-in page for this app + required: + - loginUrl + AutoUpdateSchedule: + description: The schedule of auto-update configured by admin. + type: object + properties: + cron: + type: string + delay: + description: delay in days + type: integer + duration: + description: duration in minutes + type: integer + lastUpdated: + description: last time when the updated finished (success or failed, exclude cancelled), null if job haven't finished once yet. 
+ type: string + format: date-time + timezone: + type: string + AwsAccountId: + description: Your AWS account ID + minLength: 12 + maxLength: 12 + example: 123456789012 + type: string + AwsEventSourceName: + description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge + minLength: 1 + maxLength: 75 + example: your-event-source-name + type: string + pattern: ^[a-zA-Z0-9.\-_]$ + AwsRegion: + description: The destination AWS region where your event source is located + type: string + x-okta-known-values: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 + - ca-central-1 + - eu-central-1 + - eu-north-1 + - eu-west-1 + - eu-west-2 + - eu-west-3 + - sa-east-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 + BaseContext: + description: This object contains a number of sub-objects, each of which provide some type of contextual information. + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + session: + description: Details of the user session + type: object + properties: + id: + description: The unique identifier for the user's session + type: string + example: 102LN9Bnuc4S_ewfc9BYwageA + userId: + description: The unique identifier for the user + type: string + example: 00uq8tMo3zV0OfJON0g3 + login: + description: The username used to identify the user. This is often the user's email address. 
+ type: string + example: user@example.com + createdAt: + description: Timestamp of when the session was created + type: string + format: date-time + example: '2019-03-28T16:45:55.000Z' + expiresAt: + description: Timestamp of when the session expires + type: string + format: date-time + example: '2019-03-28T21:15:23.000Z' + status: + description: Represents the current status of the user's session + type: string + example: ACTIVE + lastPasswordVerification: + description: Timestamp of when the user was last authenticated + type: string + format: date-time + example: '2019-03-28T16:45:55.000Z' + amr: + description: The authentication method reference + type: array + items: + type: string + example: + - PASSWORD + idp: + $ref: '#/components/schemas/SessionIdentityProvider' + mfaActive: + description: Describes whether multifactor authentication was enabled + type: boolean + example: false + user: + description: Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile + type: object + properties: + id: + description: The unique identifier for the user + type: string + example: 00uq8tMo3zV0OfJON0g3 + passwordChanged: + description: The timestamp when the user's password was last updated + type: string + format: date-time + example: '2018-09-11T23:19:12.000Z' + profile: + type: object + properties: + login: + description: The username used to identify the user. This is often the user's email address. + type: string + example: user@example.com + firstName: + description: The first name of the user + type: string + example: John + lastName: + description: The last name of the user + type: string + example: Smith + locale: + description: |- + The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. 
+ A locale value is a concatenation of the [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes) two-letter language code, an underscore, and the [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) two-letter country code. For example, `en_US` specifies the language English and country US. This value is `en_US` by default. + type: string + example: en_US + timeZone: + description: The user's timezone + type: string + example: America/Los_Angeles + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled. + type: object + properties: + groups: + description: URL to retrieve the individual user's group memberships + allOf: + - $ref: '#/components/schemas/HrefObject' + factors: + description: URL to retrieve individual user's factor enrollments + allOf: + - $ref: '#/components/schemas/HrefObject' + BaseEmailDomain: + type: object + properties: + displayName: + type: string + userName: + type: string + required: + - displayName + - userName + BaseEmailServer: + type: object + properties: + alias: + type: string + description: Human-readable name for your SMTP server + example: CustomServer1 + enabled: + type: boolean + description: If `true`, routes all email traffic through your SMTP server + host: + type: string + description: Hostname or IP address of your SMTP server + example: 192.168.160.1 + port: + type: integer + description: Port number of your SMTP server + example: 587 + username: + type: string + description: Username used to access your SMTP server + example: aUser + BaseToken: + type: object + properties: + claims: + description: Claims included in the token. Consists of name-value pairs for each included claim. 
For descriptions of the claims that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#claims). + type: object + lifetime: + description: Lifetime of the token + type: object + properties: + expiration: + description: Time in seconds until the token expires + type: integer + BasicApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + app: + $ref: '#/components/schemas/BasicApplicationSettingsApplication' + BasicApplicationSettingsApplication: + type: object + properties: + authURL: + type: string + description: The URL of the authenticating site for this app + url: + type: string + description: The URL of the sign-in page for this app + required: + - authURL + - url + BasicAuthApplication: + x-okta-defined-as: + name: template_basic_auth + allOf: + - $ref: '#/components/schemas/Application' + - type: object + properties: + credentials: + $ref: '#/components/schemas/SchemeApplicationCredentials' + name: + type: string + description: '`template_basic_auth` is the key name for a Basic Authentication scheme app instance' + enum: + - template_basic_auth + settings: + $ref: '#/components/schemas/BasicApplicationSettings' + required: + - name + - settings + BeforeScheduledActionPolicyRuleCondition: + type: object + properties: + duration: + $ref: '#/components/schemas/Duration' + lifecycleAction: + $ref: '#/components/schemas/ScheduledUserLifecycleAction' + BehaviorRule: + title: Behavior Detection Rule + type: object + properties: + created: + type: string + format: date-time + readOnly: true + id: + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + maxLength: 128 + status: + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/BehaviorRuleType' + _link: + $ref: '#/components/schemas/LinksSelf' + required: + - name + - type + discriminator: + 
propertyName: type + mapping: + ANOMALOUS_LOCATION: '#/components/schemas/BehaviorRuleAnomalousLocation' + ANOMALOUS_IP: '#/components/schemas/BehaviorRuleAnomalousIP' + ANOMALOUS_DEVICE: '#/components/schemas/BehaviorRuleAnomalousDevice' + VELOCITY: '#/components/schemas/BehaviorRuleVelocity' + BehaviorRuleAnomalousDevice: + allOf: + - $ref: '#/components/schemas/BehaviorRule' + - type: object + properties: + settings: + $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousDevice' + BehaviorRuleAnomalousIP: + allOf: + - $ref: '#/components/schemas/BehaviorRule' + - type: object + properties: + settings: + $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousIP' + BehaviorRuleAnomalousLocation: + allOf: + - $ref: '#/components/schemas/BehaviorRule' + - type: object + properties: + settings: + $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousLocation' + BehaviorRuleSettings: + title: Behavior Detection Rule Settings + type: object + BehaviorRuleSettingsAnomalousDevice: + allOf: + - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' + BehaviorRuleSettingsAnomalousIP: + allOf: + - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' + - type: object + properties: + maxEventsUsedForEvaluation: + type: integer + minimum: 0 + maximum: 100 + default: 50 + BehaviorRuleSettingsAnomalousLocation: + allOf: + - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' + - type: object + properties: + granularity: + $ref: '#/components/schemas/LocationGranularity' + radiusKilometers: + type: integer + description: Required when `granularity` is `LAT_LONG`. Radius from the provided coordinates in kilometers. 
+ required: + - granularity + BehaviorRuleSettingsHistoryBased: + allOf: + - $ref: '#/components/schemas/BehaviorRuleSettings' + - title: Behavior Detection Rule Settings based on Event History + type: object + properties: + maxEventsUsedForEvaluation: + type: integer + minimum: 1 + maximum: 100 + default: 20 + minEventsNeededForEvaluation: + type: integer + minimum: 0 + maximum: 10 + default: 0 + BehaviorRuleSettingsVelocity: + allOf: + - $ref: '#/components/schemas/BehaviorRuleSettings' + - title: Behavior Detection Rule Settings based on device velocity in kilometers per hour. + type: object + properties: + velocityKph: + type: integer + minimum: 1 + default: 805 + required: + - velocityKph + BehaviorRuleType: + type: string + x-okta-known-values: + - ANOMALOUS_DEVICE + - ANOMALOUS_IP + - ANOMALOUS_LOCATION + - VELOCITY + BehaviorRuleVelocity: + allOf: + - $ref: '#/components/schemas/BehaviorRule' + - type: object + properties: + settings: + $ref: '#/components/schemas/BehaviorRuleSettingsVelocity' + BindingMethod: + description: The method used to bind the out-of-band channel with the primary channel. 
+ type: string + x-okta-known-values: + - none + - prompt + - transfer + BookmarkApplication: + x-okta-defined-as: + name: bookmark + allOf: + - $ref: '#/components/schemas/Application' + - type: object + properties: + credentials: + $ref: '#/components/schemas/ApplicationCredentials' + name: + type: string + description: '`bookmark` is the key name for a Bookmark app' + enum: + - bookmark + settings: + $ref: '#/components/schemas/BookmarkApplicationSettings' + required: + - name + - settings + BookmarkApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + app: + $ref: '#/components/schemas/BookmarkApplicationSettingsApplication' + BookmarkApplicationSettingsApplication: + type: object + properties: + requestIntegration: + type: boolean + description: Would you like Okta to add an integration for this app? + default: false + url: + type: string + description: The URL of the launch page for this app + required: + - url + BouncesRemoveListError: + type: object + properties: + emailAddress: + type: string + description: An email address with a validation error + reason: + type: string + description: Validation error reason + BouncesRemoveListObj: + type: object + properties: + emailAddresses: + type: array + description: A list of email addresses to remove from the email-service bounce list + items: + type: string + description: Email address + BouncesRemoveListResult: + type: object + properties: + errors: + type: array + description: A list of emails that wasn't added to the email-bounced remove list and the error reason + items: + $ref: '#/components/schemas/BouncesRemoveListError' + Brand: + type: object + properties: + agreeToCustomPrivacyPolicy: + type: boolean + description: Consent for updating the custom privacy URL. Not required when resetting the URL. 
+ customPrivacyPolicyUrl: + type: string + description: Custom privacy policy URL + default: null + defaultApp: + $ref: '#/components/schemas/DefaultApp' + emailDomainId: + type: string + description: The ID of the email domain + id: + readOnly: true + type: string + description: The Brand ID + isDefault: + readOnly: true + type: boolean + description: If `true`, the Brand is used for the Okta subdomain + locale: + $ref: '#/components/schemas/Language' + name: + type: string + description: The name of the Brand + removePoweredByOkta: + type: boolean + default: false + description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard + BrandDomains: + title: BrandDomains + items: + $ref: '#/components/schemas/DomainResponse' + type: array + BrandRequest: + type: object + properties: + agreeToCustomPrivacyPolicy: + type: boolean + description: Consent for updating the custom privacy URL. Not required when resetting the URL. + customPrivacyPolicyUrl: + type: string + description: Custom privacy policy URL + defaultApp: + $ref: '#/components/schemas/DefaultApp' + emailDomainId: + type: string + description: The ID of the email domain + locale: + $ref: '#/components/schemas/Language' + name: + type: string + description: The name of the Brand + removePoweredByOkta: + type: boolean + default: false + description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." 
from the Okta End-User Dashboard + required: + - name + BrandWithEmbedded: + allOf: + - $ref: '#/components/schemas/Brand' + type: object + properties: + _embedded: + type: object + properties: + themes: + type: array + items: + $ref: '#/components/schemas/ThemeResponse' + domains: + items: + $ref: '#/components/schemas/DomainResponse' + type: array + emailDomain: + $ref: '#/components/schemas/EmailDomainResponse' + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + themes: + $ref: '#/components/schemas/HrefObject' + BrowserPluginApplication: + allOf: + - $ref: '#/components/schemas/Application' + - type: object + properties: + credentials: + $ref: '#/components/schemas/SchemeApplicationCredentials' + name: + type: string + description: The key name for the app definition + enum: + - template_swa + - template_swa3field + x-enumDescriptions: + template_swa: The key name for a SWA app instance that requires a browser plugin + template_swa3field: The key name for a SWA app instance that requires a browser plugin and supports three CSS selectors + settings: + $ref: '#/components/schemas/SwaApplicationSettings' + required: + - name + - settings + BulkDeleteRequestBody: + type: object + properties: + entityType: + type: string + enum: + - USERS + profiles: + type: array + items: + $ref: '#/components/schemas/IdentitySourceUserProfileForDelete' + BulkUpsertRequestBody: + type: object + properties: + entityType: + type: string + enum: + - USERS + profiles: + type: array + items: + type: object + properties: + externalId: + type: string + description: The external ID of the entity that needs to be created or updated in Okta + maxLength: 512 + profile: + $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert' + BundleEntitlement: + type: object + properties: + description: + type: string + id: + type: string + name: + type: string + role: + type: string + _links: + allOf: + - properties: + values: + $ref: 
'#/components/schemas/HrefObject' + BundleEntitlementsResponse: + type: object + properties: + entitlements: + type: array + items: + $ref: '#/components/schemas/BundleEntitlement' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the next resource self: - href: https://${yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg - hints: - allow: - - GET - - DELETE - user: - href: https://${yourOktaDomain}/api/v1/users/00uabcdefg1234567890 - hints: - allow: - - GET - ApiTokenMetadataResponse: - value: - name: My API Token - userId: 00uXXXXXXXXXXXXXXXXX - tokenWindow: P30D - id: 00Tabcdefg1234567890 - clientName: Okta API - expiresAt: 2021-12-11T20:38:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + $ref: '#/components/schemas/HrefObjectSelfLink' + bundle: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the bundle resource + ByDateTimeExpiry: + allOf: + - $ref: '#/components/schemas/DateTime' + ByDurationExpiry: + allOf: + - $ref: '#/components/schemas/TimeDuration' + description: |- + A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). + Must be between 1 and 180 days inclusive. 
+ CAPTCHAInstance: + title: CAPTCHAInstance + description: '' + type: object + properties: + id: + description: The unique key for the CAPTCHA instance + type: string + readOnly: true + name: + description: The name of the CAPTCHA instance + type: string + secretKey: + description: The secret key issued from the CAPTCHA provider to perform server-side validation for a CAPTCHA token + type: string + writeOnly: true + siteKey: + description: The site key issued from the CAPTCHA provider to render a CAPTCHA on a page + type: string + type: + $ref: '#/components/schemas/CAPTCHAType' + _links: + $ref: '#/components/schemas/LinksSelf' + CAPTCHAType: + description: The type of CAPTCHA provider + type: string + x-okta-known-values: + - HCAPTCHA + - RECAPTCHA_V2 + CSRLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of a CSR object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
+ properties: + publish: + $ref: '#/components/schemas/HrefCsrPublishLink' + self: + $ref: '#/components/schemas/HrefCsrSelfLink' + readOnly: true + CaepDeviceComplianceChangeEvent: + description: The subject's device compliance was revoked + type: object + properties: + current_status: + type: string + description: Current device compliance status + enum: + - compliant + - not-compliant + example: non-compliant + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + previous_status: + type: string + description: Previous device compliance status + enum: + - compliant + - not-compliant + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + - current_status + - previous_status + CaepSecurityEvent: + type: object + properties: + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + CaepSessionRevokedEvent: + description: The session of the subject was revoked + type: object + properties: + current_ip: + type: string + description: Current IP of the session + example: 123.4.5.6 + current_user_agent: + type: string + description: Current User Agent of the session + example: CurrentUserAgent + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + last_known_ip: + type: string + description: Last known IP of the session + example: 123.4.5.6 + last_known_user_agent: + type: string + description: Last known User Agent of the session + example: LastUserAgent + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + CapabilitiesCreateObject: + description: | + Determines whether Okta assigns a new app account to each user managed by Okta. + + Okta doesn't create a new account if it detects that the username specified in Okta already exists in the app. + The user's Okta username is assigned by default. + type: object + properties: + lifecycleCreate: + $ref: '#/components/schemas/LifecycleCreateSettingObject' + CapabilitiesImportRulesObject: + description: Defines user import rules + type: object + properties: + userCreateAndMatch: + $ref: '#/components/schemas/CapabilitiesImportRulesUserCreateAndMatchObject' + CapabilitiesImportRulesUserCreateAndMatchObject: + description: Rules for matching and creating users + type: object + properties: + allowPartialMatch: + type: boolean + description: Allows user import upon partial matching. Partial matching occurs when the first and last names of an imported user match those of an existing Okta user, even if the username or email attributes don't match. + autoActivateNewUsers: + type: boolean + description: If set to `true`, imported new users are automatically activated. + autoConfirmExactMatch: + type: boolean + description: If set to `true`, exact-matched users are automatically confirmed on activation. If set to `false`, exact-matched users need to be confirmed manually. + autoConfirmNewUsers: + type: boolean + description: If set to `true`, imported new users are automatically confirmed on activation. This doesn't apply to imported users that already exist in Okta. + autoConfirmPartialMatch: + type: boolean + description: If set to `true`, partially matched users are automatically confirmed on activation. If set to `false`, partially matched users need to be confirmed manually. 
+ exactMatchCriteria: + type: string + description: Determines the attribute to match users + enum: + - EMAIL + - USERNAME + CapabilitiesImportSettingsObject: + description: Defines import settings + type: object + properties: + schedule: + $ref: '#/components/schemas/ImportScheduleObject' + username: + $ref: '#/components/schemas/ImportUsernameObject' + CapabilitiesInboundProvisioningObject: + title: INBOUND_PROVISIONING + description: Defines the configuration for the INBOUND_PROVISIONING feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: object + properties: + importRules: + $ref: '#/components/schemas/CapabilitiesImportRulesObject' + importSettings: + $ref: '#/components/schemas/CapabilitiesImportSettingsObject' + required: + - importSettings + - importRules + CapabilitiesObject: + title: USER_PROVISIONING + description: Defines the configurations for the USER_PROVISIONING feature + type: object + properties: + create: + $ref: '#/components/schemas/CapabilitiesCreateObject' + update: + $ref: '#/components/schemas/CapabilitiesUpdateObject' + CapabilitiesUpdateObject: + description: Determines whether updates to a user's profile are pushed to the app + type: object + properties: + lifecycleDeactivate: + $ref: '#/components/schemas/LifecycleDeactivateSettingObject' + password: + $ref: '#/components/schemas/PasswordSettingObject' + profile: + $ref: '#/components/schemas/ProfileSettingObject' + CatalogApplication: + type: object + properties: + category: + type: string + description: + type: string + displayName: + type: string + features: + type: array + items: + type: string + id: + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + signOnModes: + type: array + items: + type: string + status: + $ref: '#/components/schemas/CatalogApplicationStatus' + verificationStatus: + type: string + website: + type: string + _links: + $ref: '#/components/schemas/LinksSelf' + 
CatalogApplicationStatus: + type: string + x-okta-known-values: + - ACTIVE + - INACTIVE + ChallengeType: + type: string + x-okta-known-values: + - http://auth0.com/oauth/grant-type/mfa-oob + - http://auth0.com/oauth/grant-type/mfa-otp + ChangeEnum: + description: Determines whether a change in a user's password also updates the user's password in the app + default: KEEP_EXISTING + example: CHANGE + type: string + x-okta-known-values: + - CHANGE + - KEEP_EXISTING + ChangePasswordRequest: + type: object + properties: + newPassword: + $ref: '#/components/schemas/PasswordCredential' + oldPassword: + $ref: '#/components/schemas/PasswordCredential' + revokeSessions: + type: boolean + description: When set to `true`, revokes all user sessions, except for the current session + default: false + Channel: + description: The out-of-band channel for use with authentication. Required for all `/oob-authenticate` requests and any `/challenge` request with an out-of-band authenticator. + type: string + x-okta-known-values: + - push + - sms + - voice + ChannelBinding: + type: object + properties: + required: + $ref: '#/components/schemas/RequiredEnum' + style: + type: string + enum: + - NUMBER_CHALLENGE + ChildOrg: + type: object + properties: + admin: + $ref: '#/components/schemas/OrgCreationAdmin' + created: + description: Timestamp when the org was created + type: string + format: date-time + readOnly: true + example: '2022-08-25T00:05:00.000Z' + edition: + description: Edition for the org. `SKU` is the only supported value. + type: string + enum: + - SKU + example: SKU + id: + type: string + description: Org ID + readOnly: true + example: 00o1n8sbwArJ7OQRw406 + lastUpdated: + description: Timestamp when the org was last updated + type: string + format: date-time + readOnly: true + example: '2022-08-25T00:05:00.000Z' + name: + description: |- + Unique name of the org. + This name appears in the HTML `` tag of the new org sign-in page. 
+ Only less than 4-width UTF-8 encoded characters are allowed. + type: string + format: utf-8 + minimum: 1 + maximum: 100 + example: My Child Org 1 + settings: + description: Settings associated with the created org + readOnly: true + type: object + additionalProperties: true + status: + description: Status of the org. `ACTIVE` is returned after the org is created. + type: string + readOnly: true + enum: + - ACTIVE + subdomain: + description: Subdomain of the org. Must be unique and include no spaces. + type: string + minimum: 1 + maximum: 57 + example: my-child-org-1 + token: + description: |- + API token associated with the child org super admin account. + Use this API token to provision resources (such as policies, apps, and groups) on the newly created child org. + This token is revoked if the super admin account is deactivated. + > **Note:** If this API token expires, sign in to the Admin Console as the super admin user and create a new API token. See [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/). + type: string + readOnly: true + tokenType: + description: Type of returned `token`. See [Okta API tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/#okta-api-tokens). 
+ type: string + readOnly: true + example: SSWS + enum: + - SSWS + website: + description: Default website for the org + type: string + example: https://www.okta.com + _links: + description: Specifies available link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + type: object + additionalProperties: true + required: + - admin + - edition + - name + - subdomain + ChromeBrowserVersion: + description: Current version of the Chrome Browser + type: object + properties: + minimum: + type: string + Claim: + type: string + Client: + type: object + properties: + application_type: + $ref: '#/components/schemas/ApplicationType' + client_id: + type: string + description: Unique key for the client application. The `client_id` is immutable. When you create a client Application, you can't specify the `client_id` because Okta uses the application ID for the `client_id`. + readOnly: true + client_id_issued_at: + type: integer + readOnly: true + description: Time at which the `client_id` was issued (measured in unix seconds) + client_name: + type: string + description: Human-readable string name of the client application + client_secret: + type: string + readOnly: true + description: OAuth 2.0 client secret string (used for confidential clients). The `client_secret` is shown only on the response of the creation or update of a client Application (and only if the `token_endpoint_auth_method` is one that requires a client secret). You can't specify the `client_secret`. If the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client Application. 
+ nullable: true + client_secret_expires_at: + type: integer + readOnly: true + description: Time at which the `client_secret` expires or 0 if it doesn't expire (measured in unix seconds) + minimum: 0 + nullable: true + frontchannel_logout_session_required: + type: boolean + description: Include user session details + frontchannel_logout_uri: + type: string + description: URL where Okta sends the logout request + nullable: true + grant_types: + type: array + description: 'Array of OAuth 2.0 grant type strings. Default value: `[authorization_code]`' + items: + $ref: '#/components/schemas/GrantType' + initiate_login_uri: + type: string + description: URL that a third party can use to initiate a login by the client + jwks_uri: + type: string + description: URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta + logo_uri: + type: string + description: URL string that references a logo for the client consent dialog (not the sign-in dialog) + nullable: true + policy_uri: + type: string + description: URL string of a web page providing the client's policy document + nullable: true + post_logout_redirect_uris: + type: string + description: Array of redirection URI strings for use for relying party initiated logouts + items: + type: string + redirect_uris: + type: array + description: 'Array of redirection URI strings for use in redirect-based flows. All redirect URIs must be absolute URIs and must not include a fragment component. At least one redirect URI and response type is required for all client types, with the following exceptions: If the client uses the Resource Owner Password flow (if `grant_type` contains the value password) or the Client Credentials flow (if `grant_type` contains the value `client_credentials`), then no redirect URI or response type is necessary. In these cases, you can pass either null or an empty array for these attributes.' 
+ items: + type: string + request_object_signing_alg: + type: array + description: The type of [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) algorithm that must be used for signing request objects + items: + $ref: '#/components/schemas/SigningAlgorithm' + response_types: + type: array + description: 'Array of OAuth 2.0 response type strings. Default value: `[code]`' + items: + $ref: '#/components/schemas/ResponseType' + token_endpoint_auth_method: + $ref: '#/components/schemas/EndpointAuthMethod' + tos_uri: + type: string + description: URL string of a web page providing the client's terms of service document + nullable: true + ClientPolicyCondition: + description: Specifies which clients are included in the Policy + type: object + properties: + include: + type: array + description: Which clients are included in the Policy + items: + type: string + ClientPrivilegesSetting: + description: The org setting that assigns the super admin role by default to a public client app + type: object + properties: + clientPrivilegesSetting: + type: boolean + description: If true, assigns the super admin role by default to new public client apps + example: true + CodeChallengeMethod: + type: string + x-okta-known-values: + - S256 + Compliance: + type: object + properties: + fips: + $ref: '#/components/schemas/FipsEnum' + Conditions: + type: object + properties: + expression: + $ref: '#/components/schemas/Expression' + profileSourceId: + type: string + ContentSecurityPolicySetting: + type: object + properties: + mode: + type: string + enum: + - enforced + - report_only + reportUri: + type: string + srcList: + type: array + items: + type: string + ContextPolicyRuleCondition: + allOf: + - $ref: '#/components/schemas/DevicePolicyRuleCondition' + - type: object + properties: + expression: + type: string + CreateBrandRequest: + title: CreateBrandRequest + type: object + properties: + name: + type: string + description: The name of the Brand + required: + - name + 
CreateGroupRuleRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/GroupRuleAction' + conditions: + $ref: '#/components/schemas/GroupRuleConditions' + name: + type: string + description: Name of the Group rule + minLength: 1 + maxLength: 50 + type: + type: string + enum: + - group_rule + CreateIamRoleRequest: + type: object + properties: + description: + type: string + description: Description of the role + label: + type: string + description: Unique label for the role + permissions: + type: array + description: Array of permissions that the Role grants. See [Permissions](/openapi/okta-management/guides/roles/#permissions). + items: + $ref: '#/components/schemas/RolePermissionType' + required: + - label + - description + - permissions + CreateRealmAssignmentRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + name: + type: string + priority: + type: integer + CreateRealmRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/RealmProfile' + CreateResourceSetRequest: + type: object + properties: + description: + type: string + description: Description of the Resource Set + label: + type: string + description: Unique name for the Resource Set + resources: + type: array + description: The endpoint (URL) that references all resource objects included in the Resource Set. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn). 
+ maximum: 1000 + items: + type: string + required: + - description + - label + - resources + CreateSessionRequest: + type: object + properties: + sessionToken: + type: string + description: The session token obtained during authentication + CreateUISchema: + description: The request body properties for the new UI Schema + type: object + properties: + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + CreateUpdateIamRolePermissionRequest: + type: object + properties: + conditions: + $ref: '#/components/schemas/PermissionConditions' + CreateUserRequest: + type: object + properties: + credentials: + $ref: '#/components/schemas/UserCredentials' + groupIds: + type: array + items: + type: string + profile: + $ref: '#/components/schemas/UserProfile' + realmId: + type: string + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the realm in which the user is residing + example: guo1bfiNtSnZYILxO0g4 + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + type: + type: object + description: |- + The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). + The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can + only be assigned a different user type by an administrator through a full replacement (`PUT`) operation. 
+ properties: + id: + type: string + description: The ID of the user type + required: + - profile + Created: + format: date-time + description: Timestamp when the object was created + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + CredentialSyncInfo: + type: object + properties: + errorCode: + type: string + description: The error code for the type of error + readOnly: true + errorReason: + type: string + description: A short description of the error + readOnly: true + secretVersionId: + type: string + description: The version ID of the password secret from the OPA vault. + minLength: 1 + maxLength: 36 + example: 9f8400-e29b-41d4-a716-926655440034 + syncState: + $ref: '#/components/schemas/CredentialSyncState' + example: NOT_SYNCED + syncTime: + type: string + description: Timestamp when the credential was changed + format: date-time + readOnly: true + example: '2024-06-10T11:30:01.000Z' + CredentialSyncState: + description: Current credential sync status of the privileged resource + type: string + x-enumDescriptions: + NOT_SYNCED: Credentials are not yet synced + SYNCING: Credentials are currently being synced + SYNCED: Credentials are successfully synced + SYNC_FAILED: Credential sync failed + readOnly: true + x-okta-known-values: + - NOT_SYNCED + - SYNCED + - SYNCING + - SYNC_FAILED + Csr: + type: object + properties: + created: + $ref: '#/components/schemas/createdProperty' + csr: + type: string + readOnly: true + example: 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 + id: + type: string + readOnly: true + example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + kty: + type: string + readOnly: true + example: RSA + _links: + $ref: '#/components/schemas/CSRLinks' + readOnly: true + nullable: false + CsrMetadata: + type: object + properties: + subject: + $ref: '#/components/schemas/CsrMetadataSubject' + subjectAltNames: + $ref: '#/components/schemas/CsrMetadataSubjectAltNames' + CsrMetadataSubject: + type: object + properties: + 
commonName: + type: string + description: Common name of the subject + example: SP Issuer + countryName: + type: string + description: Country name or code + example: US + localityName: + type: string + description: Locality (city) name + example: San Francisco + organizationalUnitName: + type: string + description: Name of the smaller organization, for example, the department or the division + example: Dev + organizationName: + type: string + description: Large organization name + example: Okta, Inc. + stateOrProvinceName: + type: string + description: State or province name + example: California + CsrMetadataSubjectAltNames: + type: object + properties: + dnsNames: + type: array + description: DNS names of the subject + items: + type: string + example: dev.okta.com + CsrPublishHrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + type: string + enum: + - POST + CsrSelfHrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + type: string + enum: + - GET + - DELETE + CustomAppUserVerificationEnum: + description: User verification setting + type: string + x-okta-known-values: + - PREFERRED + - REQUIRED + CustomRole: + title: Custom Role Assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Binding Object ID + readOnly: true + label: + type: string + description: Label for the custom role assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + resource-set: + type: string + description: Resource Set ID + readOnly: true + role: + type: string + description: Custom Role ID + readOnly: true + status: + allOf: + - $ref: 
'#/components/schemas/LifecycleStatus' + - description: Status of the Custom Role Assignment + type: + type: string + description: CUSTOM for a custom role + enum: + - CUSTOM + _links: + $ref: '#/components/schemas/LinksCustomRoleResponse' + CustomRoleAssignmentSchema: + title: Custom Role + type: object + properties: + resource-set: + type: string + description: Resource Set ID + role: + type: string + description: Custom Role ID + type: + type: string + description: The type of role. Specify `CUSTOM` for a custom role. + enum: + - CUSTOM + CustomizablePage: + type: object + properties: + pageContent: + type: string + description: The HTML for the page + DNSRecord: + description: DNS TXT and CNAME records to be registered for the Domain + type: object + properties: + expiration: + description: DNS TXT record expiration + type: string + fqdn: + description: DNS record name + type: string + example: _oktaverification.login.example.com + recordType: + $ref: '#/components/schemas/DNSRecordType' + values: + description: DNS record value + type: array + items: + type: string + example: + - 79496f234c814638b1cc44f51a782781 + DNSRecordType: + example: TXT + type: string + x-okta-known-values: + - CNAME + - TXT + DRStatusItem: + description: Provides the status whether a domain has been failed over or not + type: object + properties: + domain: + type: string + description: domain + isFailedOver: + type: boolean + description: Indicates if the domain has been failed over + nullable: false + DTCChromeOS: + description: Google Chrome Device Trust Connector provider + type: object + properties: + allowScreenLock: + description: Indicates whether the AllowScreenLock enterprise policy is enabled + type: boolean + browserVersion: + $ref: '#/components/schemas/ChromeBrowserVersion' + builtInDnsClientEnabled: + description: Indicates if a software stack is used to communicate with the DNS server + type: boolean + chromeRemoteDesktopAppBlocked: + description: Indicates whether 
access to the Chrome Remote Desktop application is blocked through a policy + type: boolean + deviceEnrollmentDomain: + description: Enrollment domain of the customer that is currently managing the device + type: string + diskEncrypted: + description: Indicates whether the main disk is encrypted + type: boolean + keyTrustLevel: + $ref: '#/components/schemas/KeyTrustLevelOSMode' + managedDevice: + description: Indicates whether the device is enrolled in ChromeOS device management + type: boolean + osFirewall: + description: Indicates whether a firewall is enabled at the OS-level on the device + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersionFourComponents' + passwordProtectionWarningTrigger: + $ref: '#/components/schemas/PasswordProtectionWarningTrigger' + realtimeUrlCheckMode: + description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled + type: boolean + safeBrowsingProtectionLevel: + $ref: '#/components/schemas/SafeBrowsingProtectionLevel' + screenLockSecured: + description: Indicates whether the device is password-protected + type: boolean + siteIsolationEnabled: + description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled + type: boolean + DTCMacOS: + description: Google Chrome Device Trust Connector provider + type: object + properties: + browserVersion: + $ref: '#/components/schemas/ChromeBrowserVersion' + builtInDnsClientEnabled: + description: Indicates if a software stack is used to communicate with the DNS server + type: boolean + chromeRemoteDesktopAppBlocked: + description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy + type: boolean + deviceEnrollmentDomain: + description: Enrollment domain of the customer that is currently managing the device + type: string + diskEncrypted: + description: Indicates whether the main disk is encrypted + type: boolean + keyTrustLevel: + $ref: 
'#/components/schemas/KeyTrustLevelBrowserKey' + osFirewall: + description: Indicates whether a firewall is enabled at the OS-level on the device + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersionThreeComponents' + passwordProtectionWarningTrigger: + $ref: '#/components/schemas/PasswordProtectionWarningTrigger' + realtimeUrlCheckMode: + description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled + type: boolean + safeBrowsingProtectionLevel: + $ref: '#/components/schemas/SafeBrowsingProtectionLevel' + screenLockSecured: + description: Indicates whether the device is password-protected + type: boolean + siteIsolationEnabled: + description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled + type: boolean + DTCWindows: + description: Google Chrome Device Trust Connector provider + type: object + properties: + browserVersion: + $ref: '#/components/schemas/ChromeBrowserVersion' + builtInDnsClientEnabled: + description: Indicates if a software stack is used to communicate with the DNS server + type: boolean + chromeRemoteDesktopAppBlocked: + description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy + type: boolean + crowdStrikeAgentId: + description: Agent ID of an installed CrowdStrike agent + type: string + crowdStrikeCustomerId: + description: Customer ID of an installed CrowdStrike agent + type: string + deviceEnrollmentDomain: + description: Enrollment domain of the customer that is currently managing the device + type: string + diskEncrypted: + description: Indicates whether the main disk is encrypted + type: boolean + keyTrustLevel: + $ref: '#/components/schemas/KeyTrustLevelBrowserKey' + osFirewall: + description: Indicates whether a firewall is enabled at the OS-level on the device + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersionFourComponents' + passwordProtectionWarningTrigger: + $ref: 
'#/components/schemas/PasswordProtectionWarningTrigger' + realtimeUrlCheckMode: + description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled + type: boolean + safeBrowsingProtectionLevel: + $ref: '#/components/schemas/SafeBrowsingProtectionLevel' + screenLockSecured: + description: Indicates whether the device is password-protected + type: boolean + secureBootEnabled: + description: Indicates whether the device's startup software has its Secure Boot feature enabled + type: boolean + siteIsolationEnabled: + description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled + type: boolean + thirdPartyBlockingEnabled: + description: Indicates whether Chrome is blocking third-party software injection + type: boolean + windowsMachineDomain: + description: Windows domain that the current machine has joined + type: string + windowsUserDomain: + description: Windows domain for the current OS user + type: string + DateTime: + description: An [ISO-8601](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations) formatted date and time. 
+ format: date-time + example: '2024-12-01T00:00:00Z' + type: string + DefaultApp: + type: object + properties: + appInstanceId: + type: string + description: ID for the App instance + appLinkName: + type: string + description: Name for the app instance + classicApplicationUri: + type: string + description: Application URI for classic Orgs + DesktopMFAEnforceNumberMatchingChallengeOrgSetting: + type: object + properties: + desktopMFAEnforceNumberMatchingChallengeEnabled: + type: boolean + description: Indicates whether or not the Desktop MFA Enforce Number Matching Challenge push notifications feature is enabled + default: false + DesktopMFARecoveryPinOrgSetting: + type: object + properties: + desktopMFARecoveryPinEnabled: + type: boolean + description: Indicates whether or not the Desktop MFA Recovery PIN feature is enabled + default: false + DetailedHookKeyInstance: + title: DetailedHookKeyInstance + description: A key object with public key details + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the key was created + readOnly: true + nullable: true + id: + type: string + description: The unique Okta ID of this key record + readOnly: true + nullable: false + isUsed: + type: string + format: boolean + description: Whether this key is currently in use by other applications + nullable: false + readOnly: true + keyId: + type: string + description: The alias of the public key + nullable: false + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the key was updated + readOnly: true + nullable: true + name: + type: string + description: Display name of the key + readOnly: false + nullable: false + minLength: 1 + maxLength: 255 + _embedded: + $ref: '#/components/schemas/_embedded' + DetectedRiskEvents: + type: string + x-okta-known-values: + - ADMIN_REPORTED_USER_RISK + - BRUTE_FORCE_ATTACK + - ENTITY_CRITICAL_ACTION_FROM_HIGH_THREAT_IP + - OKTA_THREAT_INTELLIGENCE + - 
SECURITY_EVENTS_PROVIDER_REPORTED_RISK + - SESSION_INFLUENCED_USER_RISK + - SUSPICIOUS_APP_ACCESS + - USER_REPORTED_SUSPICIOUS_ACTIVITY + Device: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the device was created + readOnly: true + id: + type: string + description: Unique key for the device + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the device record was last updated. Updates occur when Okta collects and saves device signals during authentication, and when the lifecycle state of the device changes. + readOnly: true + profile: + $ref: '#/components/schemas/DeviceProfile' + resourceAlternateId: + type: string + readOnly: true + resourceDisplayName: + $ref: '#/components/schemas/DeviceDisplayName' + resourceId: + type: string + description: Alternate key for the `id` + readOnly: true + resourceType: + type: string + default: UDDevice + readOnly: true + status: + $ref: '#/components/schemas/DeviceStatus' + _links: + $ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle' + DeviceAccessPolicyRuleCondition: + description: <x-lifecycle class="oie"></x-lifecycle> Specifies the device condition to match on + type: object + properties: + assurance: + $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance' + managed: + type: boolean + description: Indicates if the device is managed. A device is considered managed if it's part of a device management system. + registered: + type: boolean + description: | + Indicates if the device is registered. A device is registered if the User enrolls with Okta Verify that's installed on the device. + When the `managed` property is passed, you must also include the `registered` property and set it to `true`. 
+ DeviceAssurance: + title: DeviceAssurance + type: object + properties: + createdBy: + type: string + readOnly: true + createdDate: + type: string + readOnly: true + id: + type: string + readOnly: true + lastUpdate: + type: string + readOnly: true + lastUpdatedBy: + type: string + readOnly: true + name: + type: string + description: Display name of the device assurance policy + platform: + $ref: '#/components/schemas/Platform' + _links: + $ref: '#/components/schemas/LinksSelf' + discriminator: + propertyName: platform + mapping: + WINDOWS: '#/components/schemas/DeviceAssuranceWindowsPlatform' + MACOS: '#/components/schemas/DeviceAssuranceMacOSPlatform' + CHROMEOS: '#/components/schemas/DeviceAssuranceChromeOSPlatform' + IOS: '#/components/schemas/DeviceAssuranceIOSPlatform' + ANDROID: '#/components/schemas/DeviceAssuranceAndroidPlatform' + DeviceAssuranceAndroidPlatform: + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + diskEncryptionType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/DiskEncryptionTypeAndroid' + jailbreak: + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersion' + screenLockType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/ScreenLockType' + secureHardwarePresent: + type: boolean + DeviceAssuranceChromeOSPlatform: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + thirdPartySignalProviders: + type: object + description: Settings for third-party signal providers (based on the `CHROMEOS` platform) + properties: + dtc: + $ref: '#/components/schemas/DTCChromeOS' + DeviceAssuranceIOSPlatform: + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + jailbreak: + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersion' + screenLockType: + type: 
object + properties: + include: + type: array + items: + $ref: '#/components/schemas/ScreenLockType' + DeviceAssuranceMacOSPlatform: + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + diskEncryptionType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/DiskEncryptionTypeDesktop' + osVersion: + $ref: '#/components/schemas/OSVersion' + screenLockType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/ScreenLockType' + secureHardwarePresent: + type: boolean + thirdPartySignalProviders: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: Settings for third-party signal providers (based on the `MACOS` platform) + properties: + dtc: + $ref: '#/components/schemas/DTCMacOS' + DeviceAssuranceWindowsPlatform: + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + diskEncryptionType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/DiskEncryptionTypeDesktop' + osVersion: + $ref: '#/components/schemas/OSVersionFourComponents' + osVersionConstraints: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + type: array + description: | + <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition. + + There are two types of OS requirements: + * **Static**: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with `majorVersionConstraint` and `minimum`. 
+ * **Dynamic**: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with `majorVersionConstraint` and `dynamicVersionRequirement`. + + > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. The `osVersionConstraints` property is only supported for the Windows platform. You can't specify both `osVersion.minimum` and `osVersionConstraints` properties at the same time. + items: + $ref: '#/components/schemas/OSVersionConstraint' + minItems: 1 + maxItems: 2 + screenLockType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/ScreenLockType' + secureHardwarePresent: + type: boolean + thirdPartySignalProviders: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: Settings for third-party signal providers (based on the `WINDOWS` platform) + properties: + dtc: + $ref: '#/components/schemas/DTCWindows' + DeviceCheck: + title: DeviceCheck + type: object + properties: + createdBy: + type: string + readOnly: true + description: User who created the Device Check + example: 00u217pyf72CdUrBt1c5 + createdDate: + type: string + readOnly: true + description: Time the Device Check was created + example: '2019-10-02T18:03:07.000Z' + description: + type: string + description: Description of the Device Check + example: Query macOS devices to check if firewall is enabled + id: + type: string + readOnly: true + description: The ID of the Device Check + example: dch3m8o4rWhwReDeM1c5 + lastUpdate: + type: string + readOnly: true + description: Time the Device Check was updated + example: '2019-10-02T18:03:07.000Z' + lastUpdatedBy: + type: string + readOnly: true + description: User who updated the Device Check + example: 00u217pyf72CdUrBt1c5 + name: + type: string 
+ description: Display name of the Device Check + example: Device Check macOS + platform: + $ref: '#/components/schemas/DeviceChecksPlatform' + query: + type: string + description: OSQuery for the Device Check + example: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + variableName: + type: string + description: Unique name of the Device Check + example: macOSFirewall + _links: + $ref: '#/components/schemas/LinksSelf' + DeviceChecksPlatform: + type: string + x-okta-known-values: + - MACOS + - WINDOWS + DeviceDisplayName: + description: Display name of the device + type: object + properties: + sensitive: + type: boolean + value: + type: string + DeviceIntegrity: + description: Indicates how well a device can enforce app integrity + type: string + x-enumDescriptions: + MEETS_BASIC_INTEGRITY: The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. + MEETS_DEVICE_INTEGRITY: The app is running on an Android-powered device with Google Play services. The device passes system integrity checks and meets Android compatibility requirements. + MEETS_STRONG_INTEGRITY: The app is running on an Android-powered device with Google Play services. It has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements. + x-okta-known-values: + - MEETS_BASIC_INTEGRITY + - MEETS_DEVICE_INTEGRITY + - MEETS_STRONG_INTEGRITY + DeviceList: + allOf: + - $ref: '#/components/schemas/Device' + - properties: + _embedded: + type: object + description: List of associated users for the device if the `expand=user` query parameter is specified in the request. Use `expand=userSummary` to get only a summary of each associated user for the device. 
+ properties: + users: + description: Users for the device + type: array + items: + $ref: '#/components/schemas/DeviceUser' + readOnly: true + DevicePlatform: + description: OS platform of the device + type: string + x-okta-known-values: + - ANDROID + - IOS + - MACOS + - WINDOWS + DevicePolicyMDMFramework: + type: string + x-okta-known-values: + - AFW + - NATIVE + - SAFE + DevicePolicyPlatformType: + type: string + x-okta-known-values: + - ANDROID + - IOS + - OSX + - WINDOWS + DevicePolicyRuleCondition: + type: object + properties: + migrated: + type: boolean + platform: + $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform' + rooted: + type: boolean + trustLevel: + $ref: '#/components/schemas/DevicePolicyTrustLevel' + DevicePolicyRuleConditionAssurance: + type: object + properties: + include: + type: array + items: + type: string + DevicePolicyRuleConditionPlatform: + type: object + properties: + supportedMDMFrameworks: + type: array + items: + $ref: '#/components/schemas/DevicePolicyMDMFramework' + types: + type: array + items: + $ref: '#/components/schemas/DevicePolicyPlatformType' + DevicePolicyTrustLevel: + type: string + x-okta-known-values: + - ANY + - TRUSTED + DeviceProfile: + type: object + properties: + diskEncryptionType: + $ref: '#/components/schemas/DiskEncryptionTypeDef' + displayName: + type: string + description: Display name of the device + minLength: 1 + maxLength: 255 + imei: + type: string + description: International Mobile Equipment Identity (IMEI) of the device + minLength: 14 + maxLength: 17 + integrityJailbreak: + type: boolean + description: Indicates if the device is jailbroken or rooted. 
Only applicable to `IOS` and `ANDROID` platforms + manufacturer: + type: string + description: Name of the manufacturer of the device + maxLength: 127 + meid: + type: string + description: Mobile equipment identifier of the device + maxLength: 14 + model: + type: string + description: Model of the device + maxLength: 127 + osVersion: + type: string + description: Version of the device OS + maxLength: 127 + platform: + $ref: '#/components/schemas/DevicePlatform' + registered: + type: boolean + description: Indicates if the device is registered at Okta + secureHardwarePresent: + type: boolean + description: Indicates if the device contains a secure hardware functionality + serialNumber: + type: string + description: Serial number of the device + maxLength: 127 + sid: + type: string + description: Windows Security identifier of the device + maxLength: 256 + tpmPublicKeyHash: + type: string + description: Windows Trusted Platform Module hash value + udid: + type: string + description: macOS Unique Device identifier of the device + maxLength: 47 + required: + - displayName + - platform + - registered + DeviceStatus: + description: The state object of the device + type: string + x-enumDescriptions: + ACTIVE: Use activated devices to create and delete Device user links + DEACTIVATED: Deactivation causes a Device to lose all device user links. Set the Device status to DEACTIVATED before deleting it. + SUSPENDED: Use suspended devices to create and delete device user links. You can only unsuspend or deactivate suspended devices. + UNSUSPENDED: Returns a suspended Device to ACTIVE. 
+ x-okta-known-values: + - ACTIVE + - DEACTIVATED + - SUSPENDED + - UNSUSPENDED + DeviceUser: + type: object + properties: + created: + type: string + description: Timestamp when device was created + managementStatus: + type: string + description: The management status of the device + enum: + - MANAGED + - NOT_MANAGED + x-enumDescriptions: + MANAGED: The device has management software installed + NOT_MANAGED: The device doesn't have management software installed + screenLockType: + type: string + description: Screen lock type of the device + enum: + - NONE + - PASSCODE + - BIOMETRIC + user: + $ref: '#/components/schemas/User' + DigestAlgorithm: + description: Algorithm used to generate the key. Only required for the PBKDF2 algorithm. + type: string + x-okta-known-values: + - SHA256_HMAC + - SHA512_HMAC + DiskEncryptionTypeAndroid: + type: string + x-okta-known-values: + - FULL + - USER + DiskEncryptionTypeDef: + description: |- + Type of encryption used on the device + > **Note:** The following values map to Disk Encryption ON: `FULL`, `USER`, `ALL_INTERNAL_VOLUMES`. All other values map to Disk Encryption OFF. + type: string + x-enumDescriptions: + NONE: No encryption has been set. + FULL: Disk is fully encrypted. Only applicable to `IOS` and `ANDROID` platforms. + USER: Encryption key is tied to the user or profile. Only applicable to `ANDROID` platform. + ALL_INTERNAL_VOLUMES: All internal disks are encrypted. Only applicable to `WINDOWS` and `MACOS` platforms. + SYSTEM_VOLUME: Only the system volume is encrypted. Only applicable to `WINDOWS` and `MACOS` platforms. 
+ x-okta-known-values: + - ALL_INTERNAL_VOLUMES + - FULL + - NONE + - SYSTEM_VOLUME + - USER + DiskEncryptionTypeDesktop: + type: string + x-okta-known-values: + - ALL_INTERNAL_VOLUMES + DomainCertificate: + description: Defines the properties of the certificate + type: object + properties: + certificate: + description: Certificate content + type: string + example: '"-----BEGIN CERTIFICATE-----\nMIIFNzCCBB+gAwIBAgHTAAXomJWRama3ypu8TIxdA9wzMA0GCSqGSIb3DQEBCwUA\nMDIzCzAJCgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTAyMTAwNTEzMDVaFw0yMTA1MTEwNTEzMDVaMCQxIjAgBgNVBAMT\nGWFuaXRhdGVzdC5zaWdtYW5ldGNvcnAudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQC5cyk6x63iBJSWvtgsOBqIxfO8euPHcRnyWsL9dsvnbNyOnyvc\nqFWxdiW3sh2cItzYtoN1Zfgj5lWGOVXbHxP0VaNG9fHVX3+NHP6LFHQz92BzAYQm\npqi9zaP/aKJklk6LdPFbVLGhuZfm34+ijW9YsgLTKR2WTaZJK5QtamVVmP+VsSCl\na2ifFzjz2FCkMMEc/Y0zUyP+en/mbL71K+VnpZdlEC1s38EvjRTFKFZTKVw5wpWg\nCZQq/AZYj9RxR23IIuRcUJ8TQ2pyoc3kIXPWjiIarSgBlA8G9kCsxgzXP2RyLwKr\nIBIo+qyHweifpPYW28ipdSbPjiypAMdpbGLDAgMBAAGjggJTMIICTzAOBgNVHQ8B\nAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB\n/wQCMAAwHQYDVR0OBBYEFPVZKiovtIK4Av/IBUQeLUs29pT6MB8GA1UdIwQYMBaA\nFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcw\nAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMu\naS5sZW5jci5vcmcvMCQGA1UdEQQdMBuCGWFuaXRhdGVzdC5zaWdtYW5ldGNvcnAu\ndXMwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF\nBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQC\nBIH0BIHxAO8AdgBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXeK\nkmOsAAAEAwBHMEUCIQDSudPEWXk969BT8yz3ag6BJWCMRU5tefEw9nXEQMsh5gIg\nUmfGIuUlcNNI5PydVIHj+zns+SR8P7zfd3FIxW4gK0QAdQD2XJQv0XcwIhRUGAgw\nlFaO400TGTO/3wwvIAvMTvFk4wAAAXeKkmOlAAAEAwBGMEQCIHQkr2qOGuInvonv\nW4vvdI61nraax5V6SC3E0D2JSO91AiBVhpX4BBafRAh36r7l8LrxAfxBM3CjBmAC\nq8fUrWfIWDANBgkqhkiG9w0BAQsFAAOCAQEAgGDMKXofKpDdv5kkID3s5GrKdzaj\njFmb/6kyqd1E6eGXZAewCP1EF5BVvR6lBP2aRXiZ6sJVZktoIfztZnbxBGgbPHfv\nR3iXIG6fxkklzR9Y8
puPMBFadANE/QV78tIRAlyaqeSNsoxHi7ssQjHTP111B2lf\n3KmuTpsruut1UesEJcPReLk/1xTkRx262wAncach5Wp+6GWWduTZYJbsNFyrK1RP\nYQ0qYpP9wt2qR+DGaRUBG8i1XLnZS8pkyxtKhVw/a5Fowt+NqCpEBjjJiWJRSGnG\nNSgRtSXq11j8O4JONi8EXe7cEtvzUiLR5PL3itsK2svtrZ9jIwQ95wOPaA==\n-----END CERTIFICATE-----",' + certificateChain: + description: Certificate chain + type: string + example: '"-----BEGIN CERTIFICATE-----\nMIIFPjCCBCbjAwIBAgISA7RikMltj36DkLk1DUzjwfYBMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTEwMTExOTQ3MjRaFw0yMjAxMDkxOTQ3MjNaMCgxJjAkBgNVBAMT\nHWFuaXRhdGVzdHJhaW4uc2lnbWFuZXRjb3JwLnVzMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEA40EsG7YrFlsH3XdZKirdKKOC7/cca5g9L4rwyA/PlfeU\nB7mJhbQI/a3yZbtY+GjHmedBx15aPtyq+NFZLOkiRCXx0k2zNIJB4yC6Jr/Yp8C2\nrXO6mrCcuqpX7SuDPBtrfdYcIg8G6m0wjj1V1p2/XR8G//CBe8I2XTaTpHsx/VC8\nMNOAA27aSbeX4Nz6TQ69rFuxRG+neUbcz2hQKwroCsCHi6iBmqRkg19Uh8315Cx2\nBUqY0JecpP42KMiktzIoSlqS9yZSuNQh1kP1tPwkEzbs/t3FrfCnnRx5RDr2pJpV\nnonL3sB3TVotS3nFgPNHCfp65O0Bg/3ZpU9IvUpcdQIDAQABo4ICVjCCAlIwDgYD\nVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV\nHRMBAf8EAjAAMB0GA1UdDgQWBBSzWt3Dvp71cKA2Z54ESjjyM4dp+jAfBgNVHSME\nGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB\nBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov\nL3IzLmkubGVuY3Iub3JnLzAoBgNVHREEITAfgh1hbml0YXRlc3RyYWluLnNpZ21h\nbmV0Y29ycC51czBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAo\nMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQIGCisG\nAQQB1nkCBAIEgfMEgfAA7gB1AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgia\nN9kTAAABfHEcLqAAAAQDAEYwRAIgMlyQ61FjuIKDfATjz0wfkskChD0csVe0TStq\nmC7NbLACICp3CYMvvDiWt1pr5pzCwTQO8F6v0/qNjmH4mjCutAgyAHUARqVV63X6\nkSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF8cRwvRAAABAMARjBEAiAZd6Vn\n7MLXT7JeIxZrfbNARrf5oCM4UAVjjJeaUhB1MwIgSLW5cVAZvkiwbQW+vIutFjBz\na8cNb/i+nM7RxFW+JPgwDQYJKoZIhvcNAQELBQADggEBAIlHZiHIuOvYFteqpwvR\n0ElqinIpkYsfI+0O5FwHBXz7vMCPGtfdlcX5M10eW3aEBo9lR59mjDMsMufbTb60\nJuSnguelkUoq4WzqjZI+2uy/FTztI5GPpX
mXW3IyzbqmCWQt7u8N607g1TYLBaLL\nrbFIhl+LbTJAa//mxI6bb4l/86j/kSjht6U0OIde7ylscb+3MHobbpIWJYp8Jr1D\nubm/0glL46ExnuLbIKojLhDBnG/wHVunB0rJxGh1vPvwD75O1nSIdxuNlVcGwws+\n7wsOyPA1s0VWzrMN1olLMyIPFCwPvfCm1E8Dje1AXMpmyDlqjEoQsoMUH//GKF0S\nTgM=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9
JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\nov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\nwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\nLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\nbHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\nsR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\nXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\nFQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\nSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\nPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\nTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\nSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\nc3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\nATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\nb3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\nU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\nMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\nWCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\nhe8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\nDfvp
7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n-----END CERTIFICATE-----"' + privateKey: + description: Certificate private key + type: string + example: '"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0AAQEFAASCBKgwghSkAgEAAoIBAQC5cyk6y63iBJSW\nstgsOBqIxfO8euPHcRnyWsL9dsvnbNyOnyvcqFWxdiW3sh2cItzYtoN1Zfgj5lWG\nOVXbHxP0VaNG9fHVX3+NHP6LFHQz92BzAYQmpqi9zaP/aKJklk6LdPFbVLGhuZfm\n34+ijW9YsgLTKR2WTaZJK5QtamVVmP+VsSCla2ifFzjz2FCkMMEc/Y0zUyP+en/m\nbL71K+VnpZdlEC1s38EvjRTFKFZTKVw5wpWgCZQq/AZYj9RxR23IIuRcUJ8TQ2py\noc3kIXPWjiIarSgBlA8G9kCsxgzXP2RyLwKrIBIo+qyHweifpPYW28ipdSbPjiyp\nAMdpbGLDAgMBAAECggEAUXVfT91z6IqghhKwO8QtC5T/+fN06B8rCYSKj/FFoZL0\n0oTiLFuYwImoCadoUDQUE/Efj0rKE2LSgFHg/44IItQXE01m+5WmHmL1ADxsyoLH\nz9yDosKj7jNM7RyV8F8Bg0pL1hU+rU4rhhL/MaS0mx4eFYjC4UmcWBmXTdelSVJa\nkvXvQLT5y86bqh7tqMjM/kALTWRz5CgNJFk/ONA1yo5RTX9S7SIXimBgAvuGqP8i\nMPEhJou7U3DfzXVfvP8byqNdsZs6ZNhG3wXspl61mRyrY+51SOaNLA7Bkji7x4bH\nNw6mJI0IJTAP9oc1Z8fYeMuxT1bfuD7VOupSP0mAMQKBgQDk+KuyQkmPymeP/Wwu\nII4DUpleVzxTK9obMQQoCEEElbQ6+jTb+8ixP0bWLvBXg/rX734j7OWfn/bljWLH\nXLrSoqQZF1+XMVeY4g4wx9UuTK/D2n791zdOgQivxbIPdWL3a4ap86ar8uyMgJu8\nBLXfFBAOc+9myqUkbeO7wt0e6QKBgQDPV04jPtIJoMrggpQDNreGrANKOmsXWxj4\nOHW13QNdJ2KGQpoTdoqQ8ZmlxuA8Bf2RjHsnB2kgGVTVQR74zRib4MByhvsdhvVm\nF2LNsJoIDfqtv3c+oj13VonRUGuzUeJpwT/snyaL+jQ/ZZcYz0jDgDhIODTcFYj8\nDMSD5SHgywKBgHH6MwWuJ44TNBAiF2qyu959jGjAxf+k0ZI9iRMgYLUWjDvbdtqW\ncCWDGRDfFraJtSEuTz003GzkJPPJuIUC7OCTI1p2HxhU8ITi6itwHfdJJyk4J4TW\nT+qdIqTUpTk6tsPw23zYE3x+lS+viVZDhgEArKl1HpOthh0nMnixnH6ZAoGBAKGn\nV+xy1h9bldFk/TFkP8Jn6ki9MzGKfPVKT7vzDORcCJzU4Hu8OFy5gSmW3Mzvfrsz\n4/CR/oxgM5vwoc0pWr5thJ3GT5K93iYypX3o6q7M91zvonDa3UFl3x2qrc2pUfVS\nDhzWGJ+Z+5JSCnP1aK3EEh18dPoCcELTUYPj6X3xAoGBALAllTb3RCIaqIqk+s3Y\n6KDzikgwGM6j9lmOI2MH4XmCVym4Z40YGK5nxulDh2Ihn/n9zm13Z7ul2DJwgQSO\n0zBc7/CMOsMEBaNXuKL8Qj4enJXMtub4waQ/ywqHIdc50YaPI5Ax8dD/10h9M6Qc\nnUFLNE8pXSnsqb0eOL74f3uQ\n-----END PRIVATE KEY-----"' + type: + $ref: '#/components/schemas/DomainCertificateType' + required: + - certificate + - certificateChain + 
- privateKey + - type + DomainCertificateMetadata: + description: Certificate metadata for the domain + type: object + properties: + expiration: + description: Certificate expiration + type: string + example: '2021-05-11T05:13:05.000Z' + fingerprint: + description: Certificate fingerprint + type: string + example: 73:68:82:7B:83:2E:48:29:A5:5E:E8:40:41:80:B3:AA:03:C4:42:43:05:73:45:BC:AA:47:00:23:A3:70:E5:C4 + subject: + description: Certificate subject + type: string + example: CN=login.example.com + DomainCertificateSourceType: + description: Certificate source type that indicates whether the certificate is provided by the user or Okta. + type: string + x-okta-known-values: + - MANUAL + - OKTA_MANAGED + DomainCertificateType: + description: Certificate type + type: string + x-okta-known-values: + - PEM + DomainLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + brand: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated brand + certificate: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The certificate link references the domain certificate + verify: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The verify link verifies the domain and transitions the domain status to `VERIFIED` + DomainListResponse: + description: Defines a list of domains with a subset of the properties for each domain. + type: object + properties: + domains: + description: Each element of the array defines an individual domain. + type: array + items: + $ref: '#/components/schemas/DomainResponse' + DomainRequest: + type: object + properties: + certificateSourceType: + $ref: '#/components/schemas/DomainCertificateSourceType' + domain: + description: Custom domain name + type: string + example: login.example.com + required: + - certificateSourceType + - domain + DomainResponse: + description: The properties that define an individual domain. 
+ type: object + properties: + brandId: + description: The ID number of the brand + type: string + example: bndul904tTZ6kWVhP0g3 + certificateSourceType: + $ref: '#/components/schemas/DomainCertificateSourceType' + dnsRecords: + type: array + items: + $ref: '#/components/schemas/DNSRecord' + domain: + description: Custom domain name + type: string + example: login.example.com + id: + description: Unique ID of the domain + type: string + example: OcDz6iRyjkaCTXkdo0g3 + publicCertificate: + $ref: '#/components/schemas/DomainCertificateMetadata' + validationStatus: + $ref: '#/components/schemas/DomainValidationStatus' + _links: + $ref: '#/components/schemas/DomainLinks' + DomainValidationStatus: + description: Status of the domain + example: VERIFIED + type: string + x-okta-known-values: + - COMPLETED + - IN_PROGRESS + - NOT_STARTED + - VERIFIED + Duration: + type: object + properties: + number: + type: integer + unit: + type: string + DynamicNetworkZone: + allOf: + - $ref: '#/components/schemas/NetworkZone' + - title: Dynamic Network Zone + - type: object + properties: + asns: + allOf: + - $ref: '#/components/schemas/NetworkZoneAsns' + - description: An array of ASNs for a Network Zone + proxyType: + type: string + description: The proxy type used for a Dynamic Network Zone + enum: + - 'null' + - Any + - Tor + - NotTorAnonymizer + x-enumDescriptions: + 'null': (Or `""`) No proxy used + Any: Use any proxy type for the Dynamic Zone. + Tor: Use Tor Anonymizer proxy for the Dynamic Zone. + NotTorAnonymizer: Use a non Tor Anonymizer proxy for the Dynamic Zone. + locations: + allOf: + - $ref: '#/components/schemas/NetworkZoneLocationArray' + - description: An array of geolocations for a Dynamic Network Zone + ECKeyJWK: + description: Elliptic Curve Key in JWK format, currently used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS objects in fulfillment responses. The currently agreed protocol uses P-384. 
+ type: object + properties: + crv: + type: string + enum: + - P-384 + kid: + type: string + description: The unique identifier of the key + kty: + type: string + enum: + - EC + description: The type of public key + use: + type: string + description: The intended use for the key. The ECKeyJWK is always `enc` because Okta uses it to encrypt requests to Yubico. + enum: + - enc + x: + type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + required: + - x + - 'y' + - kty + - crv + - use + - kid + EmailContent: + type: object + properties: + body: + type: string + description: | + The HTML body of the email. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + <x-lifecycle class="ea"></x-lifecycle> Not required if Custom languages for Okta Email Templates is enabled. A `null` body is replaced with a default value from one of the following in priority order: + + 1. An existing default email customization, if one exists + 2. Okta-provided translated content for the specified language, if one exists + 3. Okta-provided translated content for the brand locale, if it's set + 4. Okta-provided content in English + subject: + type: string + description: | + The email subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + <x-lifecycle class="ea"></x-lifecycle> Not required if Custom languages for Okta Email Templates is enabled. A `null` subject is replaced with a default value from one of the following in priority order: + + 1. An existing default email customization, if one exists + 2. Okta-provided translated content for the specified language, if one exists + 3. Okta-provided translated content for the brand locale, if it's set + 4. 
Okta-provided content in English + required: + - subject + - body + EmailCustomization: + allOf: + - $ref: '#/components/schemas/EmailContent' + - type: object + properties: + created: + type: string + format: date-time + readOnly: true + description: The UTC time at which this email customization was created. + id: + type: string + readOnly: true + description: A unique identifier for this email customization + isDefault: + type: boolean + description: Whether this is the default customization for the email template. Each customized email template must have exactly one default customization. Defaults to `true` for the first customization and `false` thereafter. + language: + $ref: '#/components/schemas/Language' + lastUpdated: + type: string + format: date-time + readOnly: true + description: The UTC time at which this email customization was last updated. + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + self: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + required: + - language + EmailDefaultContent: + allOf: + - $ref: '#/components/schemas/EmailContent' + - type: object + properties: + _links: + type: object + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + template: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + EmailDomain: + allOf: + - $ref: '#/components/schemas/BaseEmailDomain' + type: object + properties: + brandId: + type: string + domain: + type: string + validationSubdomain: + type: string + description: Subdomain for the email sender's custom mail domain. Specify your subdomain when you configure a custom mail domain. 
+ default: mail + required: + - domain + - brandId + EmailDomainDNSRecord: + type: object + properties: + fqdn: + type: string + recordType: + $ref: '#/components/schemas/EmailDomainDNSRecordType' + verificationValue: + type: string + EmailDomainDNSRecordType: + type: string + x-okta-known-values: + - CNAME + - TXT + EmailDomainResponse: + allOf: + - $ref: '#/components/schemas/BaseEmailDomain' + type: object + properties: + dnsValidationRecords: + type: array + items: + $ref: '#/components/schemas/EmailDomainDNSRecord' + domain: + type: string + id: + type: string + validationStatus: + $ref: '#/components/schemas/EmailDomainStatus' + validationSubdomain: + type: string + description: The subdomain for the email sender's custom mail domain + default: mail + EmailDomainResponseWithEmbedded: + allOf: + - $ref: '#/components/schemas/EmailDomainResponse' + type: object + properties: + _embedded: + type: object + properties: + brands: + type: array + items: + $ref: '#/components/schemas/Brand' + readOnly: true + EmailDomainStatus: + type: string + x-okta-known-values: + - DELETED + - ERROR + - NOT_STARTED + - POLLING + - VERIFIED + EmailPreview: + type: object + properties: + body: + type: string + readOnly: true + description: The email's HTML body + subject: + type: string + readOnly: true + description: The email's subject + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + contentSource: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + defaultContent: + $ref: '#/components/schemas/HrefObject' + EmailServerListResponse: + type: object + properties: + email-servers: + type: array + items: + $ref: '#/components/schemas/EmailServerResponse' + EmailServerPost: + allOf: + - $ref: '#/components/schemas/EmailServerRequest' + - required: + - host + - port + - username + - password + - alias + EmailServerRequest: + allOf: + - $ref: 
'#/components/schemas/BaseEmailServer' + - properties: + password: + type: string + description: Password used to access your SMTP server + EmailServerResponse: + allOf: + - $ref: '#/components/schemas/BaseEmailServer' + - properties: + id: + type: string + description: ID of your SMTP server + EmailSettings: + type: object + properties: + recipients: + type: string + enum: + - ALL_USERS + - ADMINS_ONLY + - NO_USERS + required: + - recipients + EmailSettingsResponse: + type: object + properties: + recipients: + type: string + enum: + - ALL_USERS + - ADMINS_ONLY + - NO_USERS + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + self: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + EmailTemplateResponse: + type: object + properties: + name: + type: string + readOnly: true + description: The name of this email template + _embedded: + type: object + properties: + settings: + $ref: '#/components/schemas/EmailSettingsResponse' + customizationCount: + type: integer + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + settings: + $ref: '#/components/schemas/HrefObject' + defaultContent: + $ref: '#/components/schemas/HrefObject' + customizations: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + EmailTemplateTouchPointVariant: + description: | + Variant for email templates. You can publish a theme for email templates with different combinations of assets. Variants are preset combinations of those assets. + default: OKTA_DEFAULT + type: string + x-enumDescriptions: + FULL_THEME: Uses the Okta logo and Okta colors in email templates + OKTA_DEFAULT: Uses the logo from the Theme. Uses `primaryColorHex` as the background color for buttons. 
+ x-okta-known-values: + - FULL_THEME + - OKTA_DEFAULT + EmailTestAddresses: + type: object + properties: + from: + type: string + description: Email address that sends test emails + example: sender@host.com + to: + type: string + description: Email address that receives test emails + example: receiver@host.com + required: + - from + - to + EnabledStatus: + description: Setting status + type: string + x-okta-known-values: + - DISABLED + - ENABLED + EndUserDashboardTouchPointVariant: + description: | + Variant for the Okta End-User Dashboard. You can publish a theme for end-user dashboard with different combinations of assets. Variants are preset combinations of those assets. + default: OKTA_DEFAULT + type: string + x-enumDescriptions: + FULL_THEME: Uses the logo and favicon from the Theme. Uses `primaryColorHex` for the logo and the side navigation bar background color. + LOGO_ON_FULL_WHITE_BACKGROUND: Uses the logo and favicon from the Theme. Uses white background color for the logo and the side navigation bar background color. + OKTA_DEFAULT: Uses the Okta logo and favicon. Uses a white background color for the logo and the side navigation bar background color. + WHITE_LOGO_BACKGROUND: Uses the logo and favicon from the Theme, with a white background color for the logo. Uses `primaryColorHex` for the side navigation bar background color. + x-okta-known-values: + - FULL_THEME + - LOGO_ON_FULL_WHITE_BACKGROUND + - OKTA_DEFAULT + - WHITE_LOGO_BACKGROUND + EndpointAuthMethod: + description: Requested authentication method for OAuth 2.0 endpoints. 
+ type: string + x-okta-known-values: + - client_secret_basic + - client_secret_jwt + - client_secret_post + - none + - private_key_jwt + EnhancedDynamicNetworkZone: + allOf: + - $ref: '#/components/schemas/NetworkZone' + - title: Enhanced Dynamic Network Zone + - type: object + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + properties: + asns: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: The list of ASNs associated with an Enhanced Dynamic Network Zone + properties: + include: + allOf: + - $ref: '#/components/schemas/NetworkZoneAsns' + - description: An array of ASNs to include for an Enhanced Dynamic Network Zone + locations: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: The list of geolocations to include or exclude for an Enhanced Dynamic Network Zone + properties: + include: + allOf: + - $ref: '#/components/schemas/NetworkZoneLocationArray' + - description: An array of geolocations to include for an Enhanced Dynamic Network Zone + exclude: + allOf: + - $ref: '#/components/schemas/NetworkZoneLocationArray' + - description: An array of geolocations to exclude for an Enhanced Dynamic Network Zone + ipServiceCategories: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: IP services, such as a proxy or VPN, to include or exclude for an Enhanced Dynamic Network Zone + properties: + include: + type: array + description: IP services to include for an Enhanced Dynamic Network Zone + items: + $ref: '#/components/schemas/IPServiceCategory' + maximum: 75 + exclude: + type: array + description: IP services to exclude for an Enhanced Dynamic Network Zone + items: + $ref: '#/components/schemas/IPServiceCategory' + maximum: 75 + EnrollmentActivationRequest: + description: Enrollment Initialization Request + type: object + properties: + credResponses: + description: List 
of credential responses from the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredResponse' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + pinResponseJwe: + description: Encrypted JWE of PIN response from the fulfillment provider + type: string + serial: + description: Serial number of the YubiKey + type: string + userId: + description: ID of an existing Okta user + type: string + version: + description: Firmware version of the YubiKey + type: string + yubicoSigningJwks: + description: List of usable signing keys from Yubico (in JWKS format) used to verify the JWS inside the JWE + type: array + items: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentActivationResponse: + description: Enrollment Initialization Response + type: object + properties: + authenticatorEnrollmentIds: + description: List of IDs for preregistered WebAuthn Factors in Okta + type: array + items: + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + EnrollmentInitializationRequest: + description: Enrollment Initialization Request + type: object + properties: + enrollmentRpIds: + description: List of Relying Party hostnames to register on the YubiKey. + type: array + items: + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + yubicoTransportKeyJWK: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentInitializationResponse: + description: Yubico Transport Key in the form of a JWK, used to encrypt our fulfillment request to Yubico. The currently agreed protocol uses P-384. 
+ type: object + properties: + credRequests: + description: List of credential requests for the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredRequest' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + pinRequestJwe: + description: Encrypted JWE of PIN request for the fulfillment provider + type: string + userId: + description: ID of an existing Okta user + type: string + EntitlementValue: + type: object + properties: + id: + type: string + name: + type: string + value: + type: string + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + group: + $ref: '#/components/schemas/HrefObjectGroupLink' + app: + $ref: '#/components/schemas/HrefObjectAppLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + EntitlementValuesResponse: + type: object + properties: + entitlementValues: + type: array + items: + $ref: '#/components/schemas/EntitlementValue' + _links: + anyOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + - properties: + bundle: + $ref: '#/components/schemas/HrefObject' + entitlements: + $ref: '#/components/schemas/HrefObject' + EntityRiskPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported for this policy type. 
+ default: null + nullable: true + EntityRiskPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + type: object + description: The action to take based on the risk event + properties: + entityRisk: + type: object + description: The object that contains the `actions` array + properties: + actions: + type: array + description: The `entityRisk` object's `actions` array can be empty or contain one of two `action` object value pairs. This object determines the specific response to a risk event. + items: + $ref: '#/components/schemas/EntityRiskPolicyRuleActionsObject' + conditions: + $ref: '#/components/schemas/EntityRiskPolicyRuleConditions' + EntityRiskPolicyRuleActionRunWorkflow: + type: object + properties: + action: + type: string + enum: + - RUN_WORKFLOW + workflow: + type: object + description: This action runs a workflow + properties: + id: + type: integer + description: The `id` of the workflow that runs. + EntityRiskPolicyRuleActionTerminateAllSessions: + type: object + properties: + action: + type: string + description: This action revokes or terminates all of the user's active sessions. 
+ enum: + - TERMINATE_ALL_SESSIONS + EntityRiskPolicyRuleActionsObject: + type: object + properties: + action: + type: string + enum: + - RUN_WORKFLOW + - TERMINATE_ALL_SESSIONS + discriminator: + propertyName: action + mapping: + RUN_WORKFLOW: '#/components/schemas/EntityRiskPolicyRuleActionRunWorkflow' + TERMINATE_ALL_SESSIONS: '#/components/schemas/EntityRiskPolicyRuleActionTerminateAllSessions' + EntityRiskPolicyRuleConditions: + allOf: + - type: object + properties: + entityRisk: + $ref: '#/components/schemas/EntityRiskScorePolicyRuleCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + riskDetectionTypes: + $ref: '#/components/schemas/RiskDetectionTypesPolicyRuleCondition' + EntityRiskScorePolicyRuleCondition: + description: <x-lifecycle class="oie"></x-lifecycle> The risk score level of the entity risk policy rule + type: object + properties: + level: + type: string + enum: + - ANY + - LOW + - MEDIUM + - HIGH + required: + - level + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: A unique identifier for this error. This can be used by Okta Support to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: A short description of what caused this error. Sometimes this contains dynamically-generated information about your specific error. + ErrorCause: + type: object + properties: + errorSummary: + type: string + ErrorPage: + allOf: + - $ref: '#/components/schemas/CustomizablePage' + - type: object + properties: + contentSecurityPolicySetting: + $ref: '#/components/schemas/ContentSecurityPolicySetting' + ErrorPageTouchPointVariant: + description: | + Variant for the error page. 
You can publish a theme for error page with different combinations of assets. Variants are preset combinations of those assets. + default: OKTA_DEFAULT + type: string + x-enumDescriptions: + BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme + BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the error page. + OKTA_DEFAULT: Uses the Okta logo, favicon, and background color + x-okta-known-values: + - BACKGROUND_IMAGE + - BACKGROUND_SECONDARY_COLOR + - OKTA_DEFAULT + ErrorResponse: + type: object + properties: + errorCause: + type: string + description: The reason or cause for the error in the org domain for the dr operation + nullable: true + errorCode: + type: string + description: An error code unique to the error + errorId: + type: string + description: The unique identifier of this error + nullable: true + errorLink: + type: string + description: An indicator where to look out to troubleshoot the error + nullable: true + errorSummary: + type: string + description: An error code description, detailing the error + required: + - errorCode + - errorSummary + EventHook: + type: object + properties: + channel: + $ref: '#/components/schemas/EventHookChannel' + created: + description: Timestamp of the event hook creation + type: string + format: date-time + readOnly: true + createdBy: + description: The ID of the user who created the event hook + type: string + readOnly: true + description: + description: Description of the event hook + type: string + nullable: true + events: + $ref: '#/components/schemas/EventSubscriptions' + id: + type: string + description: Unique key for the event hook + readOnly: true + lastUpdated: + description: Date of the last event hook update + type: string + format: date-time + readOnly: true + name: + description: Display name for the event hook + type: string + status: + description: Status of the event hook + type: string + enum: + - ACTIVE 
+ - INACTIVE + readOnly: true + verificationStatus: + $ref: '#/components/schemas/EventHookVerificationStatus' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + deactivate: + $ref: '#/components/schemas/HrefObject' + verify: + $ref: '#/components/schemas/HrefObject' + required: + - name + - events + - channel + EventHookChannel: + type: object + properties: + config: + $ref: '#/components/schemas/EventHookChannelConfig' + type: + $ref: '#/components/schemas/EventHookChannelType' + version: + description: Version of the channel. Currently the only supported version is `1.0.0``. + type: string + required: + - type + - config + - version + EventHookChannelConfig: + type: object + properties: + authScheme: + $ref: '#/components/schemas/EventHookChannelConfigAuthScheme' + headers: + description: |- + Optional list of key/value pairs for headers that can be sent with the request to the external service. For example, + `X-Other-Header` is an example of an optional header, with a value of `my-header-value`, that you want Okta to pass to your + external service. + type: array + items: + $ref: '#/components/schemas/EventHookChannelConfigHeader' + method: + description: The method of the Okta event hook request + type: string + readOnly: true + uri: + description: The external service endpoint called to execute the event hook handler + type: string + required: + - uri + EventHookChannelConfigAuthScheme: + description: |- + The authentication scheme used for this request. + + To use Basic Auth for authentication, set `type` to `HEADER`, + `key` to `Authorization`, and `value` to the Base64-encoded string of "username:password". Ensure that you include + the scheme (including space) as part of the `value` parameter. For example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`. 
+ type: object + properties: + key: + description: The name for the authorization header + type: string + type: + $ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType' + value: + description: |- + The header value. This secret key is passed to your external service endpoint for security verification. + This property is not returned in the response. + type: string + writeOnly: true + EventHookChannelConfigAuthSchemeType: + description: The authentication scheme type. Currently only supports `HEADER`. + type: string + x-okta-known-values: + - HEADER + EventHookChannelConfigHeader: + nullable: true + type: object + properties: + key: + description: The optional field or header name + type: string + value: + description: The value for the key + type: string + EventHookChannelType: + description: The channel type. Currently supports `HTTP`. + type: string + x-okta-known-values: + - HTTP + EventHookFilterMap: + description: The object that maps the filter to the event type + items: + $ref: '#/components/schemas/EventHookFilterMapObject' + type: array + EventHookFilterMapObject: + type: object + properties: + condition: + $ref: '#/components/schemas/EventHookFilterMapObjectCondition' + event: + type: string + description: The filtered event type + EventHookFilterMapObjectCondition: + type: object + properties: + expression: + type: string + description: The Okta Expression language statement that filters the event type + version: + type: string + nullable: true + description: Internal field + readOnly: true + EventHookFilters: + nullable: true + description: |- + The optional filter defined on a specific event type + + > **Note:** Event hook filters is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) to enable. + If you want to disable this feature, it's recommended to first remove all event filters. 
+ type: object + properties: + eventFilterMap: + $ref: '#/components/schemas/EventHookFilterMap' + type: + type: string + description: The type of filter. Currently only supports `EXPRESSION_LANGUAGE` + readOnly: true + EventHookSubscribedEventTypes: + description: |- + The subscribed event types that trigger the event hook. When you register an event hook + you need to specify which events you want to subscribe to. To see the list of event types + currently eligible for use in event hooks, use the [Event Types catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog) + and search with the parameter `event-hook-eligible`. + items: + type: string + type: array + EventHookVerificationStatus: + description: Verification status of the event hook. `UNVERIFIED` event hooks won't receive any events. + type: string + readOnly: true + x-okta-known-values: + - UNVERIFIED + - VERIFIED + EventSubscriptionType: + description: The events object type. Currently supports `EVENT_TYPE`. + type: string + x-okta-known-values: + - EVENT_TYPE + EventSubscriptions: + type: object + properties: + filter: + $ref: '#/components/schemas/EventHookFilters' + items: + $ref: '#/components/schemas/EventHookSubscribedEventTypes' + type: + $ref: '#/components/schemas/EventSubscriptionType' + required: + - type + - items + ExpiresAt: + format: date-time + description: Timestamp when the object expires + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + Expression: + type: object + properties: + value: + type: string + FCMConfiguration: + properties: + fileName: + type: string + description: (Optional) File name for Admin Console display + projectId: + type: string + description: Project ID of FCM configuration + readOnly: true + serviceAccountJson: + type: object + description: JSON containing the private service account key and service account details. 
See [Creating and managing service account keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for more information on creating service account keys in JSON. + writeOnly: true + FCMPushProvider: + allOf: + - $ref: '#/components/schemas/PushProvider' + - type: object + properties: + configuration: + $ref: '#/components/schemas/FCMConfiguration' + FailbackRequestSchema: + description: List of domains to failback + items: + type: string + description: Okta or custom domain to failback + example: yourOktaDomain.okta.com + type: array + FailbackResponseSchema: + description: successful failback message + type: string + FailoverRequestSchema: + description: List of domains to failover + items: + type: string + description: Okta or custom domain to failover + example: yourOktaDomain.okta.com + type: array + FailoverResponseSchema: + description: successful failover message + type: string + Feature: + description: Specifies feature release cycle information + type: object + properties: + description: + type: string + description: Brief description of the feature and what it provides + id: + type: string + description: Unique identifier for this feature + readOnly: true + name: + type: string + description: Name of the feature + stage: + $ref: '#/components/schemas/FeatureStage' + status: + $ref: '#/components/schemas/EnabledStatus' + type: + $ref: '#/components/schemas/FeatureType' _links: - self: - href: https://${yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 - hints: - allow: - - GET - - DELETE - user: - href: https://${yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX - hints: - allow: - - GET - BehaviorRuleRequest: - value: - name: My Behavior Rule - type: VELOCITY - BehaviorRuleResponse: - value: - id: abcd1234 - name: My Behavior Rule - type: VELOCITY + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + dependents: + description: Link to feature dependents + type: object + readOnly: true + properties: + href: + 
description: Link URI + type: string + readOnly: true + dependencies: + description: Link to feature dependencies + type: object + readOnly: true + properties: + href: + description: Link URI + type: string + readOnly: true + FeatureLifecycle: + example: ENABLE + type: string + x-okta-known-values: + - DISABLE + - ENABLE + FeatureStage: + description: |- + Current release cycle stage of a feature + + If a feature's stage value is `EA`, the state is `null` and not returned. If the value is `BETA`, the state is `OPEN` or `CLOSED` depending on whether the `BETA` feature is manageable. + + > **Note:** If a feature's stage is `OPEN BETA`, you can update it only in Preview cells. If a feature's stage is `CLOSED BETA`, you can disable it only in Preview cells. + type: object + properties: + state: + $ref: '#/components/schemas/FeatureStageState' + value: + $ref: '#/components/schemas/FeatureStageValue' + FeatureStageState: + description: Indicates the release state of the feature + type: string + x-okta-known-values: + - CLOSED + - OPEN + FeatureStageValue: + description: Current release stage of the feature + type: string + x-okta-known-values: + - BETA + - EA + FeatureType: + description: Type of feature + type: string + x-okta-known-values: + - self-service + FipsEnum: + type: string + x-okta-known-values: + - OPTIONAL + - REQUIRED + ForgotPasswordResponse: + type: object + properties: + resetPasswordUrl: + type: string + readOnly: true + FulfillmentData: + description: Fulfillment provider details + type: object + properties: + customizationId: + description: ID for the set of custom configurations of the requested Factor + type: string + inventoryProductId: + description: ID for the specific inventory bucket of the requested Factor + type: string + productId: + description: ID for the make and model of the requested Factor + type: string + FulfillmentRequest: + description: Fulfillment Request + type: object + properties: + fulfillmentData: + $ref: 
'#/components/schemas/FulfillmentData' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + GoogleApplication: + title: Google Workspace + x-tags: + - Application + x-okta-defined-as: + name: google + example: + name: google + label: Sample Google App + signOnMode: SAML_2_0 settings: - velocityKph: 805 - status: ACTIVE - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z - _link: - self: - href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234 - hints: - allow: - - GET - - POST - - PUT - - DELETE - CAPTCHAInstanceRequestHCaptcha: - value: - name: myHCaptcha - secretKey: xxxxxxxxxxx - siteKey: xxxxxxxxxxx - type: HCAPTCHA - CAPTCHAInstanceRequestReCaptcha: - value: - name: myReCaptcha - secretKey: xxxxxxxxxxx - siteKey: yyyyyyyyyyyyyyy - type: RECAPTCHA_V2 - CAPTCHAInstanceResponseHCaptcha: - value: - id: abcd1234 - name: myHCaptcha - siteKey: xxxxxxxxxxx - type: HCAPTCHA - _link: - self: - href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234 - hints: - allow: - - GET - - POST - - PUT - - DELETE - CAPTCHAInstanceResponseReCaptcha: - value: - id: abcd4567 - name: myReCaptcha - siteKey: yyyyyyyyyyyyyyy - type: RECAPTCHA_V2 - _link: - self: - href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 - hints: - allow: - - GET - - POST - - PUT - - DELETE - CreateUpdateEmailCustomizationRequest: - value: - language: fr - subject: Bienvenue dans ${org.name}! - body: <!DOCTYPE html><html><body><p>Bonjour ${user.profile.firstName}. <a href="${activationLink}">Activer le compte</a></p></body></html> - isDefault: false - CreateUpdateEmailCustomizationResponse: - value: - language: fr - subject: Bienvenue dans ${org.name}! - body: <!DOCTYPE html><html><body><p>Bonjour ${user.profile.firstName}. 
<a href="${activationLink}">Activer le compte</a></p></body></html> - isDefault: false - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + app: + domain: my-company-domain + description: | + Schema for the Google Workspace app (key name: `google`) + + To create a Google Workspace app, use the [Create an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Google Workspace app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. + allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + enum: + - google + example: google + signOnMode: + enum: + - BROWSER_PLUGIN + - SAML_2_0 + example: BROWSER_PLUGIN + settings: + $ref: '#/components/schemas/GoogleApplicationSettings' + GoogleApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/GoogleApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + GoogleApplicationSettingsApplication: + description: Google app instance properties + type: object + properties: + domain: + type: string + description: Your Google company domain + rpId: + type: string + description: RPID + required: + - domain + GovernanceBundle: + type: object + properties: + description: + type: string + id: + type: string + name: + type: string + orn: + type: string + status: + type: string + _links: + allOf: + - properties: + entitlements: + $ref: '#/components/schemas/HrefObject' + GovernanceBundleCreateRequest: + type: object + properties: + description: + type: string + entitlements: + type: array + items: + $ref: '#/components/schemas/IAMBundleEntitlement' + name: + type: 
string + GovernanceBundleUpdateRequest: + type: object + properties: + description: + type: string + entitlements: + type: array + items: + $ref: '#/components/schemas/IAMBundleEntitlement' + name: + type: string + GovernanceBundlesResponse: + type: object + properties: + bundles: + type: array + items: + $ref: '#/components/schemas/GovernanceBundle' _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 - hints: - allow: - - GET - - PUT - - DELETE - template: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - preview: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview - hints: - allow: - - GET - test: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - DeviceAssuranceAndroidRequest: - value: - name: Device Assurance Android - osVersion: - minimum: 12.4.5 - diskEncryptionType: - include: - - USER - - FULL - jailbreak: false - platform: ANDROID - screenLockType: - include: - - BIOMETRIC - secureHardwarePresent: true - DeviceAssuranceIosRequest: - value: - name: Device Assurance IOS - osVersion: - minimum: 12.4.5 - jailbreak: false - platform: IOS - screenLockType: - include: - - BIOMETRIC - DeviceAssuranceMacOSRequest: - value: - name: Device Assurance macOS - osVersion: - minimum: 12.4.5 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: MACOS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - DeviceAssuranceResponse: - value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance Example - lastUpdate: 2022-01-01T00:00:00.000Z - createdUpdate: 2022-01-01T00:00:00.000Z - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - 
ALL_INTERNAL_VOLUMES - platform: WINDOWS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true + anyOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + GovernanceSourceType: + description: The grant type + type: string + x-okta-known-values: + - CUSTOM + - ENTITLEMENT-BUNDLE + GrantOrTokenStatus: + description: Status + example: ACTIVE + type: string + readOnly: true + x-okta-known-values: + - ACTIVE + - REVOKED + GrantResourcesHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants + GrantType: + description: Determines the mechanism Okta uses to authorize the creation of the tokens. + type: string + x-okta-known-values: + - authorization_code + - client_credentials + - implicit + - interaction_code + - password + - refresh_token + - urn:ietf:params:oauth:grant-type:device_code + - urn:ietf:params:oauth:grant-type:jwt-bearer + - urn:ietf:params:oauth:grant-type:saml2-bearer + - urn:ietf:params:oauth:grant-type:token-exchange + - urn:openid:params:grant-type:ciba + - urn:okta:params:oauth:grant-type:otp + - urn:okta:params:oauth:grant-type:oob + - http://auth0.com/oauth/grant-type/mfa-otp + - http://auth0.com/oauth/grant-type/mfa-oob + GrantTypePolicyRuleCondition: + description: Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens. + type: object + properties: + include: + type: array + description: Array of grant types that this condition includes. 
+ items: + type: string + Group: + type: object + properties: + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the Group was created + id: + type: string + readOnly: true + example: 0gabcd1234 + description: Unique ID for the Group + lastMembershipUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the Groups memberships were last updated + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the Group's Profile was last updated + objectClass: + type: array + readOnly: true + description: Determines the Group's `profile` + items: + type: string + profile: + $ref: '#/components/schemas/GroupProfile' + type: + $ref: '#/components/schemas/GroupType' + _embedded: + type: object + description: Embedded resources related to the Group + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + description: '[Discoverable resources](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) related to the Group' + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + apps: + $ref: '#/components/schemas/HrefObject' + logo: + type: array + items: + $ref: '#/components/schemas/HrefObject' + source: + $ref: '#/components/schemas/HrefObject' + users: + $ref: '#/components/schemas/HrefObject' + GroupAssignmentProfile: + description: |- + Specifies the profile properties applied to [Application Users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) that are assigned to the app through group membership. + Some reference properties are imported from the target app and can't be configured. See [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response). 
+ additionalProperties: true + type: object + GroupCondition: + description: Specifies a set of Groups whose Users are to be included or excluded + type: object + properties: + exclude: + type: array + description: Groups to be excluded + items: + type: string + include: + type: array + description: Groups to be included + items: + type: string + required: + - exclude + - include + GroupOwner: + type: object + properties: + displayName: + description: The display name of the group owner + type: string + readOnly: true + id: + description: The `id` of the group owner + type: string + lastUpdated: + description: Timestamp when the group owner was last updated + type: string + format: date-time + readOnly: true + originId: + description: The ID of the app instance if the `originType` is `APPLICATION`. This value is `NULL` if `originType` is `OKTA_DIRECTORY`. + type: string + originType: + $ref: '#/components/schemas/GroupOwnerOriginType' + resolved: + description: If `originType`is APPLICATION, this parameter is set to `FALSE` until the owner’s `originId` is reconciled with an associated Okta ID. + type: boolean + type: + $ref: '#/components/schemas/GroupOwnerType' + GroupOwnerOriginType: + description: The source where group ownership is managed + type: string + x-okta-known-values: + - APPLICATION + - OKTA_DIRECTORY + GroupOwnerType: + description: The entity type of the owner + type: string + x-okta-known-values: + - GROUP + - USER + GroupPolicyRuleCondition: + description: Specifies a set of Groups whose Users are to be included or excluded + type: object + properties: + exclude: + type: array + description: Groups to be excluded + items: + type: string + include: + type: array + description: Groups to be included + items: + type: string + GroupProfile: + description: |- + Specifies required and optional properties for a Group. The `objectClass` of a Group determines which additional properties are available. 
+ + You can extend Group Profiles with custom properties, but you must first add the properties to the Group Profile schema before you can reference them. Use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)to manage schema extensions. + + Custom properties can contain HTML tags. It is the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. + anyOf: + - $ref: '#/components/schemas/OktaUserGroupProfile' + - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile' + GroupRule: + type: object + properties: + actions: + $ref: '#/components/schemas/GroupRuleAction' + conditions: + $ref: '#/components/schemas/GroupRuleConditions' + created: + type: string + format: date-time + readOnly: true + description: Creation date for group rule + id: + type: string + readOnly: true + description: ID of the group rule + lastUpdated: + type: string + format: date-time + readOnly: true + description: Date group rule was last updated + name: + type: string + description: Name of the Group rule + minLength: 1 + maxLength: 50 + status: + $ref: '#/components/schemas/GroupRuleStatus' + type: + type: string + description: Type to indicate a Group rule operation. Only `group_rule` is allowed. 
+ GroupRuleAction: + description: Defines which users and groups to assign + type: object + properties: + assignUserToGroups: + $ref: '#/components/schemas/GroupRuleGroupAssignment' + GroupRuleConditions: + description: Defines group rule conditions + type: object + properties: + expression: + $ref: '#/components/schemas/GroupRuleExpression' + people: + $ref: '#/components/schemas/GroupRulePeopleCondition' + GroupRuleExpression: + description: Defines Okta specific [group-rules expression](https://developer.okta.com/docs/reference/okta-expression-language/#expressions-in-group-rules) + type: object + properties: + type: + type: string + description: Expression type. Only valid value is '`urn:okta:expression:1.0`'. + value: + type: string + description: Okta expression that would result in a Boolean value + example: user.role==\"Engineer\" + GroupRuleGroupAssignment: + description: Contains the `groupIds` array + type: object + properties: + groupIds: + description: Array of `groupIds` to which Users are added + type: array + items: + type: string + GroupRuleGroupCondition: + description: Currently not supported + type: object + properties: + exclude: + type: array + description: Currently not supported + items: + type: string + GroupRulePeopleCondition: + description: Defines conditions for `people` in a group rule + type: object + properties: + groups: + $ref: '#/components/schemas/GroupRuleGroupCondition' + users: + $ref: '#/components/schemas/GroupRuleUserCondition' + GroupRuleStatus: + description: Status of group rule + type: string + x-okta-known-values: + - ACTIVE + - INACTIVE + - INVALID + GroupRuleUserCondition: + description: Defines conditions specific to user exclusion + type: object + properties: + exclude: + type: array + description: Excluded `userIds` when processing rules + items: + type: string + GroupSchema: + type: object + properties: + $schema: + readOnly: true + type: string + description: JSON Schema version identifier + created: + readOnly: 
true + type: string + description: Timestamp when the Schema was created + definitions: + $ref: '#/components/schemas/GroupSchemaDefinitions' + description: + type: string + description: Description for the Schema + id: + readOnly: true + type: string + description: URI of Group Schema + lastUpdated: + readOnly: true + type: string + description: Timestamp when the Schema was last updated + name: + readOnly: true + type: string + description: Name of the Schema + properties: + $ref: '#/components/schemas/UserSchemaProperties' + description: Group object properties + title: + type: string + description: User-defined display name for the Schema + type: + readOnly: true + type: string + description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) _links: - self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 - hints: - allow: - - DELETE - - GET - - PUT - DeviceAssuranceWindowsRequest: - value: - name: Device Assurance Windows - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: WINDOWS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - EmailCustomizationResponse: - value: - language: en - isDefault: true - subject: Welcome to ${org.name}! - body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. Click <a href="${activationLink}">here</a> to activate your account.</body></html> - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + $ref: '#/components/schemas/LinksSelf' + x-okta-allow-null-property-value-for-updates: true + GroupSchemaAttribute: + type: object + properties: + description: + type: string + description: Description of the property + enum: + items: + anyOf: + - type: string + - type: integer + type: array + nullable: true + description: |- + Enumerated value of the property. 
+ + The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. + externalName: + type: string + description: Name of the property as it exists in an external application + externalNamespace: + type: string + description: Namespace from the external application + format: + description: Identifies the type of data represented by the string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeFormat' + items: + $ref: '#/components/schemas/UserSchemaAttributeItems' + nullable: true + master: + description: Identifies where the property is mastered + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMaster' + maxLength: + type: integer + nullable: true + description: Maximum character length of a string property + minLength: + type: integer + nullable: true + description: Minimum character length of a string property + mutability: + description: Defines the mutability of the property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' + oneOf: + items: + $ref: '#/components/schemas/UserSchemaAttributeEnum' + type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + + When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order. + + ``` + {"enum": ["S","M","L","XL"], + "oneOf": [ + {"const": "S", "title": "Small"}, + {"const": "M", "title": "Medium"}, + {"const": "L", "title": "Large"}, + {"const": "XL", "title": "Extra Large"} + ] + } + ```json + + The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value. 
+ permissions: + description: Access control permissions for the property + items: + $ref: '#/components/schemas/UserSchemaAttributePermission' + type: array + nullable: true + required: + type: boolean + nullable: true + description: Determines whether the property is required + scope: + description: Determines whether a group attribute can be set at the individual or group level + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeScope' + title: + type: string + minLength: 1 + description: User-defined display name for the property + type: + description: Type of property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' + unique: + description: Determines whether property values must be unique + type: boolean + nullable: true + GroupSchemaBase: + type: object + properties: + id: + readOnly: true + type: string + description: The subschema name + properties: + description: The `#base` object properties + allOf: + - $ref: '#/components/schemas/GroupSchemaBaseProperties' + required: + items: + type: string + type: array + description: A collection indicating required property names + readOnly: true + type: + description: The object type + type: string + readOnly: true + GroupSchemaBaseProperties: + description: All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. These properties can't be removed or edited, regardless of any attempt to do so. 
+ type: object + properties: + description: + description: Human readable description of the Group + allOf: + - $ref: '#/components/schemas/GroupSchemaAttribute' + name: + description: Unique identifier for the Group + allOf: + - $ref: '#/components/schemas/GroupSchemaAttribute' + GroupSchemaCustom: + description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom` + type: object + properties: + id: + readOnly: true + type: string + description: The subschema name + properties: + additionalProperties: + $ref: '#/components/schemas/GroupSchemaAttribute' + type: object + description: The `#custom` object properties + required: + items: + type: string + type: array + description: A collection indicating required property names + readOnly: true + type: + type: string + description: The object type + readOnly: true + GroupSchemaDefinitions: + type: object + properties: + base: + $ref: '#/components/schemas/GroupSchemaBase' + custom: + $ref: '#/components/schemas/GroupSchemaCustom' + GroupType: + description: Determines how a Group's Profile and memberships are managed + type: string + x-enumDescriptions: + APP_GROUP: Group Profile and memberships are imported and must be managed within the app (such as Active Directory or LDAP) that imported the Group + BUILT_IN: Group Profile and memberships are managed by Okta and can't be modified + OKTA_GROUP: Group Profile and memberships are directly managed in Okta via static assignments or indirectly through Group rules + x-okta-known-values: + - APP_GROUP + - BUILT_IN + - OKTA_GROUP + GroupsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Application Groups](/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) resource + HelpLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app help resource + HookKey: + title: HookKeyInstance + 
description: |- + The `id` property in the response as `id` serves as the unique ID for the key, which you can specify when invoking other CRUD operations. + + The `keyId` provided in the response is the alias of the public key that you can use to get details of the public key data in a separate call. + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the key was created + readOnly: true + nullable: true + id: + type: string + description: The unique identifier for the key + readOnly: true + nullable: false + isUsed: + type: string + format: boolean + description: Whether this key is currently in use by other applications + nullable: false + readOnly: true + keyId: + type: string + description: The alias of the public key + nullable: false + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the key was updated + readOnly: true + nullable: true + name: + type: string + description: Display name of the key + readOnly: false + nullable: false + minLength: 1 + maxLength: 255 + HostedPage: + type: object + properties: + type: + $ref: '#/components/schemas/HostedPageType' + url: + type: string + required: + - type + HostedPageType: + type: string + x-okta-known-values: + - EXTERNALLY_HOSTED + - OKTA_DEFAULT + HrefCsrPublishLink: + title: Link Object + description: Link to publish CSR + type: object + properties: + hints: + $ref: '#/components/schemas/CsrPublishHrefHints' + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + required: + - href + readOnly: true + HrefCsrSelfLink: + title: Link Object + description: Link to the resource (self) + type: object + properties: + hints: + $ref: '#/components/schemas/CsrSelfHrefHints' + href: + type: string + description: Link URI + example: 
https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + required: + - href + readOnly: true + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HrefHintsGuidanceObject: + allOf: + - $ref: '#/components/schemas/HrefHints' + - description: Describes allowed HTTP verbs and guidance for the `href` + - type: object + properties: + guidance: + type: array + description: | + Specifies the URI to invoke for granting scope consent required to complete the OAuth 2.0 connection + items: + type: string + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + href: + type: string + description: Link URI + name: + type: string + description: Link name + templated: + type: boolean + description: Indicates whether the Link Object's `href` property is a URI template. + type: + type: string + description: The media type of the link. If omitted, it is implicitly `application/json`. 
+ required: + - href + readOnly: true + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectAppLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app resource + HrefObjectAssigneeLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the assignee resource + HrefObjectAuthorizeLink: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + description: Link to authorize scopes + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHintsGuidanceObject' + href: + type: string + description: Link URI + required: + - href + readOnly: true + HrefObjectClientLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the client resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + HrefObjectDeleteLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to delete the resource + HrefObjectGovernanceResourcesLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resources + HrefObjectGrantAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to grant Okta Aerial access to your Org + HrefObjectGroupLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the group resource + HrefObjectLogoLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the logo resource + HrefObjectMappingsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mappings resource + HrefObjectMemberLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the member resource + HrefObjectPermissionsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the permissions resource + 
HrefObjectResourceSetLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource-set resource + HrefObjectRetrieveAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to retrieve Okta Aerial consent for your Org + HrefObjectRevokeAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to revoke Okta Aerial consent for your Org + HrefObjectRoleLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the role resource + HrefObjectRulesLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the rules resource + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObjectSuspendLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to suspend the resource + HrefObjectUnsuspendLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to unsuspend the resource + HrefObjectUserLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the user resource + HttpMethod: + type: string + x-okta-known-values: + - DELETE + - GET + - POST + - PUT + IAMBundleEntitlement: + type: object + properties: + resourceSets: + type: array + items: + type: string + role: + type: string + targets: + type: array + items: + type: string + IPNetworkZone: + allOf: + - $ref: '#/components/schemas/NetworkZone' + - title: IP Network Zone + - type: object + properties: + gateways: + type: array + items: + $ref: '#/components/schemas/NetworkZoneAddress' + description: |- + The IP addresses (range or CIDR form) for an IP Network Zone. + The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone. 
+ proxies: + type: array + items: + $ref: '#/components/schemas/NetworkZoneAddress' + nullable: true + description: |- + The IP addresses (range or CIDR form) that are allowed to forward a request from gateway addresses for an IP Network Zone. + These proxies are automatically trusted by Threat Insights and used to identify the client IP of a request. + The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone. + IPServiceCategory: + description: An IP service offered by a provider, such as a proxy or VPN + type: string + x-okta-known-values: + - ALL_ANONYMIZERS + - ALL_ANONYMIZERS_EXCEPT_TOR + - ALL_IP_SERVICES + - ALL_PROXIES_VPNS + - ANONYMIZER_TOR + - APPLE_ICLOUD_RELAY_PROXY + - AVAST_VPN + - GLOBALPROTECT_VPN + - GOOGLE_VPN + - MULLVAD_VPN + - NORD_VPN + - OXYLABS_PROXY + - SAMSUNG_VPN + - SURFSHARK_VPN + - SYMANTEC_VPN + - TRENDMICRO_VPN + - ULTRASURF_VPN + IamRole: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the role was created + readOnly: true + description: + type: string + description: Description of the role + id: + type: string + description: Unique key for the role + readOnly: true + label: + type: string + description: Unique label for the role + lastUpdated: + type: string + format: date-time + description: Timestamp when the role was last updated + readOnly: true _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 - hints: - allow: - - GET - - PUT - - DELETE - template: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - preview: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview - hints: - allow: - - GET - test: - href: 
https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - EmailSettingsResponse: - value: - recipients: ALL_USERS + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + permissions: + $ref: '#/components/schemas/HrefObject' + required: + - label + - description + IamRoles: + type: object + properties: + roles: + type: array + items: + $ref: '#/components/schemas/IamRole' _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/settings - hints: - allow: - - GET - - PUT - template: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - EmailTemplateDefaultContentResponse: - value: - subject: Welcome to ${org.name}! - body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. Click <a href="${activationLink}">here</a> to activate your account.</body></html> + $ref: '#/components/schemas/LinksNext' + IdPCertificateCredential: + type: object + properties: + x5c: + $ref: '#/components/schemas/X5c' + required: + - x5c + IdPCsr: + description: Defines a CSR for a signature or decryption credential for an IdP + type: object + properties: + created: + $ref: '#/components/schemas/Created' + csr: + description: Base64-encoded CSR in DER format + type: string + readOnly: true + example: 
MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= + id: + description: Unique identifier for the CSR + type: string + readOnly: true + example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + kty: + description: Cryptographic algorithm family for the CSR's keypair + type: string + example: RSA _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content - hints: - allow: - - GET - template: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - preview: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content/preview - hints: - allow: - - GET - ErrorAccessDenied: - value: - errorCode: E0000006 - errorSummary: You do not have permission to perform the requested action - errorLink: E0000006 - errorId: sampleNUSD_8fdkFd8fs8SDBK - errorCauses: [] - ErrorApiValidationFailed: - value: - errorCode: E0000001 - errorSummary: 'Api validation failed: {0}' - errorLink: E0000001 - errorId: 
sampleiCF-8D5rLW6myqiPItW - errorCauses: [] - ErrorCAPTCHALimitOfOne: - value: - errorCode: E0000165 - errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org. - errorLink: E0000165 - errorId: oaejrB1fWL1S7mc-2KcG-SOtw - errorCauses: [] - ErrorCAPTCHAOrgWideSetting: - value: - errorCode: E0000149 - errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed. - errorLink: E0000149 - errorId: samplezsusshPdiTWiITwqBt8 - errorCauses: [] - ErrorCreateUserWithExpiredPasswordWithNullPassword: - value: - errorCode: E0000124 - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified - errorLink: E0000124 - errorId: oaeXxuZgXBySvqi1FvtkwoYCA - errorCauses: - - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified - ErrorCreateUserWithExpiredPasswordWithoutActivation: - value: - errorCode: E0000125 - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true - errorLink: E0000125 - errorId: oaeDd77L9R-TJaD7j_rXsQ31w - errorCauses: - - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true - ErrorCreateUserWithTooManyManyGroupsResponse: - value: - errorCode: E0000093 - errorSummary: Target count limit exceeded - errorLink: E0000093 - errorId: oaePVSLIYnIQsC0B-ptBIllVA - errorCauses: - - errorSummary: The number of group targets is too large. - ErrorDeviceAssuranceInUse: - value: - errorSummary: Device assurance is in use and cannot be deleted. - errorId: oaenwA1ra80S9W-pvbh4m6haA - errorCauses: [] - ErrorEmailCustomizationCannotClearDefault: - value: - errorCode: E0000185 - errorSummary: The isDefault parameter of the default email template customization can't be set to false. 
- errorLink: E0000185 - errorId: oaejrB1fWL1S7mc-2KcG-SOtw - errorCauses: [] - ErrorEmailCustomizationCannotDeleteDefault: - value: - errorCode: E0000184 - errorSummary: A default email template customization can't be deleted. - errorLink: E0000184 - errorId: oaeAdRqprFuTyKokyYPbURJkA - errorCauses: [] - ErrorEmailCustomizationDefaultAlreadyExists: - value: - errorCode: E0000182 - errorSummary: A default email template customization already exists. - errorLink: E0000182 - errorId: oaeXYwTiMvASsC3O4HCzjFaCA - errorCauses: [] - ErrorEmailCustomizationLanguageAlreadyExists: - value: - errorCode: E0000183 - errorSummary: An email template customization for that language already exists. - errorLink: E0000183 - errorId: oaeUcGELffqRay0u1OPdnPypw - errorCauses: [] - ErrorInvalidEmailTemplateRecipients: - value: - errorCode: E0000189 - errorSummary: This template does not support the recipients value. - errorLink: E0000189 - errorId: oae8L1-UkcNTeGi5xVQ28_lww - errorCauses: [] - ErrorPushProviderUsedByCustomAppAuthenticator: - value: - errorCode: E0000187 - errorSummary: Cannot delete push provider because it is being used by a custom app authenticator. - errorLink: E0000187 - errorId: oaenwA1ra80S9W-pvbh4m6haA - errorCauses: [] - ErrorResourceNotFound: - value: - errorCode: E0000007 - errorSummary: 'Not found: {0}' - errorLink: E0000007 - errorId: sampleMlLvGUj_YD5v16vkYWY - errorCauses: [] - ErrorTooManyRequests: - value: - errorCode: E0000047 - errorSummary: You exceeded the maximum number of requests. Try again in a while. 
- errorLink: E0000047 - errorId: sampleQPivGUj_ND5v78vbYWW - errorCauses: [] - GetEmailTemplateResponse: - value: - name: UserActivation + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + publish: + description: Publish the CSR + allOf: + - $ref: '#/components/schemas/HrefObject' + IdPCsrPkcs10: + description: Base64URL-encoded CSR in DER format + format: base64 + type: string + IdPKeyCredential: + description: A [JSON Web Key](https://tools.ietf.org/html/rfc7517) for a signature or encryption credential for an IdP + additionalProperties: true + type: object + properties: + created: + $ref: '#/components/schemas/Created' + e: + description: The exponent value for the RSA public key + type: string + example: AQAB + expiresAt: + $ref: '#/components/schemas/ExpiresAt' + kid: + description: Unique identifier for the key + type: string + example: your-key-id + kty: + description: 'Identifies the cryptographic algorithm family used with the key (Supported value: `RSA`)' + type: string + example: RSA + lastUpdated: + $ref: '#/components/schemas/LastUpdated' + 'n': + description: The modulus value for the RSA public key + type: string + example: '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + use: + description: 'Intended use of the public key (Supported value: `sig`)' + type: string + example: sig + x5c: + $ref: '#/components/schemas/X5c' + x5t#S256: + description: Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate + type: string + example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdentityProvider: + type: object + properties: + created: + $ref: '#/components/schemas/Created' + id: + type: string + readOnly: true + 
description: Unique key for the IdP + example: 0oaWma58liwx40w6boYD + issuerMode: + $ref: '#/components/schemas/IdentityProviderIssuerMode' + lastUpdated: + $ref: '#/components/schemas/LastUpdated' + name: + type: string + maxLength: 100 + description: Unique name for the IdP + example: Sample Identity Provider + policy: + $ref: '#/components/schemas/IdentityProviderPolicy' + properties: + $ref: '#/components/schemas/IdentityProviderProperties' + protocol: + description: IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages + oneOf: + - $ref: '#/components/schemas/ProtocolSaml' + - $ref: '#/components/schemas/ProtocolOAuth' + - $ref: '#/components/schemas/ProtocolOidc' + - $ref: '#/components/schemas/ProtocolMtls' + status: + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/IdentityProviderType' _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - settings: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/settings - hints: - allow: - - GET - - PUT - defaultContent: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content - hints: - allow: - - GET - customizations: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations - hints: - allow: - - GET - - POST - - DELETE - test: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - ListEmailCustomizationResponse: - value: - - language: en - isDefault: true - subject: Welcome to ${org.name}! - body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. 
Click <a href="${activationLink}">here</a> to activate your account.</body></html> - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z - _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 - hints: - allow: - - GET - - PUT - - DELETE - template: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - preview: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview - hints: - allow: - - GET - test: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - ListEmailTemplateResponse: - value: - - name: UserActivation - _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - settings: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/settings - hints: - allow: - - GET - - PUT - defaultContent: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content - hints: - allow: - - GET - customizations: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations - hints: - allow: - - GET - - POST - - DELETE - test: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - ListUsersResponse: - value: - - id: 00u118oQYT4TBGuay0g4 - status: ACTIVE - created: 2022-04-04T15:56:05.000Z - activated: null - statusChanged: null - lastLogin: 2022-05-04T19:50:52.000Z - lastUpdated: 2022-05-05T18:15:44.000Z - passwordChanged: 2022-04-04T16:00:22.000Z - type: - id: oty1162QAr8hJjTaq0g4 - profile: - firstName: Alice - lastName: Smith - mobilePhone: null - secondEmail: null - 
login: alice.smith@example.com - email: alice.smith@example.com - credentials: - password: {} - provider: - type: OKTA - name: OKTA - _links: - self: - href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 - PreviewEmailCustomizationResponse: - value: - subject: Welcome to Okta! - body: <!DOCTYPE html><html><body><p>Hello, John. Click <a href="https://${yourOktaDomain}/...">here</a> to activate your account.</body></html> + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + acs: + description: SAML 2.0 Assertion Consumer Service URL for the Okta SP + allOf: + - $ref: '#/components/schemas/HrefObject' + authorize: + description: OAuth 2.0 authorization endpoint for the IdP OAuth 2.0 Authorization Code flow + allOf: + - $ref: '#/components/schemas/HrefObject' + clientRedirectUri: + description: Redirect URI for the OAuth 2.0 Authorization Code flow + allOf: + - $ref: '#/components/schemas/HrefObject' + metadata: + description: 'Federation metadata document for the IdP (for example: SAML 2.0 Metadata)' + allOf: + - $ref: '#/components/schemas/HrefObject' + users: + description: IdP users + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: Deactivate IdP + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: Activate IdP + allOf: + - $ref: '#/components/schemas/HrefObject' + keys: + description: IdP keys + allOf: + - $ref: '#/components/schemas/HrefObject' + IdentityProviderApplicationUser: + type: object + properties: + created: + $ref: '#/components/schemas/Created' + externalId: + type: string + description: Unique IdP-specific identifier for the User + readOnly: true + maxLength: 512 + example: saml.jackson@example.com + id: + type: string + description: Unique key of the User + readOnly: true + lastUpdated: + $ref: '#/components/schemas/LastUpdated' + profile: + type: object + description: |- + IdP-specific profile for the User. 
+ + Identity Provider User profiles are IdP-specific but may be customized by the Profile Editor in the Admin Console. + + > **Note:** Okta variable names have reserved characters that may conflict with the name of an IdP assertion attribute. You can use the **External name** to define the attribute name as defined in an IdP assertion such as a SAML attribute name. + additionalProperties: + type: object + properties: {} + example: + lastName: Jackson + subjectNameQualifier: example.com + subjectSpNameQualifier: urn:federation:example + authnContextClassRef: null + subjectNameId: saml.jackson@example.com + subjectConfirmationAddress: null + displayName: Saml Jackson + mobilePhone: +1-415-555-5141 + email: saml.jackson@example.com + subjectNameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + firstName: Saml + subjectSpProvidedId: null + subjectConfirmationMethod: null + _embedded: + type: object + description: Embedded resources related to the IdP User + additionalProperties: + type: object + properties: {} + readOnly: true _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview - hints: - allow: - - GET - template: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - test: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - PreviewEmailTemplateDefaultContentResponse: - value: - subject: Welcome to Okta! - body: <!DOCTYPE html><html><body><p>Hello, John. 
Click <a href="https://${yourOktaDomain}/...">here</a> to activate your account.</body></html> + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + - properties: + idp: + description: The IdP instance + example: + href: https://{yourOktaDomain}/api/v1/idps/0oa1k5d68qR2954hb0g4 + allOf: + - $ref: '#/components/schemas/HrefObject' + user: + description: The linked Okta User + example: + href: https://{yourOktaDomain}/api/v1/users/00ulwodIu7wCfdiVR0g3 + allOf: + - $ref: '#/components/schemas/HrefObject' + IdentityProviderIssuerMode: + description: Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP + default: DYNAMIC + type: string + x-enumDescriptions: + ORG_URL: In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (`https://${yourOktaDomain}`) as the domain in the `redirect_uri`. + CUSTOM_URL: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri`. You can set `issuerMode` to `CUSTOM_URL` only if you have a custom URL domain configured. + DYNAMIC: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri` if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain. + x-okta-known-values: + - CUSTOM_URL + - DYNAMIC + - ORG_URL + IdentityProviderPolicy: + description: |- + Policy settings for the IdP. 
+ The following provisioning and account linking actions are supported by each IdP provider: + | IdP type | User provisioning actions | Group provisioning actions | Account link actions | Account link filters | + | ----------------------------------------------------------------- | ------------------------- | ------------------------------------- | -------------------- | -------------------- | + | `SAML2` | `AUTO` or `DISABLED` | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | `AUTO`, `DISABLED` | `groups` | + | `X509` | `DISABLED` | No support for JIT provisioning | | | + | All social IdP types (any IdP type that isn't `SAML2` or `X509`) | `AUTO`, `DISABLED` | `NONE` or `ASSIGN` | `AUTO`, `DISABLED` | `groups` | + allOf: + - type: object + properties: + accountLink: + $ref: '#/components/schemas/PolicyAccountLink' + maxClockSkew: + type: integer + description: Maximum allowable clock skew when processing messages from the IdP + example: 120000 + provisioning: + $ref: '#/components/schemas/Provisioning' + subject: + $ref: '#/components/schemas/PolicySubject' + IdentityProviderPolicyProvider: + type: string + x-okta-known-values: + - ANY + - OKTA + - SPECIFIC_IDP + IdentityProviderPolicyRuleCondition: + type: object + properties: + idpIds: + type: array + items: + type: string + provider: + $ref: '#/components/schemas/IdentityProviderPolicyProvider' + IdentityProviderProperties: + nullable: true + description: The properties in the Identity Provider Properties object vary depending on the IdP type + type: object + properties: + aalValue: + type: string + nullable: true + description: |- + The [authentication assurance level](https://developers.login.gov/oidc/#aal-values) (AAL) value for the Login.gov IdP. + See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. + additionalAmr: + type: array + description: The additional Assurance Methods References (AMR) values for Smart Card IdPs. 
Applies to `X509` IdP type. + nullable: true + items: + type: string + enum: + - sc + - hwk + - pin + - mfa + x-enumDescriptions: + sc: Smart card + hwk: Hardware-secured key + pin: Personal identification number + mfa: Multifactor authentication + ialValue: + type: string + nullable: true + description: |- + The [type of identity verification](https://developers.login.gov/oidc/#ial-values) (IAL) value for the Login.gov IdP. + See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. + IdentityProviderType: + description: |- + The Identity Provider object's `type` property identifies the social or enterprise Identity Provider used for authentication. + Each Identity Provider uses a specific protocol, therefore the `protocol` property must correspond with the IdP `type`. + If the protocol is OAuth 2.0-based, the Protocol object's `scopes` property must also correspond with the scopes supported by the IdP `type`. + For policy actions supported by each IdP type, see [IdP type policy actions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy&t=request). 
+ + | Type | Description | Corresponding protocol | Corresponding protocol scopes | + | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -------------------------------------------------------------------- | + | `AMAZON` | [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/) as the Identity Provider | OpenID Connect | `profile`, `profile:user_id` | + | `APPLE` | [Apple](https://developer.apple.com/sign-in-with-apple/) as the Identity Provider | OpenID Connect | `names`, `email`, `openid` | + | `DISCORD` | [Discord](https://discord.com/login) as the Identity Provider | OAuth 2.0 | `identify`, `email` | + | `FACEBOOK` | [Facebook](https://developers.facebook.com) as the Identity Provider | OAuth 2.0 | `public_profile`, `email` | + | `GITHUB` | [GitHub](https://github.com/join) as the Identity Provider | OAuth 2.0 | `user` | + | `GITLAB` | [GitLab](https://gitlab.com/users/sign_in) as the Identity Provider | OpenID Connect | `openid`, `read_user`, `profile`, `email` | + | `GOOGLE` | [Google](https://accounts.google.com/signup) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `LINKEDIN` | [LinkedIn](https://developer.linkedin.com/) as the Identity Provider | OAuth 2.0 | `r_emailaddress`, `r_liteprofile` | + | `LOGINGOV` | [Login.gov](https://developers.login.gov/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` | + | `LOGINGOV_SANDBOX` | [Login.gov's identity sandbox](https://developers.login.gov/testing/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` | + | `MICROSOFT` | [Microsoft Enterprise SSO](https://azure.microsoft.com/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile`, `https://graph.microsoft.com/User.Read` | + | `OIDC` | IdP provider that supports [OpenID 
Connect](https://openid.net/specs/openid-connect-core-1_0.html) | OpenID Connect | `openid`, `email`, `profile` | + | `PAYPAL` | [Paypal](https://www.paypal.com/signin) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `PAYPAL_SANDBOX` | [Paypal Sandbox](https://developer.paypal.com/tools/sandbox/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `SALESFORCE` | [SalesForce](https://login.salesforce.com/) as the Identity Provider | OAuth 2.0 | `id`, `email`, `profile` | + | `SAML2` | Enterprise IdP provider that supports the [SAML 2.0 Web Browser SSO Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) | SAML 2.0 | | + | `SPOTIFY` | [Spotify](https://developer.spotify.com/) as the Identity Provider | OpenID Connect | `user-read-email`, `user-read-private` | + | `X509` | [Smart Card IdP](https://tools.ietf.org/html/rfc5280) | Mutual TLS | | + | `XERO` | [Xero](https://www.xero.com/us/signup/api/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | + | `YAHOO` | [Yahoo](https://login.yahoo.com/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | + | `YAHOOJP` | [Yahoo Japan](https://login.yahoo.co.jp/config/login) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | + type: string + x-okta-known-values: + - AMAZON + - APPLE + - DISCORD + - FACEBOOK + - GITHUB + - GITLAB + - GOOGLE + - LINKEDIN + - LOGINGOV + - LOGINGOV_SANDBOX + - MICROSOFT + - OIDC + - PAYPAL + - PAYPAL_SANDBOX + - SALESFORCE + - SAML2 + - SPOTIFY + - X509 + - XERO + - YAHOO + - YAHOOJP + IdentitySourceSession: + type: object + properties: + created: + type: string + description: The timestamp when the Identity Source Session was created + format: date-time + readOnly: true + id: + type: string + description: The ID of the Identity Source Session + readOnly: true + identitySourceId: + type: string + description: The ID of the custom Identity 
Source for which the session is created + readOnly: true + importType: + type: string + description: The type of import. All imports are `INCREMENTAL` imports. + readOnly: true + lastUpdated: + type: string + description: The timestamp when the Identity Source Session was created + format: date-time + readOnly: true + status: + $ref: '#/components/schemas/IdentitySourceSessionStatus' + IdentitySourceSessionStatus: + type: string + x-enumDescriptions: + CREATED: This is a new Identity Source Session that hasn't been processed. You can upload bulk data in this stage. + IN_PROGRESS: The bulk data is being uploaded to Okta. + TRIGGERED: Okta is processing the import data in this session. You can't load bulk data in this stage. + COMPLETED: The bulk data was processed and imported into Okta. + CLOSED: The Identity Source Session was canceled and isn't available for further activity. + EXPIRED: This Identity Source Session had the `CREATED` status and timed-out after 24 hours of inactivity. + ERROR: The processing of import data in the session encountered an error. You need to open a new session to upload the data again. 
+ x-okta-known-values: + - CLOSED + - COMPLETED + - CREATED + - ERROR + - EXPIRED + - IN_PROGRESS + - TRIGGERED + IdentitySourceUserProfileForDelete: + type: object + properties: + externalId: + type: string + description: The external ID of the entity that needs to be deleted in Okta + maxLength: 512 + IdentitySourceUserProfileForUpsert: + type: object + properties: + email: + type: string + format: email + description: Email address of the user + minLength: 5 + maxLength: 100 + firstName: + type: string + description: First name of the user + minLength: 1 + maxLength: 50 + nullable: true + homeAddress: + type: string + description: Home address of the user + maxLength: 4096 + nullable: true + lastName: + type: string + description: Last name of the user + minLength: 1 + maxLength: 50 + nullable: true + mobilePhone: + type: string + description: Mobile phone number of the user + maxLength: 100 + nullable: true + secondEmail: + type: string + description: Alternative email address of the user + format: email + minLength: 5 + maxLength: 100 + userName: + type: string + description: Username of the user + maxLength: 100 + IdpDiscoveryPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported for this policy type. 
+ default: null + nullable: true + IdpDiscoveryPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/IdpPolicyRuleAction' + conditions: + $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition' + IdpDiscoveryPolicyRuleCondition: + allOf: + - type: object + properties: + app: + $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + userIdentifier: + $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' + platform: + $ref: '#/components/schemas/PlatformPolicyRuleCondition' + IdpPolicyRuleAction: + type: object + properties: + idp: + type: object + properties: + providers: + items: + $ref: '#/components/schemas/IdpPolicyRuleActionProvider' + type: array + description: List of configured Identity Providers that a given Rule can route to. Ability to define multiple providers is a part of the Okta Identity Engine. This allows users to choose a Provider when they sign in. Contact support for information on the Identity Engine. + idpSelectionType: + description: Determines whether the rule should use expression language or a specific IdP + $ref: '#/components/schemas/IdpSelectionType' + matchCriteria: + items: + $ref: '#/components/schemas/IdpPolicyRuleActionMatchCriteria' + type: array + description: Required if `idpSelectionType` is set to `DYNAMIC` + IdpPolicyRuleActionMatchCriteria: + type: object + properties: + propertyName: + type: string + description: The IdP property that the evaluated string should match to + providerExpression: + type: string + description: | + You can provide an Okta Expression Language expression with the Login Context that's evaluated with the IdP. For example, the value `login.identifier` refers to the user's username. 
If the user is signing in with the username `john.doe@mycompany.com`, the expression `login.identifier.substringAfter(@))` is evaluated to the domain name of the user, for example: `mycompany.com`. + IdpPolicyRuleActionProvider: + type: object + properties: + id: + type: string + description: IdP types of `OKTA`, `AgentlessDSSO`, and `IWA` don't require an ID. + name: + type: string + description: Provider `name` in Okta. Optional. Supported in `IDENTITY ENGINE`. + type: + $ref: '#/components/schemas/IdentityProviderType' + IdpSelectionType: + description: Determines whether the rule should use expression language or a specific IdP + type: string + x-okta-known-values: + - DYNAMIC + - SPECIFIC + IframeEmbedScopeAllowedApps: + type: string + x-okta-known-values: + - OKTA_ENDUSER + ImageUploadResponse: + type: object + properties: + url: + readOnly: true + type: string + ImportScheduleObject: + description: Import schedule configuration + type: object + properties: + fullImport: + allOf: + - $ref: '#/components/schemas/ImportScheduleSettings' + - description: Determines the full import schedule + incrementalImport: + allOf: + - $ref: '#/components/schemas/ImportScheduleSettings' + - description: Determines the incremental import schedule + status: + $ref: '#/components/schemas/EnabledStatus' + ImportScheduleSettings: + type: object + properties: + expression: + type: string + description: The import schedule in UNIX cron format + example: 00 21 * * Mon,Thu,Fri,Sat + timezone: + type: string + description: The import schedule time zone in Internet Assigned Numbers Authority (IANA) time zone name format + minLength: 1 + maxLength: 64 + example: America/Los_Angeles + required: + - expression + ImportUsernameObject: + description: Determines the Okta username for the imported user + type: object + properties: + userNameExpression: + type: string + description: For `usernameFormat=CUSTOM`, specifies the Okta Expression Language statement for a username format that 
imported users use to sign in to Okta + usernameFormat: + type: string + description: Determines the username format when users sign in to Okta + default: EMAIL + enum: + - EMAIL + - CUSTOM + required: + - usernameFormat + InactivityPolicyRuleCondition: + type: object + properties: + number: + type: integer + unit: + type: string + InboundProvisioningApplicationFeature: + allOf: + - $ref: '#/components/schemas/ApplicationFeature' + - type: object + - properties: + capabilities: + $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject' + InlineHook: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannel' + created: + type: string + format: date-time + readOnly: true + description: Date of the inline hook creation + id: + type: string + readOnly: true + description: The unique identifier for the inline hook + lastUpdated: + type: string + format: date-time + readOnly: true + description: Date of the last inline hook update + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + status: + $ref: '#/components/schemas/InlineHookStatus' + type: + $ref: '#/components/schemas/InlineHookType' + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. 
+ readOnly: true _links: - self: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content/preview - hints: - allow: - - GET - template: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation - hints: - allow: - - GET - defaultContent: - href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test/default-content - hints: - allow: - - POST - PrincipalRateLimitEntityRequestEmptyPercentages: - value: - principalId: token1234 - principalType: SSWS_TOKEN - PrincipalRateLimitEntityRequestSSWSToken: - value: - principalId: token1234 - principalType: SSWS_TOKEN - defaultPercentage: 50 - defaultConcurrencyPercentage: 75 - PrincipalRateLimitEntityResponseSSWSToken: - value: - id: abcd1234 - orgId: org1234 - principalId: token1234 - principalType: SSWS_TOKEN - defaultPercentage: 50 - defaultConcurrencyPercentage: 75 - createdDate: '2022-05-19T20:05:32.720Z' - createdBy: user1234 - lastUpdate: '2022-05-20T21:13:07.410Z' - lastUpdatedBy: user4321 - PushProviderAPNsRequest: - value: - name: APNs Example - providerType: APNS - configuration: - keyId: KEY_ID - teamId: TEAM_ID - tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' - fileName: fileName.p8 - PushProviderAPNsResponse: - value: - id: ppctekcmngGaqeiBxB0g4 - name: APNs Example - providerType: APNS - lastUpdatedDate: 2022-01-01T00:00:00.000Z - configuration: - keyId: KEY_ID - teamId: TEAM_ID - fileName: fileName.p8 + $ref: '#/components/schemas/InlineHookLinks' + InlineHookBasePayload: + type: object + properties: + cloudEventVersion: + description: The inline hook cloud version + example: 0.1 + type: string + contentType: + description: The inline hook request header content + example: application/JSON + type: string + eventId: + type: string + description: The individual inline hook request ID + example: 3o9jBzq1SmOGmmsDsqyyeQ + eventTime: + type: string + description: 
The time the inline hook request was sent + example: '2020-01-17T21:23:56.000Z' + eventTypeVersion: + description: The inline hook version + example: 1 + type: string + InlineHookChannel: + type: object + properties: + type: + $ref: '#/components/schemas/InlineHookChannelType' + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. + discriminator: + propertyName: type + mapping: + HTTP: '#/components/schemas/InlineHookChannelHttp' + OAUTH: '#/components/schemas/InlineHookChannelOAuth' + InlineHookChannelConfig: + description: Properties of the communications channel that are used to contact your external service + type: object + properties: + headers: + type: array + description: An optional list of key/value pairs for headers that you can send with the request to the external service + items: + $ref: '#/components/schemas/InlineHookChannelConfigHeaders' + method: + type: string + description: The method of the Okta inline hook request + uri: + type: string + description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI. + maximum: 1024 + InlineHookChannelConfigAuthSchemeBody: + description: The authentication scheme to use for this request + nullable: true + type: object + properties: + key: + type: string + description: The header name for the authorization server + type: + type: string + description: The authentication scheme type. Supported type—`HEADER`. + value: + type: string + description: The header value. This secret value is passed to your external service endpoint. Your external service can check it as a security measure. 
+ InlineHookChannelConfigAuthSchemeResponse: + description: The authentication scheme to use for this request + nullable: true + type: object + properties: + key: + type: string + description: The header name for the authorization server + type: + type: string + description: The authentication scheme type. Supported type—`HEADER` + InlineHookChannelConfigCreate: + description: Properties of the communications channel that are used to contact your external service + type: object + properties: + headers: + type: array + description: An optional list of key/value pairs for headers that you can send with the request to the external service. + items: + $ref: '#/components/schemas/InlineHookChannelConfigHeaders' + method: + type: string + description: The method of the Okta inline hook request + uri: + type: string + description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI. + maximum: 1024 + InlineHookChannelConfigHeaders: + type: object + properties: + key: + type: string + description: The optional field or header name + value: + type: string + description: The value for the key + InlineHookChannelCreate: + type: object + properties: + type: + $ref: '#/components/schemas/InlineHookChannelType' + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. 
+ discriminator: + propertyName: type + mapping: + HTTP: '#/components/schemas/InlineHookChannelHttpCreate' + OAUTH: '#/components/schemas/InlineHookChannelOAuthCreate' + InlineHookChannelHttp: + allOf: + - $ref: '#/components/schemas/InlineHookChannel' + - type: object + properties: + config: + $ref: '#/components/schemas/InlineHookHttpConfig' + InlineHookChannelHttpCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelCreate' + - type: object + properties: + config: + $ref: '#/components/schemas/InlineHookHttpConfigCreate' + InlineHookChannelOAuth: + allOf: + - $ref: '#/components/schemas/InlineHookChannel' + - type: object + properties: + config: + $ref: '#/components/schemas/InlineHookOAuthChannelConfig' + InlineHookChannelOAuthCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelCreate' + - type: object + properties: + config: + $ref: '#/components/schemas/InlineHookOAuthChannelConfigCreate' + InlineHookChannelType: + type: string + x-okta-known-values: + - HTTP + - OAUTH + InlineHookCreate: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannelCreate' + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + type: + $ref: '#/components/schemas/InlineHookType' + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. 
+ InlineHookCreateResponse: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannel' + created: + type: string + format: date-time + readOnly: true + description: Date of the inline hook creation + id: + type: string + readOnly: true + description: The unique identifier for the inline hook + lastUpdated: + type: string + format: date-time + readOnly: true + description: Date of the last inline hook update + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + status: + $ref: '#/components/schemas/InlineHookStatus' + type: + $ref: '#/components/schemas/InlineHookType' + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. + readOnly: true _links: - self: - href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 - hints: - allow: - - DELETE - - GET - - PUT - PushProviderFCMRequest: - value: - name: FCM Example - providerType: FCM - configuration: - serviceAccountJson: - type: service_account - project_id: PROJECT_ID - private_key_id: KEY_ID - private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' - client_email: SERVICE_ACCOUNT_EMAIL - client_id: CLIENT_ID - auth_uri: https://accounts.google.com/o/oauth2/auth - token_uri: https://accounts.google.com/o/oauth2/token - auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs - client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL - fileName: fileName.json - PushProviderFCMResponse: - value: - id: ppctekcmngGaqeiBxB0g4 - name: FCM Example - providerType: FCM - lastUpdatedDate: 2022-01-01T00:00:00.000Z - configuration: - projectId: PROJECT_ID - fileName: fileName.p8 + $ref: '#/components/schemas/InlineHookLinksCreate' + InlineHookHttpConfig: + allOf: + - $ref: 
'#/components/schemas/InlineHookChannelConfig' + type: object + properties: + authScheme: + $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeResponse' + InlineHookHttpConfigCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelConfigCreate' + type: object + properties: + authScheme: + $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeBody' + InlineHookLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + description: URL to activate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + delete: + description: URL to delete the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + execute: + description: URL to test the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + InlineHookLinksCreate: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + deactivate: + description: URL to deactivate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + execute: + description: URL to test the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + InlineHookOAuthBasicConfig: + allOf: + - $ref: '#/components/schemas/InlineHookChannelConfig' + type: object + properties: + authType: + type: string + clientId: + type: string + description: A publicly exposed string provided by the service that's used to identify the OAuth app and build authorization URLs + scope: + type: string + description: Include the scopes that allow you to perform the actions on the hook endpoint that you want to access + tokenUrl: + type: string + description: The URI where inline hooks can exchange an authorization code for access and refresh tokens + InlineHookOAuthChannelConfig: + type: object + properties: + authType: + type: string + description: The authentication method for the token endpoint + 
discriminator: + propertyName: authType + mapping: + client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfig' + private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig' + InlineHookOAuthChannelConfigCreate: + type: object + properties: + authType: + type: string + description: The authentication method for the token endpoint + discriminator: + propertyName: authType + mapping: + client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfigCreate' + private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig' + InlineHookOAuthClientSecretConfig: + allOf: + - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' + type: object + properties: + authScheme: + type: string + description: Not applicable. Must be `null`. + nullable: true + InlineHookOAuthClientSecretConfigCreate: + allOf: + - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' + type: object + properties: + clientSecret: + type: string + description: A private value provided by the service used to authenticate the identity of the app to the service + method: + type: string + description: The method of the Okta inline hook request. Only accepts `POST`. + InlineHookOAuthPrivateKeyJwtConfig: + allOf: + - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' + type: object + properties: + authScheme: + type: string + description: Not applicable. Must be `null`. + nullable: true + hookKeyId: + type: string + description: An ID value of the hook key pair generated from the [Hook Keys API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/HookKey/#tag/HookKey) + method: + type: string + description: The method of the Okta inline hook request. Only accepts `POST`. 
+ InlineHookPayload: + type: object + x-okta-extensible: true + InlineHookReplace: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannelCreate' + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. + InlineHookRequestObject: + description: The API request that triggered the inline hook + type: object + properties: + id: + type: string + description: The unique identifier that Okta assigned to the API request + ipAddress: + type: string + description: The IP address of the client that made the API request + method: + type: string + description: The HTTP request method of the API request + url: + type: object + description: The URL of the API endpoint + properties: + value: + type: string + description: The URL value of the API endpoint + InlineHookResponse: + type: object + properties: + commands: + type: array + items: + $ref: '#/components/schemas/InlineHookResponseCommands' + InlineHookResponseCommandValue: + type: object + properties: + op: + type: string + path: + type: string + value: + type: string + InlineHookResponseCommands: + type: object + properties: + type: + type: string + value: + type: array + items: + $ref: '#/components/schemas/InlineHookResponseCommandValue' + InlineHookStatus: + type: string + x-okta-known-values: + - ACTIVE + - INACTIVE + InlineHookType: + description: One of the inline hook types + type: string + x-okta-known-values: + - com.okta.import.transform + - com.okta.oauth2.tokens.transform + - com.okta.saml.tokens.transform + - com.okta.telephony.provider + - com.okta.user.credential.password.import + - com.okta.user.pre-registration + IssuerMode: + type: string + x-okta-known-values: + - CUSTOM_URL + - DYNAMIC + - ORG_URL + JsonPatchOperation: + 
description: The update action + type: object + properties: + op: + $ref: '#/components/schemas/PatchAction' + path: + type: string + description: The resource path of the attribute to update + value: + type: object + description: The update operation value + JsonWebKey: + type: object + properties: + created: + $ref: '#/components/schemas/createdProperty' + e: + description: RSA key value (public exponent) for Key binding + type: string + readOnly: true + expiresAt: + description: Timestamp when the certificate expires + type: string + format: date-time + readOnly: true + kid: + description: Unique identifier for the certificate + type: string + readOnly: true + kty: + description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`' + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + $ref: '#/components/schemas/lastUpdatedProperty' + 'n': + description: RSA modulus value that is used by both the public and private keys and provides a link between them + type: string + use: + description: 'Acceptable use of the certificate. Valid value: `sig`' + type: string + readOnly: true + x5c: + description: X.509 certificate chain that contains a chain of one or more certificates + type: array + items: + type: string + readOnly: true + x5t#S256: + description: X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate + type: string + readOnly: true + JwkUse: + type: object + properties: + use: + $ref: '#/components/schemas/JwkUseType' + JwkUseType: + description: Purpose of the certificate. The only supported value is `sig`. 
+ type: string + x-okta-known-values: + - sig + KeepCurrent: + type: object + properties: + keepCurrent: + description: Skip deleting the user's current session when set to `true` + type: boolean + default: true + KeepMeSignedIn: + type: object + properties: + postAuth: + description: Whether the post-authentication Keep Me Signed In flow is allowed + type: string + enum: + - ALLOWED + - NOT_ALLOWED + postAuthPromptFrequency: + description: If allowed, how often to display the post-authentication Keep Me Signed In prompt + default: P30D + $ref: '#/components/schemas/TimeDuration' + KeyRequest: + type: object + properties: + name: + description: Display name for the key + type: string + uniqueItems: true + readOnly: false + minLength: 1 + maxLength: 255 + nullable: false + KeyTrustLevelBrowserKey: + description: Represents the attestation strength used by the Chrome Verified Access API + example: CHROME_BROWSER_HW_KEY + type: string + x-enumDescriptions: + CHROME_BROWSER_HW_KEY: Identity of the device was attested using a key pair that is OS encapsulated by a hardware layer + CHROME_BROWSER_OS_KEY: Identity of the device was attested using a key pair that is simply stored on the device but not in any specific hardware layer + x-okta-known-values: + - CHROME_BROWSER_HW_KEY + - CHROME_BROWSER_OS_KEY + KeyTrustLevelOSMode: + description: Represents the attestation strength used by the Chrome Verified Access API + example: CHROME_OS_VERIFIED_MODE + type: string + x-enumDescriptions: + CHROME_OS_VERIFIED_MODE: Identity of the device was attested using an enterprise-emitted certificate, and the device is in Verified mode + CHROME_OS_DEVELOPER_MODE: Identity of the device was attested using an enterprise-emitted certificate, and the device is in Developer mode + x-okta-known-values: + - CHROME_OS_DEVELOPER_MODE + - CHROME_OS_VERIFIED_MODE + KnowledgeConstraint: + allOf: + - $ref: '#/components/schemas/AccessPolicyConstraint' + Language: + description: The language 
specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646) + type: string + LastUpdated: + format: date-time + description: Timestamp when the object was last updated + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + LifecycleCreateSettingObject: + description: Determines whether to update a user in the app when a user in Okta is updated + type: object + properties: + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + LifecycleDeactivateSettingObject: + description: Determines whether deprovisioning occurs when the app is unassigned + type: object + properties: + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + LifecycleExpirationPolicyRuleCondition: + type: object + properties: + lifecycleStatus: + type: string + number: + type: integer + unit: + type: string + LifecycleStatus: + type: string + x-okta-known-values: + - ACTIVE + - INACTIVE + LinkedHrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + href: + type: string + description: Link URI + required: + - href + readOnly: true + LinkedObject: + title: LinkedObject + type: object + properties: + associated: + $ref: '#/components/schemas/LinkedObjectDetails' + primary: + $ref: '#/components/schemas/LinkedObjectDetails' _links: - self: - href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 - hints: - allow: - - DELETE - - GET - - PUT - parameters: - pathApiTokenId: - name: apiTokenId - in: path - schema: - type: string - example: 00Tabcdefg1234567890 - required: true - description: id of the API Token - pathBehaviorId: - name: behaviorId - in: path - schema: - type: string - example: abcd1234 - required: true - description: id of the Behavior Detection Rule - pathBrandId: - name: brandId - in: path - required: true - schema: - type: string - description: The ID of the brand. 
- pathCaptchaId: - name: captchaId - in: path - schema: - type: string - example: abcd1234 - required: true - description: id of the CAPTCHA - pathCustomizationId: - name: customizationId - in: path - required: true - schema: - type: string - description: The ID of the email customization. - pathDeviceAssuranceId: - in: path - name: deviceAssuranceId - required: true - description: Id of the Device Assurance Policy - schema: - type: string - pathEmailDomainId: - name: emailDomainId - in: path - required: true - schema: - type: string - description: The ID of the email domain. - pathPoolId: - name: poolId - in: path - description: Id of the agent pool for which the settings will apply - schema: - type: string - required: true - pathPrincipalRateLimitId: - name: principalRateLimitId - in: path - schema: - type: string - example: abcd1234 - required: true - description: id of the Principal Rate Limit - pathPushProviderId: - in: path - name: pushProviderId - required: true - description: Id of the push provider - schema: - type: string - pathTemplateName: - name: templateName - in: path - required: true - schema: - type: string - description: The name of the email template. - pathUpdateId: - name: updateId - in: path - description: Id of the update - schema: - type: string - required: true - pathUserId: - name: userId - in: path - required: true - schema: - type: string - queryAfter: - name: after - in: query - schema: - type: string - description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/reference/core-okta-api/#pagination) for more information. 
- queryExpandEmailTemplate: - name: expand - in: query - style: form - explode: false - required: false - schema: - type: array - items: + $ref: '#/components/schemas/LinkedObjectLinksSelf' + LinkedObjectDetails: + title: LinkedObjectDetails + type: object + properties: + description: + type: string + description: Description of the `primary` or the `associated` relationship + name: + type: string + description: 'API name of the `primary` or the `associated` link. The `name` parameter can''t start with a number and can only contain the following characters: `a-z`, `A-Z`,` 0-9`, and `_`.' + title: + type: string + description: Display name of the `primary` or the `associated` link + type: + $ref: '#/components/schemas/LinkedObjectDetailsType' + required: + - name + - title + - type + LinkedObjectDetailsType: + description: The object type for this relationship + type: string + x-enumDescriptions: + USER: Specifies the type of object + x-okta-known-values: + - USER + LinkedObjectLinksSelf: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/LinkedHrefObject' + LinksActivate: + type: object + properties: + activate: + allOf: + - description: Activates an enrolled Factor. See [Activate a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor). 
+ - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksAerialConsentGranted: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + revoke: + $ref: '#/components/schemas/HrefObjectRevokeAerialConsent' + LinksAerialConsentRevoked: + allOf: + - type: object + properties: + grant: + $ref: '#/components/schemas/HrefObjectGrantAerialConsent' + LinksAppAndUser: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the Application User. + type: object + properties: + app: + $ref: '#/components/schemas/HrefObjectAppLink' + group: + $ref: '#/components/schemas/HrefObjectGroupLink' + user: + $ref: '#/components/schemas/HrefObjectUserLink' + readOnly: true + LinksAssignee: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + LinksCancel: + type: object + properties: + cancel: + allOf: + - description: Cancels a `push` factor challenge with a `WAITING` status + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksCustomRoleResponse: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources. 
+ type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + member: + $ref: '#/components/schemas/HrefObjectMemberLink' + permissions: + $ref: '#/components/schemas/HrefObjectPermissionsLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + role: + $ref: '#/components/schemas/HrefObjectRoleLink' + LinksDeactivate: + type: object + properties: + deactivate: + allOf: + - description: Deactivates the Factor. See [Unenroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksEnroll: + type: object + properties: + enroll: + allOf: + - description: Enrolls a supported Factor. See [Enroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksFactor: + type: object + properties: + factor: + allOf: + - description: Link to the Factor resource + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksGovernanceResources: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the resources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + resources: + $ref: '#/components/schemas/HrefObjectGovernanceResourcesLink' + readOnly: true + LinksGovernanceSources: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the sources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. 
+ type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectUserLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + LinksNext: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. Use the `LinksNext` object for dynamic discovery of related resources and lifecycle operations. + type: object + properties: + next: + $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksNextForRoleAssignments: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The next page of results if [pagination](#pagination) is required + readOnly: true + LinksPoll: + type: object + properties: + poll: + allOf: + - description: Polls the Factor resource for status information. Always use the `poll` link instead of manually constructing your own URL. + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksQrcode: + type: object + properties: + qrcode: + allOf: + - description: QR code that encodes the push activation code needed for enrollment on the device + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksQuestions: + type: object + properties: + question: + allOf: + - description: Lists all supported security questions. See [List all Supported Security Questions](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions). 
+ - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksResend: + type: object + properties: + resend: + allOf: + - description: Resends the factor enrollment challenge. See [Resend a Factor enrollment](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksSelf: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + LinksSelfAndFullUsersLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + suspend: + $ref: '#/components/schemas/HrefObjectSuspendLink' + unsuspend: + $ref: '#/components/schemas/HrefObjectUnsuspendLink' + users: + description: Link to Device users + allOf: + - $ref: '#/components/schemas/HrefObject' + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + LinksSelfAndRoles: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + roles: + $ref: '#/components/schemas/HrefObjectRoleLink' + LinksSelfForRoleAssignment: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + LinksSelfLifecycleAndAuthorize: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + authorize: + $ref: '#/components/schemas/HrefObjectAuthorizeLink' + LinksSend: + type: object + properties: + send: + allOf: + - description: Sends an activation link through email or sms for users who can't scan the QR code + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksUser: + type: object + properties: + user: + allOf: + - description: Returns information on the specified user + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksUserRef: + type: object + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + LinksVerify: + type: object + properties: + verify: + allOf: + - description: Verifies the Factor resource. See [Verify a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + ListProfileMappings: + description: |- + A collection of the profile mappings that include a subset of the profile mapping object's properties. The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). + + > **Note:** Same type source/target mappings aren't supported by this API. Profile mappings must either be Okta->App or App->Okta. + type: object + properties: + id: + type: string + description: Unique identifier for profile mapping + readOnly: true + source: + $ref: '#/components/schemas/ProfileMappingSource' + target: + $ref: '#/components/schemas/ProfileMappingTarget' + _links: + $ref: '#/components/schemas/LinksSelf' + LoadingPageTouchPointVariant: + description: | + Variant for the Okta loading page. 
You can publish a theme for Okta loading page with different combinations of assets. Variants are preset combinations of those assets. + default: OKTA_DEFAULT + type: string + x-enumDescriptions: + NONE: Uses no loading page animation during the redirect + OKTA_DEFAULT: Uses the default Okta loading page animation during the redirect + x-okta-known-values: + - NONE + - OKTA_DEFAULT + LocationGranularity: + type: string + x-okta-known-values: + - CITY + - COUNTRY + - LAT_LONG + - SUBDIVISION + LogActor: + description: Describes the user, app, client, or other entity (actor) who performs an action on a target. The actor is dependent on the action that is performed. All events have actors. + type: object + properties: + alternateId: + description: Alternative ID of the actor + type: string + readOnly: true + detailEntry: + description: Further details about the actor + type: object + additionalProperties: true + readOnly: true + displayName: + description: Display name of the actor + type: string + readOnly: true + id: + description: ID of the actor + type: string + readOnly: true + type: + description: Type of actor + type: string + readOnly: true + LogAuthenticationContext: + description: |- + All authentication relies on validating one or more credentials that prove the authenticity of the actor's identity. Credentials are sometimes provided by the actor, as is the case with passwords, and at other times provided by a third party, and validated by the authentication provider. + + The authenticationContext contains metadata about how the actor is authenticated. 
For example, an authenticationContext for an event, where a user authenticates with Integrated Windows Authentication (IWA), looks like the following: + ``` + { + "authenticationProvider": "ACTIVE_DIRECTORY", + "authenticationStep": 0, + "credentialProvider": null, + "credentialType": "IWA", + "externalSessionId": "102N1EKyPFERROGvK9wizMAPQ", + "interface": null, + "issuer": null + } + ``` + In this case, the user enters an IWA credential to authenticate against an Active Directory instance. All of the user's future-generated events in this sign-in session are going to share the same `externalSessionId`. + + Among other operations, this response object can be used to scan for suspicious sign-in activity or perform analytics on user authentication habits (for example, how often authentication scheme X is used versus authentication scheme Y). + type: object + properties: + authenticationProvider: + $ref: '#/components/schemas/LogAuthenticationProvider' + authenticationStep: + description: The zero-based step number in the authentication pipeline. Currently unused and always set to `0`. + type: integer + readOnly: true + credentialProvider: + $ref: '#/components/schemas/LogCredentialProvider' + credentialType: + $ref: '#/components/schemas/LogCredentialType' + externalSessionId: + description: A proxy for the actor's [session ID](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) + type: string + readOnly: true + interface: + description: The third-party user interface that the actor authenticates through, if any. 
+ type: string + readOnly: true + issuer: + $ref: '#/components/schemas/LogIssuer' + LogAuthenticationProvider: + description: The system that proves the identity of an actor using the credentials provided to it + type: string + x-okta-known-values: + - ACTIVE_DIRECTORY + - FACTOR_PROVIDER + - FEDERATION + - LDAP + - OKTA_AUTHENTICATION_PROVIDER + - SOCIAL + LogClient: + description: When an event is triggered by an HTTP request, the `client` object describes the [client](https://datatracker.ietf.org/doc/html/rfc2616) that issues the HTTP request. For instance, the web browser is the client when a user accesses Okta. When this request is received and processed, a sign-in event is fired. When the event isn't sourced to an HTTP request, such as an automatic update, the `client` object field is blank. + type: object + properties: + device: + description: Type of device that the client operates from (for example, computer) + type: string + readOnly: true + geographicalContext: + $ref: '#/components/schemas/LogGeographicalContext' + id: + description: For OAuth requests, this is the ID of the OAuth [client](https://datatracker.ietf.org/doc/html/rfc6749#section-1.1) making the request. For SSWS token requests, this is the ID of the agent making the request. + type: string + readOnly: true + ipAddress: + description: IP address that the client is making its request from + type: string + readOnly: true + userAgent: + $ref: '#/components/schemas/LogUserAgent' + zone: + description: The `name` of the [Zone](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/NetworkZone/#tag/NetworkZone/operation/getNetworkZone) that the client's location is mapped to + type: string + readOnly: true + LogCredentialProvider: + description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs through credentials provided by a credential provider, the credential provider is recorded here. 
+ type: string + x-okta-known-values: + - DUO + - GOOGLE + - OKTA_AUTHENTICATION_PROVIDER + - OKTA_CREDENTIAL_PROVIDER + - RSA + - SYMANTEC + - YUBIKEY + LogCredentialType: + description: The underlying technology/scheme used in the credential + type: string + x-okta-known-values: + - ASSERTION + - CERTIFICATE + - DEVICE_UDID + - EMAIL + - IWA + - JWT + - OAuth 2.0 + - OKTA_CLIENT_SESSION + - OTP + - PASSWORD + - PRE_SHARED_SYMMETRIC_KEY + - SMS + LogDebugContext: + description: |- + For some kinds of events (for example, OLM provisioning, sign-in request, second factor SMS, and so on), the fields that are provided in other response objects aren't sufficient to adequately describe the operations that the event has performed. In such cases, the `debugContext` object provides a way to store additional information. + + For example, an event where a second factor SMS token is sent to a user may have a `debugContext` that looks like the following: + ``` + { + "debugData": { + "requestUri": "/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify", + "smsProvider": "TELESIGN", + "transactionId": "268632458E3C100F5F5F594C6DC689D4" + } + } + ``` + By inspecting the debugData field, you can find the URI that is used to trigger the second factor SMS (`/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify`), the SMS provider (`TELESIGN`), and the ID used by Telesign to identify this transaction (`268632458E3C100F5F5F594C6DC689D4`). + + If for some reason the information that is needed to implement a feature isn't provided in other response objects, you should scan the `debugContext.debugData` field for potentially useful fields. + > **Important:** The information contained in `debugContext.debugData` is intended to add context when troubleshooting customer platform issues. Both key names and values may change from release to release and aren't guaranteed to be stable. 
Therefore, they shouldn't be viewed as a data contract but as a debugging aid instead. + type: object + properties: + debugData: + type: object + description: A dynamic field that contains miscellaneous information that is dependent on the event type. + additionalProperties: true + readOnly: true + LogDevice: + description: The entity that describes a device enrolled with passwordless authentication using Okta Verify. + example: + LogDeviceObject: + $ref: '#/components/examples/LogDeviceObject' + type: object + properties: + device_integrator: + description: The integration platform or software used with the device + type: object + readOnly: true + disk_encryption_type: + $ref: '#/components/schemas/LogDiskEncryptionType' + id: + description: ID of the device + type: string + readOnly: true + jailbreak: + description: If the device has removed software restrictions + type: boolean + readOnly: true + managed: + description: Indicates if the device is configured for device management and is registered with Okta + type: boolean + readOnly: true + name: + type: string + readOnly: true + os_platform: + type: string + readOnly: true + os_version: + type: string + readOnly: true + registered: + description: Indicates if the device is registered with an Okta org and is bound to an Okta Verify instance on the device + type: boolean + readOnly: true + screen_lock_type: + $ref: '#/components/schemas/LogScreenLockType' + secure_hardware_present: + description: The availability of hardware security on the device + type: boolean + readOnly: true + LogDiskEncryptionType: + type: string + x-okta-known-values: + - ALL_INTERNAL_VALUES + - FULL + - NONE + - SYSTEM_VOLUME + - USER + LogEvent: + type: object + properties: + actor: + $ref: '#/components/schemas/LogActor' + authenticationContext: + $ref: '#/components/schemas/LogAuthenticationContext' + client: + $ref: '#/components/schemas/LogClient' + debugContext: + $ref: '#/components/schemas/LogDebugContext' + displayMessage: + 
description: The display message for an event + type: string + readOnly: true + eventType: + description: Type of event that is published + type: string + readOnly: true + legacyEventType: + description: Associated Events API Action `objectType` attribute value + type: string + readOnly: true + outcome: + $ref: '#/components/schemas/LogOutcome' + published: + description: Timestamp when the event is published + type: string + format: date-time + readOnly: true + request: + $ref: '#/components/schemas/LogRequest' + securityContext: + $ref: '#/components/schemas/LogSecurityContext' + severity: + $ref: '#/components/schemas/LogSeverity' + target: + type: array + readOnly: true + items: + $ref: '#/components/schemas/LogTarget' + transaction: + $ref: '#/components/schemas/LogTransaction' + uuid: + description: Unique identifier for an individual event + type: string + readOnly: true + version: + description: Versioning indicator + type: string + readOnly: true + LogGeographicalContext: + description: Geographical context describes a set of geographic coordinates. In addition to containing latitude and longitude data, the `GeographicalContext` object also contains address data of postal code-level granularity. Within the `Client` object, the geographical context refers to the physical location of the client when it sends the request that triggers this event. All `Transaction` events with `type` equal to `WEB` have a geographical context set. `Transaction` events with `type` equal to `JOB` don't have a geographical context set. The geographical context data can be missing if the geographical data for a request can't be resolved. 
+ type: object + properties: + city: + description: The city that encompasses the area that contains the geolocation coordinates, if available (for example, Seattle, San Francisco) + type: string + readOnly: true + country: + description: Full name of the country that encompasses the area that contains the geolocation coordinates (for example, France, Uganda) + type: string + readOnly: true + geolocation: + $ref: '#/components/schemas/LogGeolocation' + postalCode: + description: Postal code of the area that encompasses the geolocation coordinates + type: string + readOnly: true + state: + description: Full name of the state or province that encompasses the area that contains the geolocation coordinates (for example, Montana, Ontario) + type: string + readOnly: true + LogGeolocation: + description: The latitude and longitude of the geolocation where an action was performed. The object is formatted according to the [ISO-6709](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en) standard. + type: object + properties: + lat: + description: Latitude which uses two digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Latitude) + type: number + format: double + readOnly: true + lon: + description: Longitude which uses three digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Longitude) + type: number + format: double + readOnly: true + LogIpAddress: + type: object + properties: + geographicalContext: + $ref: '#/components/schemas/LogGeographicalContext' + ip: + description: IP address + type: string + readOnly: true + source: + description: Details regarding the source + type: string + readOnly: true + version: + description: IP address version + type: string + readOnly: true + LogIssuer: + description: Describes the issuer of the authorization server when the authentication is performed through OAuth. 
This is the location where well-known resources regarding the details of the authorization servers are published. + type: object + properties: + id: + description: Varies depending on the type of authentication. If authentication is SAML 2.0, `id` is the issuer in the SAML assertion. For social login, `id` is the issuer of the token. + type: string + readOnly: true + type: + description: Information on the `issuer` and source of the SAML assertion or token + type: string + readOnly: true + LogOutcome: + type: object + properties: + reason: + description: Reason for the result, for example, `INVALID_CREDENTIALS` + type: string + readOnly: true + minLength: 1 + maxLength: 255 + result: + description: Result of the action + type: string + readOnly: true + enum: + - SUCCESS + - FAILURE + - SKIPPED + - ALLOW + - DENY + - CHALLENGE + - UNKNOWN + LogRequest: + description: The `Request` object describes details that are related to the HTTP request that triggers this event, if available. When the event isn't sourced to an HTTP request, such as an automatic update on the Okta servers, the `Request` object still exists, but the `ipChain` field is empty. + type: object + properties: + ipChain: + description: If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format of clientIp, proxy1, proxy2, and so on. This field is useful when working with trusted proxies. + type: array + readOnly: true + items: + $ref: '#/components/schemas/LogIpAddress' + LogScreenLockType: + type: string + x-okta-known-values: + - BIOMETRIC + - NONE + - PASSCODE + LogSecurityContext: + description: The `securityContext` object provides security information that is directly related to the evaluation of the event's IP reputation. IP reputation is a trustworthiness rating that evaluates how likely a sender is to be malicious and is based on the sender's IP address. 
As the name implies, the `securityContext` object is useful for security applications-flagging and inspecting suspicious events. + type: object + properties: + asNumber: + description: The [Autonomous system](https://docs.telemetry.mozilla.org/datasets/other/asn_aggregates/reference) number that's associated with the autonomous system the event request was sourced to + type: integer + readOnly: true + asOrg: + description: The organization that is associated with the autonomous system that the event request is sourced to + type: string + readOnly: true + domain: + description: The domain name that's associated with the IP address of the inbound event request + type: string + readOnly: true + isp: + description: The Internet service provider that's used to send the event's request + type: string + readOnly: true + isProxy: + description: Specifies whether an event's request is from a known proxy + type: boolean + readOnly: true + LogSeverity: + description: Indicates how severe the event is + type: string + x-okta-known-values: + - DEBUG + - ERROR + - INFO + - WARN + LogStream: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the Log Stream object was created + readOnly: true + example: '2022-10-21T16:59:59.000Z' + id: + type: string + description: Unique identifier for the Log Stream + readOnly: true + example: 0oa1orzg0CHSgPcjZ0g4 + lastUpdated: + type: string + format: date-time + description: Timestamp when the Log Stream object was last updated + readOnly: true + example: '2022-10-21T17:15:10.000Z' + name: + $ref: '#/components/schemas/LogStreamName' + status: type: string + description: Lifecycle status of the Log Stream object enum: + - ACTIVE + - INACTIVE + readOnly: true + type: + $ref: '#/components/schemas/LogStreamType' + _links: + $ref: '#/components/schemas/LogStreamLinksSelfAndLifecycle' + required: + - created + - id + - lastUpdated + - name + - status + - type + - _links + discriminator: + 
propertyName: type + mapping: + aws_eventbridge: '#/components/schemas/LogStreamAws' + splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunk' + LogStreamActivateLink: + allOf: + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to activate the resource + LogStreamAws: + allOf: + - $ref: '#/components/schemas/LogStream' + - type: object + properties: + settings: + $ref: '#/components/schemas/LogStreamSettingsAws' + required: - settings - - customizationCount - description: Specifies additional metadata to be included in the response. - queryLanguage: - name: language - schema: - $ref: '#/components/schemas/Language' - in: query - description: The language to use for the email. Defaults to the current user's language if unspecified. - queryLimit: - name: limit - in: query - schema: - type: integer - minimum: 1 - maximum: 200 - default: 20 - description: A limit on the number of objects to return. - queryLimitPerPoolType: - name: limitPerPoolType - in: query - schema: - type: integer - default: 5 - required: false - description: Maximum number of AgentPools being returned - queryPoolType: - name: poolType - in: query - schema: - $ref: '#/components/schemas/AgentType' - required: false - description: Agent type to search for - queryScheduled: - name: scheduled - in: query - description: Scope the list only to scheduled or ad-hoc updates. If the parameter is not provided we will return the whole list of updates. 
- schema: - type: boolean - required: false - schemas: - APNSConfiguration: + LogStreamAwsPutSchema: + allOf: + - $ref: '#/components/schemas/LogStreamPutSchema' + - type: object + properties: + settings: + $ref: '#/components/schemas/LogStreamSettingsAws' + required: + - settings + LogStreamDeactivateLink: + allOf: + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to deactivate the resource + LogStreamLinkObject: + title: Log Stream Link object + type: object properties: - fileName: + href: type: string - description: (Optional) File name for Admin Console display - keyId: + description: The URI of the resource + method: type: string - description: 10-character Key ID obtained from the Apple developer account - teamId: + description: HTTP method allowed for the resource + enum: + - GET + - POST + required: + - href + readOnly: true + LogStreamLinksSelfAndLifecycle: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
+ type: object + properties: + activate: + $ref: '#/components/schemas/LogStreamActivateLink' + deactivate: + $ref: '#/components/schemas/LogStreamDeactivateLink' + self: + $ref: '#/components/schemas/LogStreamSelfLink' + required: + - self + readOnly: true + LogStreamName: + description: Unique name for the Log Stream object + example: My AWS EventBridge log stream + type: string + LogStreamPutSchema: + type: object + properties: + name: + $ref: '#/components/schemas/LogStreamName' + type: + $ref: '#/components/schemas/LogStreamType' + required: + - name + - type + discriminator: + propertyName: type + mapping: + aws_eventbridge: '#/components/schemas/LogStreamAwsPutSchema' + splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunkPutSchema' + LogStreamSchema: + type: object + properties: + $schema: type: string - description: 10-character Team ID used to develop the iOS app - tokenSigningKey: + readOnly: true + description: JSON Schema version identifier + errorMessage: + type: object + description: A collection of error messages for individual properties in the schema. Okta implements a subset of [ajv-errors](https://github.com/ajv-validator/ajv-errors). + id: type: string - description: APNs private authentication token signing key - writeOnly: true - APNSPushProvider: + readOnly: true + description: URI of Log Stream Schema + oneOf: + items: + $ref: '#/components/schemas/UserSchemaAttributeEnum' + type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. 
Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + pattern: + type: string + description: For `string` Log Stream Schema property type, specifies the regular expression used to validate the property + properties: + type: object + description: Log Stream Schema properties object + required: + type: array + items: + type: string + description: Required properties for this Log Stream Schema object + title: + type: string + description: Name of the Log Streaming integration + type: + type: string + readOnly: true + description: Type of Log Stream Schema property + _links: + $ref: '#/components/schemas/LinksSelf' + LogStreamSelfLink: allOf: - - $ref: '#/components/schemas/PushProvider' + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to the resource (self) + LogStreamSettingsAws: + description: Specifies the configuration for the `aws_eventbridge` Log Stream type. This configuration can't be modified after creation. + type: object + properties: + accountId: + $ref: '#/components/schemas/AwsAccountId' + eventSourceName: + $ref: '#/components/schemas/AwsEventSourceName' + region: + $ref: '#/components/schemas/AwsRegion' + required: + - accountId + - eventSourceName + - region + LogStreamSettingsSplunk: + description: Specifies the configuration for the `splunk_cloud_logstreaming` Log Stream type. + type: object + properties: + edition: + $ref: '#/components/schemas/SplunkEdition' + host: + $ref: '#/components/schemas/SplunkHost' + token: + $ref: '#/components/schemas/SplunkToken' + required: + - edition + - host + - token + LogStreamSettingsSplunkPut: + description: Specifies the configuration for the `splunk_cloud_logstreaming` Log Stream type. 
+ type: object + properties: + edition: + $ref: '#/components/schemas/SplunkEdition' + host: + $ref: '#/components/schemas/SplunkHost' + required: + - edition + - host + LogStreamSplunk: + allOf: + - $ref: '#/components/schemas/LogStream' - type: object properties: - configuration: - $ref: '#/components/schemas/APNSConfiguration' - AccessPolicy: + settings: + $ref: '#/components/schemas/LogStreamSettingsSplunk' + required: + - settings + LogStreamSplunkPutSchema: allOf: - - $ref: '#/components/schemas/Policy' + - $ref: '#/components/schemas/LogStreamPutSchema' - type: object properties: - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - AccessPolicyConstraint: + settings: + $ref: '#/components/schemas/LogStreamSettingsSplunkPut' + required: + - settings + LogStreamType: + description: |- + Specifies the streaming provider used + + Supported providers: + * `aws_eventbridge` ([AWS EventBridge](https://aws.amazon.com/eventbridge)) + * `splunk_cloud_logstreaming` ([Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html)) + + Select the provider type to see provider-specific configurations in the `settings` property: + type: string + x-okta-known-values: + - aws_eventbridge + - splunk_cloud_logstreaming + LogTarget: + description: The entity that an actor performs an action on. Targets can be anything, such as an app user, a sign-in token, or anything else. + type: object + properties: + alternateId: + type: string + description: The alternate ID of the target + readOnly: true + changeDetails: + type: object + example: + LogTargetChangeDetails: + $ref: '#/components/examples/LogTargetChangeDetails' + description: |- + Details on the target's changes. Not all event types support the `changeDetails` property, and not all + `target` objects contain the `changeDetails` property. You must include a property within the object. 
+ + > **Note:** When querying the `changeDetails` property, you can't search on the `to` or `from` objects alone. You must include a property within the object. + properties: + from: + type: object + description: The original properties of the target + additionalProperties: true + to: + type: object + description: The updated properties of the target + additionalProperties: true + detailEntry: + type: object + description: Further details on the target + additionalProperties: true + readOnly: true + displayName: + type: string + description: The display name of the target + readOnly: true + id: + type: string + description: The ID of the target + readOnly: true + type: + type: string + description: The type of target + readOnly: true + LogTransaction: + description: |- + A `transaction` object comprises contextual information associated with its respective event. + This information is useful for understanding sequences of correlated events. + For example, a `transaction` object such as the following: + ``` + { + "id": "Wn4f-0RQ8D8lTSLkAmkKdQAADqo", + "type": "WEB", + "detail": null + } + ``` + indicates that a `WEB` request with `id` `Wn4f-0RQ8D8lTSLkAmkKdQAADqo` has created this event. + + A `transaction` object with a `requestApiTokenId` in the `detail` object, for example : + ``` + { + "id": "YjSlblAAqnKY7CdyCkXNBgAAAIU", + "type": "WEB", + "detail": { + "requestApiTokenId": "00T94e3cn9kSEO3c51s5" + } + } + ``` + indicates that this event was the result of an action performed through an API using the token identified by 00T94e3cn9kSEO3c51s5. The token ID is visible in the Admin Console, **Security** > **API**. See [API token management](https://help.okta.com/okta_help.htm?id=Security_API). For more information on API tokens, see [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/). + type: object + properties: + detail: + description: Details for this transaction. 
+ type: object + additionalProperties: true + readOnly: true + id: + description: Unique identifier for this transaction. + type: string + readOnly: true + type: + description: Describes the kind of transaction. `WEB` indicates a web request. `JOB` indicates an asynchronous task. + type: string + readOnly: true + LogUserAgent: + description: | + "A user agent is software (a software agent) that is acting on behalf of a user." ([Definition of User Agent](https://developer.mozilla.org/en-US/docs/Glossary/User_agent)) + + In the Okta event data object, the `UserAgent` object provides specifications about the client software that makes event-triggering HTTP requests. User agent identification is often useful for identifying interoperability problems between servers and clients, and also for browser and operating system usage analytics. type: object properties: - methods: - items: - type: string - type: array - reauthenticateIn: + browser: + description: If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX) type: string - types: - items: - type: string - type: array - AccessPolicyConstraints: + readOnly: true + os: + description: The operating system that the client runs on (for example, Windows 10) + type: string + readOnly: true + rawUserAgent: + description: A raw string representation of the user agent that is formatted according to [section 5.5.3 of HTTP/1.1 Semantics and Content](https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.3). Both the `browser` and the `OS` fields can be derived from this field. 
+ type: string + readOnly: true + MDMEnrollmentPolicyEnrollment: + type: string + x-okta-known-values: + - ANY_OR_NONE + - OMM + MDMEnrollmentPolicyRuleCondition: type: object properties: - knowledge: - $ref: '#/components/schemas/KnowledgeConstraint' - possession: - $ref: '#/components/schemas/PossessionConstraint' - AccessPolicyRule: - allOf: - - $ref: '#/components/schemas/PolicyRule' - - type: object - properties: - actions: - $ref: '#/components/schemas/AccessPolicyRuleActions' - conditions: - $ref: '#/components/schemas/AccessPolicyRuleConditions' - AccessPolicyRuleActions: + blockNonSafeAndroid: + type: boolean + enrollment: + $ref: '#/components/schemas/MDMEnrollmentPolicyEnrollment' + MetadataLink: allOf: - - $ref: '#/components/schemas/PolicyRuleActions' - - type: object - properties: - appSignOn: - $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOn' - AccessPolicyRuleApplicationSignOn: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [SAML metadata](/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) for SSO + MtlsCredentials: + description: Certificate chain description for verifying assertions from the Smart Card type: object properties: - access: - type: string - verificationMethod: - $ref: '#/components/schemas/VerificationMethod' - AccessPolicyRuleConditions: - allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - - type: object - properties: - device: - $ref: '#/components/schemas/DeviceAccessPolicyRuleCondition' - elCondition: - $ref: '#/components/schemas/AccessPolicyRuleCustomCondition' - userType: - $ref: '#/components/schemas/UserTypeCondition' - AccessPolicyRuleCustomCondition: + trust: + $ref: '#/components/schemas/MtlsTrustCredentials' + MtlsEndpoints: + type: object properties: - condition: - type: string - AcsEndpoint: + sso: + $ref: '#/components/schemas/MtlsSsoEndpoint' + MtlsSsoEndpoint: + description: The Single Sign-On 
(SSO) endpoint is the IdP's `SingleSignOnService` endpoint type: object properties: - index: - type: integer url: type: string - ActivateFactorRequest: + maxLength: 1014 + example: https://{yourOktaDomain}.okta.com/login/cert + MtlsTrustCredentials: type: object properties: - attestation: - type: string - clientData: - type: string - passCode: - type: string - registrationData: + audience: type: string - stateToken: + description: Not used + example: null + issuer: type: string - Agent: - description: Agent details + description: Description of the certificate issuer + maxLength: 1024 + example: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + revocation: + $ref: '#/components/schemas/MtlsTrustCredentialsRevocation' + revocationCacheLifetime: + type: number + description: Time in minutes to cache the certificate revocation information + maximum: 4320 + example: 2880 + MtlsTrustCredentialsRevocation: + description: Mechanism to validate the certificate + example: CRL + type: string + x-okta-known-values: + - CRL + - DELTA_CRL + - OCSP + NetworkZone: type: object properties: + created: + type: string + format: date-time + description: Timestamp when the object was created + readOnly: true id: type: string + description: Unique identifier for the Network Zone readOnly: true - isHidden: - type: boolean - isLatestGAedVersion: - type: boolean - lastConnection: + lastUpdated: type: string format: date-time + description: Timestamp when the object was last modified + readOnly: true name: type: string - operationalStatus: - $ref: '#/components/schemas/OperationalStatus' - poolId: - type: string + description: Unique name for this Network Zone + maxLength: 128 + status: + $ref: '#/components/schemas/NetworkZoneStatus' + system: + type: boolean + readOnly: true + description: | + Indicates a system Network Zone: + * `true` for system Network Zones + * `false` for custom Network Zones + + The Okta org provides the 
following default system Network Zones: + * `LegacyIpZone` + * `BlockedIpZone` + * `DefaultEnhancedDynamicZone` + + Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries. type: - $ref: '#/components/schemas/AgentType' - updateMessage: - type: string - updateStatus: - $ref: '#/components/schemas/AgentUpdateInstanceStatus' - version: - type: string + $ref: '#/components/schemas/NetworkZoneType' + usage: + $ref: '#/components/schemas/NetworkZoneUsage' _links: - $ref: '#/components/schemas/HrefObject' - AgentPool: - description: An AgentPool is a collection of agents that serve a common purpose. An AgentPool has a unique ID within an org, and contains a collection of agents disjoint to every other AgentPool (i.e. no two AgentPools share an Agent). + $ref: '#/components/schemas/LinksSelfAndLifecycle' + required: + - name + - type + discriminator: + propertyName: type + mapping: + IP: '#/components/schemas/IPNetworkZone' + DYNAMIC: '#/components/schemas/DynamicNetworkZone' + DYNAMIC_V2: '#/components/schemas/EnhancedDynamicNetworkZone' + NetworkZoneAddress: + description: Specifies the value of an IP address expressed using either `range` or `CIDR` form. 
type: object properties: - agents: - type: array - items: - $ref: '#/components/schemas/Agent' - id: + type: + $ref: '#/components/schemas/NetworkZoneAddressType' + value: type: string - readOnly: true - name: + description: Value in CIDR/range form, depending on the `type` specified + NetworkZoneAddressType: + description: Format of the IP addresses + type: string + x-okta-known-values: + - CIDR + - RANGE + NetworkZoneAsns: + items: + type: string + maximum: 75 + type: array + NetworkZoneLocation: + type: object + properties: + country: type: string - operationalStatus: - $ref: '#/components/schemas/OperationalStatus' - type: - $ref: '#/components/schemas/AgentType' - AgentPoolUpdate: - description: Various information about agent auto update configuration + description: |- + The two-character ISO-3166-1 country code. + Don't use continent codes since they are treated as generic codes for undesignated countries. + <br>For example: `US` + maxLength: 2 + minLength: 2 + region: + type: string + description: |- + (Optional) The ISO-3166-2 region code appended to the country code (`countryCode-regionCode`), or `null` if empty. + Don't use continent codes since they are treated as generic codes for undesignated regions. 
+ <br>For example: `CA` (for `US-CA` country and region code) + NetworkZoneLocationArray: + items: + $ref: '#/components/schemas/NetworkZoneLocation' + maximum: 75 + nullable: true + type: array + NetworkZoneStatus: + description: Network Zone status + type: string + x-okta-known-values: + - ACTIVE + - INACTIVE + NetworkZoneType: + description: The type of Network Zone + type: string + x-okta-known-values: + - DYNAMIC + - IP + - DYNAMIC_V2 + NetworkZoneUsage: + description: The usage of the Network Zone + type: string + x-okta-known-values: + - BLOCKLIST + - POLICY + NotificationType: + description: The type of notification + type: string + x-enumDescriptions: + AD_AGENT: System notification sent when an AD agent disconnects or reconnects + AGENT_AUTO_UPDATE_NOTIFICATION: System notification sent when an agent automatically updates + APP_IMPORT: System notification sent with the status of an app user import + CONNECTOR_AGENT: System notification sent when an on-premises provisioning or Okta on-prem MFA agent disconnects or reconnects + IWA_AGENT: System notification sent when an IGA agent disconnects or reconnects + LDAP_AGENT: System notification sent when an LDAP agent disconnects or reconnects + OKTA_ANNOUNCEMENT: Okta communication sent for announcements and release notes + OKTA_ISSUE: Okta communication sent for trust incident alerts and updates + OKTA_UPDATE: Okta communication sent for scheduled system updates + RATELIMIT_NOTIFICATION: System notification sent when an org reaches rate limit warning or violation thresholds + REPORT_SUSPICIOUS_ACTIVITY: System notification sent when a user reports suspicious activity + USER_DEPROVISION: System notification sent when a user is deprovisioned from apps + USER_LOCKED_OUT: System notification sent when a user is locked out from logging in to Okta + x-okta-known-values: + - AD_AGENT + - AGENT_AUTO_UPDATE_NOTIFICATION + - AGENT_AUTO_UPDATE_NOTIFICATION_LDAP + - APP_IMPORT + - CONNECTOR_AGENT + - IWA_AGENT + - 
LDAP_AGENT + - OKTA_ANNOUNCEMENT + - OKTA_ISSUE + - OKTA_UPDATE + - RATELIMIT_NOTIFICATION + - REPORT_SUSPICIOUS_ACTIVITY + - USER_DEPROVISION + - USER_LOCKED_OUT + OAuth2Actor: + description: User that created the object type: object properties: - agents: - type: array - items: - $ref: '#/components/schemas/Agent' - agentType: - $ref: '#/components/schemas/AgentType' - enabled: - type: boolean id: type: string + description: User ID readOnly: true - name: - type: string - notifyAdmin: - type: boolean - reason: - type: string - schedule: - $ref: '#/components/schemas/AutoUpdateSchedule' - sortOrder: - type: integer - status: - $ref: '#/components/schemas/AgentUpdateJobStatus' - targetVersion: + example: 00u5t60iloOHN9pBi0h7 + type: type: string - _links: - $ref: '#/components/schemas/HrefObject' - AgentPoolUpdateSetting: - description: Setting for auto-update + description: Type of user + example: User + readOnly: true + OAuth2Claim: type: object properties: - agentType: - $ref: '#/components/schemas/AgentType' - continueOnError: + alwaysIncludeInToken: type: boolean - latestVersion: - type: string - minimalSupportedVersion: - type: string - poolId: - type: string - readOnly: true - poolName: - type: string - releaseChannel: - $ref: '#/components/schemas/ReleaseChannel' - AgentType: - description: Agent types that are being monitored - type: string - x-okta-known-values: - - AD - - IWA - - LDAP - - MFA - - OPP - - RUM - - Radius - AgentUpdateInstanceStatus: - description: Status for one agent regarding the status to auto-update that agent + description: Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint. 
+ claimType: + $ref: '#/components/schemas/OAuth2ClaimType' + conditions: + $ref: '#/components/schemas/OAuth2ClaimConditions' + group_filter_type: + $ref: '#/components/schemas/OAuth2ClaimGroupFilterType' + id: + type: string + description: ID of the Claim + readOnly: true + name: + type: string + description: Name of the Claim + status: + $ref: '#/components/schemas/LifecycleStatus' + system: + description: When `true`, indicates that Okta created the Claim + type: boolean + value: + description: Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`. + type: string + valueType: + $ref: '#/components/schemas/OAuth2ClaimValueType' + _links: + $ref: '#/components/schemas/LinksSelf' + OAuth2ClaimConditions: + description: Specifies the scopes for the Claim + type: object + properties: + scopes: + type: array + items: + type: string + OAuth2ClaimGroupFilterType: + description: |- + Specifies the type of group filter if `valueType` is `GROUPS` + + If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`. + + If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim. type: string + x-enumDescriptions: + STARTS_WITH: Group names start with `value` (not case-sensitive). For example, if `value` is `group1`, then `group123` and `Group123` are included. + EQUALS: Group name is the same as `value` (not case-sensitive). For example, if `value` is `group1`, then `group1` and `Group1` are included, but `group123` isn't. + CONTAINS: Group names contain `value` (not case-sensitive). For example, if `value` is `group1`, then `MyGroup123` and `group1` are included. 
+ REGEX: Group names match the regular expression in `value` (case-sensitive). For example if `value` is `/^[a-z0-9_-]{3,16}$/`, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match. x-okta-known-values: - - Cancelled - - Failed - - InProgress - - PendingCompletion - - Scheduled - - Success - AgentUpdateJobStatus: - description: Overall state for the auto-update job from admin perspective + - CONTAINS + - EQUALS + - REGEX + - STARTS_WITH + OAuth2ClaimType: + description: Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`) type: string x-okta-known-values: - - Cancelled - - Failed - - InProgress - - Paused - - Scheduled - - Success - AllowedForEnum: + - IDENTITY + - RESOURCE + OAuth2ClaimValueType: + description: Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`) type: string x-okta-known-values: - - any - - none - - recovery - - sso - ApiToken: - title: API Token - description: An API token for an Okta User. This token is NOT scoped any further and can be used for any API the user has permissions to call. + - EXPRESSION + - GROUPS + - SYSTEM + OAuth2Client: type: object properties: - clientName: + client_id: + description: Unique key for the client application. The `client_id` is immutable. 
type: string readOnly: true - created: + example: 0oabskvc6442nkvQO0h7 + client_name: + description: Human-readable string name of the client application type: string - format: date-time readOnly: true - expiresAt: + example: My App + client_uri: type: string - format: date-time readOnly: true + example: https://www.example.com + logo_uri: + description: URL string that references a logo for the client consent dialog (not the sign-in dialog) + type: string + readOnly: true + example: https://www.example.com/logo.png + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + grants: + description: Link to the grant resources + allOf: + - $ref: '#/components/schemas/GrantResourcesHrefObject' + tokens: + description: Link to the token resources + allOf: + - $ref: '#/components/schemas/TokenResourcesHrefObject' + OAuth2ClientJsonWebKey: + type: object + properties: + alg: + type: string + description: Algorithm used in the key + example: RS256 + nullable: false + created: + type: string + description: Timestamp when the OAuth Client 2.0 JSON Web Key was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false id: type: string + description: The unique ID of the OAuth Client JSON Web Key + example: pks2f4zrZbs8nUa7p0g4 readOnly: true + nullable: false + kid: + type: string + description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false lastUpdated: type: string - format: date-time + description: Timestamp when the OAuth Client 2.0 JSON Web Key was updated + example: '2023-02-21T20:08:24.000Z' readOnly: true - name: + nullable: false + 'n': type: string - tokenWindow: - $ref: 
'#/components/schemas/TimeDuration' - userId: + description: RSA key value (modulus) for key binding + example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + status: type: string - _link: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client JSON Web Key + example: ACTIVE + nullable: false + default: ACTIVE + use: + type: string + description: Acceptable use of the JSON Web Key + example: sig + nullable: false + _links: + $ref: '#/components/schemas/OAuthClientSecretLinks' readOnly: true - required: - - name - AppAndInstanceConditionEvaluatorAppOrInstance: + nullable: false + OAuth2ClientJsonWebKeyRequestBody: type: object properties: - id: + alg: type: string - readOnly: true - name: + description: Algorithm used in the key + example: RS256 + nullable: false + e: type: string - type: - $ref: '#/components/schemas/AppAndInstanceType' - AppAndInstancePolicyRuleCondition: - type: object - properties: - exclude: - type: array - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - include: - type: array - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - AppAndInstanceType: - type: string - x-okta-known-values: - - APP - - APP_TYPE - AppInstancePolicyRuleCondition: - type: object - properties: - exclude: - type: array - items: - type: string - include: - type: array - items: - type: string - AppLink: + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + kid: + type: string + description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's 
JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + 'n': + type: string + description: RSA key value (modulus) for key binding + example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client JSON Web Key + example: ACTIVE + use: + type: string + description: Acceptable use of the JSON Web Key + example: sig + nullable: false + OAuth2ClientSecret: type: object properties: - appAssignmentId: - type: string - readOnly: true - appInstanceId: + client_secret: type: string + description: The OAuth 2.0 client secret string + example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B readOnly: true - appName: + nullable: false + created: type: string + description: Timestamp when the OAuth Client 2.0 Secret was created + example: '2023-02-21T20:08:24.000Z' readOnly: true - credentialsSetup: - type: boolean - readOnly: true - hidden: - type: boolean - readOnly: true + nullable: false id: type: string + description: The unique ID of the OAuth Client Secret + example: ocs2f4zrZbs8nUa7p0g4 readOnly: true - label: + nullable: false + lastUpdated: type: string + description: Timestamp when the OAuth Client 2.0 Secret was updated + example: '2023-02-21T20:08:24.000Z' readOnly: true - linkUrl: + nullable: false + secret_hash: type: string + description: OAuth 2.0 client secret string hash + example: yk4SVx4sUWVJVbHt6M-UPA readOnly: true - logoUrl: + nullable: false + status: type: string + enum: + - ACTIVE + - INACTIVE + 
description: Status of the OAuth 2.0 Client Secret + example: ACTIVE + nullable: false + default: ACTIVE + _links: + $ref: '#/components/schemas/OAuthClientSecretLinks' readOnly: true - sortOrder: - type: integer - readOnly: true - AppUser: + nullable: false + OAuth2ClientSecretRequestBody: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string + example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client Secret + example: ACTIVE + OAuth2RefreshToken: type: object properties: + clientId: + type: string + description: Client ID created: + $ref: '#/components/schemas/createdProperty' + expiresAt: type: string + description: Expiration time of the OAuth 2.0 Token format: date-time readOnly: true - credentials: - $ref: '#/components/schemas/AppUserCredentials' - externalId: - type: string - readOnly: true id: type: string - readOnly: false - lastSync: - type: string - format: date-time + description: ID of the Token object readOnly: true + example: oar579Mcp7OUsNTlo0g3 + issuer: + type: string + description: The complete URL of the authorization server that issued the Token + example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 lastUpdated: + $ref: '#/components/schemas/lastUpdatedProperty' + scopes: + type: array + description: The scope names attached to the Token + items: + type: string + example: offline_access + status: + $ref: '#/components/schemas/GrantOrTokenStatus' + userId: type: string - format: date-time + description: The ID of the user associated with the Token + example: 00u5t60iloOHN9pBi0h7 + _embedded: + type: object + description: The embedded resources related to the object if the `expand` query parameter is specified + properties: + scopes: + type: array + description: The scope objects attached to the Token + items: + $ref: '#/components/schemas/OAuth2RefreshTokenScope' readOnly: true - 
passwordChanged: + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + revoke: + description: Link to revoke the refresh Token + allOf: + - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject' + - properties: + hints: + properties: + allow: + items: + enum: + - DELETE + default: DELETE + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the Token authorization server resource + allOf: + - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject' + OAuth2RefreshTokenScope: + type: object + properties: + description: type: string - format: date-time + description: Description of the Scope + example: Requests a refresh token by default, used to obtain more access tokens without re-prompting the user for authentication + displayName: + type: string + description: Name of the end user displayed in a consent dialog + id: + type: string + description: Scope object ID readOnly: true - profile: + example: scppb56cIl4GvGxy70g3 + name: + type: string + description: Scope name + example: offline_access + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
type: object - additionalProperties: - type: object - properties: {} - scope: + properties: + scope: + description: Link to Scope resource + allOf: + - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject' + OAuth2Scope: + type: object + properties: + consent: + $ref: '#/components/schemas/OAuth2ScopeConsentType' + default: + type: boolean + description: Indicates if this Scope is a default scope + default: false + description: type: string - status: + description: Description of the Scope + displayName: + type: string + description: Name of the end user displayed in a consent dialog + id: + type: string + description: Scope object ID + readOnly: true + metadataPublish: + $ref: '#/components/schemas/OAuth2ScopeMetadataPublish' + name: + type: string + description: Scope name + optional: + type: boolean + description: Indicates whether the Scope is optional. When set to `true`, the user can skip consent for the scope. + default: false + system: + type: boolean + description: Indicates if Okta created the Scope + default: false + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - name + OAuth2ScopeConsentGrant: + description: Grant object that represents an app consent scope grant + type: object + properties: + clientId: type: string + description: Client ID of the app integration readOnly: true - statusChanged: + example: oag3ih1zrm1cBFOiq0h6 + created: + $ref: '#/components/schemas/createdProperty' + createdBy: + $ref: '#/components/schemas/OAuth2Actor' + id: type: string - format: date-time + description: ID of the Grant object readOnly: true - syncState: + example: oag3ih1zrm1cBFOiq0h6 + issuer: + type: string + description: The issuer of your org authorization server. This is typically your Okta domain. 
+ example: https://my_test_okta_org.oktapreview.com + lastUpdated: + $ref: '#/components/schemas/lastUpdatedProperty' + scopeId: + type: string + description: The name of the [Okta scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) for which consent is granted + example: okta.users.read + source: + $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource' + status: + $ref: '#/components/schemas/GrantOrTokenStatus' + userId: type: string + description: User ID that granted consent (if `source` is `END_USER`) readOnly: true + example: 00u5t60iloOHN9pBi0h7 _embedded: type: object - additionalProperties: - type: object - properties: {} + description: Embedded resources related to the Grant + properties: + scope: + type: object + properties: + id: + type: string + description: The name of the Okta scope for which consent is granted + example: okta.users.read readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - AppUserCredentials: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + scope: + description: Link to the scope resource + allOf: + - $ref: '#/components/schemas/ScopeResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the authorization server resource + allOf: + - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject' + - readOnly: true + required: + - issuer + - scopeId + OAuth2ScopeConsentGrantSource: + description: User type source that granted consent + example: ADMIN + type: string + readOnly: true + x-okta-known-values: + - ADMIN + - END_USER + OAuth2ScopeConsentType: + description: 
Indicates whether a consent dialog is needed for the Scope + default: IMPLICIT + type: string + x-okta-known-values: + - FLEXIBLE + - IMPLICIT + - REQUIRED + OAuth2ScopeMetadataPublish: + description: Indicates whether the Scope is included in the metadata + default: NO_CLIENTS + type: string + x-okta-known-values: + - ALL_CLIENTS + - NO_CLIENTS + OAuth2ScopesMediationPolicyRuleCondition: + description: Array of scopes that the condition includes type: object properties: - password: - $ref: '#/components/schemas/AppUserPasswordCredential' - userName: - type: string - AppUserPasswordCredential: + include: + type: array + items: + type: string + OAuth2Token: type: object properties: - value: + clientId: type: string - format: password - Application: - type: object - properties: - accessibility: - $ref: '#/components/schemas/ApplicationAccessibility' + description: Client ID + example: 0oabskvc6442nkvQO0h7 + readOnly: true created: + $ref: '#/components/schemas/createdProperty' + expiresAt: type: string + description: Expiration time of the OAuth 2.0 Token format: date-time readOnly: true - features: - type: array - items: - type: string id: type: string + description: ID of the Token object readOnly: true - label: + issuer: type: string + description: The complete URL of the authorization server that issued the Token lastUpdated: - type: string - format: date-time - readOnly: true - licensing: - $ref: '#/components/schemas/ApplicationLicensing' - profile: - type: object - additionalProperties: - type: object - properties: {} - signOnMode: - $ref: '#/components/schemas/ApplicationSignOnMode' + $ref: '#/components/schemas/lastUpdatedProperty' + scopes: + type: array + description: Name of scopes attached to the Token + items: + type: string status: - $ref: '#/components/schemas/ApplicationLifecycleStatus' - visibility: - $ref: '#/components/schemas/ApplicationVisibility' + $ref: '#/components/schemas/GrantOrTokenStatus' + userId: + type: string _embedded: type: object 
+ description: Embedded resources related to the object if the `expand` query parameter is specified additionalProperties: type: object properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - discriminator: - propertyName: signOnMode - mapping: - AUTO_LOGIN: '#/components/schemas/AutoLoginApplication' - BASIC_AUTH: '#/components/schemas/BasicAuthApplication' - BOOKMARK: '#/components/schemas/BookmarkApplication' - BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' - OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' - SAML_1_1: '#/components/schemas/SamlApplication' - SAML_2_0: '#/components/schemas/SamlApplication' - SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' - WS_FEDERATION: '#/components/schemas/WsFederationApplication' - ApplicationAccessibility: + $ref: '#/components/schemas/LinksSelf' + OAuthApplicationCredentials: + allOf: + - $ref: '#/components/schemas/ApplicationCredentials' + - type: object + properties: + oauthClient: + $ref: '#/components/schemas/ApplicationCredentialsOAuthClient' + OAuthAuthorizationEndpoint: + description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) type: object properties: - errorRedirectUrl: - type: string - loginRedirectUrl: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: type: string - selfService: - type: boolean - ApplicationCredentials: + description: URL of the IdP Authorization Server (AS) authorization endpoint + example: https://idp.example.com/authorize + OAuthClientSecretLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. 
This object is used for dynamic discovery of related resources and lifecycle operations. + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + delete: + $ref: '#/components/schemas/HrefObjectDeleteLink' + readOnly: true + OAuthCredentials: + description: Client authentication credentials for an [OAuth 2.0 Authorization Server](https://tools.ietf.org/html/rfc6749#section-2.3) type: object properties: + client: + $ref: '#/components/schemas/OAuthCredentialsClient' signing: - $ref: '#/components/schemas/ApplicationCredentialsSigning' - userNameTemplate: - $ref: '#/components/schemas/ApplicationCredentialsUsernameTemplate' - ApplicationCredentialsOAuthClient: + $ref: '#/components/schemas/AppleClientSigning' + OAuthCredentialsClient: + description: |- + OAuth 2.0 and OpenID Connect Client object + > **Note:** You must complete client registration with the IdP Authorization Server for your Okta IdP instance to obtain client credentials. 
type: object properties: - autoKeyRotation: - type: boolean client_id: type: string + description: The [Unique identifier](https://tools.ietf.org/html/rfc6749#section-2.2) issued by the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-id client_secret: type: string + description: The [Client secret](https://tools.ietf.org/html/rfc6749#section-2.3.1) issued by the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-secret + pkce_required: + type: boolean + description: Require Proof Key for Code Exchange (PKCE) for additional verification token_endpoint_auth_method: - $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod' - ApplicationCredentialsScheme: + type: string + description: Client authentication methods supported by the token endpoint + enum: + - private_key_jwt + OAuthEndpointAuthenticationMethod: + description: Requested authentication method for the token endpoint + default: client_secret_basic type: string x-okta-known-values: - - ADMIN_SETS_CREDENTIALS - - EDIT_PASSWORD_ONLY - - EDIT_USERNAME_AND_PASSWORD - - EXTERNAL_PASSWORD_SYNC - - SHARED_USERNAME_AND_PASSWORD - ApplicationCredentialsSigning: + - client_secret_basic + - client_secret_jwt + - client_secret_post + - none + - private_key_jwt + OAuthEndpoints: + description: |- + The `OAUTH2` and `OIDC` protocols support the `authorization` and `token` endpoints. Also, the `OIDC` protocol supports the `userInfo` and `jwks` endpoints. + + The IdP Authorization Server (AS) endpoints are currently defined as part of the [IdP provider]((https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request)) and are read-only. 
+ type: object + properties: + authorization: + $ref: '#/components/schemas/OAuthAuthorizationEndpoint' + jwks: + $ref: '#/components/schemas/OidcJwksEndpoint' + token: + $ref: '#/components/schemas/OAuthTokenEndpoint' + userInfo: + $ref: '#/components/schemas/OidcUserInfoEndpoint' + OAuthGrantType: + description: Array of OAuth 2.0 grant type strings + type: string + x-okta-known-values: + - authorization_code + - client_credentials + - implicit + - interaction_code + - password + - refresh_token + - urn:ietf:params:oauth:grant-type:device_code + - urn:ietf:params:oauth:grant-type:jwt-bearer + - urn:ietf:params:oauth:grant-type:saml2-bearer + - urn:ietf:params:oauth:grant-type:token-exchange + - urn:openid:params:grant-type:ciba + OAuthMetadata: + type: object + properties: + authorization_endpoint: + type: string + description: URL of the authorization server's authorization endpoint. + backchannel_authentication_request_signing_alg_values_supported: + description: <div class="x-lifecycle-container"><x-lifecycle class="lea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>A list of signing algorithms that this authorization server supports for signed requests. + type: array + items: + $ref: '#/components/schemas/SigningAlgorithm' + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + backchannel_token_delivery_modes_supported: + description: <div class="x-lifecycle-container"><x-lifecycle class="lea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication. + type: array + items: + $ref: '#/components/schemas/TokenDeliveryMode' + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + claims_supported: + description: A list of the claims supported by this authorization server. 
+ type: array + items: + $ref: '#/components/schemas/Claim' + code_challenge_methods_supported: + description: A list of PKCE code challenge methods supported by this authorization server. + type: array + items: + $ref: '#/components/schemas/CodeChallengeMethod' + device_authorization_endpoint: + type: string + dpop_signing_alg_values_supported: + description: A list of signing algorithms supported by this authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs. + type: array + items: + type: string + enum: + - ES256 + - ES384 + - ES512 + - RS256 + - RS384 + - RS512 + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + end_session_endpoint: + description: URL of the authorization server's logout endpoint. + type: string + grant_types_supported: + description: A list of the grant type values that this authorization server supports. + type: array + items: + $ref: '#/components/schemas/GrantType' + introspection_endpoint: + description: URL of the authorization server's introspection endpoint. + type: string + introspection_endpoint_auth_methods_supported: + description: A list of client authentication methods supported by this introspection endpoint. + type: array + items: + $ref: '#/components/schemas/EndpointAuthMethod' + issuer: + type: string + description: The authorization server's issuer identifier. In the context of this document, this is your authorization server's base URL. This becomes the `iss` claim in an access token. + jwks_uri: + description: URL of the authorization server's JSON Web Key Set document. + type: string + pushed_authorization_request_endpoint: + type: string + registration_endpoint: + description: URL of the authorization server's JSON Web Key Set document. + type: string + request_object_signing_alg_values_supported: + description: A list of signing algorithms that this authorization server supports for signed requests. 
+ type: array + items: + $ref: '#/components/schemas/SigningAlgorithm' + request_parameter_supported: + description: Indicates if Request Parameters are supported by this authorization server. + type: boolean + response_modes_supported: + description: A list of the `response_mode` values that this authorization server supports. More information here. + type: array + items: + $ref: '#/components/schemas/ResponseMode' + response_types_supported: + description: A list of the `response_type` values that this authorization server supports. Can be a combination of `code`, `token`, and `id_token`. + type: array + items: + $ref: '#/components/schemas/ResponseTypesSupported' + revocation_endpoint: + description: URL of the authorization server's revocation endpoint. + type: string + revocation_endpoint_auth_methods_supported: + description: A list of client authentication methods supported by this revocation endpoint. + type: array + items: + $ref: '#/components/schemas/EndpointAuthMethod' + scopes_supported: + description: A list of the scope values that this authorization server supports. + type: array + items: + $ref: '#/components/schemas/Scope' + subject_types_supported: + description: A list of the Subject Identifier types that this authorization server supports. Valid types include `pairwise` and `public`, but only `public` is currently supported. See the [Subject Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification. + type: array + items: + $ref: '#/components/schemas/SubjectType' + token_endpoint: + description: URL of the authorization server's token endpoint. + type: string + token_endpoint_auth_methods_supported: + description: A list of client authentication methods supported by this token endpoint. 
+ type: array + items: + $ref: '#/components/schemas/EndpointAuthMethod' + OAuthProvisioningEnabledApp: + description: Application name for the provisioning connection + type: string + x-okta-known-values: + - google + - office365 + - slack + - zoomus + OAuthResponseType: + description: Array of OAuth 2.0 response type strings + type: string + x-okta-known-values: + - code + - id_token + - token + OAuthTokenEndpoint: + description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) token endpoint + example: https://idp.example.com/token + OINApplication: + type: object + properties: + accessibility: + $ref: '#/components/schemas/ApplicationAccessibility' + credentials: + $ref: '#/components/schemas/SchemeApplicationCredentials' + label: + $ref: '#/components/schemas/ApplicationLabel' + licensing: + $ref: '#/components/schemas/ApplicationLicensing' + name: + type: string + description: The key name for the OIN app definition + profile: + type: object + description: Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps) + additionalProperties: + type: object + properties: {} + signOnMode: + type: string + description: Authentication mode for the app + status: + $ref: '#/components/schemas/ApplicationLifecycleStatus' + visibility: + $ref: '#/components/schemas/ApplicationVisibility' + OINSaml11ApplicationSettingsSignOn: + title: SAML 1.1 settings + description: Contains SAML 1.1 sign-on mode attributes type: object properties: - kid: + audienceOverride: type: string - lastRotated: + description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). 
+ defaultRelayState: type: string - format: date-time - readOnly: true - nextRotation: + description: Identifies a specific application resource in an IdP-initiated SSO scenario + recipientOverride: type: string - format: date-time - readOnly: true - rotationMode: + description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + ssoAcsUrlOverride: type: string - use: - $ref: '#/components/schemas/ApplicationCredentialsSigningUse' - ApplicationCredentialsSigningUse: - type: string - x-okta-known-values: - - sig - ApplicationCredentialsUsernameTemplate: + description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + OINSaml20ApplicationSettingsSignOn: + title: SAML 2.0 settings + description: |- + Contains SAML 2.0 sign-on mode attributes. + > **Note:** Set `destinationOverride` to configure any other SAML 2.0 attributes in this section. type: object properties: - pushStatus: - type: string - suffix: + audienceOverride: type: string - template: + description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + configuredAttributeStatements: + type: array + items: + $ref: '#/components/schemas/SamlAttributeStatement' + defaultRelayState: type: string - type: + description: Identifies a specific application resource in an IdP-initiated SSO scenario + destinationOverride: type: string - ApplicationFeature: - type: object - properties: - capabilities: - $ref: '#/components/schemas/CapabilitiesObject' - description: + description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + recipientOverride: type: string - name: + description: Recipient override for CASB configuration. 
See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + samlAssertionLifetimeSeconds: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: integer + description: Determines the SAML app session lifetimes with Okta + example: 3600 + ssoAcsUrlOverride: type: string - status: - $ref: '#/components/schemas/EnabledStatus' - _links: - additionalProperties: - type: object - readOnly: true - type: object - ApplicationGroupAssignment: + description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + OSVersion: + description: | + Specifies the OS requirement for the policy. + + There are two types of OS requirements: + + * **Static**: A specific OS version requirement that doesn't change until you update the policy. A static OS requirement is specified with the `osVersion.minimum` property. + * **Dynamic**: An OS version requirement that is relative to the latest major OS release and security patch. A dynamic OS requirement is specified with the `osVersion.dynamicVersionRequirement` property. + > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. You can't specify both `osVersion.minimum` and `osVersion.dynamicVersionRequirement` properties at the same time. 
type: object properties: - id: - type: string - readOnly: true - lastUpdated: - type: string - format: date-time - readOnly: true - priority: - type: integer - profile: - type: object - additionalProperties: - type: object - properties: {} - _embedded: + dynamicVersionRequirement: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>Contains the necessary properties for a dynamic version requirement type: object - additionalProperties: - type: object - properties: {} - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - ApplicationLayout: + properties: + type: + type: string + description: Indicates the type of the dynamic OS version requirement + enum: + - MINIMUM + - EXACT + - EXACT_ANY_SUPPORTED + x-enumDescriptions: + MINIMUM: The device version must be equal to or newer than the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. + EXACT: The device version must be on the same major version as the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. + EXACT_ANY_SUPPORTED: The device version must be on a major version which is supported. You can't specify `distanceFromLatestMajor` for this type. 
+ distanceFromLatestMajor: + description: Indicates the distance from the latest major version + type: integer + minimum: 0 + maximum: 1 + latestSecurityPatch: + description: Indicates whether the device needs to be on the latest security patch + type: boolean + minimum: + description: The device version must be equal to or newer than the specified version string (maximum of three components for iOS and macOS, and maximum of four components for Android) + type: string + example: 12.4.5 + OSVersionConstraint: type: object properties: - elements: - items: - $ref: '#/components/schemas/ApplicationLayout' - type: array - label: - type: string - options: - type: object - additionalProperties: true - rule: + dynamicVersionRequirement: type: object + description: Contains the necessary properties for a dynamic Windows version requirement properties: - effect: + type: type: string - condition: - $ref: '#/components/schemas/ApplicationLayoutRuleCondition' - scope: + description: Indicates the type of the dynamic Windows version requirement + enum: + - MINIMUM + - EXACT + - EXACT_ANY_SUPPORTED + - NOT_ALLOWED + x-enumDescriptions: + MINIMUM: The device version must be equal to or newer than the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. + EXACT: The device version must be on the same major version as the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. + EXACT_ANY_SUPPORTED: The device version must be on a Windows major version which is supported. You can't specify `distanceFromLatestMajor` for this type. + NOT_ALLOWED: The device version isn't allowed. You can't specify `distanceFromLatestMajor` or `latestSecurityPatch` for this type. 
+ distanceFromLatestMajor: + description: Indicates the distance from the latest Windows major version + type: integer + minimum: 0 + maximum: 1 + latestSecurityPatch: + description: Indicates whether the policy requires Windows devices to be on the latest security patch + type: boolean + majorVersionConstraint: type: string - type: + description: Indicates the Windows major version + enum: + - WINDOWS_11 + - WINDOWS_10 + x-enumDescriptions: + WINDOWS_11: The device is on Windows 11 + WINDOWS_10: The device is on Windows 10 or an older Windows version + minimum: + description: The Windows device version must be equal to or newer than the specified version type: string - ApplicationLayoutRuleCondition: + example: 12.4.5.9 + required: + - majorVersionConstraint + OSVersionFourComponents: + description: Current version of the operating system (maximum of four components in the versioning scheme) type: object properties: - schema: - type: object - additionalProperties: true - scope: + minimum: type: string - ApplicationLicensing: + example: 12.4.5.9 + OSVersionThreeComponents: + description: Current version of the operating system (maximum of three components in the versioning scheme) type: object properties: - seatCount: - type: integer - ApplicationLifecycleStatus: - type: string - readOnly: true - x-okta-known-values: - - ACTIVE - - DELETED - - INACTIVE - ApplicationSettings: + minimum: + type: string + example: 12.4.5 + Office365Application: + title: Microsoft Office 365 + x-tags: + - Application + x-okta-defined-as: + name: office365 + description: | + Schema for the Microsoft Office 365 app (key name: `office365`) + + To create a Microsoft Office 365 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Office 365 app only supports `BROWSER_PLUGIN` and `SAML_1_1` sign-on modes. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - office365 + example: office365 + signOnMode: + enum: + - BROWSER_PLUGIN + - SAML_1_1 + example: BROWSER_PLUGIN + settings: + $ref: '#/components/schemas/Office365ApplicationSettings' + example: + name: office365 + label: Sample Office365 App + signOnMode: SAML_1_1 + settings: + app: + domain: myintegration.okta365test.net + msftTenant: mycompanyinc + Office365ApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/Office365ApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml11ApplicationSettingsSignOn' + Office365ApplicationSettingsApplication: + description: Office365 app instance properties type: object properties: - identityStoreId: + domain: type: string - implicitAssignment: - type: boolean - inlineHookId: + description: The domain for your Office 365 account + msftTenant: type: string - notes: - $ref: '#/components/schemas/ApplicationSettingsNotes' - notifications: - $ref: '#/components/schemas/ApplicationSettingsNotifications' - ApplicationSettingsNotes: + description: Microsoft tenant name + required: + - msftTenant + - domain + Office365ProvisioningSettings: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + title: Microsoft Office 365 provisioning settings + description: Settings required for the Microsoft Office 365 Provisioning Connection type: object properties: - admin: + adminPassword: type: string - enduser: + description: Microsoft Office 365 global administrator password + adminUsername: type: string - ApplicationSettingsNotifications: - type: object - properties: - vpn: - $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn' - ApplicationSettingsNotificationsVpn: + description: Microsoft Office 365 global 
administrator username + required: + - adminUsername + - adminPassword + OfflineAccessScopeResourceHrefObject: type: object properties: - helpUrl: + href: type: string - message: + description: Link URI + example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: type: string - network: - $ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork' - ApplicationSettingsNotificationsVpnNetwork: + description: Link name + example: offline_access + Oidc: + description: OIDC configuration details type: object properties: - connection: + doc: type: string - exclude: + format: uri + description: The URL to your customer-facing instructions for configuring your OIDC integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). + example: https://example.com/strawberry/help/oidcSetup + initiateLoginUri: + type: string + format: uri + description: The URL to redirect users when they click on your app from their Okta End-User Dashboard + example: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: type: array + description: The sign-out redirect URIs for your app. You can send a request to `/v1/logout` to sign the user out and redirect them to one of these URIs. items: type: string - include: + format: uri + description: 'A sign-out redirect URI. You can use the org properties you defined in the `config` array as variables in your URI. 
For example: `https://${org.subdomain}.example.com/strawberry/oidc/logged-out`' + example: https://${org.subdomain}.example.com/strawberry/oidc/logged-out + redirectUris: type: array + minItems: 1 + description: List of sign-in redirect URIs items: type: string - ApplicationSignOnMode: - type: string - x-okta-known-values: - - AUTO_LOGIN - - BASIC_AUTH - - BOOKMARK - - BROWSER_PLUGIN - - OPENID_CONNECT - - SAML_1_1 - - SAML_2_0 - - SECURE_PASSWORD_STORE - - WS_FEDERATION - ApplicationVisibility: - type: object - properties: - appLinks: - type: object - additionalProperties: - type: boolean - autoLaunch: - type: boolean - autoSubmitToolbar: - type: boolean - hide: - $ref: '#/components/schemas/ApplicationVisibilityHide' - ApplicationVisibilityHide: - type: object - properties: - iOS: - type: boolean - web: - type: boolean - AssignRoleRequest: - type: object - properties: - type: - $ref: '#/components/schemas/RoleType' - AuthenticationProvider: - type: object - properties: - name: - type: string - type: - $ref: '#/components/schemas/AuthenticationProviderType' - AuthenticationProviderType: - type: string - x-okta-known-values: - - ACTIVE_DIRECTORY - - FEDERATION - - IMPORT - - LDAP - - OKTA - - SOCIAL - Authenticator: - type: object - properties: - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - key: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - provider: - $ref: '#/components/schemas/AuthenticatorProvider' - settings: - $ref: '#/components/schemas/AuthenticatorSettings' - status: - $ref: '#/components/schemas/AuthenticatorStatus' - type: - $ref: '#/components/schemas/AuthenticatorType' - _links: - additionalProperties: - type: object - readOnly: true - type: object - AuthenticatorProvider: - properties: - configuration: - $ref: '#/components/schemas/AuthenticatorProviderConfiguration' - type: - type: string - AuthenticatorProviderConfiguration: + format: 
uri + description: Sign-in redirect URI + example: https://${org.subdomain}.example.com/strawberry/oidc/login + required: + - redirectUris + - doc + OidcAlgorithms: + type: object properties: - authPort: - type: integer - hostName: - type: string - instanceId: - type: string - sharedSecret: - type: string - userNameTemplate: - $ref: '#/components/schemas/AuthenticatorProviderConfigurationUserNameTemplate' - AuthenticatorProviderConfigurationUserNameTemplate: + request: + $ref: '#/components/schemas/OidcRequestAlgorithm' + OidcJwksEndpoint: + description: Endpoint for the JSON Web Key Set (JWKS) document. This document contains signing keys that are used to validate the signatures from the provider. For more information on JWKS, see [JSON Web Key](https://tools.ietf.org/html/rfc7517). + type: object properties: - template: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: type: string - AuthenticatorSettings: + description: URL of the endpoint to the JWK Set + example: https://idp.example.com/keys + OidcRequestAlgorithm: + description: Algorithm settings used to sign an authorization request type: object properties: - allowedFor: - $ref: '#/components/schemas/AllowedForEnum' - appInstanceId: - type: string - channelBinding: - $ref: '#/components/schemas/ChannelBinding' - compliance: - $ref: '#/components/schemas/Compliance' - tokenLifetimeInMinutes: - type: integer - userVerification: - $ref: '#/components/schemas/UserVerificationEnum' - AuthenticatorStatus: - type: string - x-okta-known-values: - - ACTIVE - - INACTIVE - AuthenticatorType: + signature: + $ref: '#/components/schemas/OidcRequestSignatureAlgorithm' + OidcRequestSignatureAlgorithm: + description: |- + Signature Algorithm settings for signing authorization requests sent to the IdP + > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`). 
+ type: object + properties: + algorithm: + $ref: '#/components/schemas/OidcSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + OidcSigningAlgorithm: type: string x-okta-known-values: - - app - - email - - federated - - password - - phone - - security_key - - security_question - AuthorizationServer: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + OidcUserInfoEndpoint: + description: Endpoint for getting identity information about the User. For more information on the `/userinfo` endpoint, see [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). type: object properties: - audiences: - type: array - items: - type: string - created: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: type: string - format: date-time - readOnly: true - credentials: - $ref: '#/components/schemas/AuthorizationServerCredentials' + description: URL of the resource server's `/userinfo` endpoint + example: https://idp.example.com/userinfo + OktaActiveDirectoryGroupProfile: + description: |- + Profile for a Group that is imported from Active Directory. + + The `objectClass` for such groups is `okta:windows_security_principal`. 
+ type: object + properties: description: type: string - id: - type: string - readOnly: true - issuer: + example: example.com/West Coast/West Coast Users + description: Description of the Windows Group + dn: type: string - issuerMode: - $ref: '#/components/schemas/IssuerMode' - lastUpdated: + example: CN=West Coast Users,OU=West Coast,DC=example,DC=com + description: The distinguished name of the Windows Group + externalId: type: string - format: date-time - readOnly: true + example: VKzYZ1C+IkSZxIWlrW5ITg== + description: Base-64 encoded GUID (`objectGUID`) of the Windows Group name: type: string - status: - $ref: '#/components/schemas/LifecycleStatus' - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - AuthorizationServerCredentials: + example: West Coast Users + description: Name of the Windows Group + samAccountName: + type: string + example: West Coast Users + description: Pre-Windows 2000 name of the Windows Group + windowsDomainQualifiedName: + type: string + example: EXAMPLE\\West Coast Users + description: Fully qualified name of the Windows Group + OktaDeviceRiskChangeEvent: + description: The device risk level changed type: object properties: - signing: - $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' - AuthorizationServerCredentialsRotationMode: - type: string - x-okta-known-values: - - AUTO - - MANUAL - AuthorizationServerCredentialsSigningConfig: + current_level: + type: string + description: Current risk level of the device + enum: + - low + - medium + - high + - secure + - none + example: low + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + previous_level: + type: string + description: Previous risk level of the device + enum: + - low + - medium + - high + - secure 
+ - none + example: medium + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + - current_level + - previous_level + OktaIpChangeEvent: + description: IP changed for the subject's session type: object properties: - kid: - type: string - lastRotated: + current_ip_address: type: string - format: date-time - readOnly: true - nextRotation: + description: Current IP address of the subject + example: 123.4.5.6 + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: type: string - format: date-time - readOnly: true - rotationMode: - $ref: '#/components/schemas/AuthorizationServerCredentialsRotationMode' - use: - $ref: '#/components/schemas/AuthorizationServerCredentialsUse' - AuthorizationServerCredentialsUse: - type: string - x-okta-known-values: - - sig - AuthorizationServerPolicy: + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + previous_ip_address: + type: string + description: Previous IP address of the subject + example: 123.45.67.8 + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. 
+ reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + - current_ip_address + - previous_ip_address + OktaPersonalAdminFeatureSettings: + description: Defines a list of Okta Personal settings that can be enabled or disabled for the org + type: object + properties: + enableEnduserEntryPoints: + type: boolean + description: Allow entry points for an Okta Personal account in a Workforce org + enableExportApps: + type: boolean + description: Allow users to migrate apps from a Workforce account to an Okta Personal account + OktaSignOnPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - AuthorizationServerPolicyRule: + $ref: '#/components/schemas/OktaSignOnPolicyConditions' + OktaSignOnPolicyConditions: + allOf: + - type: object + properties: + people: + type: object + description: Identifies Users and Groups that are used together + properties: + groups: + type: object + description: Specifies a set of Groups whose Users are to be included or excluded + properties: + include: + type: array + description: Groups to be included + items: + type: string + OktaSignOnPolicyFactorPromptMode: + description: | + Indicates if the User should be challenged for a second factor (MFA) based on the device being used, a Factor session lifetime, or on every sign-in attempt + + **Note:** Required only if `requireFactor` is set to `true`. 
+ type: string + x-okta-known-values: + - ALWAYS + - DEVICE + - SESSION + OktaSignOnPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: - $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' + $ref: '#/components/schemas/OktaSignOnPolicyRuleActions' conditions: - $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' - AuthorizationServerPolicyRuleActions: + $ref: '#/components/schemas/OktaSignOnPolicyRuleConditions' + OktaSignOnPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' - type: object properties: - token: - $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction' - AuthorizationServerPolicyRuleConditions: + signon: + $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' + OktaSignOnPolicyRuleConditions: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - type: object properties: - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' + authContext: + $ref: '#/components/schemas/PolicyRuleAuthContextCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' people: $ref: '#/components/schemas/PolicyPeopleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' - AutoLoginApplication: + identityProvider: + $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' + OktaSignOnPolicyRuleSignonActions: + type: object + properties: + access: + type: string + enum: + - ALLOW + - DENY + factorLifetime: + type: integer + description: | + Interval of time that must elapse before the User is challenged for MFA, if the Factor prompt mode is set to `SESSION` + + **Note:** Required only if `requireFactor` is `true`. 
+ factorPromptMode: + $ref: '#/components/schemas/OktaSignOnPolicyFactorPromptMode' + primaryFactor: + $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonPrimaryFactor' + rememberDeviceByDefault: + type: boolean + description: Indicates if Okta should automatically remember the device + default: false + requireFactor: + type: boolean + default: false + description: Indicates if multifactor authentication is required + session: + $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions' + OktaSignOnPolicyRuleSignonPrimaryFactor: + description: |- + <x-lifecycle class="oie"></x-lifecycle> Indicates the primary factor used to establish a session for the org. Supported values: `PASSWORD_IDP_ANY_FACTOR` (users can use any factor required by the app authentication policy to establish a session), `PASSWORD_IDP` (users must always use a password to establish a session). + + **Note:** Required only if `access` is set to `ALLOW`. + type: string + x-okta-known-values: + - PASSWORD_IDP + - PASSWORD_IDP_ANY_FACTOR + OktaSignOnPolicyRuleSignonSessionActions: + description: Properties governing the User's session lifetime + type: object + properties: + maxSessionIdleMinutes: + description: Maximum number of minutes that a User session can be idle before the session is ended + type: integer + default: 120 + maxSessionLifetimeMinutes: + description: Maximum number of minutes from User sign in that a user's session is active. Set this to force Users to sign in again after the number of specified minutes. Disable by setting to `0`. This property is read-only for the default rule of the default global session policy. + type: integer + default: 0 + usePersistentCookie: + description: If set to `false`, user session cookies only last the length of a browser session. If set to `true`, user session cookies last across browser sessions. This setting doesn't impact administrators who can never have persistent session cookies. 
This property is read-only for the default rule of the default global session policy. + type: boolean + default: false + OktaUserGroupProfile: + description: |- + Profile for any Group that is not imported from Active Directory. Specifies the standard + and custom profile properties for a Group. + + The `objectClass` for these groups is `okta:user_group`. + type: object + properties: + description: + type: string + example: All Users West of The Rockies + description: Description of the Group + name: + type: string + example: West Coast Users + description: Name of the Group + x-okta-extensible: true + OktaUserRiskChangeEvent: + description: The user risk level changed + type: object + properties: + current_level: + type: string + description: Current risk level of the user + enum: + - low + - medium + - high + - secure + - none + example: low + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + previous_level: + type: string + description: Previous risk level of the user + enum: + - low + - medium + - high + - secure + - none + example: medium + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. 
+ subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + - current_level + - previous_level + OpenIdConnectApplication: + x-okta-defined-as: + name: oidc_client allOf: - $ref: '#/components/schemas/Application' - type: object properties: credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' + $ref: '#/components/schemas/OAuthApplicationCredentials' name: type: string + description: '`oidc_client` is the key name for an OAuth 2.0 client app instance' + enum: + - oidc_client settings: - $ref: '#/components/schemas/AutoLoginApplicationSettings' - AutoLoginApplicationSettings: + $ref: '#/components/schemas/OpenIdConnectApplicationSettings' + required: + - name + - settings + - credentials + OpenIdConnectApplicationConsentMethod: + description: | + Indicates whether user consent is required or implicit. + A consent dialog appears for the end user depending on the values of three elements: + + * [prompt](/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/authorize!in=query&path=prompt&t=request): A query parameter that is used in requests to `/authorize` + * `consent_method` (this property) + * [consent](/openapi/okta-management/management/tag/AuthorizationServerScopes/#tag/AuthorizationServerScopes/operation/createOAuth2Scope!path=consent&t=request): A [Scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServerScopes/) property that allows you to enable or disable user consent for an individual scope + + | `prompt` | `consent_method` | `consent` | Result + | ---------- | ----------- | ---------- | ----------- | + | CONSENT | TRUSTED or REQUIRED | REQUIRED | Prompted | + | CONSENT | TRUSTED or REQUIRED | FLEXIBLE | Prompted | + | CONSENT | TRUSTED | IMPLICIT | Not prompted | + | NONE | TRUSTED | FLEXIBLE, IMPLICIT, or REQUIRED | Not prompted | + | NONE | REQUIRED | FLEXIBLE or REQUIRED | Prompted | + | NONE | REQUIRED | IMPLICIT | Not prompted | + + > 
**Notes:** + > * If you request a scope that requires consent while using the `client_credentials` flow, an error is returned because the flow doesn't support user consent. + > * If the `prompt` value is set to `NONE`, but the `consent_method` and the consent values are set to `REQUIRED`, then an error occurs. + > * When a scope is requested during a Client Credentials grant flow and `consent` is set to `FLEXIBLE`, the scope is granted in the access token with no consent prompt. This occurs because there is no user involved in a two-legged OAuth 2.0 [Client Credentials](https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/) grant flow. + default: TRUSTED + type: string + x-enumDescriptions: + TRUSTED: The client is fully trusted (for example, a first-party app). The default consent method for app instances created with a [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request + REQUIRED: The client requires consent (for example, a third-party app). The default consent method for app instances created with a [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient) request + x-okta-known-values: + - REQUIRED + - TRUSTED + OpenIdConnectApplicationIdpInitiatedLogin: + description: The type of IdP-initiated sign-in flow that the client supports + type: object + properties: + default_scope: + type: array + description: The scopes to use for the request when `mode` is `OKTA` + items: + type: string + mode: + type: string + description: | + The mode to use for the IdP-initiated sign-in flow. For `OKTA` or `SPEC` modes, the client must have an `initiate_login_uri` registered. + > **Note:** For web and SPA apps, if the mode is `SPEC` or `OKTA`, you must set `grant_types` to `authorization_code`, `implicit`, or `interaction_code`. 
+ enum: + - DISABLED + - SPEC + - OKTA + x-enumDescriptions: + DISABLED: The client doesn't support the IdP-initiated sign-in flow. + SPEC: The client is redirected to the Relying Party's `initiate_login_uri`. + OKTA: Tokens are directly sent to the Relying Party. This corresponds to the **Okta Simplified** option in the Admin Console. + required: + - mode + OpenIdConnectApplicationIssuerMode: + description: Indicates whether the Okta authorization server uses the original Okta org domain URL or a custom domain URL as the issuer of the ID token for this client + type: string + x-enumDescriptions: + CUSTOM_URL: The issuer is returned in the appropriate OIDC token response. This is the default `issuer_mode` when you configured a custom domain for your org. + DYNAMIC: A request for the ID token made from the custom domain has the custom URL as the issuer. A request for the ID token made from an Okta org has the Org URL as the issuer. You can only set `issuer_mode` as DYNAMIC if the Dynamic Issuer Mode feature is enabled. Contact Okta Support to enable this feature. + ORG_URL: The issuer is returned based on the URL of your Okta organization. This is useful when you are using Okta’s default domain and do not have a custom domain configured. + x-okta-known-values: + - CUSTOM_URL + - DYNAMIC + - ORG_URL + OpenIdConnectApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: - signOn: - $ref: '#/components/schemas/AutoLoginApplicationSettingsSignOn' - AutoLoginApplicationSettingsSignOn: + oauthClient: + $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClient' + OpenIdConnectApplicationSettingsClient: type: object properties: - loginUrl: + application_type: + $ref: '#/components/schemas/OpenIdConnectApplicationType' + backchannel_authentication_request_signing_alg: + description: | + The signing algorithm for Client-Initiated Backchannel Authentication (CIBA) signed requests using JWT. 
If this value isn't set and a JWT-signed request is sent, the request fails. + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + - ES256 + - ES384 + - ES512 + backchannel_custom_authenticator_id: + description: | + The ID of the custom authenticator that authenticates the user + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + type: string + maxLength: 20 + minLength: 20 + backchannel_token_delivery_mode: + description: | + The delivery mode for Client-Initiated Backchannel Authentication (CIBA). Currently, only `poll` is supported. + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + enum: + - poll + - ping + - push + type: string + client_uri: + type: string + description: URL string of a web page providing information about the client + maxLength: 1024 + consent_method: + $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod' + dpop_bound_access_tokens: + type: boolean + description: | + Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. + > **Note:** If `dpop_bound_access_tokens` is true, then `client_credentials` and `implicit` aren't allowed in `grant_types`. 
+ default: false + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + frontchannel_logout_session_required: + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>Determines whether Okta sends `sid` and `iss` in the logout request + type: boolean + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + frontchannel_logout_uri: + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>URL where Okta sends the logout request + type: string + maxLength: 1024 + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + grant_types: + type: array + items: + $ref: '#/components/schemas/OAuthGrantType' + idp_initiated_login: + $ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin' + initiate_login_uri: type: string - redirectUrl: + description: URL string that a third party can use to initiate the sign-in flow by the client + issuer_mode: + $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode' + jwks: + $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys' + jwks_uri: + description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta type: string - AutoUpdateSchedule: - description: The schedule of auto-update configured by admin. - type: object - properties: - cron: + logo_uri: type: string - delay: - description: delay in days - type: integer - duration: - description: duration in minutes - type: integer - lastUpdated: - description: last time when the updated finished (success or failed, exclude cancelled), null if job haven't finished once yet. + description: The URL string that references a logo for the client. This logo appears on the client tile in the End-User Dashboard. 
It also appears on the client consent dialog during the client consent flow. + maxLength: 1024 + participate_slo: + description: | + <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>Allows the app to participate in front-channel Single Logout + + > **Note:** You can only enable `participate_slo` for `web` and `browser` application types (`application_type`). + type: boolean + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + policy_uri: type: string - format: date-time - timezone: + description: URL string of a web page providing the client's policy document + post_logout_redirect_uris: + type: array + description: Array of redirection URI strings for relying party-initiated logouts + items: + type: string + redirect_uris: + type: array + description: |- + Array of redirection URI strings for use in redirect-based flows. + > **Note:** At least one `redirect_uris` and `response_types` are required for all client types, with exceptions: if the client uses the [Resource Owner Password ](https://tools.ietf.org/html/rfc6749#section-4.3)flow (`grant_types` contains `password`) or [Client Credentials](https://tools.ietf.org/html/rfc6749#section-4.4)flow (`grant_types` contains `client_credentials`), then no `redirect_uris` or `response_types` is necessary. In these cases, you can pass either null or an empty array for these attributes. 
+ items: + type: string + refresh_token: + $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken' + request_object_signing_alg: + description: The type of JSON Web Key Set (JWKS) algorithm that must be used for signing request objects type: string - BaseEmailDomain: - type: object - properties: - displayName: + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + - ES256 + - ES384 + - ES512 + response_types: + type: array + description: Array of OAuth 2.0 response type strings + items: + $ref: '#/components/schemas/OAuthResponseType' + sector_identifier_uri: type: string - userName: + description: The sector identifier used for pairwise `subject_type`. See [OIDC Pairwise Identifier Algorithm](https://openid.net/specs/openid-connect-messages-1_0-20.html#idtype.pairwise.alg) + maxLength: 1024 + subject_type: + description: Type of the subject + type: string + enum: + - public + - pairwise + tos_uri: type: string + description: URL string of a web page providing the client's terms of service document + wildcard_redirect: + type: string + description: Indicates if the client is allowed to use wildcard matching of `redirect_uris` + enum: + - DISABLED + - SUBDOMAIN + x-enumDescriptions: + DISABLED: All redirect URIs must be absolute URIs and not include a fragment component. + SUBDOMAIN: | + Any configured redirect URIs may contain a single `*` character in the lowest-level domain (for example, `https://redirect-*-domain.example.com/oidc/redirect`) to act as a wildcard. + The wildcard subdomain must have at least one subdomain between it and the top level domain. + The wildcard can match any valid hostname characters, but can't span more than one domain. 
+ For example, if `https://redirect-*-domain.example.com/oidc/redirect` is configured as a redirect URI, then `https://redirect-1-domain.example.com/oidc/redirect` and `https://redirect-sub-domain.example.com/oidc/redirect` match, but `https://redirect-1.sub-domain.example.com/oidc/redirect` doesn't match. + Only the `https` URI scheme can use wildcard redirect URIs. + > **Note:** The use of wildcard subdomains is discouraged as an insecure practice, since it may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages. Exercise caution if you decide to include a wildcard redirect URI in your configuration. required: - - displayName - - userName - BasicApplicationSettings: - allOf: - - $ref: '#/components/schemas/ApplicationSettings' - - type: object - properties: - app: - $ref: '#/components/schemas/BasicApplicationSettingsApplication' - BasicApplicationSettingsApplication: + - grant_types + OpenIdConnectApplicationSettingsClientKeys: + description: A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta type: object properties: - authURL: - type: string - url: - type: string - BasicAuthApplication: - x-okta-defined-as: - name: template_basic_auth - allOf: - - $ref: '#/components/schemas/Application' - - type: object - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - name: - type: string - default: template_basic_auth - settings: - $ref: '#/components/schemas/BasicApplicationSettings' - BeforeScheduledActionPolicyRuleCondition: + keys: + type: array + items: + $ref: '#/components/schemas/schemas-JsonWebKey' + OpenIdConnectApplicationSettingsRefreshToken: + description: | + Refresh token configuration for an OAuth 2.0 client + + When you create or update an OAuth 2.0 client, you can configure refresh token rotation by setting the `rotation_type` and `leeway` properties. 
If you don't set these properties when you create an app integration, the default values are used. + When you update an app integration, your previously configured values are used. type: object properties: - duration: - $ref: '#/components/schemas/Duration' - lifecycleAction: - $ref: '#/components/schemas/ScheduledUserLifecycleAction' - BehaviorRule: - title: Behavior Detection Rule + leeway: + type: integer + minimum: 0 + maximum: 60 + description: | + The leeway, in seconds, allowed for the OAuth 2.0 client. + After the refresh token is rotated, the previous token remains valid for the specified period of time so clients can get the new token. + + > **Note:** A leeway of 0 doesn't necessarily mean that the previous token is immediately invalidated. The previous token is invalidated after the new token is generated and returned in the response. + default: 30 + example: 20 + rotation_type: + $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType' + required: + - rotation_type + OpenIdConnectApplicationType: + description: |- + The type of client app + Specific `grant_types` are valid for each `application_type`. See [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient). 
+ type: string + x-enumDescriptions: + browser: Single-Page app (SPA) + native: Native app + service: API service app + web: Web app + x-okta-known-values: + - browser + - native + - service + - web + OpenIdConnectRefreshTokenRotationType: + description: The refresh token rotation mode for the OAuth 2.0 client + example: STATIC + type: string + x-enumDescriptions: + ROTATE: The default rotation type for single-page apps (SPAs) + STATIC: The default rotation type for all clients, except SPAs + x-okta-known-values: + - ROTATE + - STATIC + OperationRequest: type: object properties: + assignmentId: + type: string + OperationResponse: + type: object + properties: + assignmentOperation: + type: object + properties: + configuration: + type: object + properties: + actions: + type: object + properties: + assignUserToRealm: + type: object + properties: + realmId: + type: string + conditions: + $ref: '#/components/schemas/Conditions' + id: + type: string + name: + type: string + completed: + type: string + format: date-time + readOnly: true created: type: string format: date-time 
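Review bot: `backchannel_token_delivery_mode` in `OpenIdConnectApplicationSettingsClient` says "Currently, only `poll` is supported" while its `enum` lists `poll`, `ping` and `push`; either restrict the enum to `poll` or add `x-enumDescriptions` marking `ping` and `push` as not yet accepted, so generated clients don't offer delivery modes the server rejects. Two consistency points in the same schema: the `redirect_uris` description has a stray space inside the link text `[Resource Owner Password ](https://tools.ietf.org/html/rfc6749#section-4.3)flow` and no space before `flow` in either link, and although this file is `management-noEnums.yaml`, the new `subject_type`, `wildcard_redirect`, `request_object_signing_alg` and the `mode` property of `OpenIdConnectApplicationIdpInitiatedLogin` use `enum:` while neighbouring `OpenIdConnectApplicationType` and `OpenIdConnectApplicationIssuerMode` use `x-okta-known-values`; pick one convention for the new types. Also, `OktaUserRiskChangeEvent` states that either `reason_admin` or `reason_user` is required, but its `required` list names neither; an `anyOf` with `required: [reason_admin]` and `required: [reason_user]` would let validators enforce what the description promises.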
@@ -15724,2500 +58706,3549 @@ components: id: type: string readOnly: true - lastUpdated: + numUserMoved: + type: number + readOnly: true + realmId: type: string - format: date-time readOnly: true - name: + realmName: type: string - maxLength: 128 + readOnly: true + started: + type: string + format: date-time + readOnly: true status: - $ref: '#/components/schemas/LifecycleStatus' + type: string + readOnly: true + enum: + - COMPLETED + - SCHEDULED + - IN_PROGRESS + - FAILED type: - $ref: '#/components/schemas/BehaviorRuleType' - _link: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' + type: string readOnly: true - required: - - name - - type - discriminator: - propertyName: type - mapping: - ANOMALOUS_LOCATION: '#/components/schemas/BehaviorRuleAnomalousLocation' - ANOMALOUS_IP: '#/components/schemas/BehaviorRuleAnomalousIP' - ANOMALOUS_DEVICE: '#/components/schemas/BehaviorRuleAnomalousDevice' - VELOCITY: '#/components/schemas/BehaviorRuleVelocity' - BehaviorRuleAnomalousDevice: - allOf: - - $ref: '#/components/schemas/BehaviorRule' - - type: object - properties: - settings: - $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousDevice' - BehaviorRuleAnomalousIP: - allOf: - - $ref: '#/components/schemas/BehaviorRule' - - type: object - properties: - settings: - $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousIP' - BehaviorRuleAnomalousLocation: - allOf: - - $ref: '#/components/schemas/BehaviorRule' - - type: object - properties: - settings: - $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousLocation' - BehaviorRuleSettings: - title: Behavior Detection Rule Settings - type: object - BehaviorRuleSettingsAnomalousDevice: - allOf: - - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' - BehaviorRuleSettingsAnomalousIP: - allOf: - - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' - - type: object - properties: - maxEventsUsedForEvaluation: - type: integer - minimum: 0 - maximum: 100 - default: 
50 - BehaviorRuleSettingsAnomalousLocation: - allOf: - - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' - - type: object - properties: - granularity: - $ref: '#/components/schemas/LocationGranularity' - radiusKilometers: - type: integer - description: Required when `granularity` is `LAT_LONG`. Radius from the provided coordinates in kilometers. - required: - - granularity - BehaviorRuleSettingsHistoryBased: - allOf: - - $ref: '#/components/schemas/BehaviorRuleSettings' - - title: Behavior Detection Rule Settings based on Event History - type: object - properties: - maxEventsUsedForEvaluation: - type: integer - minimum: 1 - maximum: 100 - default: 20 - minEventsNeededForEvaluation: - type: integer - minimum: 0 - maximum: 10 - default: 0 - BehaviorRuleSettingsVelocity: - allOf: - - $ref: '#/components/schemas/BehaviorRuleSettings' - - title: Behavior Detection Rule Settings based on device velocity in kilometers per hour. - type: object - properties: - velocityKph: - type: integer - minimum: 1 - default: 805 - required: - - velocityKph - BehaviorRuleType: + _links: + $ref: '#/components/schemas/LinksSelf' + OperationalStatus: + description: Operational status of a given agent type: string x-okta-known-values: - - ANOMALOUS_DEVICE - - ANOMALOUS_IP - - ANOMALOUS_LOCATION - - VELOCITY - BehaviorRuleVelocity: - allOf: - - $ref: '#/components/schemas/BehaviorRule' - - type: object - properties: - settings: - $ref: '#/components/schemas/BehaviorRuleSettingsVelocity' - BookmarkApplication: + - DEGRADED + - DISRUPTED + - INACTIVE + - OPERATIONAL + OptInStatusResponse: + type: object + properties: + optInStatus: + type: string + enum: + - OPTING_IN + - OPTED_IN + - OPTING_OUT + - OPTED_OUT + _links: + allOf: + - properties: + optInStatus: + $ref: '#/components/schemas/HrefObject' + Org2OrgApplication: + title: Org2Org + x-tags: + - Application x-okta-defined-as: - name: bookmark + name: okta_org2org + example: + name: okta_org2org + label: Okta Org2Org + 
signOnMode: SAML_2_0 + settings: + app: + acsUrl: https://example.okta.com/sso/saml2/exampleid + audRestriction: https://www.okta.com/saml2/service-provider/exampleid + baseUrl: https://example.okta.com + description: | + Schema for the Okta Org2Org app (key name: `okta_org2org`) + + To create an Org2Org app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Notes:** + > * The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. + > * The Okta Org2Org app supports `SAML_2_0` and `AUTO_LOGIN` sign-on modes. allOf: - - $ref: '#/components/schemas/Application' + - $ref: '#/components/schemas/OINApplication' - type: object + - required: + - name + - label + - settings properties: - credentials: - $ref: '#/components/schemas/ApplicationCredentials' name: type: string - default: bookmark + enum: + - okta_org2org + example: okta_org2org + signOnMode: + default: SAML_2_0 + enum: + - SAML_2_0 + - AUTO_LOGIN + x-enumDescriptions: + SAML_2_0: Federated Authentication with SAML 2.0 WebSSO + AUTO_LOGIN: Secure Web Authentication (SWA) settings: - $ref: '#/components/schemas/BookmarkApplicationSettings' - BookmarkApplicationSettings: + $ref: '#/components/schemas/Org2OrgApplicationSettings' + Org2OrgApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object + - required: + - app properties: app: - $ref: '#/components/schemas/BookmarkApplicationSettingsApplication' - BookmarkApplicationSettingsApplication: + $ref: '#/components/schemas/Org2OrgApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + Org2OrgApplicationSettingsApplication: + description: Org2Org app instance properties type: object properties: - requestIntegration: 
+ acsUrl: + type: string + description: The Assertion Consumer Service (ACS) URL of the source org (for `SAML_2_0` sign-on mode) + audRestriction: + type: string + description: The entity ID of the SP (for `SAML_2_0` sign-on mode) + example: https://www.okta.com/saml2/service-provider/exampleid + baseUrl: + type: string + description: The base URL of the target Okta org (for `SAML_2_0` sign-on mode) + creationState: + type: string + description: Used to track and manage the state of the app's creation or the provisioning process between two Okta orgs + preferUsernameOverEmail: type: boolean - url: + description: Indicates that you don't want to use an email address as the username + token: type: string - BouncesRemoveListError: + description: An API token from the target org that's used to secure the connection between the orgs + tokenEncrypted: + type: string + description: Encrypted token to enhance security + required: + - baseUrl + OrgAerialConsent: type: object properties: - emailAddress: - type: string - reason: + accountId: + description: The unique ID of the Aerial account type: string - BouncesRemoveListObj: + required: + - accountId + OrgAerialConsentDetails: type: object properties: - emailAddresses: - type: array - items: - type: string - BouncesRemoveListResult: + accountId: + description: The unique ID of the Aerial account + type: string + grantedBy: + type: string + description: Principal ID of the user who granted the permission + example: 00u23ej02I2RLFxS5406 + grantedDate: + type: string + description: Date when grant was created + example: '2024-07-24T16:01:13.000Z' + _links: + $ref: '#/components/schemas/LinksAerialConsentGranted' + required: + - accountId + OrgAerialConsentRevoked: type: object properties: - errors: - type: array - items: - $ref: '#/components/schemas/BouncesRemoveListError' - Brand: + _links: + $ref: '#/components/schemas/LinksAerialConsentRevoked' + OrgAerialGrantNotFound: type: object properties: - 
agreeToCustomPrivacyPolicy: - type: boolean - customPrivacyPolicyUrl: + accountId: + description: The unique ID of the Aerial account type: string - defaultApp: - type: object - properties: - appInstanceId: - type: string - appLinkName: - type: string - displayLanguage: - $ref: '#/components/schemas/Language' - id: - readOnly: true + grantedBy: type: string - optOutOfUserCommunications: - type: boolean - removePoweredByOkta: - type: boolean + description: Principal ID of the user who granted the permission + example: 00u23ej02I2RLFxS5406 + grantedDate: + type: string + description: Date when grant was created + example: '2024-07-24T16:01:13.000Z' _links: - additionalProperties: - type: object - readOnly: true - type: object - BrowserPluginApplication: - allOf: - - $ref: '#/components/schemas/Application' - - type: object - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - name: - type: string - settings: - $ref: '#/components/schemas/SwaApplicationSettings' - CAPTCHAInstance: - title: CAPTCHAInstance + $ref: '#/components/schemas/LinksAerialConsentGranted' + OrgCAPTCHASettings: + title: OrgCAPTCHASettings description: '' type: object properties: - id: - type: string - readOnly: true - name: - type: string - secretKey: - type: string - writeOnly: true - siteKey: + captchaId: + description: The unique key of the associated CAPTCHA instance type: string - type: - $ref: '#/components/schemas/CAPTCHAType' - _link: + enabledPages: + description: An array of pages that have CAPTCHA enabled + type: array + items: + $ref: '#/components/schemas/enabledPagesType' + _links: type: object + description: Link relations for the CAPTCHA settings object properties: self: $ref: '#/components/schemas/HrefObject' readOnly: true - CAPTCHAType: + OrgContactType: + description: Type of contact type: string x-okta-known-values: - - HCAPTCHA - - RECAPTCHA_V2 - CallUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - 
properties: - profile: - $ref: '#/components/schemas/CallUserFactorProfile' - CallUserFactorProfile: - type: object - properties: - phoneExtension: - type: string - phoneNumber: - type: string - CapabilitiesCreateObject: + - BILLING + - TECHNICAL + OrgContactTypeObj: + anyOf: + - $ref: '#/components/schemas/orgBillingContactType' + - $ref: '#/components/schemas/orgTechnicalContactType' type: object properties: - lifecycleCreate: - $ref: '#/components/schemas/LifecycleCreateSettingObject' - CapabilitiesObject: + contactType: + $ref: '#/components/schemas/OrgContactType' + discriminator: + propertyName: contactType + mapping: + BILLING: '#/components/schemas/orgBillingContactType' + TECHNICAL: '#/components/schemas/orgTechnicalContactType' + OrgContactUser: type: object properties: - create: - $ref: '#/components/schemas/CapabilitiesCreateObject' - update: - $ref: '#/components/schemas/CapabilitiesUpdateObject' - CapabilitiesUpdateObject: + userId: + type: string + description: Contact user ID + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Contact Type User object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + OrgCreationAdmin: + description: |- + Profile and credential information for the first super admin user of the child org. + If you plan to configure and manage the org programmatically, create a system user with a dedicated email address and a strong password. + > **Note:** If you don't provide `credentials`, the super admin user is prompted to set up their credentials when they sign in to the org for the first time. 
+ writeOnly: true type: object properties: - lifecycleDeactivate: - $ref: '#/components/schemas/LifecycleDeactivateSettingObject' - password: - $ref: '#/components/schemas/PasswordSettingObject' + credentials: + type: object + description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. + properties: + password: + type: object + description: |- + Specifies a password for a user + > **Note:** For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation. + properties: + value: + type: string + writeOnly: true + description: Password value (which is validated by the password policy) + format: password + example: pa$$word + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' profile: - $ref: '#/components/schemas/ProfileSettingObject' - CatalogApplication: + type: object + description: |- + Specifies the profile attributes for the first super admin user. The minimal set of required attributes are `email`, `firstName`, `lastName`, and `login`. + See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) for additional profile attributes. + properties: + firstName: + type: string + description: Given name of the User (`givenName`) + minLength: 1 + maxLength: 50 + nullable: true + lastName: + type: string + description: The family name of the User (`familyName`) + minLength: 1 + maxLength: 50 + nullable: true + email: + type: string + description: The primary email address of the User. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
+ format: email + minLength: 5 + maxLength: 100 + login: + type: string + description: The unique identifier for the User (`username`) + maxLength: 100 + additionalProperties: true + required: + - email + - login + - firstName + - lastName + required: + - profile + OrgOktaCommunicationSetting: type: object properties: - category: - type: string - description: - type: string - displayName: - type: string - features: - type: array - items: - type: string - id: - type: string - readOnly: true - lastUpdated: - type: string - format: date-time + optOutEmailUsers: + type: boolean + description: Indicates whether org users receive Okta communication emails readOnly: true - name: - type: string - signOnModes: - type: array - items: - type: string - status: - $ref: '#/components/schemas/CatalogApplicationStatus' - verificationStatus: - type: string - website: - type: string _links: type: object - additionalProperties: - type: object - properties: {} + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true - CatalogApplicationStatus: - type: string - x-okta-known-values: - - ACTIVE - - INACTIVE - ChangeEnum: + properties: + optIn: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to opt users in to communication emails + optOut: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to opt users out of communication emails + OrgOktaSupportSetting: + description: Status of Okta Support Settings type: string x-okta-known-values: - - CHANGE - - KEEP_EXISTING - ChangePasswordRequest: - type: object - properties: - newPassword: - $ref: '#/components/schemas/PasswordCredential' - oldPassword: - $ref: '#/components/schemas/PasswordCredential' - ChannelBinding: + - DISABLED + - ENABLED + OrgOktaSupportSettingsObj: type: object 
properties: - required: - $ref: '#/components/schemas/RequiredEnum' - style: + expiration: + format: date-time type: string - ClientPolicyCondition: - type: object - properties: - include: - type: array - items: - type: string - Compliance: - type: object - properties: - fips: - $ref: '#/components/schemas/FipsEnum' - ContextPolicyRuleCondition: - allOf: - - $ref: '#/components/schemas/DevicePolicyRuleCondition' - - type: object + description: Expiration of Okta Support + readOnly: true + nullable: true + support: + $ref: '#/components/schemas/OrgOktaSupportSetting' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Okta Support Settings object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true properties: - expression: - type: string - CreateSessionRequest: - type: object - properties: - sessionToken: - type: string - CreateUserRequest: + extend: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [extend Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/extendOktaSupport) + revoke: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [revoke Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/revokeOktaSupport) + grant: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [grant Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/grantOktaSupport) + OrgPreferences: type: object properties: - credentials: - $ref: '#/components/schemas/UserCredentials' - groupIds: - type: array - items: - type: string - profile: - $ref: '#/components/schemas/UserProfile' - type: - $ref: '#/components/schemas/UserType' - required: - - profile - Csr: 
+ showEndUserFooter: + type: boolean + description: Indicates if the footer is shown on the End-User Dashboard + readOnly: true + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + hideEndUserFooter: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to hide the footer in the End-User Dashboard + showEndUserFooter: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to show the footer on the End-User Dashboard + OrgSetting: type: object properties: - created: + address1: + type: string + description: Primary address of the organization associated with the org + address2: type: string + description: Secondary address of the organization associated with the org + city: + type: string + description: City of the organization associated with the org + companyName: + type: string + description: Name of org + country: + type: string + description: County of the organization associated with the org + created: format: date-time readOnly: true - csr: type: string + description: When org was created + endUserSupportHelpURL: + type: string + description: Support link of org + expiresAt: + format: date-time readOnly: true - id: type: string + description: Expiration of org + id: readOnly: true - kty: type: string + description: Org ID + lastUpdated: + format: date-time readOnly: true - CsrMetadata: - type: object - properties: - subject: - $ref: '#/components/schemas/CsrMetadataSubject' - subjectAltNames: - $ref: '#/components/schemas/CsrMetadataSubjectAltNames' - CsrMetadataSubject: - type: object - properties: - commonName: type: string - countryName: + description: When org was last updated + phoneNumber: type: string - localityName: + description: Phone number of the 
organization associated with the org + postalCode: type: string - organizationalUnitName: + description: Postal code of the organization associated with the org + state: type: string - organizationName: + description: State of the organization associated with the org + status: + readOnly: true type: string - stateOrProvinceName: + description: Status of org + enum: + - ACTIVE + - INACTIVE + subdomain: + readOnly: true type: string - CsrMetadataSubjectAltNames: + description: Subdomain of org + supportPhoneNumber: + type: string + description: Support help phone of the organization associated with the org + website: + type: string + description: Website of the organization associated with the org + _links: + $ref: '#/components/schemas/orgGeneralSettingLinks' + OtpProtocol: + description: The protocol used + type: string + x-okta-known-values: + - SYMANTEC + - TOTP + - YUBICO + OtpTotpAlgorithm: + description: HMAC algorithm + type: string + x-okta-known-values: + - HMacSHA1 + - HMacSHA256 + - HMacSHA512 + OtpTotpEncoding: + description: The shared secret encoding + type: string + x-okta-known-values: + - base32 + - base64 + - hexadecimal + OtpTotpPassCodeLength: + description: Number of digits in an OTP value + minimum: 6 + maximum: 10 + multipleOf: 2 + type: integer + OtpTotpTimeIntervalInSeconds: + description: Time interval for TOTP in seconds + type: integer + PageRoot: type: object properties: - dnsNames: - type: array - items: - type: string - CustomHotpUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object + _embedded: + type: object properties: - factorProfileId: + default: + $ref: '#/components/schemas/CustomizablePage' + customized: + $ref: '#/components/schemas/CustomizablePage' + customizedUrl: type: string - profile: - $ref: '#/components/schemas/CustomHotpUserFactorProfile' - CustomHotpUserFactorProfile: + format: uri + preview: + $ref: '#/components/schemas/CustomizablePage' + previewUrl: + type: string + format: uri + 
readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + default: + $ref: '#/components/schemas/HrefObject' + customized: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' + Parameters: + description: Attributes used for processing AD Group membership update type: object properties: - sharedSecret: + action: type: string - CustomizablePage: + description: The update action to take + enum: + - ADD + - REMOVE + x-enumDescriptions: + ADD: Add to the membership of the group + REMOVE: Remove from the membership of the group + attribute: + type: string + description: The attribute that tracks group memberships in AD. This should be `member` for AD. + values: + type: array + description: List of user IDs whose group memberships to update + items: + type: string + description: ID of an existing user + PasswordCredential: + description: |- + Specifies a password for a user. + + When a user has a valid password, imported hashed password, or password hook, and a response object contains + a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**). + + For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation. type: object properties: - pageContent: + hash: + $ref: '#/components/schemas/PasswordCredentialHash' + hook: + $ref: '#/components/schemas/PasswordCredentialHook' + value: type: string - required: - - pageContent - DNSRecord: + writeOnly: true + description: Specifies the password for a user. 
The password policy validates this password. + format: password + example: pa$$word + PasswordCredentialHash: + description: |- + Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly + from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. + A hashed password may be specified in a password object when creating or updating a user, but not for other operations. + See the **Create user with imported hashed password** section in the [Users API](https://developer.okta.com/docs/reference/api/users/#create-user-with-imported-hashed-password) description. When updating a user with a hashed password, the usermust be in the `STAGED` status. type: object properties: - expiration: + algorithm: + $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' + digestAlgorithm: + $ref: '#/components/schemas/DigestAlgorithm' + iterationCount: + type: integer + description: The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for PBKDF2 algorithm. + keySize: + type: integer + description: Size of the derived key in bytes. Only required for PBKDF2 algorithm. + salt: + description: |- + Only required for salted hashes. For BCRYPT, this specifies Radix-64 as the encoded salt used to generate the hash, + which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to + generate the hash. type: string - fqdn: + saltOrder: type: string - recordType: - $ref: '#/components/schemas/DNSRecordType' - values: - type: array - items: - type: string - DNSRecordType: + description: Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms. + value: + description: |- + For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual base64-encoded hash of the password (and salt, if used). 
+ This is the Base64-encoded `value` of the SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either pre-fixing or post-fixing + the `salt` to the `password`, depending on the `saltOrder`. If a `salt` was not used in the `source` system, then this should just be + the Base64-encoded `value` of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the actual Radix-64 encoded hashed password. + type: string + workFactor: + type: integer + description: Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm. + minimum: 1 + maximum: 20 + PasswordCredentialHashAlgorithm: + description: The algorithm used to generate the hash using the password (and salt, when applicable). type: string x-okta-known-values: - - CNAME - - TXT - DeviceAccessPolicyRuleCondition: - allOf: - - $ref: '#/components/schemas/DevicePolicyRuleCondition' - - type: object - properties: - managed: - type: boolean - registered: - type: boolean - DeviceAssurance: - title: DeviceAssurance + - BCRYPT + - MD5 + - PBKDF2 + - SHA-1 + - SHA-256 + - SHA-512 + PasswordCredentialHook: + description: Specify a [password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) to trigger verification of the user's password the first time the user signs in. This allows an existing password to be imported into Okta directly from some other store. type: object properties: - createdBy: - type: string - readOnly: true - createdDate: - type: string - readOnly: true - diskEncryptionType: - type: object - properties: - include: - type: array - items: - $ref: '#/components/schemas/DiskEncryptionType' - id: + type: type: string - readOnly: true - jailbreak: + description: The type of password inline hook. Currently, must be set to default. 
+ PasswordDictionary: + description: Weak password dictionary lookup settings + type: object + properties: + common: + $ref: '#/components/schemas/PasswordDictionaryCommon' + PasswordDictionaryCommon: + description: Lookup settings for commonly used passwords + type: object + properties: + exclude: type: boolean - lastUpdatedBy: + description: Indicates whether to check passwords against the common password dictionary + default: false + PasswordExpirationPolicyRuleCondition: + type: object + properties: + number: + type: integer + unit: type: string - readOnly: true - lastUpdatedDate: + PasswordImportRequest: + type: object + properties: + data: + $ref: '#/components/schemas/PasswordImportRequestData' + eventType: type: string - readOnly: true - name: + description: The type of inline hook. The password import inline hook type is `com.okta.user.credential.password.import`. + source: + description: The ID and URL of the password import inline hook type: string - description: Display name of the Device Assurance Policy - osVersion: - $ref: '#/components/schemas/VersionObject' - platform: - $ref: '#/components/schemas/Platform' - screenLockType: + PasswordImportRequestData: + type: object + properties: + action: type: object + description: This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take. 
properties: - include: - type: array - items: - $ref: '#/components/schemas/ScreenLockType' - secureHardwarePresent: - type: boolean - _links: + credential: + description: The status of the user credential, either `UNVERIFIED` or `VERIFIED` + default: UNVERIFIED + type: string + context: type: object properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true - DevicePolicyMDMFramework: - type: string - x-okta-known-values: - - AFW - - NATIVE - - SAFE - DevicePolicyPlatformType: - type: string - x-okta-known-values: - - ANDROID - - IOS - - OSX - - WINDOWS - DevicePolicyRuleCondition: - type: object - properties: - migrated: - type: boolean - platform: - $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform' - rooted: - type: boolean - trustLevel: - $ref: '#/components/schemas/DevicePolicyTrustLevel' - DevicePolicyRuleConditionPlatform: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + credential: + type: object + properties: + username: + description: The `username` that the user supplied when attempting to sign in to Okta. + type: string + password: + description: The `password` that the user supplied when attempting to sign in to Okta. + type: string + PasswordImportRequestExecute: + description: Password import inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/PasswordImportRequest' + PasswordImportResponse: + description: Password import inline hook response type: object properties: - supportedMDMFrameworks: + commands: + description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the password import inline hook, you typically only return one `commands` object with one array element in it. type: array items: - $ref: '#/components/schemas/DevicePolicyMDMFramework' - types: + type: object + properties: + type: + description: The location where you specify the command. 
For the password import inline hook, there's only one command, `com.okta.action.update`. + value: + description: |- + The parameter value of the command. + * To indicate that the supplied credentials are valid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "VERIFIED"}`. + * To indicate that the supplied credentials are invalid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "UNVERIFIED"}`. + Alternatively, you can send an empty response (`204`). By default, the `data.action.credential` is always set to `UNVERIFIED`. + type: object + properties: + credential: + type: string + enum: + - UNVERIFIED + - VERIFIED + PasswordPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + $ref: '#/components/schemas/PasswordPolicyConditions' + settings: + $ref: '#/components/schemas/PasswordPolicySettings' + PasswordPolicyAuthenticationProviderCondition: + type: object + properties: + include: type: array items: - $ref: '#/components/schemas/DevicePolicyPlatformType' - DevicePolicyTrustLevel: + type: string + provider: + $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderType' + PasswordPolicyAuthenticationProviderType: type: string x-okta-known-values: + - ACTIVE_DIRECTORY - ANY - - TRUSTED - DiskEncryptionType: - type: string - x-okta-known-values: - - ALL_INTERNAL_VOLUMES - - FULL - - USER - Domain: + - LDAP + - OKTA + PasswordPolicyConditions: + allOf: + - type: object + properties: + authProvider: + $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' + people: + type: object + description: Identifies Users and Groups that are used together + properties: + groups: + type: object + description: Specifies a set of Groups whose Users are to be included or excluded + properties: + include: + type: array + description: Groups to be included + items: + type: string + 
PasswordPolicyDelegationSettings: type: object properties: - certificateSourceType: - $ref: '#/components/schemas/DomainCertificateSourceType' - dnsRecords: - type: array - items: - $ref: '#/components/schemas/DNSRecord' - domain: - type: string - id: - type: string - publicCertificate: - $ref: '#/components/schemas/DomainCertificateMetadata' - validationStatus: - $ref: '#/components/schemas/DomainValidationStatus' - DomainCertificate: + options: + $ref: '#/components/schemas/PasswordPolicyDelegationSettingsOptions' + PasswordPolicyDelegationSettingsOptions: type: object properties: - certificate: - type: string - certificateChain: - type: string - privateKey: - type: string - type: - $ref: '#/components/schemas/DomainCertificateType' - DomainCertificateMetadata: + skipUnlock: + type: boolean + description: Indicates if, when performing an unlock operation on an Active Directory sourced User who is locked out of Okta, the system should also attempt to unlock the User's Windows account + default: false + PasswordPolicyPasswordSettings: type: object properties: - expiration: - type: string - fingerprint: - type: string - subject: - type: string - DomainCertificateSourceType: - type: string - x-okta-known-values: - - MANUAL - - OKTA_MANAGED - DomainCertificateType: - type: string - x-okta-known-values: - - PEM - DomainLinks: + age: + $ref: '#/components/schemas/PasswordPolicyPasswordSettingsAge' + complexity: + $ref: '#/components/schemas/PasswordPolicyPasswordSettingsComplexity' + lockout: + $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout' + PasswordPolicyPasswordSettingsAge: + description: Age settings type: object properties: - certificate: - type: object - properties: {} - self: - type: object - properties: {} - verify: - type: object - properties: {} - DomainListResponse: + expireWarnDays: + type: integer + description: 'Specifies the number of days prior to password expiration when a User is warned to reset their password: `0` indicates no 
warning' + default: 0 + historyCount: + type: integer + description: 'Specifies the number of distinct passwords that a User must create before they can reuse a previous password: `0` indicates none' + default: 0 + maxAgeDays: + type: integer + description: 'Specifies how long (in days) a password remains valid before it expires: `0` indicates no limit' + default: 0 + minAgeMinutes: + type: integer + description: 'Specifies the minimum time interval (in minutes) between password changes: `0` indicates no limit' + default: 0 + PasswordPolicyPasswordSettingsComplexity: + description: Complexity settings type: object properties: - domains: + dictionary: + $ref: '#/components/schemas/PasswordDictionary' + excludeAttributes: type: array + description: 'The User profile attributes whose values must be excluded from the password: currently only supports `firstName` and `lastName`' + default: [] items: - $ref: '#/components/schemas/DomainResponse' - DomainResponse: + type: string + excludeUsername: + type: boolean + description: Indicates if the Username must be excluded from the password + default: true + minLength: + type: integer + description: Minimum password length + default: 8 + minLowerCase: + type: integer + description: 'Indicates if a password must contain at least one lower case letter: `0` indicates no, `1` indicates yes' + default: 1 + minNumber: + type: integer + description: 'Indicates if a password must contain at least one number: `0` indicates no, `1` indicates yes' + default: 1 + minSymbol: + type: integer + description: 'Indicates if a password must contain at least one symbol (For example: !@#$%^&*): `0` indicates no, `1` indicates yes' + default: 1 + minUpperCase: + type: integer + description: 'Indicates if a password must contain at least one upper case letter: `0` indicates no, `1` indicates yes' + default: 1 + PasswordPolicyPasswordSettingsLockout: + description: Lockout settings type: object properties: - certificateSourceType: - $ref: 
'#/components/schemas/DomainCertificateSourceType' - dnsRecords: + autoUnlockMinutes: + type: integer + description: 'Specifies the time interval (in minutes) a locked account remains locked before it is automatically unlocked: `0` indicates no limit' + default: 0 + maxAttempts: + type: integer + description: 'Specifies the number of times Users can attempt to sign in to their accounts with an invalid password before their accounts are locked: `0` indicates no limit' + default: 10 + showLockoutFailures: + type: boolean + description: Indicates if the User should be informed when their account is locked + default: false + userLockoutNotificationChannels: type: array + description: How the user is notified when their account becomes locked. The only acceptable values are `[]` and `['EMAIL']`. + default: [] items: - $ref: '#/components/schemas/DNSRecord' - domain: - type: string - id: - type: string - publicCertificate: - $ref: '#/components/schemas/DomainCertificateMetadata' - validationStatus: - $ref: '#/components/schemas/DomainValidationStatus' - _links: - $ref: '#/components/schemas/DomainLinks' - DomainValidationStatus: - type: string - x-okta-known-values: - - COMPLETED - - IN_PROGRESS - - NOT_STARTED - - VERIFIED - Duration: + type: string + PasswordPolicyRecoveryEmail: type: object properties: - number: + properties: + $ref: '#/components/schemas/PasswordPolicyRecoveryEmailProperties' + status: + $ref: '#/components/schemas/LifecycleStatus' + PasswordPolicyRecoveryEmailProperties: + type: object + properties: + recoveryToken: + $ref: '#/components/schemas/PasswordPolicyRecoveryEmailRecoveryToken' + PasswordPolicyRecoveryEmailRecoveryToken: + type: object + properties: + tokenLifetimeMinutes: + description: Lifetime (in minutes) of the recovery token type: integer - unit: - type: string - EmailContent: + default: 10080 + PasswordPolicyRecoveryFactorSettings: type: object properties: - body: - type: string - description: The email's HTML body. 
May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). - subject: - type: string - description: The email's subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). - required: - - subject - - body - EmailCustomization: - allOf: - - $ref: '#/components/schemas/EmailContent' - - type: object - properties: - created: - type: string - format: date-time - readOnly: true - description: The UTC time at which this email customization was created. - id: - type: string - readOnly: true - description: A unique identifier for this email customization. - isDefault: - type: boolean - description: Whether this is the default customization for the email template. Each customized email template must have exactly one default customization. Defaults to `true` for the first customization and `false` thereafter. - language: - $ref: '#/components/schemas/Language' - lastUpdated: - type: string - format: date-time - readOnly: true - description: The UTC time at which this email customization was last updated. - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - template: - $ref: '#/components/schemas/HrefObject' - preview: - $ref: '#/components/schemas/HrefObject' - test: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this email customization. 
- required: - - language - EmailDefaultContent: + status: + $ref: '#/components/schemas/LifecycleStatus' + PasswordPolicyRecoveryFactors: + description: Settings for the Factors that can be used for recovery + type: object + properties: + okta_call: + $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' + okta_email: + $ref: '#/components/schemas/PasswordPolicyRecoveryEmail' + okta_sms: + $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' + recovery_question: + $ref: '#/components/schemas/PasswordPolicyRecoveryQuestion' + PasswordPolicyRecoveryQuestion: + type: object + properties: + properties: + $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionProperties' + status: + $ref: '#/components/schemas/LifecycleStatus' + PasswordPolicyRecoveryQuestionComplexity: + type: object + properties: + minLength: + description: Minimum length of the password recovery question answer + type: integer + readOnly: true + default: 4 + PasswordPolicyRecoveryQuestionProperties: + type: object + properties: + complexity: + $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionComplexity' + PasswordPolicyRecoverySettings: + type: object + properties: + factors: + $ref: '#/components/schemas/PasswordPolicyRecoveryFactors' + PasswordPolicyRule: allOf: - - $ref: '#/components/schemas/EmailContent' + - $ref: '#/components/schemas/PolicyRule' - type: object properties: - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - template: - $ref: '#/components/schemas/HrefObject' - preview: - $ref: '#/components/schemas/HrefObject' - test: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this email template's default content. 
- EmailDomain: + actions: + $ref: '#/components/schemas/PasswordPolicyRuleActions' + conditions: + $ref: '#/components/schemas/PasswordPolicyRuleConditions' + PasswordPolicyRuleAction: + type: object + properties: + access: + $ref: '#/components/schemas/PolicyAccess' + PasswordPolicyRuleActions: allOf: - - $ref: '#/components/schemas/BaseEmailDomain' + - $ref: '#/components/schemas/PolicyRuleActions' + - type: object + properties: + passwordChange: + $ref: '#/components/schemas/PasswordPolicyRuleAction' + selfServicePasswordReset: + $ref: '#/components/schemas/SelfServicePasswordResetAction' + selfServiceUnlock: + $ref: '#/components/schemas/PasswordPolicyRuleAction' + PasswordPolicyRuleConditions: type: object properties: - domain: - type: string - required: - - domain - EmailDomainListResponse: + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + PasswordPolicySettings: type: object properties: - email-domains: - type: array - items: - $ref: '#/components/schemas/EmailDomainResponse' - EmailDomainResponse: - allOf: - - $ref: '#/components/schemas/BaseEmailDomain' + delegation: + $ref: '#/components/schemas/PasswordPolicyDelegationSettings' + password: + $ref: '#/components/schemas/PasswordPolicyPasswordSettings' + recovery: + $ref: '#/components/schemas/PasswordPolicyRecoverySettings' + PasswordProtectionWarningTrigger: + description: Indicates whether the Password Protection Warning feature is enabled + example: PHISHING_REUSE + type: string + x-enumDescriptions: + PASSWORD_PROTECTION_OFF: Password protection warning is off + PASSWORD_REUSE: Password protection warning is triggered by password reuse + PHISHING_REUSE: Password protection warning is triggered by password reuse on a phishing page + x-okta-known-values: + - PASSWORD_PROTECTION_OFF + - PASSWORD_REUSE + - PHISHING_REUSE + PasswordSettingObject: + description: Determines whether Okta creates and pushes a password in the app 
for each assigned user type: object properties: - dnsValidationRecords: - type: array - items: - $ref: '#/components/schemas/DNSRecord' - domain: - type: string - id: - type: string - validationStatus: - $ref: '#/components/schemas/EmailDomainStatus' - EmailDomainStatus: + change: + $ref: '#/components/schemas/ChangeEnum' + seed: + $ref: '#/components/schemas/SeedEnum' + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + - example: ENABLED + PatchAction: + description: The operation (PATCH action) type: string + x-enumDescriptions: + remove: Removes the attribute in `path` + replace: Replaces the attribute in content `path` with the content in `value` x-okta-known-values: - - DELETED - - ERROR - - NOT_STARTED - - POLLING - - VERIFIED - EmailPreview: + - remove + - replace + PerClientRateLimitMode: + type: string + x-okta-known-values: + - DISABLE + - ENFORCE + - PREVIEW + PerClientRateLimitSettings: + title: PerClientRateLimitSettings + description: '' type: object properties: - body: + defaultMode: + $ref: '#/components/schemas/PerClientRateLimitMode' + description: The default PerClientRateLimitMode that applies to any use case in the absence of a more specific override + useCaseModeOverrides: + description: A map of Per-Client Rate Limit Use Case to the applicable PerClientRateLimitMode. Overrides the `defaultMode` property for the specified use cases. + type: object + properties: + LOGIN_PAGE: + $ref: '#/components/schemas/PerClientRateLimitMode' + OAUTH2_AUTHORIZE: + $ref: '#/components/schemas/PerClientRateLimitMode' + OIE_APP_INTENT: + $ref: '#/components/schemas/PerClientRateLimitMode' + required: + - defaultMode + Permission: + type: object + properties: + conditions: + $ref: '#/components/schemas/PermissionConditions' + created: type: string + format: date-time + description: Timestamp when the role was created readOnly: true - description: The email's HTML body. 
- subject: + label: type: string + description: The permission type + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the role was last updated readOnly: true - description: The email's subject. _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + role: + $ref: '#/components/schemas/HrefObject' + PermissionConditions: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + description: Conditions for further restricting a permission + nullable: true + type: object + properties: + exclude: type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - contentSource: - $ref: '#/components/schemas/HrefObject' - template: - $ref: '#/components/schemas/HrefObject' - test: - $ref: '#/components/schemas/HrefObject' - defaultContent: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this email preview. - EmailSettings: + description: Exclude attributes with specific values for the permission + additionalProperties: + type: object + properties: {} + nullable: true + include: + type: object + description: Include attributes with specific values for the permission + additionalProperties: + type: object + properties: {} + nullable: true + Permissions: type: object properties: - recipients: - type: string - enum: - - ALL_USERS - - ADMINS_ONLY - - NO_USERS - required: - - recipients - EmailTemplate: + permissions: + type: array + items: + $ref: '#/components/schemas/Permission' + PersonalAppsBlockList: + description: Defines a list of email domains with a subset of the properties for each domain type: object properties: - name: + domains: + type: array + description: List of blocked email domains + PinRequest: + description: Pin Request + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta type: string - readOnly: true - description: The name of this email 
template. - _embedded: - type: object - properties: - settings: - $ref: '#/components/schemas/EmailSettings' - customizationCount: - type: integer - readOnly: true - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - settings: - $ref: '#/components/schemas/HrefObject' - defaultContent: - $ref: '#/components/schemas/HrefObject' - customizations: - $ref: '#/components/schemas/HrefObject' - test: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this email template. - EmailTemplateTouchPointVariant: + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + PipelineType: + description: The authentication pipeline of the org type: string + x-enumDescriptions: + idx: Identity Engine + v1: Classic Engine x-okta-known-values: - - FULL_THEME - - OKTA_DEFAULT - EmailUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/EmailUserFactorProfile' - EmailUserFactorProfile: + - idx + - v1 + Platform: + type: string + x-okta-known-values: + - ANDROID + - CHROMEOS + - IOS + - MACOS + - WINDOWS + PlatformConditionEvaluatorPlatform: type: object properties: - email: + os: + $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem' + type: + $ref: '#/components/schemas/PolicyPlatformType' + PlatformConditionEvaluatorPlatformOperatingSystem: + type: object + properties: + expression: type: string - EnabledStatus: - type: string - x-okta-known-values: - - DISABLED - - ENABLED - EndUserDashboardTouchPointVariant: + type: + $ref: '#/components/schemas/PolicyPlatformOperatingSystemType' + version: + $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion' + PlatformConditionEvaluatorPlatformOperatingSystemVersion: + 
type: object + properties: + matchType: + $ref: '#/components/schemas/PlatformConditionOperatingSystemVersionMatchType' + value: + type: string + PlatformConditionOperatingSystemVersionMatchType: type: string x-okta-known-values: - - FULL_THEME - - LOGO_ON_FULL_WHITE_BACKGROUND - - OKTA_DEFAULT - - WHITE_LOGO_BACKGROUND - Error: - title: Error + - EXPRESSION + - SEMVER + PlatformPolicyRuleCondition: type: object properties: - errorCauses: + exclude: type: array items: - type: object - properties: - errorSummary: - type: string - errorCode: - type: string - description: An Okta code for this type of error - errorId: - type: string - description: A unique identifier for this error. This can be used by Okta Support to help with troubleshooting. - errorLink: - type: string - description: An Okta code for this type of error - errorSummary: - type: string - description: A short description of what caused this error. Sometimes this contains dynamically-generated information about your specific error. - ErrorPageTouchPointVariant: + $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' + include: + type: array + items: + $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' + PlayProtectVerdict: + description: Indicates if Google Play Protect is enabled on the device and whether it has found known malware type: string + x-enumDescriptions: + LOW: Play Protect is turned on and didn't find any app issues on the device + MEDIUM: Play Protect is turned on and either hasn't performed a scan yet or has found potentially harmful apps installed on the device + HIGH: Play Protect is turned on and has either found dangerous apps installed on the device or its verdict wasn't evaluated. That is, the device isn't trustworthy enough. 
x-okta-known-values: - - BACKGROUND_IMAGE - - BACKGROUND_SECONDARY_COLOR - - OKTA_DEFAULT - EventHook: + - HIGH + - LOW + - MEDIUM + Policy: type: object properties: - channel: - $ref: '#/components/schemas/EventHookChannel' created: + description: Timestamp when the Policy was created type: string format: date-time readOnly: true - createdBy: + default: Assigned + description: + description: Description of the Policy type: string - events: - $ref: '#/components/schemas/EventSubscriptions' + default: null id: + description: Identifier of the Policy type: string readOnly: true + default: Assigned lastUpdated: + description: Timestamp when the Policy was last modified type: string format: date-time readOnly: true + default: Assigned name: + description: Name of the Policy type: string + priority: + description: Specifies the order in which this Policy is evaluated in relation to the other policies + type: integer + default: Last / Lowest Priority, for example `1` status: $ref: '#/components/schemas/LifecycleStatus' - verificationStatus: - $ref: '#/components/schemas/EventHookVerificationStatus' - _links: + system: + description: Specifies whether Okta created the Policy + type: boolean + default: false + type: + $ref: '#/components/schemas/PolicyType' + _embedded: type: object additionalProperties: type: object properties: {} readOnly: true - EventHookChannel: + _links: + $ref: '#/components/schemas/PolicyLinks' + required: + - name + - type + discriminator: + propertyName: type + mapping: + ACCESS_POLICY: '#/components/schemas/AccessPolicy' + IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy' + OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' + PASSWORD: '#/components/schemas/PasswordPolicy' + PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' + POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicy' + ENTITY_RISK: '#/components/schemas/EntityRiskPolicy' + 
PolicyAccess: + type: string + x-okta-known-values: + - ALLOW + - DENY + PolicyAccountLink: + description: Specifies the behavior for linking an IdP User to an existing Okta User type: object properties: - config: - $ref: '#/components/schemas/EventHookChannelConfig' - type: - $ref: '#/components/schemas/EventHookChannelType' - version: - type: string - EventHookChannelConfig: + action: + $ref: '#/components/schemas/PolicyAccountLinkAction' + filter: + $ref: '#/components/schemas/PolicyAccountLinkFilter' + PolicyAccountLinkAction: + description: Specifies the account linking action for an IdP User + type: string + x-enumDescriptions: + AUTO: The IdP User is automatically linked to an Okta User when the transformed IdP User matches an existing Okta User according to [subject match rules](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject&t=request). + DISABLED: Okta never attempts to link the IdP User to an existing Okta User, but may still attempt to provision a new Okta User according to the [provisioning action type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/provisioning/action&t=request). + x-okta-known-values: + - AUTO + - DISABLED + PolicyAccountLinkFilter: + description: Specifies Group memberships to restrict which Users are available for account linking by an IdP type: object properties: - authScheme: - $ref: '#/components/schemas/EventHookChannelConfigAuthScheme' - headers: + groups: + $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' + PolicyAccountLinkFilterGroups: + description: Group memberships used to determine link candidates + type: object + properties: + include: type: array + description: Specifies the allowlist of Group identifiers to match against. Group memberships are restricted to type `OKTA_GROUP`. 
items: - $ref: '#/components/schemas/EventHookChannelConfigHeader' - uri: + type: string + example: 00gjg5lzfBpn62wuF0g3 + PolicyContext: + type: object + properties: + device: + type: object + properties: + platform: + type: string + description: The platform of the device, for example, IOS. + registered: + type: boolean + description: If the device is registered + managed: + type: boolean + description: If the device is managed + assuranceId: + type: string + description: The device assurance policy ID for the simulation + groups: + type: object + description: An array of Group IDs for the simulate operation. Only user IDs or Group IDs are allowed, not both. + properties: + ids: + type: array + items: + type: string + uniqueItems: true + required: + - ids + ip: type: string - EventHookChannelConfigAuthScheme: + description: The network rule condition, zone, or IP address + risk: + type: object + description: The risk rule condition level + properties: + level: + type: string + enum: + - LOW + - MEDIUM + - HIGH + user: + type: object + description: The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both. + properties: + id: + type: string + description: The unique ID number for the user. + required: + - id + zones: + type: object + description: The zone ID under the network rule condition. 
+ properties: + ids: + type: array + items: + type: string + required: + - user + - groups + PolicyLinks: type: object properties: - key: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + mappings: + $ref: '#/components/schemas/HrefObjectMappingsLink' + rules: + $ref: '#/components/schemas/HrefObjectRulesLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + PolicyMapping: + type: object + properties: + id: type: string - type: - $ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType' - value: + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + application: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mapped application + policy: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mapped policy + PolicyMappingRequest: + type: object + properties: + resourceId: type: string - EventHookChannelConfigAuthSchemeType: + resourceType: + $ref: '#/components/schemas/PolicyMappingResourceType' + PolicyMappingResourceType: type: string x-okta-known-values: - - HEADER - EventHookChannelConfigHeader: + - APP + PolicyNetworkCondition: type: object properties: - key: - type: string - value: - type: string - EventHookChannelType: + connection: + $ref: '#/components/schemas/PolicyNetworkConnection' + exclude: + type: array + description: The zones to exclude. Required only if connection data type is `ZONE` + items: + type: string + include: + type: array + description: The zones to include. 
Required only if connection data type is `ZONE` + items: + type: string + PolicyNetworkConnection: + description: Network selection mode type: string x-okta-known-values: - - HTTP - EventHookVerificationStatus: + - ANYWHERE + - ZONE + PolicyPeopleCondition: + description: Identifies Users and Groups that are used together + type: object + properties: + groups: + $ref: '#/components/schemas/GroupCondition' + users: + $ref: '#/components/schemas/UserCondition' + required: + - groups + - users + PolicyPlatformOperatingSystemType: type: string x-okta-known-values: - - UNVERIFIED - - VERIFIED - EventSubscriptionType: + - ANDROID + - ANY + - IOS + - OSX + - OTHER + - WINDOWS + PolicyPlatformType: type: string x-okta-known-values: - - EVENT_TYPE - - FLOW_EVENT - EventSubscriptions: + - ANY + - DESKTOP + - MOBILE + - OTHER + PolicyRule: type: object properties: - items: - type: array - items: - type: string + created: + type: string + description: Timestamp when the rule was created + format: date-time + readOnly: true + nullable: true + id: + type: string + description: Identifier for the rule + lastUpdated: + type: string + description: Timestamp when the rule was last modified + format: date-time + readOnly: true + nullable: true + name: + type: string + description: Name of the rule + priority: + type: integer + description: Priority of the rule + status: + $ref: '#/components/schemas/LifecycleStatus' + system: + type: boolean + description: Specifies whether Okta created the Policy Rule (`system=true`). You can't delete Policy Rules that have `system` set to `true`. 
+ default: false type: - $ref: '#/components/schemas/EventSubscriptionType' + $ref: '#/components/schemas/PolicyRuleType' + _links: + $ref: '#/components/schemas/PolicyLinks' discriminator: propertyName: type - FCMConfiguration: + mapping: + ACCESS_POLICY: '#/components/schemas/AccessPolicyRule' + PASSWORD: '#/components/schemas/PasswordPolicyRule' + PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule' + RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule' + SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' + IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule' + POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicyRule' + ENTITY_RISK: '#/components/schemas/EntityRiskPolicyRule' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicyRule' + PolicyRuleActions: + type: object + PolicyRuleActionsEnroll: + type: object properties: - fileName: - type: string - description: (Optional) File name for Admin Console display - projectId: - type: string - description: Project ID of FCM configuration - readOnly: true - serviceAccountJson: - type: object - description: JSON containing the private service account key and service account details. See [Creating and managing service account keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for more information on creating service account keys in JSON. 
- writeOnly: true - FCMPushProvider: - allOf: - - $ref: '#/components/schemas/PushProvider' - - type: object - properties: - configuration: - $ref: '#/components/schemas/FCMConfiguration' - FactorProvider: + self: + $ref: '#/components/schemas/PolicyRuleActionsEnrollSelf' + PolicyRuleActionsEnrollSelf: type: string x-okta-known-values: - - CUSTOM - - DUO - - FIDO - - GOOGLE - - OKTA - - RSA - - SYMANTEC - - YUBICO - FactorResultType: + - CHALLENGE + - LOGIN + - NEVER + PolicyRuleAuthContextCondition: + type: object + properties: + authType: + $ref: '#/components/schemas/PolicyRuleAuthContextType' + PolicyRuleAuthContextType: type: string x-okta-known-values: - - CANCELLED - - CHALLENGE - - ERROR - - FAILED - - PASSCODE_REPLAYED - - REJECTED - - SUCCESS - - TIMEOUT - - TIME_WINDOW_EXCEEDED - - WAITING - FactorStatus: + - ANY + - LDAP_INTERFACE + - RADIUS + PolicyRuleConditions: + type: object + properties: + app: + $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' + apps: + $ref: '#/components/schemas/AppInstancePolicyRuleCondition' + authContext: + $ref: '#/components/schemas/PolicyRuleAuthContextCondition' + authProvider: + $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' + beforeScheduledAction: + $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition' + clients: + $ref: '#/components/schemas/ClientPolicyCondition' + context: + $ref: '#/components/schemas/ContextPolicyRuleCondition' + device: + $ref: '#/components/schemas/DevicePolicyRuleCondition' + grantTypes: + $ref: '#/components/schemas/GrantTypePolicyRuleCondition' + groups: + $ref: '#/components/schemas/GroupPolicyRuleCondition' + identityProvider: + $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' + mdmEnrollment: + $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + platform: + $ref: 
'#/components/schemas/PlatformPolicyRuleCondition' + risk: + $ref: '#/components/schemas/RiskPolicyRuleCondition' + riskScore: + $ref: '#/components/schemas/RiskScorePolicyRuleCondition' + scopes: + $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' + userIdentifier: + $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' + users: + $ref: '#/components/schemas/UserPolicyRuleCondition' + userStatus: + $ref: '#/components/schemas/UserStatusPolicyRuleCondition' + PolicyRuleType: + description: Rule type type: string x-okta-known-values: - - ACTIVE - - DISABLED - - ENROLLED - - EXPIRED - - INACTIVE - - NOT_SETUP - - PENDING_ACTIVATION - FactorType: + - ACCESS_POLICY + - ENTITY_RISK + - IDP_DISCOVERY + - MFA_ENROLL + - PASSWORD + - POST_AUTH_SESSION + - PROFILE_ENROLLMENT + - RESOURCE_ACCESS + - SIGN_ON + PolicyRuleVerificationMethodType: + description: Verification method type type: string x-okta-known-values: - - call - - email - - hotp - - push - - question - - sms - - token - - token:hardware - - token:hotp - - token:software:totp - - u2f - - web - - webauthn - Feature: + - ASSURANCE + - AUTH_METHOD_CHAIN + PolicySubject: + description: Specifies the behavior for establishing, validating, and matching a username for an IdP User type: object properties: - description: - type: string - id: + filter: type: string - readOnly: true - name: + description: |- + Optional [regular expression pattern](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions) used to filter untrusted IdP usernames. + * As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any User, including partners or directory Users in your Okta org. + * For example, the filter pattern `(\S+@example\.com)` allows only Users that have an `@example.com` username suffix. 
It rejects assertions that have any other suffix such as `@corp.example.com` or `@partner.com`. + * Only `SAML2` and `OIDC` IdP providers support the `filter` property. + maxLength: 1024 + example: (\S+@example\.com) + matchAttribute: type: string - stage: - $ref: '#/components/schemas/FeatureStage' - status: - $ref: '#/components/schemas/EnabledStatus' - type: - $ref: '#/components/schemas/FeatureType' - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - FeatureStage: - type: object - properties: - state: - $ref: '#/components/schemas/FeatureStageState' - value: - $ref: '#/components/schemas/FeatureStageValue' - FeatureStageState: - type: string - x-okta-known-values: - - CLOSED - - OPEN - FeatureStageValue: + description: |- + Okta User profile attribute for matching a transformed IdP username. Only for matchType `CUSTOM_ATTRIBUTE`. + The `matchAttribute` must be a valid Okta User profile attribute of one of the following types: + * String (with no format or 'email' format only) + * Integer + * Number + example: login + matchType: + $ref: '#/components/schemas/PolicySubjectMatchType' + userNameTemplate: + $ref: '#/components/schemas/PolicyUserNameTemplate' + PolicySubjectMatchType: + description: Determines the Okta User profile attribute match conditions for account linking and authentication of the transformed IdP username type: string x-okta-known-values: - - BETA - - EA - FeatureType: + - CUSTOM_ATTRIBUTE + - EMAIL + - USERNAME + - USERNAME_OR_EMAIL + PolicyType: + description: |- + All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page. + Creating or replacing a policy with the `IDP_DISCOVERY` type isn't supported. The following policy types are available with + Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`. 
type: string x-okta-known-values: - - self-service - FipsEnum: + - ACCESS_POLICY + - ENTITY_RISK + - IDP_DISCOVERY + - MFA_ENROLL + - OKTA_SIGN_ON + - PASSWORD + - POST_AUTH_SESSION + - PROFILE_ENROLLMENT + - RESOURCE_ACCESS + PolicyTypeSimulation: type: string x-okta-known-values: - - OPTIONAL - - REQUIRED - ForgotPasswordResponse: + - ACCESS_POLICY + - MFA_ENROLL + - OKTA_SIGN_ON + - PROFILE_ENROLLMENT + PolicyUserNameTemplate: + description: |- + [Okta Expression Language (EL) expression](https://developer.okta.com/docs/reference/okta-expression-language/) to generate or transform a unique username for the IdP User. + * IdP User profile attributes can be referenced with the `idpuser` prefix such as `idpuser.subjectNameId`. + * You must define an IdP User profile attribute before it can be referenced in an Okta EL expression. To define an IdP User attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP User profile to update the IdP instance with an expression that references the IdP User profile attribute that you just created. type: object properties: - resetPasswordUrl: + template: type: string - readOnly: true - GrantOrTokenStatus: + minLength: 9 + maxLength: 1024 + example: idpuser.subjectNameId + PolicyUserStatus: type: string x-okta-known-values: + - ACTIVATING - ACTIVE - - REVOKED - GrantTypePolicyRuleCondition: - type: object - properties: - include: - type: array - items: - type: string - Group: + - DELETED + - DELETING + - EXPIRED_PASSWORD + - INACTIVE + - PENDING + - SUSPENDED + PossessionConstraint: + allOf: + - $ref: '#/components/schemas/AccessPolicyConstraint' + - type: object + properties: + deviceBound: + type: string + description: Indicates if device-bound Factors are required. This property is only set for `POSSESSION` constraints. 
+ enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + hardwareProtection: + type: string + description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + phishingResistant: + type: string + description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + userPresence: + type: string + description: Indicates if the user needs to approve an Okta Verify prompt or provide biometrics (meets NIST AAL2 requirements). This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: REQUIRED + userVerification: + type: string + description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + PostAuthKeepMeSignedInPrompt: type: object properties: - created: + acceptButtonText: type: string - format: date-time - readOnly: true - id: + description: The label on the accept button when prompting for Stay signed in + rejectButtonText: type: string - readOnly: true - lastMembershipUpdated: + description: The label on the reject button when prompting for Stay signed in + subtitle: type: string - format: date-time - readOnly: true - lastUpdated: + description: The subtitle on the Sign-In Widget when prompting for Stay signed in + title: type: string - format: date-time - readOnly: true - objectClass: - type: array - readOnly: true - items: - type: string - profile: - $ref: '#/components/schemas/GroupProfile' - type: - $ref: '#/components/schemas/GroupType' - _embedded: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: 
true - GroupCondition: + description: The title on the Sign-In Widget when prompting for Stay signed in + PostAuthSessionFailureActionsObject: type: object properties: - exclude: - type: array - items: - type: string - include: - type: array - items: - type: string - GroupPolicyRuleCondition: + action: + type: string + enum: + - RUN_WORKFLOW + - TERMINATE_SESSION + discriminator: + propertyName: action + mapping: + RUN_WORKFLOW: '#/components/schemas/PostAuthSessionPolicyRuleRunWorkflow' + TERMINATE_SESSION: '#/components/schemas/PostAuthSessionPolicyRuleTerminateSession' + PostAuthSessionPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported for this policy type. + default: null + nullable: true + PostAuthSessionPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + type: object + description: The action to take in response to a failure of the reevaluated global session policy or authentication polices. + properties: + postAuthSession: + type: object + description: This object contains a `failureActions` array that defines the specific action to take when post auth session evaluation detects a failure. + properties: + failureActions: + type: array + description: An array of objects that define the action. It can be empty or contain two `action` value pairs. 
+ items: + $ref: '#/components/schemas/PostAuthSessionFailureActionsObject' + conditions: + type: object + properties: + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + PostAuthSessionPolicyRuleRunWorkflow: type: object properties: - exclude: - type: array - items: - type: string - include: - type: array - items: - type: string - GroupProfile: + action: + type: string + enum: + - RUN_WORKFLOW + workflow: + type: object + description: This action runs a workflow + properties: + id: + type: integer + description: The `id` of the workflow that runs. + PostAuthSessionPolicyRuleTerminateSession: type: object properties: - description: + action: type: string - name: + description: The action to take when post auth session evaluation detects a failure. + enum: + - TERMINATE_SESSION + PreRegistrationInlineHook: + type: object + properties: + inlineHookId: type: string - x-okta-extensible: true - GroupRule: + PrincipalRateLimitEntity: + title: PrincipalRateLimitEntity + description: '' type: object properties: - actions: - $ref: '#/components/schemas/GroupRuleAction' - conditions: - $ref: '#/components/schemas/GroupRuleConditions' - created: + createdBy: + type: string + readOnly: true + createdDate: type: string format: date-time readOnly: true + defaultConcurrencyPercentage: + type: integer + readOnly: true + defaultPercentage: + type: integer + readOnly: true id: type: string readOnly: true - lastUpdated: + lastUpdate: type: string format: date-time readOnly: true - name: - type: string - status: - $ref: '#/components/schemas/GroupRuleStatus' - type: + lastUpdatedBy: type: string - GroupRuleAction: - type: object - properties: - assignUserToGroups: - $ref: '#/components/schemas/GroupRuleGroupAssignment' - GroupRuleConditions: - type: object - properties: - expression: - $ref: '#/components/schemas/GroupRuleExpression' - people: - $ref: '#/components/schemas/GroupRulePeopleCondition' - GroupRuleExpression: - type: object - properties: - type: + readOnly: 
true + orgId: type: string - value: + readOnly: true + principalId: type: string - GroupRuleGroupAssignment: - type: object - properties: - groupIds: - type: array - items: - type: string - GroupRuleGroupCondition: - type: object - properties: - exclude: - type: array - items: - type: string - include: - type: array - items: - type: string - GroupRulePeopleCondition: - type: object - properties: - groups: - $ref: '#/components/schemas/GroupRuleGroupCondition' - users: - $ref: '#/components/schemas/GroupRuleUserCondition' - GroupRuleStatus: + principalType: + $ref: '#/components/schemas/PrincipalType' + required: + - principalId + - principalType + PrincipalType: type: string x-okta-known-values: - - ACTIVE - - INACTIVE - - INVALID - GroupRuleUserCondition: - type: object - properties: - exclude: - type: array - items: - type: string - include: - type: array - items: - type: string - GroupSchema: + - SSWS_TOKEN + PrivilegedAccount: type: object properties: - $schema: - readOnly: true - type: string + accountType: + $ref: '#/components/schemas/PrivilegedAccountType' created: - readOnly: true type: string - definitions: - $ref: '#/components/schemas/GroupSchemaDefinitions' + format: date-time + description: Timestamp when the Privileged Account was created + readOnly: true description: + description: The description of the Privileged Account + format: regex + maxLength: 255 + minLength: 0 type: string + example: This is for accessing AWS Prod-5 id: + description: The UUID of the Privileged Account + format: regex + pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ readOnly: true type: string + example: a747a818-a4c4-4446-8a87-704216495a08 lastUpdated: - readOnly: true - type: string - name: - readOnly: true type: string - properties: - $ref: '#/components/schemas/UserSchemaProperties' - title: - type: string - type: - readOnly: true - type: string - _links: - additionalProperties: - type: object + format: date-time + description: 
Timestamp when the Privileged Account was last updated readOnly: true - type: object - x-okta-allow-null-property-value-for-updates: true - GroupSchemaAttribute: - type: object - properties: - description: + name: + description: The human-readable name for the Privileged Account + format: regex + maxLength: 50 + minLength: 1 + pattern: ^[\w\-_. ]+$ type: string - enum: + example: AWS Prod-5 account + ownerGroupIds: + description: A list of IDs of the Okta groups that own the Privileged Account + type: array items: type: string + minItems: 0 + maxItems: 10 + example: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + description: A list of IDs of the Okta users that own the Privileged Account type: array - externalName: + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00u11s48P9zGW8yqm0g5 + status: + $ref: '#/components/schemas/PrivilegedAccountStatus' + statusDetail: + $ref: '#/components/schemas/PrivilegedAccountStatusDetail' + required: + - name + - accountType + discriminator: + propertyName: accountType + mapping: + APP_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsAppAccount' + OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccount' + PrivilegedAccountCredentials: + description: Credentials for a Privileged Account + type: object + properties: + password: type: string - externalNamespace: + writeOnly: true + description: The password associated with the Privileged Account + format: password + username: type: string - items: - $ref: '#/components/schemas/UserSchemaAttributeItems' - master: - $ref: '#/components/schemas/UserSchemaAttributeMaster' - maxLength: - type: integer - minLength: - type: integer - mutability: + description: The username associated with the Privileged Account + minLength: 1 + maxLength: 100 + example: testuser@example.com + required: + - username + PrivilegedAccountDetailsAppAccount: + description: Details for a SaaS Application Account, which will be managed as a Privileged Account + allOf: + 
- $ref: '#/components/schemas/PrivilegedAccount' + - type: object + properties: + details: + $ref: '#/components/schemas/PrivilegedAccountDetailsAppAccountSub' + required: + - details + PrivilegedAccountDetailsAppAccountSub: + description: Details for a SaaS Application Account, which will be managed as a Privileged Account + type: object + properties: + appGlobalName: + description: The name of the SaaS Application in the Okta Integration Network catalog type: string - oneOf: - items: - $ref: '#/components/schemas/UserSchemaAttributeEnum' - type: array - permissions: - items: - $ref: '#/components/schemas/UserSchemaAttributePermission' - type: array - required: - type: boolean - scope: - $ref: '#/components/schemas/UserSchemaAttributeScope' - title: + example: Salesforce + appInstanceName: + description: The instance name of the SaaS Application type: string - type: - $ref: '#/components/schemas/UserSchemaAttributeType' - union: - $ref: '#/components/schemas/UserSchemaAttributeUnion' - unique: + example: Salesforce Prod + credentials: + $ref: '#/components/schemas/PrivilegedAccountCredentials' + oktaApplicationId: + description: The Okta app instance ID of the SaaS Application type: string - GroupSchemaBase: + example: aln1aqcs055ZRoizW0g8 + required: + - oktaApplicationId + - credentials + PrivilegedAccountDetailsOktaUserAccount: + description: Details for managing an Okta Universal Directory Account as a Privileged Account + allOf: + - $ref: '#/components/schemas/PrivilegedAccount' + - type: object + properties: + details: + $ref: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccountSub' + required: + - details + PrivilegedAccountDetailsOktaUserAccountSub: + description: Details for managing an Okta Universal Directory Account as a Privileged Account type: object properties: - id: - readOnly: true + credentials: + $ref: '#/components/schemas/PrivilegedAccountCredentials' + email: + description: The email address for the Okta Universal Directory Account 
type: string - properties: - $ref: '#/components/schemas/GroupSchemaBaseProperties' - required: - items: - type: string - type: array - type: + example: foo@bar.com + minLength: 5 + maxLength: 100 + oktaUserId: + description: An optional Okta user ID. If supplied, converts the matching Okta Universal Directory Account to a Privileged Account and updates the account with the provided details. type: string - GroupSchemaBaseProperties: + example: 00u11s48P9zGW8yqm0g5 + required: + - email + - credentials + PrivilegedAccountForUpdate: type: object properties: description: - $ref: '#/components/schemas/GroupSchemaAttribute' + description: The description of the Privileged Account + format: regex + maxLength: 255 + minLength: 0 + type: string + example: This is for accessing AWS Prod-5 + email: + description: The email address for the Okta Universal Directory Account + type: string + example: foo@bar.com + minLength: 5 + maxLength: 100 name: - $ref: '#/components/schemas/GroupSchemaAttribute' - GroupSchemaCustom: - type: object - properties: - id: - readOnly: true + description: The human-readable name for the Privileged Account + format: regex + maxLength: 50 + minLength: 1 + pattern: ^[\w\-_. 
]+$ type: string - properties: - additionalProperties: - $ref: '#/components/schemas/GroupSchemaAttribute' - type: object - required: + example: AWS Prod-5 account + ownerGroupIds: + description: A list of IDs of the Okta groups who own the Privileged Account + type: array items: type: string + minItems: 0 + maxItems: 10 + example: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + description: A list of IDs of the Okta users who own the Privileged Account type: array - type: + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00u11s48P9zGW8yqm0g5 + username: type: string - GroupSchemaDefinitions: - type: object - properties: - base: - $ref: '#/components/schemas/GroupSchemaBase' - custom: - $ref: '#/components/schemas/GroupSchemaCustom' - GroupType: + description: The username associated with the Privileged Account + minLength: 1 + maxLength: 100 + example: testuser@example.com + PrivilegedAccountStatus: + description: Describes the current status of a Privileged Account type: string - x-okta-known-values: - - APP_GROUP - - BUILT_IN - - OKTA_GROUP - HardwareUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/HardwareUserFactorProfile' - HardwareUserFactorProfile: - type: object - properties: - credentialId: - type: string - HostedPage: - type: object - properties: - type: - $ref: '#/components/schemas/HostedPageType' - url: - type: string - required: - - type - HostedPageType: + x-enumDescriptions: + NO_ISSUES: The Account is ready for use in Okta Privileged Access + UNSECURED: The Account needs to be assigned to a Resource Group and a Project in Okta Privileged Access + INFO: An action involving the Account is currently in progress in Okta Privileged Access + ALERT: The Account requires attention from an Administrator + ERROR: An error is preventing the Account from being used in Okta Privileged Access + x-okta-known-values: + - ALERT + - ERROR + - INFO + - NO_ISSUES + - 
UNSECURED + PrivilegedAccountStatusDetail: + description: Describes the detailed status of a Privileged Account type: string + x-enumDescriptions: + PENDING: The Account is in the process of being created + CREATION_FAILED: The Account could not be created + STAGED: The Account is in the Okta Privileged Access resource assignment area + ROTATING: The Account is assigned to a Project in Okta Privileged Access. Credentials are currently being synced using Okta Lifecycle Management. + ROTATED: The Account is assigned to a Project in Okta Privileged Access. Password rotations are fulfilled by Okta Lifecycle Management. + ROTATION_FAILED: The Account is assigned to a Project in Okta Privileged Access. An error occurred while using Okta Lifecycle Management to rotate the password. + VAULTED: The Account is assigned to a Project in Okta Privileged Access. A manually managed password is assigned to the Account. + MISSING_PASSWORD: The Account is assigned to a Project in Okta Privileged Access. A password is not assigned to the Account. 
x-okta-known-values: - - EXTERNALLY_HOSTED - - OKTA_DEFAULT - HrefObject: - title: hrefObject - description: Used for links - type: object - properties: - hints: - type: object - properties: - allow: - type: array - items: - $ref: '#/components/schemas/HttpMethod' - href: - type: string - HttpMethod: + - CREATION_FAILED + - MISSING_PASSWORD + - PENDING + - ROTATED + - ROTATING + - ROTATION_FAILED + - STAGED + - VAULTED + PrivilegedAccountType: + description: The type of Privileged Account type: string + x-enumDescriptions: + APP_ACCOUNT: SaaS Application Account + OKTA_USER_ACCOUNT: Okta Universal Directory Account x-okta-known-values: - - DELETE - - GET - - POST - - PUT - IdentityProvider: + - APP_ACCOUNT + - OKTA_USER_ACCOUNT + PrivilegedResource: + default: + resourceType: OKTA_USER_ACCOUNT type: object properties: created: type: string + description: Timestamp when the object was created format: date-time readOnly: true - nullable: true + example: '2024-06-10T11:11:01.000Z' + credentialSyncInfo: + $ref: '#/components/schemas/CredentialSyncInfo' + readOnly: true + example: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:13:01.000Z' + syncState: NOT_SYNCED + errorCode: UNKNOWN_ERROR + errorReason: Unknown error id: type: string + description: ID of the privileged resource readOnly: true - issuerMode: - $ref: '#/components/schemas/IssuerMode' + example: opa100xTfFs4MasRf0g4 lastUpdated: type: string + description: Timestamp when the object was last updated format: date-time readOnly: true - name: - type: string - policy: - $ref: '#/components/schemas/IdentityProviderPolicy' - protocol: - $ref: '#/components/schemas/Protocol' + example: '2024-06-10T11:13:01.000Z' + resourceType: + $ref: '#/components/schemas/PrivilegedResourceType' + example: APP_ACCOUNT status: - $ref: '#/components/schemas/LifecycleStatus' - type: - $ref: '#/components/schemas/IdentityProviderType' - _links: - type: object - additionalProperties: - type: object - 
properties: {} - readOnly: true - IdentityProviderApplicationUser: + $ref: '#/components/schemas/PrivilegedResourceStatus' + example: ACTIVE + discriminator: + propertyName: resourceType + mapping: + APP_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountApp' + OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountOkta' + PrivilegedResourceAccountApp: + allOf: + - type: object + properties: + containerDetails: + $ref: '#/components/schemas/AppAccountContainerDetails' + credentials: + $ref: '#/components/schemas/PrivilegedResourceCredentials' + - $ref: '#/components/schemas/PrivilegedResource' + required: + - containerId + PrivilegedResourceAccountOkta: + allOf: + - type: object + properties: + resourceId: + type: string + description: The user ID associated with the Okta privileged resource + example: 00u100xTfFs4MasRf0g4 + credentials: + $ref: '#/components/schemas/PrivilegedResourceCredentials' + profile: + $ref: '#/components/schemas/profile' + example: + email: testuser@example.com + - $ref: '#/components/schemas/PrivilegedResource' + PrivilegedResourceCredentials: + description: Credentials for the privileged account type: object properties: - created: - type: string - externalId: - type: string - id: + password: type: string - readOnly: true - lastUpdated: + description: The password associated with the privileged resource + format: password + writeOnly: true + example: xf1bs9am2 + userName: type: string - profile: - type: object - additionalProperties: - type: object - properties: {} - _embedded: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - IdentityProviderCredentials: - type: object - properties: - client: - $ref: '#/components/schemas/IdentityProviderCredentialsClient' - signing: - $ref: '#/components/schemas/IdentityProviderCredentialsSigning' - trust: - $ref: 
'#/components/schemas/IdentityProviderCredentialsTrust' - IdentityProviderCredentialsClient: + description: The username associated with the privileged resource + minLength: 1 + maxLength: 100 + example: testuser@example.com + required: + - userName + PrivilegedResourceStatus: + description: Current status of the privileged resource + type: string + x-enumDescriptions: + CREATED: The privileged resource is created but not yet managed by OPA + ACTIVE: The privileged resource is currently managed by OPA + INACTIVE: The privileged resource is `INACTIVE` and not currently managed by OPA + readOnly: true + x-okta-known-values: + - ACTIVE + - CREATED + - CREATION_FAILED + - INACTIVE + - PENDING + PrivilegedResourceType: + description: The type of the resource + type: string + x-okta-known-values: + - APP_ACCOUNT + - OKTA_USER_ACCOUNT + PrivilegedResourceUpdateRequest: + description: Update request for a privileged resource type: object properties: - client_id: - type: string - client_secret: + profile: + $ref: '#/components/schemas/profile' + example: + email: testuser@example.com + userName: type: string - IdentityProviderCredentialsSigning: + description: The username associated with the privileged resource + minLength: 1 + maxLength: 100 + example: testuser@example.com + ProfileEnrollmentPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported for this policy type + default: null + nullable: true + ProfileEnrollmentPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActions' + conditions: + type: string + description: Policy Rule conditions aren't supported for this policy type + default: null + nullable: true + ProfileEnrollmentPolicyRuleAction: type: object properties: - kid: + access: type: string - IdentityProviderCredentialsTrust: - type: object 
- properties: - audience: + enum: + - ALLOW + - DENY + description: '**Note:** The Profile Enrollment Action object can''t be modified to set the `access` property to `DENY` after the policy is created.' + activationRequirements: + $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActivationRequirement' + allowedIdentifiers: + items: + type: string + type: array + description: <x-lifecycle class="ea"></x-lifecycle> A list of attributes to identify an end user. Can be used across Okta sign-in, unlock, and recovery flows. + default: + - login + enrollAuthenticatorTypes: + items: + type: string + type: array + description: Additional authenticator fields that can be used on the first page of user registration. Valid values only includes `'password'`. + preRegistrationInlineHooks: + items: + $ref: '#/components/schemas/PreRegistrationInlineHook' + type: array + description: (Optional) The `id` of at most one registration inline hook + profileAttributes: + items: + $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute' + type: array + description: A list of attributes to prompt the user during registration or progressive profiling. Where defined on the User schema, these attributes are persisted in the User profile. Non-schema attributes can also be added, which aren't persisted to the User's profile, but are included in requests to the registration inline hook. A maximum of 10 Profile properties is supported. + progressiveProfilingAction: type: string - issuer: + enum: + - ENABLED + - DISABLED + description: Progressive profile enrollment helps evaluate the profile enrollment policy at every user login. Users can be prompted to provide input for newly required attributes. + targetGroupIds: + items: + type: string + type: array + description: (Optional, max 1 entry) The `id` of a Group that this User should be added to + uiSchemaId: type: string - kid: + description: Value created by the backend. 
If present, all policy updates must include this attribute/value. + unknownUserAction: type: string - revocation: - $ref: '#/components/schemas/IdentityProviderCredentialsTrustRevocation' - revocationCacheLifetime: - type: integer - IdentityProviderCredentialsTrustRevocation: - type: string - x-okta-known-values: - - CRL - - DELTA_CRL - - OCSP - IdentityProviderPolicy: + enum: + - DENY + - REGISTER + description: Which action should be taken if this User is new + ProfileEnrollmentPolicyRuleActions: allOf: - - $ref: '#/components/schemas/Policy' + - $ref: '#/components/schemas/PolicyRuleActions' - type: object properties: - accountLink: - $ref: '#/components/schemas/PolicyAccountLink' - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - maxClockSkew: - type: integer - provisioning: - $ref: '#/components/schemas/Provisioning' - subject: - $ref: '#/components/schemas/PolicySubject' - IdentityProviderPolicyProvider: - type: string - x-okta-known-values: - - ANY - - OKTA - - SPECIFIC_IDP - IdentityProviderPolicyRuleCondition: + profileEnrollment: + $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleAction' + ProfileEnrollmentPolicyRuleActivationRequirement: + description: Contains a single Boolean property that indicates whether `emailVerification` should occur (`true`) or not (`false`, default) type: object properties: - idpIds: - type: array - items: - type: string - provider: - $ref: '#/components/schemas/IdentityProviderPolicyProvider' - IdentityProviderType: - type: string - x-okta-known-values: - - AgentlessDSSO - - FACEBOOK - - GOOGLE - - IWA - - LINKEDIN - - MICROSOFT - - OIDC - - OKTA - - SAML2 - - X509 - IdpPolicyRuleAction: + emailVerification: + type: boolean + ProfileEnrollmentPolicyRuleProfileAttribute: type: object properties: - providers: - items: - $ref: '#/components/schemas/IdpPolicyRuleActionProvider' - type: array - IdpPolicyRuleActionProvider: + label: + type: string + description: A display-friendly label for this property + 
name: + type: string + description: The name of a User Profile property. Can be an existing property. + required: + type: boolean + description: (Optional, default `FALSE`) Indicates if this property is required for enrollment + default: false + ProfileMapping: + description: |- + The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). + + > **Note:** Same type source/target mappings aren't supported by this API. Profile mappings must either be Okta->App or App->Okta. type: object properties: id: - readOnly: true type: string - type: + description: Unique identifier for a profile mapping + readOnly: true + properties: + type: object + additionalProperties: + $ref: '#/components/schemas/ProfileMappingProperty' + readOnly: false + source: + $ref: '#/components/schemas/ProfileMappingSource' + target: + $ref: '#/components/schemas/ProfileMappingTarget' + _links: + $ref: '#/components/schemas/LinksSelf' + ProfileMappingProperty: + description: A target property, in string form, that maps to a valid [JSON Schema Draft](https://tools.ietf.org/html/draft-zyp-json-schema-04) document. + type: object + properties: + expression: + description: Combination or single source properties that are mapped to the target property type: string - IframeEmbedScopeAllowedApps: + pushStatus: + $ref: '#/components/schemas/ProfileMappingPropertyPushStatus' + ProfileMappingPropertyPushStatus: + description: |- + Indicates whether to update target properties for user create and update or just for user create. + + Having a pushStatus of `PUSH` causes properties in the target to be updated on create and update. Having a pushStatus of `DONT_PUSH` causes properties in the target to be updated only on create. 
type: string x-okta-known-values: - - OKTA_ENDUSER - ImageUploadResponse: + - DONT_PUSH + - PUSH + ProfileMappingRequest: + description: The updated request body properties type: object properties: - url: - readOnly: true - type: string - InactivityPolicyRuleCondition: + properties: + type: object + additionalProperties: + $ref: '#/components/schemas/ProfileMappingProperty' + required: + - properties + - additionalProperties + - expression + - pushStatus + ProfileMappingSource: + description: |- + The parameter is the source of a profile mapping and is a valid [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) document with the following properties. The data type can be an app instance or an Okta object. + + > **Note:** If the source is Okta and the UserTypes feature isn't enabled, then the source `_links` only has a link to the schema. type: object properties: - number: - type: integer - unit: + id: type: string - InlineHook: - type: object - properties: - channel: - $ref: '#/components/schemas/InlineHookChannel' - created: + description: Unique identifier for the application instance or userType + readOnly: true + name: type: string - format: date-time + description: Variable name of the application instance or name of the referenced UserType readOnly: true - id: + type: type: string + description: Type of user referenced in the mapping readOnly: true - lastUpdated: + _links: + $ref: '#/components/schemas/SourceLinks' + ProfileMappingTarget: + description: |- + The parameter is the target of a profile mapping and is a valid [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) document with the following properties. The data type can be an app instance or an Okta object. + + > **Note:** If the target is Okta and the UserTypes feature isn't enabled, then the target `_links` only has a link to the schema. 
+ type: object + properties: + id: type: string - format: date-time + description: Unique identifier for the application instance or UserType readOnly: true name: type: string - status: - $ref: '#/components/schemas/InlineHookStatus' + description: Variable name of the application instance or name of the referenced userType + readOnly: true type: - $ref: '#/components/schemas/InlineHookType' - version: type: string - _links: - type: object - additionalProperties: - type: object - properties: {} + description: Type of user referenced in the mapping readOnly: true - InlineHookChannel: + _links: + $ref: '#/components/schemas/SourceLinks' + ProfileSettingObject: + description: | + This setting determines whether a user in the app gets updated when they're updated in Okta. + + If enabled, Okta updates a user's attributes in the app when the app is assigned. + Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the app. type: object properties: - config: - $ref: '#/components/schemas/InlineHookChannelConfig' + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - example: DISABLED + - default: DISABLED + ProtocolAlgorithmRequestScope: + description: Specifies whether to digitally sign authorization requests to the IdP + example: REQUEST + type: string + x-okta-known-values: + - NONE + - REQUEST + ProtocolAlgorithmResponseScope: + description: Specifies whether to verify responses from the IdP + example: ANY + type: string + x-okta-known-values: + - ANY + - RESPONSE + - TOKEN + ProtocolCredentialsKeyId: + description: IdP Key Credential reference to the Okta X.509 signature certificate + example: your-key-id + type: string + ProtocolEndpointBinding: + type: string + x-okta-known-values: + - HTTP-POST + - HTTP-REDIRECT + ProtocolMtls: + title: Mutual TLS Protocol + description: Protocol settings for the [MTLS Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4) + type: object + properties: + 
credentials: + $ref: '#/components/schemas/MtlsCredentials' + endpoints: + $ref: '#/components/schemas/MtlsEndpoints' type: - $ref: '#/components/schemas/InlineHookChannelType' - version: type: string - InlineHookChannelConfig: + description: Mutual TLS + enum: + - MTLS + ProtocolOAuth: + title: OAuth 2.0 Protocol + description: Protocol settings for authentication using the [OAuth 2.0 Authorization Code flow](https://tools.ietf.org/html/rfc6749#section-4.1) type: object properties: - authScheme: - $ref: '#/components/schemas/InlineHookChannelConfigAuthScheme' - headers: + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: type: array + description: |- + IdP-defined permission bundles to request delegated access from the User + > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. 
items: - $ref: '#/components/schemas/InlineHookChannelConfigHeaders' - method: - type: string - uri: + type: string + example: public_profile + type: type: string - InlineHookChannelConfigAuthScheme: + description: OAuth 2.0 Authorization Code flow + enum: + - OAUTH2 + ProtocolOidc: + title: OpenID Connect Protocol + description: Protocol settings for authentication using the [OpenID Connect Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) type: object properties: - key: - type: string + algorithms: + $ref: '#/components/schemas/OidcAlgorithms' + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + type: array + description: |- + OpenID Connect and IdP-defined permission bundles to request delegated access from the User + > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. 
+ items: + type: string + example: openid type: type: string - value: - type: string - InlineHookChannelConfigHeaders: + description: OpenID Connect Authorization Code flow + enum: + - OIDC + ProtocolSaml: + title: SAML 2.0 Protocol + description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) type: object properties: - key: - type: string - value: + algorithms: + $ref: '#/components/schemas/SamlAlgorithms' + credentials: + $ref: '#/components/schemas/SamlCredentials' + endpoints: + $ref: '#/components/schemas/SamlEndpoints' + relayState: + $ref: '#/components/schemas/SamlRelayState' + settings: + $ref: '#/components/schemas/SamlSettings' + type: type: string - InlineHookChannelType: + description: SAML 2.0 protocol + enum: + - SAML2 + ProviderType: type: string x-okta-known-values: - - HTTP - InlineHookPayload: - type: object - x-okta-extensible: true - InlineHookResponse: - type: object - properties: - commands: - type: array - items: - $ref: '#/components/schemas/InlineHookResponseCommands' - InlineHookResponseCommandValue: + - APNS + - FCM + Provisioning: + description: Specifies the behavior for just-in-time (JIT) provisioning of an IdP User as a new Okta User and their Group memberships type: object properties: - op: - type: string - path: - type: string - value: - type: string - InlineHookResponseCommands: + action: + $ref: '#/components/schemas/ProvisioningAction' + conditions: + $ref: '#/components/schemas/ProvisioningConditions' + groups: + $ref: '#/components/schemas/ProvisioningGroups' + profileMaster: + type: boolean + description: Determines if the IdP should act as a source of truth for User profile attributes + ProvisioningAction: + description: |- + Specifies the User provisioning action during authentication when an IdP User isn't linked to an existing Okta User. 
+ * To successfully provision a new Okta User, you must enable just-in-time (JIT) provisioning in your org security settings. + * If the target username isn't unique or the resulting Okta User profile is missing a required profile attribute, JIT provisioning may fail. + * New Okta Users are provisioned with either a `FEDERATION` or `SOCIAL` authentication provider depending on the IdP type. + type: string + x-enumDescriptions: + AUTO: The IdP User profile is transformed through defined universal directory profile mappings to an Okta User profile and automatically provisioned as an Okta User. + DISABLED: Okta rejects the authentication request and skips provisioning of a new Okta User if the IdP User isn't linked to an existing Okta User. + x-okta-known-values: + - AUTO + - DISABLED + ProvisioningConditions: + description: Conditional behaviors for an IdP User during authentication type: object properties: - type: - type: string - value: - type: array - items: - $ref: '#/components/schemas/InlineHookResponseCommandValue' - InlineHookStatus: + deprovisioned: + $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' + suspended: + $ref: '#/components/schemas/ProvisioningSuspendedCondition' + ProvisioningConnectionAuthScheme: + description: Defines the method of authentication type: string + x-enumDescriptions: + TOKEN: A token is used to authenticate with the app. + OAUTH2: OAuth 2.0 is used to authenticate with the app. + UNKNOWN: The authentication scheme used by the app isn't supported, or the app doesn't support provisioning. x-okta-known-values: - - ACTIVE - - INACTIVE - InlineHookType: + - OAUTH2 + - TOKEN + - UNKNOWN + ProvisioningConnectionOauthAuthScheme: + description: OAuth 2.0 is used to authenticate with the app. 
type: string x-okta-known-values: - - com.okta.import.transform - - com.okta.oauth2.tokens.transform - - com.okta.saml.tokens.transform - - com.okta.user.credential.password.import - - com.okta.user.pre-registration - IssuerMode: + - OAUTH2 + ProvisioningConnectionOauthRequest: + title: OAuth 2.0-based connection + allOf: + - $ref: '#/components/schemas/ProvisioningConnectionRequest' + - description: OAuth 2.0-based Provisioning Connection request + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionOauthRequestProfile' + required: + - profile + ProvisioningConnectionOauthRequestProfile: + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme' + clientId: + type: string + description: Only used for the Okta Org2Org (`okta_org2org`) app. The unique client identifier for the OAuth 2.0 service app from the target org. + settings: + $ref: '#/components/schemas/Office365ProvisioningSettings' + required: + - authScheme + ProvisioningConnectionProfileOauth: + description: | + The app provisioning connection profile used to configure the method of authentication and the credentials. + Currently, token-based and OAuth 2.0-based authentication are supported. 
+ properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme' + clientId: + type: string + required: + - authScheme + ProvisioningConnectionRequest: + type: object + ProvisioningConnectionRequestAuthScheme: type: string x-okta-known-values: - - CUSTOM_URL - - DYNAMIC - - ORG_URL - JsonWebKey: + - OAUTH2 + - TOKEN + ProvisioningConnectionResponse: type: object properties: - alg: - type: string - created: - type: string - format: date-time - e: - type: string - expiresAt: - type: string - format: date-time - key_ops: - type: array - items: - type: string - kid: - type: string - kty: - type: string - lastUpdated: - type: string - format: date-time - 'n': + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme' + baseUrl: type: string + description: Base URL + profile: + $ref: '#/components/schemas/ProvisioningConnectionResponseProfile' status: - type: string - use: - type: string - x5c: - type: array - items: - type: string - x5t: - type: string - x5t#S256: - type: string - x5u: - type: string + $ref: '#/components/schemas/ProvisioningConnectionStatus' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - JwkUse: - type: object + $ref: '#/components/schemas/LinksSelfLifecycleAndAuthorize' + required: + - profile + - status + ProvisioningConnectionResponseProfile: properties: - use: - $ref: '#/components/schemas/JwkUseType' - JwkUseType: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' + required: + - authScheme + ProvisioningConnectionStatus: + description: Provisioning Connection status + default: DISABLED type: string + x-enumDescriptions: + DISABLED: The Provisioning Connection is disabled. + ENABLED: The Provisioning Connection is enabled. + UNKNOWN: Provisioning isn't supported by the app, or the authentication method is unknown. 
x-okta-known-values: - - sig - KnowledgeConstraint: - allOf: - - $ref: '#/components/schemas/AccessPolicyConstraint' - Language: - description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646). + - DISABLED + - ENABLED + - UNKNOWN + ProvisioningConnectionTokenAuthScheme: + description: A token is used to authenticate with the app. This property is only returned for the `TOKEN` authentication scheme. type: string - LifecycleCreateSettingObject: - type: object - properties: - status: - $ref: '#/components/schemas/EnabledStatus' - LifecycleDeactivateSettingObject: - type: object - properties: - status: - $ref: '#/components/schemas/EnabledStatus' - LifecycleExpirationPolicyRuleCondition: - type: object + x-okta-known-values: + - TOKEN + ProvisioningConnectionTokenRequest: + title: Token-based connection + allOf: + - $ref: '#/components/schemas/ProvisioningConnectionRequest' + - description: Token-based Provisioning Connection request + properties: + baseUrl: + type: string + description: Only used for the Zscaler 2.0 (`zscalerbyz`) app. The base URL for the Zscaler 2.0 target app, which also contains the Zscaler ID. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + profile: + $ref: '#/components/schemas/ProvisioningConnectionTokenRequestProfile' + required: + - profile + ProvisioningConnectionTokenRequestProfile: properties: - lifecycleStatus: - type: string - number: - type: integer - unit: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme' + token: type: string - LifecycleStatus: + description: Token used to authenticate with the app + required: + - authScheme + ProvisioningDeprovisionedAction: + description: Specifies the action during authentication when an IdP User is linked to a previously deprovisioned Okta User type: string + x-enumDescriptions: + NONE: Take no action. 
If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, authentication fails. + REACTIVATE: If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, reactivate the matching User in Okta and allow the authentication attempt to proceed. x-okta-known-values: - - ACTIVE - - INACTIVE - LinkedObject: + - NONE + - REACTIVATE + ProvisioningDeprovisionedCondition: + description: Behavior for a previously deprovisioned IdP User during authentication. Not supported with OIDC IdPs. type: object properties: - associated: - $ref: '#/components/schemas/LinkedObjectDetails' - primary: - $ref: '#/components/schemas/LinkedObjectDetails' - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - LinkedObjectDetails: + action: + $ref: '#/components/schemas/ProvisioningDeprovisionedAction' + ProvisioningGroups: + description: Provisioning settings for a User's Group memberships type: object properties: - description: - type: string - name: - type: string - title: + action: + $ref: '#/components/schemas/ProvisioningGroupsAction' + assignments: + type: array + description: List of `OKTA_GROUP` Group identifiers to add an IdP User as a member with the `ASSIGN` action + items: + type: string + example: 00gak46y5hydV6NdM0g4 + filter: + type: array + description: Allowlist of `OKTA_GROUP` Group identifiers for the `APPEND` or `SYNC` provisioning action + items: + type: string + example: 00gak46y5hydV6NdM0g4 + sourceAttributeName: type: string - type: - $ref: '#/components/schemas/LinkedObjectDetailsType' - LinkedObjectDetailsType: + description: IdP User profile attribute name (case-insensitive) for an array value that contains Group memberships + maxLength: 1024 + example: Groups + ProvisioningGroupsAction: + description: |- + Provisioning action for the IdP User's Group memberships + + | Enum | Description | Existing OKTA_GROUP Memberships | Existing APP_GROUP Memberships | 
Existing BUILT_IN Memberships | + | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------ | ----------------------------- | + | `APPEND` | Adds a User to any Group defined by the IdP as a value of the `sourceAttributeName` array that matches the name of the allow listed Group defined in the `filter` | Unchanged | Unchanged | Unchanged | + | `ASSIGN` | Assigns a User to Groups defined in the `assignments` array | Unchanged | Unchanged | Unchanged | + | `NONE` | Skips processing of Group memberships | Unchanged | Unchanged | Unchanged | + | `SYNC` | Group memberships are sourced by the IdP as a value of the `sourceAttributeName` array that matches the name of the Group defined in the `filter` | Removed if not defined by the IdP in `sourceAttributeName` and matching name of the Group in `filter` | Unchanged | Unchanged | + + > **Note:** Group provisioning action is processed independently from profile sourcing. You can sync Group memberships through SAML with profile sourcing disabled. type: string x-okta-known-values: - - USER - LocationGranularity: + - APPEND + - ASSIGN + - NONE + - SYNC + ProvisioningSuspendedAction: + description: Specifies the action during authentication when an IdP User is linked to a previously suspended Okta User type: string + x-enumDescriptions: + NONE: Take no action. If an IdP User that matches a previously suspended Okta User attempts to authenticate, authentication fails. + UNSUSPEND: If an IdP User that matches a previously suspended Okta User attempts to authenticate, unsuspend the matching User in Okta and allow the authentication attempt to proceed. 
x-okta-known-values: - - CITY - - COUNTRY - - LAT_LONG - - SUBDIVISION - LogActor: + - NONE + - UNSUSPEND + ProvisioningSuspendedCondition: + description: Behavior for a previously suspended IdP User during authentication. Not supported with OIDC IdPs. + type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningSuspendedAction' + PushMethodKeyProtection: + description: Indicates whether you must use a hardware key store + type: string + x-okta-known-values: + - ANY + - HARDWARE + PushProvider: + title: PushProvider type: object properties: - alternateId: - type: string - readOnly: true - detail: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - displayName: - type: string - readOnly: true id: type: string readOnly: true - type: + description: Unique key for the Push Provider + lastUpdatedDate: type: string readOnly: true - LogAuthenticationContext: + description: Timestamp when the Push Provider was last modified + name: + type: string + description: Display name of the push provider + providerType: + $ref: '#/components/schemas/ProviderType' + _links: + $ref: '#/components/schemas/LinksSelf' + discriminator: + propertyName: providerType + mapping: + APNS: '#/components/schemas/APNSPushProvider' + FCM: '#/components/schemas/FCMPushProvider' + RateLimitAdminNotifications: + title: RateLimitAdminNotifications + description: '' type: object properties: - authenticationProvider: - $ref: '#/components/schemas/LogAuthenticationProvider' - authenticationStep: + notificationsEnabled: + type: boolean + required: + - notificationsEnabled + RateLimitWarningThresholdRequest: + title: RateLimitWarningThreshold + description: '' + type: object + properties: + warningThreshold: + description: The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs. 
+ type: integer + minimum: 30 + maximum: 90 + required: + - warningThreshold + RateLimitWarningThresholdResponse: + title: RateLimitWarningThreshold + description: '' + type: object + properties: + warningThreshold: + description: The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs. type: integer + minimum: 30 + maximum: 90 + Realm: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the Realm was created readOnly: true - credentialProvider: - $ref: '#/components/schemas/LogCredentialProvider' - credentialType: - $ref: '#/components/schemas/LogCredentialType' - externalSessionId: + id: type: string + description: Unique key for the Realm readOnly: true - interface: + isDefault: + type: boolean + description: Conveys whether the Realm is the default + readOnly: true + lastUpdated: type: string + format: date-time + description: Timestamp when the Realm was last updated readOnly: true - issuer: - $ref: '#/components/schemas/LogIssuer' - LogAuthenticationProvider: - type: string - x-okta-known-values: - - ACTIVE_DIRECTORY - - FACTOR_PROVIDER - - FEDERATION - - LDAP - - OKTA_AUTHENTICATION_PROVIDER - - SOCIAL - LogClient: + profile: + $ref: '#/components/schemas/RealmProfile' + _links: + $ref: '#/components/schemas/LinksSelf' + RealmAssignment: type: object properties: - device: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + created: type: string + format: date-time readOnly: true - geographicalContext: - $ref: '#/components/schemas/LogGeographicalContext' id: type: string readOnly: true - ipAddress: - type: string + isDefault: + type: boolean readOnly: true - userAgent: - $ref: '#/components/schemas/LogUserAgent' - zone: + lastUpdated: type: string + format: date-time readOnly: true - LogCredentialProvider: + name: + type: string + 
priority: + type: integer + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/LinksSelf' + RealmProfile: + type: object + properties: + name: + type: string + description: Name of a Realm + realmType: + type: string + description: Used to store partner users. This must be set to Partner to access Okta's external partner portal. + enum: + - PARTNER + - DEFAULT + x-enumDescriptions: + PARTNER: Realm with external partner portal + DEFAULT: Default + required: + - name + RecoveryQuestionCredential: + description: |- + Specifies a secret question and answer that's validated (case insensitive) when a user forgets their + password or unlocks their account. The answer property is write-only. + type: object + properties: + answer: + type: string + description: The answer to the recovery question + minimum: 1 + maximum: 100 + writeOnly: true + example: se7en + question: + type: string + description: The recovery question + minimum: 1 + maximum: 100 + example: what is your favourite movie? 
+ RefreshToken: + description: The refresh token + type: object + properties: + jti: + description: The refresh token ID + type: string + RegistrationInlineHook: + allOf: + - $ref: '#/components/schemas/InlineHook' + - type: object + RegistrationInlineHookCommand: + type: object + properties: + type: + type: string + enum: + - com.okta.user.profile.update + - com.okta.action.update + - com.okta.user.progressive.profile.update + RegistrationInlineHookPPData: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - type: object + properties: + data: + type: object + properties: + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + user: + type: object + properties: + passwordChanged: + type: string + format: date-time + description: The last time the user's password was updated + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled. + type: object + properties: + groups: + description: URL to retrieve the individual user's group memberships + allOf: + - $ref: '#/components/schemas/HrefObject' + factors: + description: URL to retrieve individual user's factor enrollments + allOf: + - $ref: '#/components/schemas/HrefObject' + profile: + additionalProperties: true + type: object + description: The user to update's current attributes + id: + type: string + action: + description: The default action the system takes. Set to `ALLOW`. 
`DENY` is never sent to your external service + type: string + userProfileUpdate: + additionalProperties: true + type: object + description: Name-value pairs for each new attribute supplied by the user in the Progressive Profile form + RegistrationInlineHookRequest: + description: Registration inline hook request + type: object + properties: + eventType: + type: string + description: The type of inline hook. The registration inline hook type is `com.okta.user.pre-registration`. + requestType: + $ref: '#/components/schemas/RegistrationInlineHookRequestType' + discriminator: + propertyName: requestType + mapping: + self.service.registration: '#/components/schemas/RegistrationInlineHookSSRData' + progressive.profile: '#/components/schemas/RegistrationInlineHookPPData' + RegistrationInlineHookRequestType: + description: The type of registration hook. Use either `self.service.registration` or `progressive.profile`. type: string x-okta-known-values: - - DUO - - GOOGLE - - OKTA_AUTHENTICATION_PROVIDER - - OKTA_CREDENTIAL_PROVIDER - - RSA - - SYMANTEC - - YUBIKEY - LogCredentialType: + - progressive.profile + - self.service.registration + RegistrationInlineHookResponse: + description: Registration inline hook response + type: object + properties: + commands: + type: array + RegistrationInlineHookSSRData: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - type: object + properties: + data: + type: object + properties: + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + action: + description: The default action the system will take. Will be `ALLOW`. `DENY` will never be sent to your external service. + type: string + userProfile: + additionalProperties: true + type: object + description: The name-value pairs for each registration-related attribute supplied by the user in the Profile Enrollment form. 
+ RegistrationResponse: + type: object + properties: + commands: + description: |- + The `commands` object lets you invoke commands to modify or add values to the attributes in the Okta user profile that are created for this user. The object also lets you control whether or not the registration attempt is allowed to proceed. + + This object is an array, allowing you to send multiple commands in your response. Each array element requires a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you wish to execute, and `value` is where you supply parameters for that command. + + The registration inline hook supports these three commands: + * `com.okta.user.profile.update`: Change attribute values in the user's Okta user profile. For SSR only. Invalid if used with a Progressive Profile response. + * `com.okta.action.update`: Allow or deny the user's registration. + * `com.okta.user.progressive.profile.update`: Change attribute values in the user's Okta Progressive Profile. + type: array + items: + type: object + properties: + type: + description: |- + The location where you specify the command. To set attributes in the user's Okta profile, supply a `type` property set to `com.okta.user.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Okta user profile attributes you want to set. The attributes must already exist in your user profile schema. + + To explicitly allow or deny registration to the user, supply a type property set to `com.okta.action.update`, together with a value property set to `{"registration": "ALLOW"}` or `{"registration": "DENY"}`. The default is to allow registration. 
+ + In Okta Identity Engine, to set attributes in the user's profile, supply a `type` property set to `com.okta.user.progressive.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Progressive Enrollment attributes that you want to set. See [Registration inline hook - Send response](https://developer.okta.com/docs/guides/registration-inline-hook/nodejs/main/#send-response). + + Commands are applied in the order that they appear in the array. Within a single `com.okta.user.profile.update` or `com.okta.user.progressive.profile.update command`, attributes are updated in the order that they appear in the `value` object. + + You can never use a command to update the user's password, but you are allowed to set the values of attributes other than password that are designated sensitive in your Okta user schema. However, the values of those sensitive attributes, if included as fields in the Profile Enrollment form, aren't included in the `data.userProfile` object sent to your external service by Okta. See [data.userProfile](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook!path=0/data/userProfile&t=request). + type: string + value: + additionalProperties: true + description: |- + The `value` object is the parameter to pass to the command. + + For `com.okta.user.profile.update` commands, `value` should be an object containing one or more name-value pairs for the attributes you wish to update. + + For `com.okta.action.update` commands, the value should be an object containing the attribute `action` set to a value of either `ALLOW` or `DENY`, indicating whether the registration should be permitted or not. + + Registrations are allowed by default, so setting a value of `ALLOW` for the action field is valid but superfluous. 
+ type: object + Error: + description: |- + For the registration inline hook, the `error` object provides a way of displaying an error message to the end user who is trying to register or update their profile. + + * If you're using the Okta Sign-In Widget for Profile Enrollment, only the `errorSummary` messages of the `errorCauses` objects that your external service returns appear as inline errors, given the following: + * You don't customize the error handling behavior of the widget. + * The `location` of `errorSummary` in the `errorCauses` object specifies the request object's user profile attribute. + * If you don't return a value for the `errorCauses` object, and deny the user's registration attempt through the `commands` object in your response to Okta, one of the following generic messages appears to the end user: + * "Registration cannot be completed at this time." (SSR) + * "We found some errors. Please review the form and make corrections." (Progressive Enrollment) + * If you don't return an `error` object at all and the registration is denied, the following generic message appears to the end user: + * "Registration denied." (SSR) + * "Profile update denied." (Progressive Enrollment) + + >**Note:** If you include an error object in your response, no commands are executed and the registration fails. This holds true even if the top-level `errorSummary` and the `errorCauses` objects are omitted. + type: object + properties: + errorSummary: + type: string + description: Human-readable summary of one or more errors + errorCauses: + type: array + items: + type: object + properties: + errorSummary: + type: string + description: Human-readable summary of the error. + reason: + type: string + description: A brief, enum-like string that indicates the nature of the error. For example, `UNIQUE_CONSTRAINT` for a property uniqueness violation. + locationType: + type: string + description: Where in the request the error was found (`body`, `header`, `url`, or `query`). 
+ location: + description: The valid JSON path to the location of the error. For example, if there was an error in the user's `login` field, the `location` might be `data.userProfile.login`. + type: string + domain: + type: string + description: Indicates the source of the error. If the error was in the user's profile, for example, you might use `end-user`. If the error occurred in the external service, you might use `external-service`. + ReleaseChannel: + description: Release channel for auto-update type: string x-okta-known-values: - - ASSERTION - - EMAIL - - IWA - - JWT - - OAuth 2.0 - - OTP - - PASSWORD - - SMS - LogDebugContext: + - BETA + - EA + - GA + - TEST + RequiredEnum: + type: string + x-okta-known-values: + - ALWAYS + - HIGH_RISK_ONLY + - NEVER + ResendUserFactor: type: object properties: - debugData: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - LogEvent: + factorType: + description: Type of the Factor + type: string + enum: + - call + - email + - sms + discriminator: + propertyName: factorType + mapping: + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + sms: '#/components/schemas/UserFactorSMS' + ResetPasswordToken: type: object properties: - actor: - $ref: '#/components/schemas/LogActor' - authenticationContext: - $ref: '#/components/schemas/LogAuthenticationContext' - client: - $ref: '#/components/schemas/LogClient' - debugContext: - $ref: '#/components/schemas/LogDebugContext' - displayMessage: - type: string - readOnly: true - eventType: - type: string - readOnly: true - legacyEventType: - type: string - readOnly: true - outcome: - $ref: '#/components/schemas/LogOutcome' - published: - type: string - format: date-time - readOnly: true - request: - $ref: '#/components/schemas/LogRequest' - securityContext: - $ref: '#/components/schemas/LogSecurityContext' - severity: - $ref: '#/components/schemas/LogSeverity' - target: - type: array - readOnly: true - items: 
- $ref: '#/components/schemas/LogTarget' - transaction: - $ref: '#/components/schemas/LogTransaction' - uuid: - type: string - readOnly: true - version: + resetPasswordUrl: type: string readOnly: true - LogGeographicalContext: + example: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO + ResourceSelectorCreateRequestSchema: type: object properties: - city: + description: type: string - readOnly: true - country: + description: Description of the Resource Selector + filter: type: string - readOnly: true - geolocation: - $ref: '#/components/schemas/LogGeolocation' - postalCode: + description: SCIM filter of the Resource Selector + name: type: string - readOnly: true - state: + description: Name of the Resource Selector + schema: type: string - readOnly: true - LogGeolocation: + description: Schema of the Resource Selector + ResourceSelectorPatchRequestSchema: type: object properties: - lat: - type: number - format: double - readOnly: true - lon: - type: number - format: double - readOnly: true - LogIpAddress: - type: object - properties: - geographicalContext: - $ref: '#/components/schemas/LogGeographicalContext' - ip: + description: type: string - readOnly: true - source: + description: Description of the Resource Selector + filter: type: string - readOnly: true - version: + description: SCIM filter of the Resource Selector + name: type: string - readOnly: true - LogIssuer: + description: Name of the Resource Selector + ResourceSelectorResponseSchema: type: object properties: + description: + type: string + description: Description of the Resource Selector id: type: string - readOnly: true - type: + description: Unique key for the Resource Selector + name: type: string - readOnly: true - LogOutcome: + description: Name of the Resource Selector + orn: + type: string + description: An Okta resource name + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + resources: + $ref: '#/components/schemas/HrefObject' + 
ResourceSelectorResponseWithoutSelfLinkSchema: type: object properties: - reason: + description: type: string - readOnly: true - result: + description: Description of the Resource Selector + id: type: string - readOnly: true - LogRequest: + description: Unique key for the Resource Selector + name: + type: string + description: Name of the Resource Selector + orn: + type: string + description: An Okta resource name + _links: + allOf: + - properties: + resources: + $ref: '#/components/schemas/HrefObject' + ResourceSelectorsSchema: type: object properties: - ipChain: + resourceSelectors: type: array - readOnly: true items: - $ref: '#/components/schemas/LogIpAddress' - LogSecurityContext: - type: object - properties: - asNumber: - type: integer - readOnly: true - asOrg: - type: string - readOnly: true - domain: - type: string - readOnly: true - isp: - type: string - readOnly: true - isProxy: - type: boolean - readOnly: true - LogSeverity: - type: string - x-okta-known-values: - - DEBUG - - ERROR - - INFO - - WARN - LogTarget: + $ref: '#/components/schemas/ResourceSelectorResponseWithoutSelfLinkSchema' + _links: + $ref: '#/components/schemas/LinksNext' + ResourceSet: type: object properties: - alternateId: + created: type: string + format: date-time + description: Timestamp when the role was created readOnly: true - detailEntry: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - displayName: + description: type: string - readOnly: true + description: Description of the Resource Set id: type: string + description: Unique ID for the Resource Set object readOnly: true - type: + label: + type: string + description: Unique label for the Resource Set + lastUpdated: type: string + format: date-time + description: Timestamp when the role was last updated readOnly: true - LogTransaction: + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + resources: + $ref: '#/components/schemas/HrefObject' + bindings: + $ref: 
'#/components/schemas/HrefObject' + ResourceSetBindingAddMembersRequest: type: object properties: - detail: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - id: - type: string - readOnly: true - type: + additions: + type: array + items: + type: string + ResourceSetBindingCreateRequest: + type: object + properties: + members: + type: array + items: + type: string + role: type: string - readOnly: true - LogUserAgent: + description: Unique key for the role + ResourceSetBindingMember: type: object properties: - browser: + created: type: string + format: date-time + description: Timestamp when the role was created readOnly: true - os: + id: type: string + description: Unique key for the role readOnly: true - rawUserAgent: + lastUpdated: type: string + format: date-time + description: Timestamp when the role was last updated readOnly: true - MDMEnrollmentPolicyEnrollment: - type: string - x-okta-known-values: - - ANY_OR_NONE - - OMM - MDMEnrollmentPolicyRuleCondition: + _links: + $ref: '#/components/schemas/LinksSelf' + ResourceSetBindingMembers: type: object properties: - blockNonSafeAndroid: - type: boolean - enrollment: - $ref: '#/components/schemas/MDMEnrollmentPolicyEnrollment' - MultifactorEnrollmentPolicy: - allOf: - - $ref: '#/components/schemas/Policy' - - type: object - properties: - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - settings: - $ref: '#/components/schemas/MultifactorEnrollmentPolicySettings' - MultifactorEnrollmentPolicyAuthenticatorSettings: + members: + type: array + items: + $ref: '#/components/schemas/ResourceSetBindingMember' + _links: + allOf: + - $ref: '#/components/schemas/LinksNext' + - properties: + binding: + $ref: '#/components/schemas/HrefObject' + ResourceSetBindingResponse: type: object properties: - enroll: - type: object - properties: - self: - $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorStatus' - key: - $ref: 
'#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorType' - MultifactorEnrollmentPolicyAuthenticatorStatus: - type: string - x-okta-known-values: - - NOT_ALLOWED - - OPTIONAL - - REQUIRED - MultifactorEnrollmentPolicyAuthenticatorType: - type: string - x-okta-known-values: - - custom_app - - custom_otp - - duo - - external_idp - - google_otp - - okta_email - - okta_password - - okta_verify - - onprem_mfa - - phone_number - - rsa_token - - security_question - - symantec_vip - - webauthn - - yubikey_token - MultifactorEnrollmentPolicySettings: + id: + type: string + description: '`id` of the role' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + bindings: + $ref: '#/components/schemas/HrefObject' + resource-set: + $ref: '#/components/schemas/HrefObject' + ResourceSetBindingRole: type: object properties: - authenticators: - items: - $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorSettings' - type: array - type: - $ref: '#/components/schemas/MultifactorEnrollmentPolicySettingsType' - MultifactorEnrollmentPolicySettingsType: - type: string - x-okta-known-values: - - AUTHENTICATORS - NetworkZone: + id: + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + members: + $ref: '#/components/schemas/HrefObject' + ResourceSetBindings: type: object properties: - asns: + roles: type: array items: - type: string + $ref: '#/components/schemas/ResourceSetBindingRole' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + bindings: + $ref: '#/components/schemas/HrefObject' + resource-set: + $ref: '#/components/schemas/HrefObject' + ResourceSetResource: + type: object + properties: created: type: string format: date-time + description: Timestamp when the Resource Set Resource object was created readOnly: true - gateways: - type: array - items: - $ref: '#/components/schemas/NetworkZoneAddress' id: type: string + description: Unique ID of the Resource Set 
Resource object readOnly: true lastUpdated: type: string format: date-time + description: Timestamp when this object was last updated readOnly: true - locations: + orn: + type: string + description: The Okta Resource Name (ORN) of the resource + _links: + description: Related discoverable resources + readOnly: true + properties: + self: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The REST API URL of the related resource + resource: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to this Resource Set Resource object (self) + groups: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: If applicable, the REST API URL of the related Groups resource + users: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: If applicable, the REST API URL of the related Users resource + ResourceSetResourcePatchRequest: + type: object + properties: + additions: type: array + description: A list of resources to add to the Resource Set items: - $ref: '#/components/schemas/NetworkZoneLocation' - name: + type: string + description: Resource in ORN or REST API URL format + ResourceSetResourcePostRequest: + type: object + properties: + resourceOrnOrUrl: type: string - proxies: + description: Resource in ORN or REST API URL format + required: + - resourceOrnOrUrl + - conditions + ResourceSetResourcePutRequest: + type: object + ResourceSetResources: + type: object + properties: + resources: type: array items: - $ref: '#/components/schemas/NetworkZoneAddress' - proxyType: - type: string - status: - $ref: '#/components/schemas/NetworkZoneStatus' - system: - type: boolean - type: - $ref: '#/components/schemas/NetworkZoneType' - usage: - $ref: '#/components/schemas/NetworkZoneUsage' + $ref: '#/components/schemas/ResourceSetResource' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - NetworkZoneAddress: + allOf: + - $ref: '#/components/schemas/LinksNext' + - 
properties: + resource-set: + $ref: '#/components/schemas/HrefObject' + ResourceSets: type: object properties: - type: - $ref: '#/components/schemas/NetworkZoneAddressType' - value: - type: string - NetworkZoneAddressType: - type: string - x-okta-known-values: - - CIDR - - RANGE - NetworkZoneLocation: + resource-sets: + type: array + items: + $ref: '#/components/schemas/ResourceSet' + _links: + $ref: '#/components/schemas/LinksNext' + ResponseLinks: + description: Link objects type: object properties: - country: - type: string - region: - type: string - NetworkZoneStatus: - type: string - x-okta-known-values: - - ACTIVE - - INACTIVE - NetworkZoneType: + _links: + $ref: '#/components/schemas/LinksSelf' + ResponseMode: type: string + x-enumDescriptions: + fragment: Parameters are encoded in the URL fragment added to the `redirect_uri` when redirecting back to the client. + query: Parameters are encoded in the query string added to the `redirect_uri` when redirecting back to the client. + form_post: Parameters are encoded as HTML form values (`application/x-www-form-urlencoded` format) and are transmitted through the HTTP POST method to the client. + okta_post_message: |- + Uses [HTML5 Web Messaging](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) (for example, `window.postMessage()`) instead of the redirect for the authorization response from the `/authorize` endpoint. + + `okta_post_message` is an adaptation of the [Web Message Response Mode](https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00#section-4.1). + This value provides a secure way for a single-page application to perform a sign-in flow in a pop-up window or an iFrame and receive the ID token, access token, and/or authorization code back in the parent page without leaving the context of that page. The data object for the `postMessage` call is in the next section. 
x-okta-known-values: - - DYNAMIC - - IP - NetworkZoneUsage: + - form_post + - fragment + - okta_post_message + - query + ResponseType: type: string x-okta-known-values: - - BLOCKLIST - - POLICY - NotificationType: + - code + - id_token + - none + - token + ResponseTypesSupported: type: string x-okta-known-values: - - AD_AGENT - - APP_IMPORT - - CONNECTOR_AGENT - - IWA_AGENT - - LDAP_AGENT - - OKTA_ANNOUNCEMENT - - OKTA_ISSUE - - OKTA_UPDATE - - RATELIMIT_NOTIFICATION - - REPORT_SUSPICIOUS_ACTIVITY - - USER_DEPROVISION - - USER_LOCKED_OUT - OAuth2Actor: + - code + - code id_token + - code id_token token + - code token + - id_token + - id_token token + - token + RevokeRefreshTokenHrefObject: type: object properties: - id: - type: string - readOnly: true - type: + href: type: string - OAuth2Claim: + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + RiscIdentifierChangedEvent: + description: The subject's identifier has changed, which is either an email address or a phone number change type: object properties: - alwaysIncludeInToken: - type: boolean - claimType: - $ref: '#/components/schemas/OAuth2ClaimType' - conditions: - $ref: '#/components/schemas/OAuth2ClaimConditions' - group_filter_type: - $ref: '#/components/schemas/OAuth2ClaimGroupFilterType' - id: - type: string - readOnly: true - name: - type: string - status: - $ref: '#/components/schemas/LifecycleStatus' - system: - type: boolean - value: + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + new-value: type: string - valueType: - $ref: '#/components/schemas/OAuth2ClaimValueType' - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - OAuth2ClaimConditions: + description: The new identifier value + example: new.email@okta.example.com + subject: + $ref: 
'#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + RiskDetectionTypesPolicyRuleCondition: + description: <x-lifecycle class="oie"></x-lifecycle> An object that references detected risk events. This object can have an `include` parameter or an `exclude` parameter, but not both. type: object properties: - scopes: + exclude: type: array + description: An array of detected risk events to exclude in the entity policy rule items: - type: string - OAuth2ClaimGroupFilterType: - type: string - x-okta-known-values: - - CONTAINS - - EQUALS - - REGEX - - STARTS_WITH - OAuth2ClaimType: - type: string - x-okta-known-values: - - IDENTITY - - RESOURCE - OAuth2ClaimValueType: - type: string - x-okta-known-values: - - EXPRESSION - - GROUPS - - SYSTEM - OAuth2Client: + $ref: '#/components/schemas/DetectedRiskEvents' + include: + type: array + description: An array of detected risk events to include in the entity policy rule + items: + $ref: '#/components/schemas/DetectedRiskEvents' + required: + - exclude + - include + RiskEvent: type: object properties: - client_id: + expiresAt: type: string - readOnly: true - client_name: + format: date-time + description: 'Timestamp at which the event expires (expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`). If this optional field is not included, Okta automatically expires the event 24 hours after the event is consumed.' 
+ subjects: + type: array + description: List of Risk Event Subjects + items: + $ref: '#/components/schemas/RiskEventSubject' + timestamp: type: string - readOnly: true - client_uri: + format: date-time + description: 'Timestamp of when the event is produced (expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`)' + required: + - subjects + RiskEventSubject: + type: object + properties: + ip: type: string - readOnly: true - logo_uri: + description: The risk event subject IP address (either an IPv4 or IPv6 address) + message: type: string - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - OAuth2RefreshToken: + description: Additional reasons for the risk level of the IP + maxLength: 512 + pattern: ^[a-zA-Z0-9 .\-_]*$ + riskLevel: + $ref: '#/components/schemas/RiskEventSubjectRiskLevel' + required: + - ip + - riskLevel + RiskEventSubjectRiskLevel: + description: The risk level associated with the IP + type: string + x-okta-known-values: + - HIGH + - LOW + - MEDIUM + RiskPolicyRuleCondition: + type: object + properties: + behaviors: + uniqueItems: true + type: array + items: + type: string + RiskProvider: type: object properties: + action: + $ref: '#/components/schemas/RiskProviderAction' clientId: type: string + description: The ID of the [OAuth service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-and-grant-scopes) that is used to send risk events to Okta + example: 00cjkjjkkgjkdkjdkkljjsd created: type: string format: date-time + description: Timestamp when the Risk Provider object was created readOnly: true - createdBy: - $ref: '#/components/schemas/OAuth2Actor' - expiresAt: - type: string - format: date-time - readOnly: true + example: '2021-01-05 22:18:30' id: type: string + description: The ID of the Risk Provider object readOnly: true - issuer: - type: string + example: 00rp12r4skkjkjgsn lastUpdated: type: 
string format: date-time + description: Timestamp when the Risk Provider object was last updated readOnly: true - scopes: - type: array - items: - type: string - status: - $ref: '#/components/schemas/GrantOrTokenStatus' - userId: - type: string - _embedded: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - OAuth2Scope: - type: object - properties: - consent: - $ref: '#/components/schemas/OAuth2ScopeConsentType' - default: - type: boolean - description: - type: string - displayName: - type: string - id: - type: string - readOnly: true - metadataPublish: - $ref: '#/components/schemas/OAuth2ScopeMetadataPublish' - name: - type: string - system: - type: boolean - OAuth2ScopeConsentGrant: + example: '2021-01-05 22:18:30' + name: + type: string + description: Name of the risk provider + maxLength: 50 + example: Risk-Partner-X + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - name + - clientId + - action + - id + - _links + RiskProviderAction: + description: Action taken by Okta during authentication attempts based on the risk events sent by this provider + default: log_only + type: string + x-enumDescriptions: + log_only: Include risk event information in the System Log + none: No action + enforce_and_log: Use risk event information to evaluate risks during authentication attempts and include risk event information in the System Log + x-okta-known-values: + - enforce_and_log + - log_only + - none + RiskScorePolicyRuleCondition: + description: Specifies a particular level of risk to match on type: object properties: - clientId: + level: type: string + description: The level to match + enum: + - ANY + - LOW + - MEDIUM + - HIGH + required: + - level + Role: + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' created: type: string format: date-time readOnly: true - createdBy: - 
$ref: '#/components/schemas/OAuth2Actor' + description: + type: string id: type: string readOnly: true - issuer: + label: type: string + readOnly: true lastUpdated: type: string format: date-time readOnly: true - scopeId: - type: string - source: - $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource' status: - $ref: '#/components/schemas/GrantOrTokenStatus' - userId: - type: string + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/RoleType' _embedded: type: object additionalProperties: 
@@ -18225,2278 +62256,4573 @@ components: properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} + $ref: '#/components/schemas/LinksSelf' + RoleAssignedUser: + type: object + properties: + id: + type: string readOnly: true - OAuth2ScopeConsentGrantSource: - type: string - x-okta-known-values: - - ADMIN - - END_USER - OAuth2ScopeConsentType: - type: string - x-okta-known-values: - - ADMIN - - IMPLICIT - - REQUIRED - OAuth2ScopeMetadataPublish: + description: The ID of the User + orn: + type: string + readOnly: true + description: ORN representing the assignee + _links: + $ref: '#/components/schemas/LinksSelfAndRoles' + RoleAssignedUsers: + type: object + properties: + value: + type: array + items: + $ref: '#/components/schemas/RoleAssignedUser' + _links: + $ref: '#/components/schemas/LinksNextForRoleAssignments' + RoleAssignmentType: + description: Role assignment type type: string + x-enumDescriptions: + USER: The Role is assigned to a User + GROUP: The Role is assigned to a Group + CLIENT: The Role is assigned to a Client Application x-okta-known-values: - - ALL_CLIENTS - - NO_CLIENTS - OAuth2ScopesMediationPolicyRuleCondition: + - CLIENT + - GROUP + - USER + RoleGovernance: + description: List of all User Role Governance Sources type: object properties: - include: + grants: type: array items: - type: string - OAuth2Token: + $ref: '#/components/schemas/RoleGovernanceSource' + _links: + $ref: '#/components/schemas/LinksGovernanceSources' + RoleGovernanceResource: + description: The resource of a grant type: object properties: - clientId: - type: string - created: + label: type: string - format: date-time - readOnly: true - expiresAt: + description: The resource name + resource: type: string - format: date-time - readOnly: true - id: + description: The resources id + RoleGovernanceResources: + description: The resources of a grant + type: object + properties: + resources: + type: array + items: + $ref: 
'#/components/schemas/RoleGovernanceResource' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + RoleGovernanceSource: + description: User Role Governance Source + type: object + properties: + bundleId: type: string readOnly: true - issuer: - type: string - lastUpdated: + description: '`id` of the entitlement bundle' + expirationDate: type: string format: date-time readOnly: true - scopes: - type: array - items: - type: string - status: - $ref: '#/components/schemas/GrantOrTokenStatus' - userId: + description: The expiration date of the entitlement bundle + grantId: type: string - _embedded: - type: object - additionalProperties: - type: object - properties: {} readOnly: true + description: '`id` of the grant' + type: + $ref: '#/components/schemas/GovernanceSourceType' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - OAuthApplicationCredentials: - allOf: - - $ref: '#/components/schemas/ApplicationCredentials' - - type: object - properties: - oauthClient: - $ref: '#/components/schemas/ApplicationCredentialsOAuthClient' - OAuthEndpointAuthenticationMethod: + allOf: + - $ref: '#/components/schemas/LinksGovernanceResources' + - $ref: '#/components/schemas/LinksSelf' + required: + - type + - grantId + - resources + RolePermissionType: + description: Permission type type: string x-okta-known-values: - - client_secret_basic - - client_secret_jwt - - client_secret_post - - none - - private_key_jwt - OAuthGrantType: + - okta.apps.assignment.manage + - okta.apps.manage + - okta.apps.manageFirstPartyApps + - okta.apps.read + - okta.authzServers.manage + - okta.authzServers.read + - okta.customizations.manage + - okta.customizations.read + - okta.devices.lifecycle.activate + - okta.devices.lifecycle.deactivate + - okta.devices.lifecycle.delete + - okta.devices.lifecycle.manage + - okta.devices.lifecycle.suspend + - okta.devices.lifecycle.unsuspend + - okta.devices.manage + 
- okta.devices.read + - okta.governance.accessCertifications.manage + - okta.governance.accessRequests.manage + - okta.groups.appAssignment.manage + - okta.groups.create + - okta.groups.manage + - okta.groups.members.manage + - okta.groups.read + - okta.identityProviders.manage + - okta.identityProviders.read + - okta.profilesources.import.run + - okta.support.cases.manage + - okta.users.appAssignment.manage + - okta.users.create + - okta.users.credentials.expirePassword + - okta.users.credentials.manage + - okta.users.credentials.resetFactors + - okta.users.credentials.resetPassword + - okta.users.groupMembership.manage + - okta.users.lifecycle.activate + - okta.users.lifecycle.clearSessions + - okta.users.lifecycle.deactivate + - okta.users.lifecycle.delete + - okta.users.lifecycle.manage + - okta.users.lifecycle.suspend + - okta.users.lifecycle.unlock + - okta.users.lifecycle.unsuspend + - okta.users.manage + - okta.users.read + - okta.users.userprofile.manage + RoleType: + description: Standard role type type: string + x-enumDescriptions: + API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator + API_ADMIN: Access Management Administrator + APP_ADMIN: Application Administrator + CUSTOM: Custom label specified by the client + GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator + HELP_DESK_ADMIN: Help Desk Administrator + MOBILE_ADMIN: Mobile Administrator + ORG_ADMIN: Organizational Administrator + READ_ONLY_ADMIN: Read-Only Administrator + REPORT_ADMIN: Report Administrator + SUPER_ADMIN: Super Administrator + USER_ADMIN: Group Administrator + ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined Resource Sets) + ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined Resource Sets) <x-lifecycle class="ea"></x-lifecycle> x-okta-known-values: - - authorization_code - - client_credentials - - implicit - - interaction_code + - ACCESS_CERTIFICATIONS_ADMIN + - ACCESS_REQUESTS_ADMIN + - API_ACCESS_MANAGEMENT_ADMIN + - 
API_ADMIN + - APP_ADMIN + - CUSTOM + - GROUP_MEMBERSHIP_ADMIN + - HELP_DESK_ADMIN + - MOBILE_ADMIN + - ORG_ADMIN + - READ_ONLY_ADMIN + - REPORT_ADMIN + - SUPER_ADMIN + - USER_ADMIN + RotatePasswordRequest: + description: Rotate password request for the privileged account + type: object + properties: + password: + type: string + description: The password associated with the privileged resource + format: password + writeOnly: true + example: xf1bs9am2 + secretVersionId: + type: string + description: The version ID of the password secret from the OPA vault + minLength: 1 + maxLength: 36 + example: 9f8400-e29b-41d4-a716-926655440034 + required: - password - - refresh_token - OAuthResponseType: - type: string - x-okta-known-values: - - code - - id_token - - token - OktaSignOnPolicy: - allOf: - - $ref: '#/components/schemas/Policy' - - type: object - properties: - conditions: - $ref: '#/components/schemas/OktaSignOnPolicyConditions' - OktaSignOnPolicyConditions: - allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - - type: object - properties: - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - OktaSignOnPolicyFactorPromptMode: - type: string - x-okta-known-values: - - ALWAYS - - DEVICE - - SESSION - OktaSignOnPolicyRule: - allOf: - - $ref: '#/components/schemas/PolicyRule' - - type: object - properties: - actions: - $ref: '#/components/schemas/OktaSignOnPolicyRuleActions' - conditions: - $ref: '#/components/schemas/OktaSignOnPolicyRuleConditions' - OktaSignOnPolicyRuleActions: - allOf: - - $ref: '#/components/schemas/PolicyRuleActions' - - type: object - properties: - signon: - $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' - OktaSignOnPolicyRuleConditions: - allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - - type: object - properties: - authContext: - $ref: '#/components/schemas/PolicyRuleAuthContextCondition' - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: 
'#/components/schemas/PolicyPeopleCondition' - OktaSignOnPolicyRuleSignonActions: + - secretVersionId + SAMLHookResponse: type: object properties: - access: - $ref: '#/components/schemas/PolicyAccess' - factorLifetime: - type: integer - factorPromptMode: - $ref: '#/components/schemas/OktaSignOnPolicyFactorPromptMode' - rememberDeviceByDefault: - type: boolean - default: false - requireFactor: - type: boolean - default: false - session: - $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions' - OktaSignOnPolicyRuleSignonSessionActions: + commands: + description: |- + The `commands` object is where you tell Okta to add additional claims to the assertion or to modify the existing assertion statements. + + `commands` is an array, allowing you to send multiple commands. In each array element, include a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command. + In the case of the SAML assertion inline hook, the `value` property is itself a nested object, in which you specify a particular operation, a path to act on, and a value. + type: array + items: + type: object + properties: + type: + type: string + description: One of the supported commands `com.okta.assertion.patch` + value: + type: array + items: + type: object + properties: + op: + type: string + description: |- + The name of one of the supported ops: + `add`: Add a new claim to the assertion + `replace`: Modify any element of the assertion + > **Note:** If a response to the SAML assertion inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta process flow continues with the original SAML assertion returned. 
+ path: + type: string + description: Location, within the assertion, to apply the operation + value: + oneOf: + - type: string + - type: integer + - type: object + description: |- + The value of the claim that you add or replace, and can also include other attributes. If adding to a claim, add another `value` attribute residing within an array called `attributeValues`. + + See the following examples: + + #### Simple value (integer or string) + + `"value": 300` or `"value": "replacementString"` + + #### Attribute value (object) + + ` "value": { + "authContextClassRef": "replacementValue" + }` + + #### AttributeValues array value (object) + + ` "value": { + "attributes": { + "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" + }, + "attributeValues": [ + {"attributes": { + "xsi:type": "xs:string" + }, + "value": "4321"} + ] + }` + error: + description: |- + An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log. + The string supplied in the `errorSummary` property is recorded in the System Log event. + > **Note:** If the error object doesn't include the defined `errorSummary` property, the following common default message + is returned to the end user: `The callback service returned an error`. + + > **Note:** If a response to a SAML inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta SAML inline hook process continues, and the user is created. 
+ type: object + properties: + errorSummary: + description: A human-readable summary of the error + type: string + SAMLPayLoad: type: object properties: - maxSessionIdleMinutes: - type: integer - maxSessionLifetimeMinutes: - type: integer - usePersistentCookie: - type: boolean - default: false - OpenIdConnectApplication: + data: + type: object + properties: + context: + allOf: + - $ref: '#/components/schemas/BaseContext' + - type: object + properties: + protocol: + description: Details of the assertion protocol being used + type: object + properties: + type: + description: The type of authentication protocol being used for the assertion + type: string + example: SAML2.0 + issuer: + type: object + properties: + id: + description: The unique identifier of the issuer that provided the SAML assertion + type: string + example: 0oath92zlO60urQOP0g3 + name: + description: The name of the issuer that provided the SAML assertion + type: string + example: SAML 2.0 App + uri: + description: The base URI of the SAML endpoint that's used to assert the authorization + type: string + example: http://www.okta.com/exkth8lMzFm0HZOTU0g3 + assertion: + description: Details of the SAML assertion that was generated + type: object + properties: + subject: + description: Provides a JSON representation of the `<saml:Subject>` element of the SAML assertion + type: object + properties: + nameId: + description: The unique identifier of the user + type: string + example: user@example.com + nameFormat: + description: Indicates how to interpret the attribute name + type: string + example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + confirmation: + type: object + properties: + method: + description: Used to indicate how the authorization server confirmed the SAML assertion + type: string + example: urn:oasis:names:tc:SAML:2.0:cm:bearer + data: + type: object + properties: + recipient: + description: The token endpoint URL of the authorization server + type: string + example: 
http://www.example.com:7070/saml/sso + authentication: + description: Provides a JSON representation of the `<saml:AuthnStatement>` element of the SAML assertion + type: object + properties: + sessionIndex: + description: The unique identifier describing the assertion statement + type: string + example: id1553800523546.312669168 + authnContext: + description: Details of the authentication methods used for the SAML assertion + type: object + properties: + authnContextClassRef: + description: Describes the identity provider's supported authentication context classes + type: string + example: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + conditions: + description: Provides a JSON representation of the `<saml:Conditions>` element of the SAML assertion + type: object + properties: + audienceRestriction: + description: Describes which service providers the assertion is valid for + type: array + items: + type: string + example: + - urn:example:sp + claims: + description: Provides a JSON representation of the `<saml:AttributeStatement>` element contained in the generated SAML assertion. Contains any optional SAML attribute statements that you have defined for the app using the Admin Console's **SAML Settings**. 
+ type: object + additionalProperties: + type: object + properties: + attributes: + type: object + properties: + NameFormat: + type: string + description: Indicates how to interpret the attribute name + attributeValues: + type: array + items: + type: object + properties: + attributes: + type: object + properties: + xsi:type: + type: string + description: Used to derive the type of the attribute + value: + type: string + description: The actual value of the attribute + lifetime: + description: Specifies the expiration time, in seconds, of the SAML assertion + type: object + properties: + expiration: + description: The expiration time in seconds + type: integer + example: 300 + SAMLPayloadExecute: + description: SAML assertion inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/SAMLPayLoad' + SafeBrowsingProtectionLevel: + description: Represents the current value of the Safe Browsing protection level + example: ENHANCED_PROTECTION + type: string + x-enumDescriptions: + NO_SAFE_BROWSING: Safe Browsing is never active + STANDARD_PROTECTION: Safe Browsing is active in the standard mode + ENHANCED_PROTECTION: Safe Browsing is active in the enhanced mode + x-okta-known-values: + - ENHANCED_PROTECTION + - NO_SAFE_BROWSING + - STANDARD_PROTECTION + SalesforceApplication: + title: Salesforce + x-tags: + - Application x-okta-defined-as: - name: oidc_client + name: salesforce + example: + name: salesforce + label: Sample Salesforce App + signOnMode: SAML_2_0 + settings: + app: + instanceType: SANDBOX + integrationType: STANDARD + description: | + Schema for the Salesforce app (key name: `salesforce`) + + To create a Salesforce app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. 
+ > **Note:** The Salesforce app only supports `BROWSER_PLUGIN`, `BOOKMARK`, and `SAML_2_0` sign-on modes. allOf: - - $ref: '#/components/schemas/Application' + - $ref: '#/components/schemas/OINApplication' - type: object - properties: - credentials: - $ref: '#/components/schemas/OAuthApplicationCredentials' + - required: + - name + - label + - settings + properties: name: type: string - default: oidc_client + enum: + - salesforce + example: salesforce + signOnMode: + enum: + - BROWSER_PLUGIN + - BOOKMARK + - SAML_2_0 + example: BROWSER_PLUGIN settings: - $ref: '#/components/schemas/OpenIdConnectApplicationSettings' - OpenIdConnectApplicationConsentMethod: - type: string - x-okta-known-values: - - REQUIRED - - TRUSTED - OpenIdConnectApplicationIdpInitiatedLogin: - type: object - properties: - default_scope: - type: array - items: - type: string - mode: - type: string - OpenIdConnectApplicationIssuerMode: - type: string - x-okta-known-values: - - CUSTOM_URL - - DYNAMIC - - ORG_URL - OpenIdConnectApplicationSettings: + $ref: '#/components/schemas/SalesforceApplicationSettings' + SalesforceApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object + - required: + - app properties: - oauthClient: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClient' - OpenIdConnectApplicationSettingsClient: + app: + $ref: '#/components/schemas/SalesforceApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + SalesforceApplicationSettingsApplication: + description: Salesforce app instance properties type: object properties: - application_type: - $ref: '#/components/schemas/OpenIdConnectApplicationType' - client_uri: + instanceType: type: string - consent_method: - $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod' - grant_types: - type: array - items: - $ref: '#/components/schemas/OAuthGrantType' - idp_initiated_login: - $ref: 
'#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin' - initiate_login_uri: + description: Salesforce instance that you want to connect to + enum: + - SANDBOX + - PRODUCTION + - GOVERNMENT + integrationType: type: string - issuer_mode: - $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode' - jwks: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys' - logo_uri: + description: Salesforce integration type + enum: + - STANDARD + - PORTAL + - COMMUNITY + loginUrl: type: string - policy_uri: + description: The Login URL specified in your Salesforce Single Sign-On settings + logoutUrl: type: string - post_logout_redirect_uris: - type: array - items: - type: string - redirect_uris: + description: Salesforce Logout URL + required: + - integrationType + - instanceType + Saml: + description: SAML configuration details + type: object + properties: + acs: type: array + minItems: 1 + description: 'List of Assertion Consumer Service (ACS) URLs. The default ACS URL is required and is indicated by a null `index` value. You can use the org-level variables you defined in the `config` array in the URL. For example: `https://${org.subdomain}.example.com/saml/login`' items: - type: string - refresh_token: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken' - response_types: + type: object + properties: + index: + type: number + minimum: 0 + maximum: 65535 + description: Index of ACS URL. You can't reuse the same index in the ACS URL array. 
+ example: 0 + url: + type: string + format: uri + maxLength: 1024 + description: Assertion Consumer Service (ACS) URL + example: https://${org.subdomain}.example.com/saml/login + claims: type: array + description: Attribute statements to appear in the Okta SAML assertion items: - $ref: '#/components/schemas/OAuthResponseType' - tos_uri: + type: object + properties: + name: + type: string + description: The attribute name + example: Address + values: + type: array + description: The Okta values inserted in the attribute statement + items: + type: string + example: ${user.homeAddress} + doc: type: string - wildcard_redirect: + format: uri + description: The URL to your customer-facing instructions for configuring your SAML integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). + example: https://example.com/strawberry/help/samlSetup + entityId: type: string - OpenIdConnectApplicationSettingsClientKeys: - type: object - properties: - keys: + description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP) URL. + example: https://${org.subdomain}.example.com + groups: type: array + description: Defines the group attribute names for the SAML assertion statement. Okta inserts the list of Okta user groups into the attribute names in the statement. 
items: - $ref: '#/components/schemas/JsonWebKey' - OpenIdConnectApplicationSettingsRefreshToken: - type: object - properties: - leeway: - type: integer - rotation_type: - $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType' - OpenIdConnectApplicationType: - type: string - x-okta-known-values: - - browser - - native - - service - - web - OpenIdConnectRefreshTokenRotationType: - type: string - x-okta-known-values: - - ROTATE - - STATIC - OperationalStatus: - description: Operational status of a given agent - type: string - x-okta-known-values: - - DEGRADED - - DISRUPTED - - INACTIVE - - OPERATIONAL - OrgContactType: - type: string - x-okta-known-values: - - BILLING - - TECHNICAL - OrgContactTypeObj: - type: object - properties: - contactType: - $ref: '#/components/schemas/OrgContactType' - _links: - additionalProperties: - type: object - OrgContactUser: + type: string + description: A group attribute name in your SAML app + example: groups + required: + - acs + - entityId + - doc + Saml11Application: + allOf: + - $ref: '#/components/schemas/Application' + - type: object + properties: + credentials: + $ref: '#/components/schemas/ApplicationCredentials' + name: + type: string + description: The key name for the SAML 1.1 app definition. You can't create a custom SAML 1.1 app integration instance. Only existing OIN SAML 1.1 app integrations are supported. 
+ settings: + $ref: '#/components/schemas/Saml11ApplicationSettings' + required: + - name + Saml11ApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + app: + type: object + additionalProperties: true + signOn: + $ref: '#/components/schemas/Saml11ApplicationSettingsSignOn' + Saml11ApplicationSettingsSignOn: + title: SAML 1.1 settings + description: SAML 1.1 sign-on mode attributes type: object properties: - userId: + audienceOverride: type: string - _links: - additionalProperties: - type: object - readOnly: true - type: object - OrgOktaCommunicationSetting: + description: The intended audience of the SAML assertion. This is usually the Entity ID of your application. + defaultRelayState: + type: string + description: The URL of the resource to direct users after they successfully sign in to the SP using SAML. See the SP documentation to check if you need to specify a RelayState. In most instances, you can leave this field blank. + recipientOverride: + type: string + description: The location where the application can present the SAML assertion. This is usually the Single Sign-On (SSO) URL. + ssoAcsUrlOverride: + type: string + description: Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests. 
+ SamlAcsEndpoint: + description: Okta's `SPSSODescriptor` endpoint where the IdP sends a `<SAMLResponse>` message type: object properties: - optOutEmailUsers: - type: boolean - readOnly: true - _links: - additionalProperties: - type: object - OrgOktaSupportSetting: - type: string - x-okta-known-values: - - DISABLED - - ENABLED - OrgOktaSupportSettingsObj: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + type: + $ref: '#/components/schemas/SamlEndpointType' + SamlAlgorithms: + description: Settings for signing and verifying SAML messages type: object properties: - expiration: - format: date-time - type: string - readOnly: true - support: - $ref: '#/components/schemas/OrgOktaSupportSetting' - _links: - additionalProperties: - type: object - OrgPreferences: + request: + $ref: '#/components/schemas/SamlRequestAlgorithm' + response: + $ref: '#/components/schemas/SamlResponseAlgorithm' + SamlApplication: + allOf: + - $ref: '#/components/schemas/Application' + - type: object + properties: + credentials: + $ref: '#/components/schemas/ApplicationCredentials' + name: + type: string + description: A unique key is generated for the custom app instance when you use SAML_2_0 `signOnMode`. + readOnly: true + settings: + $ref: '#/components/schemas/SamlApplicationSettings' + SamlApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + signOn: + $ref: '#/components/schemas/SamlApplicationSettingsSignOn' + SamlApplicationSettingsSignOn: + description: |- + SAML 2.0 sign-on attributes. + > **Note:** Set either `destinationOverride` or `ssoAcsUrl` to configure any other SAML 2.0 attributes in this section. type: object properties: - showEndUserFooter: + acsEndpoints: + type: array + description: An array of ACS endpoints. You can configure a maximum of 100 endpoints. 
+ items: + $ref: '#/components/schemas/AcsEndpoint' + allowMultipleAcsEndpoints: + description: Determines whether the app allows you to configure multiple ACS URIs type: boolean - readOnly: true - _links: - additionalProperties: - type: object - OrgSetting: - type: object - properties: - address1: - type: string - address2: + assertionSigned: + type: boolean + description: Determines whether the SAML assertion is digitally signed + attributeStatements: + type: array + description: | + A list of custom attribute statements for the app's SAML assertion. See [SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html). + + There are two types of attribute statements: + | Type | Description | + | ---- | ----------- | + | EXPRESSION | Generic attribute statement that can be dynamic and supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/) | + | GROUP | Group attribute statement | + items: + $ref: '#/components/schemas/SamlAttributeStatement' + audience: type: string - city: + description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP. + audienceOverride: type: string - companyName: + description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). 
+ authnContextClassRef: type: string - country: + description: Identifies the SAML authentication context class for the assertion's authentication statement + enum: + - urn:federation:authentication:windows + - oasis:names:tc:SAML:2.0:ac:classes:Kerberos + - urn:oasis:names:tc:SAML:2.0:ac:classes:Password + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + - urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient + - urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + - urn:oasis:names:tc:SAML:2.0:ac:classes:X509 + x-enumDescriptions: + urn:federation:authentication:windows: Integrated Windows Authentication + oasis:names:tc:SAML:2.0:ac:classes:Kerberos: Kerberos + urn:oasis:names:tc:SAML:2.0:ac:classes:Password: Password + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport: PasswordProtectedTransport + urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient: TLS Client + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified: Unspecified + urn:oasis:names:tc:SAML:2.0:ac:classes:X509: X509 Certificate + configuredAttributeStatements: + type: array + description: | + The list of dynamic attribute statements for the SAML assertion inherited from app metadata (apps from the OIN) during app creation. + + There are two types of attribute statements: `EXPRESSION` and `GROUP`. + items: + $ref: '#/components/schemas/SamlAttributeStatement' + defaultRelayState: type: string - created: - format: date-time - readOnly: true + description: Identifies a specific application resource in an IdP-initiated SSO scenario + destination: type: string - endUserSupportHelpURL: + description: Identifies the location inside the SAML assertion where the SAML response should be sent + destinationOverride: type: string - expiresAt: - format: date-time - readOnly: true + description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). 
+ digestAlgorithm: type: string - id: - readOnly: true + description: Determines the digest algorithm used to digitally sign the SAML assertion and response + enum: + - SHA1 + - SHA256 + honorForceAuthn: + type: boolean + description: Set to `true` to prompt users for their credentials when a SAML request has the `ForceAuthn` attribute set to `true` + idpIssuer: type: string - lastUpdated: - format: date-time - readOnly: true + description: SAML Issuer ID + inlineHooks: + description: Associates the app with SAML inline hooks. See [the SAML assertion inline hook reference](https://developer.okta.com/docs/reference/saml-hook/). + items: + $ref: '#/components/schemas/SignOnInlineHook' + type: array + participateSlo: + $ref: '#/components/schemas/SloParticipate' + recipient: + description: The location where the app may present the SAML assertion type: string - phoneNumber: + recipientOverride: type: string - postalCode: + description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + requestCompressed: + type: boolean + description: Determines whether the SAML request is expected to be compressed + responseSigned: + type: boolean + description: |- + Determines whether the SAML authentication response message is digitally signed by the IdP + > **Note:** Either (or both) `responseSigned` or `assertionSigned` must be `TRUE`. 
+ samlAssertionLifetimeSeconds: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: integer + description: Determines the SAML app session lifetimes with Okta + example: 3600 + signatureAlgorithm: type: string - state: + description: Determines the signing algorithm used to digitally sign the SAML assertion and response + enum: + - RSA_SHA1 + - RSA_SHA256 + slo: + $ref: '#/components/schemas/SingleLogout' + spCertificate: + $ref: '#/components/schemas/SamlSpCertificate' + spIssuer: type: string - status: - readOnly: true + description: The issuer ID for the Service Provider. This property appears when SLO is enabled. + ssoAcsUrl: type: string - subdomain: - readOnly: true + description: Single Sign-On Assertion Consumer Service (ACS) URL + ssoAcsUrlOverride: type: string - supportPhoneNumber: + description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + subjectNameIdFormat: type: string - website: + description: 'Identifies the SAML processing rules. 
Supported values:' + enum: + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName + x-enumDescriptions: + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Email Address + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Persistent + urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Transient + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: Unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName: x509SubjectName + subjectNameIdTemplate: type: string - _links: - additionalProperties: - type: object - PasswordCredential: + description: Template for app user's username when a user is assigned to the app + required: + - allowMultipleAcsEndpoints + - assertionSigned + - audience + - authnContextClassRef + - destination + - digestAlgorithm + - honorForceAuthn + - idpIssuer + - recipient + - requestCompressed + - responseSigned + - signatureAlgorithm + - ssoAcsUrl + - subjectNameIdFormat + - subjectNameIdTemplate + SamlAttributeStatement: + anyOf: + - $ref: '#/components/schemas/SamlAttributeStatementExpression' + - $ref: '#/components/schemas/SamlAttributeStatementGroup' type: object properties: - hash: - $ref: '#/components/schemas/PasswordCredentialHash' - hook: - $ref: '#/components/schemas/PasswordCredentialHook' - value: + type: type: string - format: password - PasswordCredentialHash: + description: The type of attribute statements object + enum: + - EXPRESSION + - GROUP + discriminator: + propertyName: type + mapping: + EXPRESSION: '#/components/schemas/SamlAttributeStatementExpression' + GROUP: '#/components/schemas/SamlAttributeStatementGroup' + SamlAttributeStatementExpression: + description: Generic `EXPRESSION` attribute statements type: object properties: - algorithm: - $ref: 
'#/components/schemas/PasswordCredentialHashAlgorithm' - salt: + name: type: string - saltOrder: + description: The name of the attribute in your app. The attribute name must be unique across all user and group attribute statements. + example: attributeOne + namespace: type: string - value: + description: 'The name format of the attribute. Supported values:' + enum: + - urn:oasis:names:tc:SAML:2.0:attrname-format:basic + - urn:oasis:names:tc:SAML:2.0:attrname-format:uri + - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + x-enumDescriptions: + urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic + urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference + urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified + example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + type: type: string - workFactor: - type: integer - PasswordCredentialHashAlgorithm: - type: string - x-okta-known-values: - - BCRYPT - - MD5 - - SHA-1 - - SHA-256 - - SHA-512 - PasswordCredentialHook: + description: The type of attribute statements object + example: EXPRESSION + values: + type: array + description: The attribute values (supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/)) + items: + type: string + example: ValueOne + SamlAttributeStatementGroup: + description: '`GROUP` attribute statements' type: object properties: + filterType: + type: string + description: The operation to filter groups based on `filterValue` + enum: + - STARTS_WITH + - EQUALS + - CONTAINS + - REGEX + filterValue: + type: string + description: Filter the groups based on a specific value. + example: Team + name: + type: string + description: The name of the group attribute in your app. The attribute name must be unique across all user and group attribute statements. + namespace: + type: string + description: 'The name format of the group attribute. 
Supported values:' + enum: + - urn:oasis:names:tc:SAML:2.0:attrname-format:basic + - urn:oasis:names:tc:SAML:2.0:attrname-format:uri + - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + x-enumDescriptions: + urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic + urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference + urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified + example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic type: type: string - PasswordDictionary: - type: object - properties: - common: - $ref: '#/components/schemas/PasswordDictionaryCommon' - PasswordDictionaryCommon: + description: The type of attribute statements object + example: GROUP + SamlCredentials: + description: Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP type: object properties: - exclude: - type: boolean - default: false - PasswordExpirationPolicyRuleCondition: + signing: + $ref: '#/components/schemas/SamlSigningCredentials' + trust: + $ref: '#/components/schemas/SamlTrustCredentials' + SamlEndpointType: + description: Determines whether to publish an instance-specific (trust) or organization (shared) ACS endpoint in the SAML metadata + default: INSTANCE + type: string + x-okta-known-values: + - INSTANCE + - ORG + SamlEndpoints: + description: SAML 2.0 HTTP binding settings for IdP and SP (Okta) type: object properties: - number: - type: integer - unit: - type: string - PasswordPolicy: - allOf: - - $ref: '#/components/schemas/Policy' - - type: object - properties: - conditions: - $ref: '#/components/schemas/PasswordPolicyConditions' - settings: - $ref: '#/components/schemas/PasswordPolicySettings' - PasswordPolicyAuthenticationProviderCondition: + acs: + $ref: '#/components/schemas/SamlAcsEndpoint' + sso: + $ref: '#/components/schemas/SamlSsoEndpoint' + SamlNameIdFormat: + description: SAML 2.0 Name Identifier formats + default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + type: 
string + x-okta-known-values: + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + SamlRelayState: + description: Relay state settings for IdP type: object properties: - include: - type: array - items: - type: string - provider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderType' - PasswordPolicyAuthenticationProviderType: + format: + $ref: '#/components/schemas/SamlRelayStateFormat' + SamlRelayStateFormat: + description: The format used to generate the `relayState` in the SAML request. The `FROM_URL` format is used if this value is null. type: string x-okta-known-values: - - ACTIVE_DIRECTORY - - ANY - - LDAP - - OKTA - PasswordPolicyConditions: - allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - - type: object - properties: - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - PasswordPolicyDelegationSettings: + - FROM_URL + - OPAQUE + SamlRequestAlgorithm: + description: Algorithm settings used to secure an `<AuthnRequest>` message type: object properties: - options: - $ref: '#/components/schemas/PasswordPolicyDelegationSettingsOptions' - PasswordPolicyDelegationSettingsOptions: + signature: + $ref: '#/components/schemas/SamlRequestSignatureAlgorithm' + SamlRequestSignatureAlgorithm: + description: |- + XML digital Signature Algorithm settings for signing `<AuthnRequest>` messages sent to the IdP + > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`). 
type: object properties: - skipUnlock: - type: boolean - PasswordPolicyPasswordSettings: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + SamlResponseAlgorithm: + description: Algorithm settings for verifying `<SAMLResponse>` messages and `<Assertion>` elements from the IdP type: object properties: - age: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsAge' - complexity: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsComplexity' - lockout: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout' - PasswordPolicyPasswordSettingsAge: + signature: + $ref: '#/components/schemas/SamlResponseSignatureAlgorithm' + SamlResponseSignatureAlgorithm: + description: XML digital Signature Algorithm settings for verifying `<SAMLResponse>` messages and `<Assertion>` elements from the IdP type: object properties: - expireWarnDays: - type: integer - historyCount: - type: integer - maxAgeDays: - type: integer - minAgeMinutes: - type: integer - PasswordPolicyPasswordSettingsComplexity: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmResponseScope' + SamlSettings: + description: Advanced settings for the SAML 2.0 protocol type: object properties: - dictionary: - $ref: '#/components/schemas/PasswordDictionary' - excludeAttributes: - type: array - items: - type: string - excludeUsername: + honorPersistentNameId: type: boolean + description: Determines if the IdP should persist account linking when the incoming assertion NameID format is `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` default: true - minLength: - type: integer - minLowerCase: - type: integer - minNumber: - type: integer - minSymbol: - type: integer - minUpperCase: - type: integer - PasswordPolicyPasswordSettingsLockout: + nameFormat: + $ref: '#/components/schemas/SamlNameIdFormat' + SamlSigningAlgorithm: + example: 
SHA-256 + type: string + x-okta-known-values: + - SHA-1 + - SHA-256 + SamlSigningCredentials: + description: Key used for signing requests to the IdP type: object properties: - autoUnlockMinutes: - type: integer - maxAttempts: - type: integer - showLockoutFailures: - type: boolean - userLockoutNotificationChannels: + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + SamlSpCertificate: + description: The certificate that Okta uses to validate Single Logout (SLO) requests and responses + type: object + properties: + x5c: type: array + description: A list that contains exactly one x509 encoded certificate items: type: string - PasswordPolicyRecoveryEmail: - type: object - properties: - properties: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmailProperties' - status: - $ref: '#/components/schemas/LifecycleStatus' - PasswordPolicyRecoveryEmailProperties: - type: object - properties: - recoveryToken: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmailRecoveryToken' - PasswordPolicyRecoveryEmailRecoveryToken: - type: object - properties: - tokenLifetimeMinutes: - type: integer - PasswordPolicyRecoveryFactorSettings: - type: object - properties: - status: - $ref: '#/components/schemas/LifecycleStatus' - PasswordPolicyRecoveryFactors: + SamlSsoEndpoint: + description: IdP's `SingleSignOnService` endpoint where Okta sends an `<AuthnRequest>` message type: object properties: - okta_call: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' - okta_email: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmail' - okta_sms: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' - recovery_question: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestion' - PasswordPolicyRecoveryQuestion: - type: object - properties: - properties: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionProperties' - status: - $ref: '#/components/schemas/LifecycleStatus' - PasswordPolicyRecoveryQuestionComplexity: - type: object - 
properties: - minLength: - type: integer - readOnly: true - PasswordPolicyRecoveryQuestionProperties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + destination: + type: string + description: |- + URI reference that indicates the address to which the `<AuthnRequest>` message is sent. + The `destination` property is required if request signatures are specified. See [SAML 2.0 Request Algorithm object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=protocol/0/algorithms/request&t=request). + maxLength: 512 + example: https://idp.example.com/saml2/sso + url: + type: string + description: |- + URL of the binding-specific endpoint to send an `<AuthnRequest>` message to the IdP. + The value of `url` defaults to the same value as the `sso` endpoint if omitted during creation of a new IdP instance. + The `url` should be the same value as the `Location` attribute for a published binding in the IdP's SAML Metadata `IDPSSODescriptor`. 
+ maxLength: 1014 + example: https://idp.example.com/saml2/sso + SamlTrustCredentials: + description: Federation Trust Credentials for verifying assertions from the IdP type: object - properties: - complexity: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionComplexity' - PasswordPolicyRecoverySettings: + properties: + audience: + type: string + description: URI that identifies the target Okta IdP instance (SP) for an `<Assertion>` + maxLength: 1024 + example: https://www.okta.com/saml2/service-provider/spgv32vOnpdyeGSaiUpL + issuer: + type: string + description: URI that identifies the issuer (IdP) of a `<SAMLResponse>` message `<Assertion>` element + maxLength: 1024 + example: urn:example:idp + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + ScheduledUserLifecycleAction: type: object properties: - factors: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactors' - PasswordPolicyRule: + status: + $ref: '#/components/schemas/PolicyUserStatus' + SchemeApplicationCredentials: allOf: - - $ref: '#/components/schemas/PolicyRule' + - $ref: '#/components/schemas/ApplicationCredentials' - type: object properties: - actions: - $ref: '#/components/schemas/PasswordPolicyRuleActions' - conditions: - $ref: '#/components/schemas/PasswordPolicyRuleConditions' - PasswordPolicyRuleAction: + password: + $ref: '#/components/schemas/PasswordCredential' + revealPassword: + type: boolean + description: Allow users to securely see their password + scheme: + $ref: '#/components/schemas/ApplicationCredentialsScheme' + signing: + $ref: '#/components/schemas/ApplicationCredentialsSigning' + userName: + type: string + description: Shared username for the app + minLength: 1 + maxLength: 100 + Scope: + type: string + ScopeResourceHrefObject: type: object properties: - access: - $ref: '#/components/schemas/PolicyAccess' - PasswordPolicyRuleActions: + href: + type: string + description: Link URI + example: 
https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scpCmCCV1DpxVkCaye2X + title: + type: string + description: Link name + example: My phone + ScreenLockComplexity: + description: | + Indicates whether a device has a screen lock set, and the type or complexity of the screen lock + + **Note:** This option requires a `screenLockType.include` value. + type: string + x-enumDescriptions: + LOW: A pattern or PIN is set + MEDIUM: A complex PIN, or alphabetic or alphanumeric screen lock with at least 4 digits is set + HIGH: A complex 8-digit PIN, or 6-character alphabetic or alphanumeric screen lock is set + x-okta-known-values: + - HIGH + - LOW + - MEDIUM + ScreenLockType: + type: string + x-okta-known-values: + - BIOMETRIC + - NONE + - PASSCODE + SecurePasswordStoreApplication: + x-okta-defined-as: + name: template_sps allOf: - - $ref: '#/components/schemas/PolicyRuleActions' + - $ref: '#/components/schemas/Application' - type: object properties: - passwordChange: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServicePasswordReset: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServiceUnlock: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - PasswordPolicyRuleConditions: + credentials: + $ref: '#/components/schemas/SchemeApplicationCredentials' + name: + type: string + description: '`template_sps` is the key name for a SWA app instance that uses HTTP POST and doesn''t require a browser plugin' + enum: + - template_sps + settings: + $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings' + required: + - name + - settings + SecurePasswordStoreApplicationSettings: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' + - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - PasswordPolicySettings: + app: + $ref: 
'#/components/schemas/SecurePasswordStoreApplicationSettingsApplication' + SecurePasswordStoreApplicationSettingsApplication: type: object properties: - delegation: - $ref: '#/components/schemas/PasswordPolicyDelegationSettings' - password: - $ref: '#/components/schemas/PasswordPolicyPasswordSettings' - recovery: - $ref: '#/components/schemas/PasswordPolicyRecoverySettings' - PasswordSettingObject: + optionalField1: + type: string + description: Name of the optional parameter in the sign-in form + optionalField1Value: + type: string + description: Name of the optional value in the sign-in form + optionalField2: + type: string + description: Name of the optional parameter in the sign-in form + optionalField2Value: + type: string + description: Name of the optional value in the sign-in form + optionalField3: + type: string + description: Name of the optional parameter in the sign-in form + optionalField3Value: + type: string + description: Name of the optional value in the sign-in form + passwordField: + type: string + description: CSS selector for the **Password** field in the sign-in form + url: + type: string + description: The URL of the sign-in page for this app + usernameField: + type: string + description: CSS selector for the **Username** field in the sign-in form + required: + - passwordField + - url + - usernameField + SecurityEvent: type: object properties: - change: - $ref: '#/components/schemas/ChangeEnum' - seed: - $ref: '#/components/schemas/SeedEnum' - status: - $ref: '#/components/schemas/EnabledStatus' - Platform: - type: string - x-okta-known-values: - - ANDROID - - IOS - - MACOS - - WINDOWS - PlatformConditionEvaluatorPlatform: + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + SecurityEventReason: type: object properties: - os: - $ref: 
'#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem' - type: - $ref: '#/components/schemas/PolicyPlatformType' - PlatformConditionEvaluatorPlatformOperatingSystem: + en: + type: string + description: The event reason in English + example: Event message example + required: + - en + SecurityEventSubject: + description: The event subjects + properties: + device: + type: object + description: The device involved with the event + tenant: + type: object + description: The tenant involved with the event + user: + type: object + description: The user involved with the event + SecurityEventTokenError: + title: Security Event Token Error + description: Error object thrown when parsing the Security Event Token type: object properties: - expression: + description: type: string - type: - $ref: '#/components/schemas/PolicyPlatformOperatingSystemType' - version: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion' - PlatformConditionEvaluatorPlatformOperatingSystemVersion: + description: | + Describes the error + > **Note:** SET claim fields with underscores (snake case) are presented in camelcase. For example, `previous_status` appears as `previousStatus`. + example: 'Failed claim validation in security event token. 
''events.mediationDeviceComplianceChangeEvent.previousStatus'': The field cannot be left blank' + err: + type: string + description: A code that describes the category of the error + example: invalid_request + enum: + - authentication_failed + - invalid_audience + - invalid_issuer + - invalid_key + - invalid_request + SecurityEventTokenRequestJwtBody: + title: Security Event Token JWT body payload + x-tags: + - SSFSecurityEventToken + description: JSON Web Token body payload for a Security Event Token type: object properties: - matchType: - $ref: '#/components/schemas/PlatformConditionOperatingSystemVersionMatchType' - value: + aud: type: string - PlatformConditionOperatingSystemVersionMatchType: - type: string - x-okta-known-values: - - EXPRESSION - - SEMVER - PlatformPolicyRuleCondition: + description: Audience + example: https://receiverexample.okta.com/ + events: + $ref: '#/components/schemas/SecurityEventTokenRequestJwtEvents' + iat: + type: integer + format: int64 + description: Token issue time (UNIX timestamp) + example: 1702448550 + iss: + type: string + description: Token issuer + example: https://transmitter.example.com + jti: + type: string + description: Token ID + example: 24c63fb56f ... 
a9fa24 + required: + - iss + - aud + - jti + - iat + - events + SecurityEventTokenRequestJwtEvents: + description: A non-empty collection of events type: object properties: - exclude: - type: array - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - include: - type: array - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - Policy: + https://schemas.okta.com/secevent/okta/event-type/device-risk-change: + $ref: '#/components/schemas/OktaDeviceRiskChangeEvent' + https://schemas.okta.com/secevent/okta/event-type/ip-change: + $ref: '#/components/schemas/OktaIpChangeEvent' + https://schemas.okta.com/secevent/okta/event-type/user-risk-change: + $ref: '#/components/schemas/OktaUserRiskChangeEvent' + https://schemas.openid.net/secevent/caep/event-type/device-compliance-change: + $ref: '#/components/schemas/CaepDeviceComplianceChangeEvent' + https://schemas.openid.net/secevent/caep/event-type/session-revoked: + $ref: '#/components/schemas/CaepSessionRevokedEvent' + https://schemas.openid.net/secevent/risc/event-type/identifier-changed: + $ref: '#/components/schemas/RiscIdentifierChangedEvent' + SecurityEventTokenRequestJwtHeader: + title: Security Event Token JWT header + x-tags: + - SSFSecurityEventToken + description: JSON Web Token header for a Security Event Token type: object properties: - created: + alg: type: string - format: date-time - readOnly: true - description: + description: Algorithm used to sign or encrypt the JWT + example: RS256 + kid: type: string - id: + description: Key ID used to sign or encrypt the JWT + typ: type: string - readOnly: true - lastUpdated: + description: The type of content being signed or encrypted + example: secevent+jwt + required: + - kid + - typ + - alg + SecurityEventsProviderRequest: + title: Security Events Provider Request + description: The request schema for creating or updating a Security Events Provider. The `settings` must match one of the schemas. 
+ type: object + properties: + name: + description: The name of the Security Events Provider instance + type: string + maxLength: 100 + example: Target SSF Provider + settings: + type: object + description: Information about the Security Events Provider for signal ingestion + oneOf: + - $ref: '#/components/schemas/SecurityEventsProviderSettingsSSFCompliant' + - $ref: '#/components/schemas/SecurityEventsProviderSettingsNonSSFCompliant' + type: + description: The application type of the Security Events Provider + maxLength: 255 + type: string + example: okta + required: + - name + - settings + - type + SecurityEventsProviderResponse: + title: Security Events Provider Response + description: The Security Events Provider response + type: object + properties: + id: + description: The unique identifier of this instance type: string - format: date-time readOnly: true + example: sse1qg25RpusjUP6m0g5 name: + description: The name of the Security Events Provider instance type: string - priority: - type: integer + maxLength: 100 + example: Target SSF Provider + settings: + description: Information about the Security Events Provider for signal ingestion + $ref: '#/components/schemas/SecurityEventsProviderSettingsResponse' status: - $ref: '#/components/schemas/LifecycleStatus' - system: - type: boolean - type: - $ref: '#/components/schemas/PolicyType' - _embedded: - type: object - additionalProperties: - type: object - properties: {} + description: Indicates whether the Security Events Provider is active or not + type: string + enum: + - ACTIVE + - INACTIVE readOnly: true + type: + description: The application type of the Security Events Provider + maxLength: 255 + type: string + example: okta _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - discriminator: - propertyName: type - mapping: - ACCESS_POLICY: '#/components/schemas/AccessPolicy' - IDP_DISCOVERY: '#/components/schemas/IdentityProviderPolicy' - MFA_ENROLL: 
'#/components/schemas/MultifactorEnrollmentPolicy' - OAUTH_AUTHORIZATION_POLICY: '#/components/schemas/AuthorizationServerPolicy' - OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' - PASSWORD: '#/components/schemas/PasswordPolicy' - PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' - PolicyAccess: - type: string - x-okta-known-values: - - ALLOW - - DENY - PolicyAccountLink: - type: object - properties: - action: - $ref: '#/components/schemas/PolicyAccountLinkAction' - filter: - $ref: '#/components/schemas/PolicyAccountLinkFilter' - PolicyAccountLinkAction: - type: string - x-okta-known-values: - - AUTO - - DISABLED - PolicyAccountLinkFilter: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + SecurityEventsProviderSettingsNonSSFCompliant: + title: Provider with issuer and JWKS settings + description: Security Events Provider with issuer and JWKS settings for signal ingestion type: object properties: - groups: - $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' - PolicyAccountLinkFilterGroups: + issuer: + type: string + description: Issuer URL + maxLength: 700 + example: example.okta.com + jwks_url: + type: string + format: url + description: The public URL where the JWKS public key is uploaded + maxLength: 1000 + example: https://example.okta.com/oauth2/v1/keys + required: + - jwks_url + - issuer + SecurityEventsProviderSettingsResponse: + title: Security Events Provider settings + description: Security Events Provider settings type: object properties: - include: - type: array - items: - type: string - PolicyNetworkCondition: + issuer: + type: string + description: Issuer URL + maxLength: 700 + example: example.okta.com + jwks_url: + type: string + format: url + description: The public URL where the JWKS public key is uploaded + maxLength: 1000 + example: https://example.okta.com/oauth2/v1/keys + well_known_url: + type: string + format: url + description: The well-known URL of the Security Events Provider (the SSF transmitter) + 
nullable: true + maxLength: 1000 + example: https://example.okta.com/.well-known/ssf-configuration + SecurityEventsProviderSettingsSSFCompliant: + title: Provider with well-known URL setting + description: Security Events Provider with well-known URL setting type: object properties: - connection: - $ref: '#/components/schemas/PolicyNetworkConnection' - exclude: - type: array - items: - type: string - include: - type: array - items: - type: string - PolicyNetworkConnection: + well_known_url: + type: string + format: url + description: The published well-known URL of the Security Events Provider (the SSF transmitter) + maxLength: 1000 + example: https://example.okta.com/.well-known/ssf-configuration + required: + - well_known_url + SeedEnum: + description: Determines whether the generated password is the user's Okta password or a randomly generated password + default: RANDOM + example: OKTA type: string x-okta-known-values: - - ANYWHERE - - ZONE - PolicyPeopleCondition: + - OKTA + - RANDOM + SelfServicePasswordResetAction: + description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset type: object properties: - groups: - $ref: '#/components/schemas/GroupCondition' - users: - $ref: '#/components/schemas/UserCondition' - PolicyPlatformOperatingSystemType: - type: string - x-okta-known-values: - - ANDROID - - ANY - - IOS - - OSX - - OTHER - - WINDOWS - PolicyPlatformType: - type: string - x-okta-known-values: - - ANY - - DESKTOP - - MOBILE - - OTHER - PolicyRule: + access: + $ref: '#/components/schemas/PolicyAccess' + requirement: + $ref: '#/components/schemas/SsprRequirement' + type: + type: string + description: <x-lifecycle class="oie"></x-lifecycle> The type of rule action + enum: + - selfServicePasswordReset + Session: type: object properties: - created: + amr: + type: array + readOnly: true + description: Authentication method reference + items: + $ref: 
'#/components/schemas/SessionAuthenticationMethod' + createdAt: + type: string + format: date-time + readOnly: true + expiresAt: type: string format: date-time readOnly: true + description: A timestamp when the Session expires id: type: string - lastUpdated: + readOnly: true + description: A unique key for the Session + idp: + $ref: '#/components/schemas/SessionIdentityProvider' + lastFactorVerification: type: string format: date-time readOnly: true - name: + description: A timestamp when the user last performed multifactor authentication + lastPasswordVerification: type: string - priority: - type: integer + format: date-time + readOnly: true + description: A timestamp when the user last performed the primary or step-up authentication with a password + login: + type: string + readOnly: true + description: A unique identifier for the user (username) status: - $ref: '#/components/schemas/LifecycleStatus' - system: - type: boolean - default: false - type: - $ref: '#/components/schemas/PolicyRuleType' - discriminator: - propertyName: type - mapping: - ACCESS_POLICY: '#/components/schemas/AccessPolicyRule' - PASSWORD: '#/components/schemas/PasswordPolicyRule' - PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule' - RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule' - SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' - PolicyRuleActions: - type: object - properties: - enroll: - $ref: '#/components/schemas/PolicyRuleActionsEnroll' - idp: - $ref: '#/components/schemas/IdpPolicyRuleAction' - passwordChange: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServicePasswordReset: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServiceUnlock: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - signon: - $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' - PolicyRuleActionsEnroll: - type: object - properties: - self: - $ref: '#/components/schemas/PolicyRuleActionsEnrollSelf' - 
PolicyRuleActionsEnrollSelf: + $ref: '#/components/schemas/SessionStatus' + description: Current Session status + userId: + type: string + readOnly: true + description: A unique key for the user + _links: + $ref: '#/components/schemas/LinksSelf' + SessionAuthenticationMethod: type: string + x-enumDescriptions: + pwd: Password authentication. **Inline hook value:** `PASSWORD` **Example:** Standard password-based sign-in + swk: Proof-of-possession (PoP) of a software key. **Inline hook value:** `POP_SOFTWARE_KEY` **Example:** Okta Verify with Push + hwk: Proof-of-possession (PoP) of a hardware key. **Inline hook value:** `POP_HARDWARE_KEY` **Example:** Yubikey factor + opt: One-time password. **Inline hook value:** `ONE_TIME_PASSWORD`. **Example:** Okta Verify, Google Authenticator + sms: SMS text message to the user at a registered number. **Inline hook value:** `SMS_MESSAGE`. **Example:** SMS factor + tel: Telephone call to the user at a registered number. **Inline hook value:** `TELEPHONE_CALL`. **Example:** Phone call factor + geo: Use of geo-location information. **Inline hook value:** `GEOLOCATION`. **Example:** IP Trust and Network Zone policy conditions + fpt: Fingerprint biometric authentication. **Inline hook value:** `BIO_FINGERPRINT`. **Example:** Okta Verify with Touch ID + kba: Knowledge-based authentication. **Inline hook value:** `KNOWLEDGE_BASED_AUTHENTICATION`. **Example:** Security Question factor + mfa: Multifactor authentication. **Inline hook value:** `MULTIFACTOR_AUTHENTICATION`. **Example:** This value is present whenever any MFA factor verification is performed. + mca: Multiple-channel authentication. **Inline hook value:** `MULTIPLE_CHANNEL_AUTHENTICATION`. **Example:** Authentication requires communication over more than one channel, such as Internet and mobile network + sc: Smart card authentication. **Inline hook value:** `SMART_CARD. 
**Example:** User authenticated using a smart card, such as a Personal Identity Verification (PIV) card or Common Access Card (CAC) x-okta-known-values: - - CHALLENGE - - LOGIN - - NEVER - PolicyRuleAuthContextCondition: + - fpt + - geo + - hwk + - kba + - mca + - mfa + - otp + - pwd + - sc + - sms + - swk + - tel + SessionIdentityProvider: type: object properties: - authType: - $ref: '#/components/schemas/PolicyRuleAuthContextType' - PolicyRuleAuthContextType: + id: + type: string + readOnly: true + description: Identity Provider ID. If the `type` is `OKTA`, then the `id` is the org ID. + type: + $ref: '#/components/schemas/SessionIdentityProviderType' + SessionIdentityProviderType: type: string x-okta-known-values: - - ANY - - RADIUS - PolicyRuleConditions: - type: object - properties: - app: - $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' - apps: - $ref: '#/components/schemas/AppInstancePolicyRuleCondition' - authContext: - $ref: '#/components/schemas/PolicyRuleAuthContextCondition' - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - beforeScheduledAction: - $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition' - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - context: - $ref: '#/components/schemas/ContextPolicyRuleCondition' - device: - $ref: '#/components/schemas/DevicePolicyRuleCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - groups: - $ref: '#/components/schemas/GroupPolicyRuleCondition' - identityProvider: - $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' - mdmEnrollment: - $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition' - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - platform: - $ref: '#/components/schemas/PlatformPolicyRuleCondition' - risk: - $ref: '#/components/schemas/RiskPolicyRuleCondition' - riskScore: - $ref: 
'#/components/schemas/RiskScorePolicyRuleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' - userIdentifier: - $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' - users: - $ref: '#/components/schemas/UserPolicyRuleCondition' - userStatus: - $ref: '#/components/schemas/UserStatusPolicyRuleCondition' - PolicyRuleType: + - ACTIVE_DIRECTORY + - FEDERATION + - LDAP + - OKTA + - SOCIAL + SessionStatus: type: string + x-enumDescriptions: + ACTIVE: The Session is established and fully validated. + MFA_REQUIRED: The Session is established, but requires second factor verification. + MFA_ENROLL: The Session is established, but the user needs to enroll a second factor. x-okta-known-values: - - ACCESS_POLICY - - IDP_DISCOVERY + - ACTIVE - MFA_ENROLL - - PASSWORD - - PROFILE_ENROLLMENT - - RESOURCE_ACCESS - - SIGN_ON - PolicySubject: - type: object - properties: - filter: - type: string - format: - type: array - items: - type: string - matchAttribute: - type: string - matchType: - $ref: '#/components/schemas/PolicySubjectMatchType' - userNameTemplate: - $ref: '#/components/schemas/PolicyUserNameTemplate' - PolicySubjectMatchType: + - MFA_REQUIRED + ShowSignInWithOV: + description: Controls whether to show the Sign in with Okta Verify button on the Sign-In Widget + type: string + x-okta-known-values: + - ALWAYS + - NEVER + SignInPage: + allOf: + - $ref: '#/components/schemas/CustomizablePage' + - type: object + properties: + contentSecurityPolicySetting: + $ref: '#/components/schemas/ContentSecurityPolicySetting' + widgetCustomizations: + type: object + properties: + signInLabel: + type: string + description: The label for the sign in widget + usernameLabel: + type: string + description: The label for the username field + usernameInfoTip: + type: string + description: The label for the username information tip + passwordLabel: + type: string + description: The label for the password field + passwordInfoTip: + type: string + 
description: The label for the password information tip + showPasswordVisibilityToggle: + type: boolean + description: Allows users to see their passwords as they type + showUserIdentifier: + type: boolean + description: Allows the user's identifier to appear on authentication and enrollment pages + forgotPasswordLabel: + type: string + description: The label for the forgot password page + forgotPasswordUrl: + type: string + description: The forgot password URL + unlockAccountLabel: + type: string + description: The label for the unlock account link + unlockAccountUrl: + type: string + description: The unlock account URL + helpLabel: + type: string + description: The label for the help link + helpUrl: + type: string + description: The help link URL + customLink1Label: + type: string + description: The label for the first custom link + customLink1Url: + type: string + description: The URL for the first custom link + customLink2Label: + type: string + description: The label for the second custom link + customLink2Url: + type: string + description: The URL for the second custom link + authenticatorPageCustomLinkLabel: + type: string + description: The label for the authenticator page custom link + authenticatorPageCustomLinkUrl: + type: string + description: The URL for the authenticator page custom link + classicRecoveryFlowEmailOrUsernameLabel: + type: string + description: The label for the username field in the classic recovery flow + widgetGeneration: + $ref: '#/components/schemas/WidgetGeneration' + widgetVersion: + $ref: '#/components/schemas/Version' + SignInPageTouchPointVariant: + description: | + Variant for the Okta sign-in page. You can publish a theme for sign-in page with different combinations of assets. Variants are preset combinations of those assets. + > **Note:** For a non-`OKTA_DEFAULT` variant, `primaryColorHex` is used for button background color and `primaryColorContrastHex` is used to optimize the opacity for button text. 
type: string + x-enumDescriptions: + BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme + BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the Okta sign-in page. + OKTA_DEFAULT: Uses the Okta logo and favicon with no background image. Uses the Okta colors on the Okta sign-in page. x-okta-known-values: - - CUSTOM_ATTRIBUTE - - EMAIL - - USERNAME - - USERNAME_OR_EMAIL - PolicyType: + - BACKGROUND_IMAGE + - BACKGROUND_SECONDARY_COLOR + - OKTA_DEFAULT + SignOnInlineHook: + properties: + id: + type: string + readOnly: false + SigningAlgorithm: type: string x-okta-known-values: - - ACCESS_POLICY - - IDP_DISCOVERY - - MFA_ENROLL - - OAUTH_AUTHORIZATION_POLICY - - OKTA_SIGN_ON - - PASSWORD - - PROFILE_ENROLLMENT - PolicyUserNameTemplate: + - ES256 + - ES384 + - ES512 + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + SimulatePolicyBody: + description: The request body required for a simulate policy operation type: object properties: - template: + appInstance: type: string - PolicyUserStatus: - type: string - x-okta-known-values: - - ACTIVATING - - ACTIVE - - DELETED - - DELETING - - EXPIRED_PASSWORD - - INACTIVE - - PENDING - - SUSPENDED - PossessionConstraint: - allOf: - - $ref: '#/components/schemas/AccessPolicyConstraint' - - type: object + description: The application instance ID for a simulate operation + policyContext: + $ref: '#/components/schemas/PolicyContext' + policyTypes: + type: array + description: Supported policy types for a simulate operation. The default value, `null`, returns all types. 
+ items: + $ref: '#/components/schemas/PolicyTypeSimulation' + required: + - appInstance + SimulatePolicyEvaluations: + type: object + properties: + evaluated: + type: object + description: A list of evaluated but not matched policies and rules properties: - deviceBound: - type: string - hardwareProtection: - type: string - phishingResistant: - type: string - userPresence: - type: string - PreRegistrationInlineHook: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + policyType: + type: array + description: The policy type of the simulate operation + items: + $ref: '#/components/schemas/PolicyTypeSimulation' + result: + $ref: '#/components/schemas/SimulatePolicyResult' + status: + $ref: '#/components/schemas/SimulateResultStatus' + undefined: + type: object + description: A list of undefined but not matched policies and rules + properties: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + SimulatePolicyResponse: + description: The response body returned for a simulate policy operation. An array of `evaluations`. 
+ items: + $ref: '#/components/schemas/SimulatePolicyEvaluations' + type: array + SimulatePolicyResult: + description: The result of the policy evaluation type: object properties: - inlineHookId: - type: string - PrincipalRateLimitEntity: - title: PrincipalRateLimitEntity - description: '' + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + SimulateResultConditions: type: object properties: - createdBy: - type: string - readOnly: true - createdDate: + status: + $ref: '#/components/schemas/SimulateResultStatus' + type: type: string - format: date-time - readOnly: true - defaultConcurrencyPercentage: - type: integer - readOnly: true - defaultPercentage: - type: integer - readOnly: true + description: The type of condition + SimulateResultPolicies: + items: + $ref: '#/components/schemas/SimulateResultPoliciesItems' + type: array + SimulateResultPoliciesItems: + type: object + properties: + conditions: + type: array + description: List of all conditions involved for this policy evaluation + items: + $ref: '#/components/schemas/SimulateResultConditions' id: type: string - readOnly: true - lastUpdate: - type: string - format: date-time - readOnly: true - lastUpdatedBy: + description: ID of the specified policy type + name: type: string - readOnly: true - orgId: + description: Policy name + rules: + type: array + items: + $ref: '#/components/schemas/SimulateResultRules' + status: + $ref: '#/components/schemas/SimulateResultStatus' + SimulateResultRules: + type: object + properties: + conditions: + type: array + description: List of all conditions involved for this rule evaluation + items: + $ref: '#/components/schemas/SimulateResultConditions' + id: type: string - readOnly: true - principalId: + description: The unique ID number of the policy rule + name: type: string - principalType: - $ref: '#/components/schemas/PrincipalType' - required: - - principalId - - principalType - PrincipalType: + description: The name of the policy rule + status: + $ref: 
'#/components/schemas/SimulateResultStatus' + SimulateResultStatus: + description: The result of this entity evaluation type: string x-okta-known-values: - - SSWS_TOKEN - ProfileEnrollmentPolicy: + - MATCH + - NOT_MATCH + - UNDEFINED + SingleLogout: + description: Determines if the app supports Single Logout (SLO) + type: object + properties: + enabled: + type: boolean + description: Whether the application supports SLO + issuer: + type: string + description: The issuer of the Service Provider that generates the SLO request + logoutUrl: + type: string + description: The location where the logout response is sent + SlackApplication: + title: Slack + x-tags: + - Application + x-okta-defined-as: + name: slack + example: + name: slack + label: Sample Slack App + signOnMode: SAML_2_0 + settings: + app: + domain: my-company-domain + description: | + Schema for the Slack app (key name: `slack`) + + To create a Slack app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Slack app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. 
allOf: - - $ref: '#/components/schemas/Policy' + - $ref: '#/components/schemas/OINApplication' - type: object + - required: + - name + - label + - settings properties: - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - ProfileEnrollmentPolicyRule: + name: + type: string + enum: + - slack + example: slack + signOnMode: + enum: + - BROWSER_PLUGIN + - SAML_2_0 + settings: + $ref: '#/components/schemas/SlackApplicationSettings' + SlackApplicationSettings: allOf: - - $ref: '#/components/schemas/PolicyRule' + - $ref: '#/components/schemas/ApplicationSettings' - type: object + - required: + - app properties: - actions: - $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActions' - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - ProfileEnrollmentPolicyRuleAction: + app: + $ref: '#/components/schemas/SlackApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + SlackApplicationSettingsApplication: + description: Slack app instance properties type: object properties: - access: + domain: type: string - activationRequirements: - $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActivationRequirement' - preRegistrationInlineHooks: - items: - $ref: '#/components/schemas/PreRegistrationInlineHook' - type: array - profileAttributes: - items: - $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute' - type: array - targetGroupIds: - items: - type: string - type: array - unknownUserAction: + description: The Slack app domain name + userEmailValue: type: string - ProfileEnrollmentPolicyRuleActions: - allOf: - - $ref: '#/components/schemas/PolicyRuleActions' - - type: object - properties: - profileEnrollment: - $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleAction' - ProfileEnrollmentPolicyRuleActivationRequirement: - type: object - properties: - emailVerification: - type: boolean - ProfileEnrollmentPolicyRuleProfileAttribute: + description: The `User.Email` 
attribute value + required: + - domain + SloParticipate: + description: Determines if the app participates in Single Logout (SLO) type: object properties: - label: + bindingType: type: string - name: + description: Request binding type + enum: + - POST + - REDIRECT + enabled: + type: boolean + description: Indicates whether the app is allowed to participate in front-channel SLO + logoutRequestUrl: type: string - required: + description: URL where Okta sends the logout request + sessionIndexRequired: type: boolean - ProfileMapping: + description: Determines whether Okta sends the `SessionIndex` elements in the logout request + SmsTemplate: type: object properties: - id: + created: type: string + format: date-time readOnly: true - properties: - type: object - additionalProperties: - $ref: '#/components/schemas/ProfileMappingProperty' + id: + type: string readOnly: true - source: - $ref: '#/components/schemas/ProfileMappingSource' - target: - $ref: '#/components/schemas/ProfileMappingSource' - _links: - type: object - additionalProperties: - type: object - properties: {} + lastUpdated: + type: string + format: date-time readOnly: true - ProfileMappingProperty: - type: object - properties: - expression: + name: type: string - pushStatus: - $ref: '#/components/schemas/ProfileMappingPropertyPushStatus' - ProfileMappingPropertyPushStatus: + description: Human-readable name of the Template + maxLength: 50 + minLength: 1 + template: + type: string + description: Text of the Template, including any [macros](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/) + maxLength: 161 + minLength: 1 + translations: + $ref: '#/components/schemas/SmsTemplateTranslations' + type: + $ref: '#/components/schemas/SmsTemplateType' + SmsTemplateTranslations: + description: | + - Template translations are optionally provided when you want to localize the SMS messages. 
Translations are provided as an object that contains `key:value` pairs: the language and the translated Template text. The key portion is a two-letter country code that conforms to [ISO 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The value is the translated SMS Template. + - Just like with regular SMS Templates, the length of the SMS message can't exceed 160 characters. + type: object + x-okta-extensible: true + SmsTemplateType: + description: Type of the Template + maxLength: 50 + minLength: 1 type: string x-okta-known-values: - - DONT_PUSH - - PUSH - ProfileMappingSource: + - SMS_VERIFY_CODE + SocialAuthToken: + description: The Social Authentication Token object provides the tokens and associated metadata provided by social providers during social authentication. type: object properties: + expiresAt: + $ref: '#/components/schemas/ExpiresAt' id: type: string + description: Unique identifier for the token readOnly: true - name: + example: NXp9GaX1eOA-XVF_H9fn2Q + scopes: + type: array + description: The scopes that the token is good for + readOnly: true + items: + type: string + example: + - openid + - foo + token: type: string + description: The raw token readOnly: true - type: + example: JBTWGV22G4ZGKV3N + tokenAuthScheme: type: string readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} + description: The token authentication scheme as defined by the social provider + example: Bearer + tokenType: + type: string readOnly: true - ProfileSettingObject: + description: The type of token defined by the [OAuth Token Exchange Spec](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07#section-3) + example: urn:ietf:params:oauth:token-type:access_token + SourceLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + schema: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated schema + SplunkEdition: + description: Edition of the 
Splunk Cloud instance + example: aws + type: string + x-okta-known-values: + - aws + - aws_govcloud + - gcp + SplunkHost: + description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. For example: `acme.splunkcloud.com`' + minLength: 17 + maxLength: 116 + example: acme.splunkcloud.com + type: string + SplunkToken: + description: The HEC token for your Splunk Cloud HTTP Event Collector. The token value is set at object creation, but isn't returned. + example: 11111111-1111-2222-2222-222222222222 + writeOnly: true + type: string + pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ + Sso: + description: 'Supported SSO protocol configurations. You must configure at least one protocol: `oidc` or `saml`' type: object properties: - status: - $ref: '#/components/schemas/EnabledStatus' - Protocol: + oidc: + $ref: '#/components/schemas/Oidc' + saml: + $ref: '#/components/schemas/Saml' + SsprPrimaryRequirement: + description: Defines the authenticators permitted for the initial authentication step of password recovery type: object properties: - algorithms: - $ref: '#/components/schemas/ProtocolAlgorithms' - credentials: - $ref: '#/components/schemas/IdentityProviderCredentials' - endpoints: - $ref: '#/components/schemas/ProtocolEndpoints' - issuer: - $ref: '#/components/schemas/ProtocolEndpoint' - relayState: - $ref: '#/components/schemas/ProtocolRelayState' - scopes: + methodConstraints: + description: Constraints on the values specified in the `methods` array. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodConstraint' + methods: type: array + description: Authenticator methods allowed for the initial authentication step of password recovery. 
Method `otp` requires a constraint limiting it to a Google authenticator. items: type: string - settings: - $ref: '#/components/schemas/ProtocolSettings' - type: - $ref: '#/components/schemas/ProtocolType' - ProtocolAlgorithmType: - type: object - properties: - signature: - $ref: '#/components/schemas/ProtocolAlgorithmTypeSignature' - ProtocolAlgorithmTypeSignature: + enum: + - push + - sms + - voice + - email + - otp + SsprRequirement: + description: <x-lifecycle class="oie"></x-lifecycle> Describes the initial and secondary authenticator requirements a user needs to reset their password type: object properties: - algorithm: + accessControl: + description: Determines which authentication requirements a user needs to perform self-service operations. `AUTH_POLICY` defers conditions and authentication requirements to the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). `LEGACY` refers to the requirements described by this rule. type: string - scope: - $ref: '#/components/schemas/ProtocolAlgorithmTypeSignatureScope' - ProtocolAlgorithmTypeSignatureScope: - type: string - x-okta-known-values: - - ANY - - NONE - - REQUEST - - RESPONSE - - TOKEN - ProtocolAlgorithms: + enum: + - AUTH_POLICY + - LEGACY + primary: + $ref: '#/components/schemas/SsprPrimaryRequirement' + stepUp: + $ref: '#/components/schemas/SsprStepUpRequirement' + SsprStepUpRequirement: + description: |- + Defines the secondary authenticators needed for password reset if `required` is true. 
The following are three valid configurations: + * `required`=false + * `required`=true with no methods to use any SSO authenticator + * `required`=true with `security_question` as the method type: object properties: - request: - $ref: '#/components/schemas/ProtocolAlgorithmType' - response: - $ref: '#/components/schemas/ProtocolAlgorithmType' - ProtocolEndpoint: + methods: + description: Authenticator methods required for secondary authentication step of password recovery. Specify this value only when `required` is true and `security_question` is permitted for the secondary authentication. + type: array + items: + type: string + enum: + - security_question + required: + type: boolean + StandardRole: + title: Standard Role Assignment type: object properties: - binding: - $ref: '#/components/schemas/ProtocolEndpointBinding' - destination: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: type: string - type: - $ref: '#/components/schemas/ProtocolEndpointType' - url: + description: Timestamp when the object was created + format: date-time + readOnly: true + id: type: string - ProtocolEndpointBinding: - type: string - x-okta-known-values: - - HTTP-POST - - HTTP-REDIRECT - ProtocolEndpointType: - type: string - x-okta-known-values: - - INSTANCE - - ORG - ProtocolEndpoints: + description: Role Assignment ID + readOnly: true + label: + type: string + description: Label for the Role Assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the Role Assignment + type: + $ref: '#/components/schemas/RoleType' + _embedded: + type: object + description: Optional embedded resources for the Role Assignment + properties: + targets: + type: object + description: Targets configured for the Role Assignment + properties: + groups: + type: array + description: Group 
targets + items: + $ref: '#/components/schemas/Group' + catalog: + description: App targets + properties: + apps: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + _links: + $ref: '#/components/schemas/LinksAssignee' + StandardRoleAssignmentSchema: + title: Standard Role type: object properties: - acs: - $ref: '#/components/schemas/ProtocolEndpoint' - authorization: - $ref: '#/components/schemas/ProtocolEndpoint' - jwks: - $ref: '#/components/schemas/ProtocolEndpoint' - metadata: - $ref: '#/components/schemas/ProtocolEndpoint' - slo: - $ref: '#/components/schemas/ProtocolEndpoint' - sso: - $ref: '#/components/schemas/ProtocolEndpoint' - token: - $ref: '#/components/schemas/ProtocolEndpoint' - userInfo: - $ref: '#/components/schemas/ProtocolEndpoint' - ProtocolRelayState: + type: + type: string + description: Specify the standard or IAM-based role type. See [standard roles](/openapi/okta-management/guides/roles/#standard-roles). + StreamConfiguration: + title: Stream Configuration type: object properties: + aud: + oneOf: + - type: string + format: uri + example: https://example.com + - type: array + items: + type: string + format: uri + example: https://example.com + description: |- + The audience used in the SET. This value is set as `aud` in the claim. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. + example: https://example.com + delivery: + $ref: '#/components/schemas/StreamConfigurationDelivery' + events_delivered: + type: array + items: + type: string + format: uri + description: |- + The events (mapped by the array of event type URIs) that the transmitter actually delivers to the SSF Stream. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. 
+ example: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + type: array + maxItems: 50 + items: + type: string + format: uri + maxLength: 256 + description: The events (mapped by the array of event type URIs) that the receiver wants to receive + example: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + type: array + items: + type: string + format: uri + description: |- + An array of event type URIs that the transmitter supports. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. + example: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change format: - $ref: '#/components/schemas/ProtocolRelayStateFormat' - ProtocolRelayStateFormat: - type: string - x-okta-known-values: - - FROM_URL - - OPAQUE - ProtocolSettings: + type: string + description: The Subject Identifier format expected for any SET transmitted. + enum: + - iss_sub + iss: + type: string + description: |- + The issuer used in Security Event Tokens (SETs). This value is set as `iss` in the claim. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. + example: https://{yourOktaDomain} + min_verification_interval: + type: integer + nullable: true + example: 60 + description: |- + The minimum amount of time, in seconds, between two verification requests. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. 
+ stream_id: + type: string + description: The ID of the SSF Stream configuration + example: esc1k235GIIztAuGK0g5 + required: + - events_requested + - delivery + StreamConfigurationCreateRequest: + title: Stream Configuration Create Request type: object properties: - nameFormat: + delivery: + $ref: '#/components/schemas/StreamConfigurationDelivery' + events_requested: + type: array + maxItems: 50 + items: + type: string + format: uri + maxLength: 256 + description: The events (mapped by the array of event type URIs) that the receiver wants to receive + example: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + format: type: string - ProtocolType: - type: string - x-okta-known-values: - - MTLS - - OAUTH2 - - OIDC - - SAML2 - ProviderType: - type: string - x-okta-known-values: - - APNS - - FCM - Provisioning: + description: The Subject Identifier format expected for any SET transmitted. + enum: + - iss_sub + required: + - events_requested + - delivery + StreamConfigurationDelivery: + title: Stream Configuration Delivery + description: Contains information about the intended SET delivery method by the receiver type: object properties: - action: - $ref: '#/components/schemas/ProvisioningAction' - conditions: - $ref: '#/components/schemas/ProvisioningConditions' - groups: - $ref: '#/components/schemas/ProvisioningGroups' - profileMaster: - type: boolean - ProvisioningAction: + authorization_header: + type: string + description: The HTTP Authorization header that is included for each HTTP POST request + example: '{authorizationHeaderValue}' + nullable: true + maxLength: 8192 + endpoint_url: + type: string + format: uri + description: The target endpoint URL where the transmitter delivers the SET using HTTP POST requests + example: https://example.com/ + maxLength: 2048 + method: + type: string + description: The delivery method that the transmitter uses for delivering a SET 
+ enum: + - https://schemas.openid.net/secevent/risc/delivery-method/push + - urn:ietf:rfc:8935 + required: + - method + - endpoint_url + SubjectType: type: string x-okta-known-values: - - AUTO - - CALLOUT - - DISABLED - ProvisioningConditions: + - pairwise + - public + SubmissionRequest: + allOf: + - $ref: '#/components/schemas/SubmissionResponse' + required: + - name + - description + - logo + SubmissionResponse: type: object properties: - deprovisioned: - $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' - suspended: - $ref: '#/components/schemas/ProvisioningSuspendedCondition' - ProvisioningConnection: + config: + type: array + description: 'List of org-level variables for the customer per-tenant configuration. For example, a `subdomain` variable can be used in the ACS URL: `https://${org.subdomain}.example.com/saml/login`' + items: + type: object + properties: + label: + type: string + description: Display name of the variable in the Admin Console + example: Subdomain + name: + type: string + maxLength: 1024 + minLength: 1 + description: Name of the variable + example: subdomain + description: + type: string + maxLength: 1024 + minLength: 1 + description: A general description of your application and the benefits provided to your customers + example: Your one source for in-season strawberry deals. Okta's Strawberry Central integration allow users to securely access those sweet deals. 
+ id: + type: string + description: OIN Integration ID + readOnly: true + example: acme_submissionapp_1 + lastPublished: + type: string + description: Timestamp when the OIN Integration was last published + readOnly: true + example: '2023-08-24T14:15:22.000Z' + lastUpdated: + type: string + description: Timestamp when the OIN Integration instance was last updated + readOnly: true + example: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: + type: string + description: ID of the user who made the last update + readOnly: true + example: 00ub0oNGTSWTBKOLGLNR + logo: + type: string + format: uri + description: URL to an uploaded application logo. This logo appears next to your app integration name in the OIN catalog. You must first [Upload an OIN Integration logo](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/uploadSubmissionLogo) to obtain the logo URL before you can specify this value. + example: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + name: + type: string + maxLength: 64 + minLength: 1 + description: The app integration name. This is the main title used for your integration in the OIN catalog. + example: Strawberry Central + sso: + $ref: '#/components/schemas/Sso' + status: + type: string + description: Status of the OIN Integration submission + readOnly: true + example: New + Subscription: type: object properties: - authScheme: - $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' + channels: + description: |- + An array of sources send notifications to users. + > **Note**: Currently, Okta only allows `email` channels. 
+ items: + type: string + type: array + notificationType: + $ref: '#/components/schemas/NotificationType' status: - $ref: '#/components/schemas/ProvisioningConnectionStatus' + $ref: '#/components/schemas/SubscriptionStatus' _links: - additionalProperties: - type: object - readOnly: true type: object - ProvisioningConnectionAuthScheme: + description: Discoverable resources related to the subscription + properties: + self: + $ref: '#/components/schemas/HrefObject' + readOnly: true + SubscriptionStatus: + description: The status of the subscription type: string x-okta-known-values: - - TOKEN - - UNKNOWN - ProvisioningConnectionProfile: + - subscribed + - unsubscribed + SupportedMethods: + description: The supported methods of an Authenticator type: object properties: - authScheme: - $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' - token: + settings: + type: object + properties: + keyProtection: + $ref: '#/components/schemas/PushMethodKeyProtection' + algorithms: + description: The encryption algorithm for this authenticator method + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' + transactionTypes: + type: array + description: The transaction type for this authenticator method + items: + $ref: '#/components/schemas/AuthenticatorMethodTransactionType' + status: + description: The status of the authenticator method + $ref: '#/components/schemas/LifecycleStatus' + type: type: string - ProvisioningConnectionRequest: + description: The type of authenticator method + enum: + - push + SwaApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + app: + $ref: '#/components/schemas/SwaApplicationSettingsApplication' + SwaApplicationSettingsApplication: type: object properties: - profile: - $ref: '#/components/schemas/ProvisioningConnectionProfile' - ProvisioningConnectionStatus: - type: string - x-okta-known-values: - - DISABLED - - ENABLED - - UNKNOWN - 
ProvisioningDeprovisionedAction: - type: string - x-okta-known-values: - - NONE - - REACTIVATE - ProvisioningDeprovisionedCondition: + buttonField: + type: string + description: CSS selector for the **Sign-In** button in the sign-in form (for SWA apps with the `template_swa` app name definition) + buttonSelector: + type: string + description: CSS selector for the **Sign-In** button in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) + extraFieldSelector: + type: string + description: Enter the CSS selector for the extra field (for three-field SWA apps with the `template_swa3field` app name definition). + extraFieldValue: + type: string + description: Enter the value for the extra field in the form (for three-field SWA apps with the `template_swa3field` app name definition). + loginUrlRegex: + type: string + description: A regular expression that further restricts targetURL to the specified regular expression + passwordField: + type: string + description: CSS selector for the **Password** field in the sign-in form (for SWA apps with the `template_swa` app name definition) + passwordSelector: + type: string + description: CSS selector for the **Password** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) + targetURL: + type: string + description: The URL of the sign-in page for this app (for three-field SWA apps with the `template_swa3field` app name definition) + url: + type: string + description: The URL of the sign-in page for this app (for SWA apps with the `template_swa` app name definition) + usernameField: + type: string + description: CSS selector for the **Username** field in the sign-in form (for SWA apps with the `template_swa` app name definition) + userNameSelector: + type: string + description: CSS selector for the **Username** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) + required: + - buttonField 
+ - passwordField + - usernameField + - url + TelephonyRequest: type: object properties: - action: - $ref: '#/components/schemas/ProvisioningDeprovisionedAction' - ProvisioningGroups: + data: + $ref: '#/components/schemas/TelephonyRequestData' + eventType: + type: string + description: The type of inline hook. The Telephony inline hook type is `com.okta.telephony.provider`. + requestType: + type: string + description: The type of inline hook request. For example, `com.okta.user.telephony.pre-enrollment`. + source: + description: The ID and URL of the Telephony inline hook + type: string + TelephonyRequestData: type: object properties: - action: - $ref: '#/components/schemas/ProvisioningGroupsAction' - assignments: - type: array - items: - type: string - filter: - type: array - items: - type: string - sourceAttributeName: - type: string - ProvisioningGroupsAction: - type: string - x-okta-known-values: - - APPEND - - ASSIGN - - NONE - - SYNC - ProvisioningSuspendedAction: - type: string - x-okta-known-values: - - NONE - - UNSUSPEND - ProvisioningSuspendedCondition: + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + messageProfile: + type: object + description: Message profile specifies information about the telephony (sms/voice) message to be sent to the Okta user + properties: + msgTemplate: + description: Default or Okta org configured sms or voice message template + type: string + phoneNumber: + description: The Okta's user's phone number + type: string + otpExpires: + description: The time when OTP expires + type: string + deliveryChannel: + description: The channel for OTP delivery - SMS or voice + type: string + otpCode: + description: The OTP code requested by the Okta user + type: string + locale: + description: The locale associated with the Okta user + type: string + userProfile: + type: object + description: User profile specifies information about the Okta user + properties: + firstName: + 
description: The user's first name + type: string + lastName: + description: The user's last name + type: string + login: + description: The user's Okta login + type: string + userId: + description: The user's Okta user ID + type: string + TelephonyRequestExecute: + description: Telephony inline hook request body + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TelephonyRequest' + TelephonyResponse: + description: Telephony inline hook response type: object properties: - action: - $ref: '#/components/schemas/ProvisioningSuspendedAction' - PushProvider: - title: PushProvider + commands: + description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the Telephony inline hook, you typically only return one `commands` object with one array element in it. + type: array + items: + type: object + properties: + type: + description: The location where you specify the command. For the Telephony inline hook, there's only one command, `com.okta.telephony.action`. + type: string + value: + description: The status of the telephony operation along with optional additional information about the provider, transaction ID and any other transaction metadata. + type: array + items: + type: object + properties: + status: + type: string + description: Status of telephony callout + enum: + - SUCCESSFUL + - PENDING + - FAILED + x-enumDescriptions: + SUCCESSFUL: External web service was able to deliver the OTP to the Requester. + PENDING: External web service wasn't able to confirm delivery of the OTP to the Requester. + FAILED: External web service was unable to deliver the OTP to the Requester. 
+ provider: + type: string + description: Telephony provider for sms/voice + transactionId: + type: string + description: Transaction ID for sms/voice + transactionMetadata: + type: string + description: Any relevant metadata for the telephony transaction + TempPassword: type: object properties: - id: - type: string - readOnly: true - lastUpdatedDate: + tempPassword: type: string readOnly: true - name: + TestInfo: + description: Integration Testing Information + type: object + properties: + escalationSupportContact: type: string - description: Display name of the push provider - providerType: - $ref: '#/components/schemas/ProviderType' - _links: + maxLength: 255 + description: An email for Okta to contact your company about your integration. This email isn't shared with customers. + example: strawberry.support@example.com + oidcTestConfiguration: type: object + description: OIDC test details properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true - discriminator: - propertyName: providerType - mapping: - APNS: '#/components/schemas/APNSPushProvider' - FCM: '#/components/schemas/FCMPushProvider' - PushUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object + idp: + type: boolean + description: Read only.<br>Indicates if your integration supports IdP-initiated sign-in flows. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) is specified, this property is set to `true`. 
If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) isn't set for the integration submission, this property is set to `false` + readOnly: true + sp: + type: boolean + description: Read only.<br>Indicates if your integration supports SP-initiated sign-in flows and is always set to `true` for OIDC SSO + readOnly: true + jit: + type: boolean + description: Indicates if your integration supports Just-In-Time (JIT) provisioning + spInitiateUrl: + type: string + format: uri + maxLength: 512 + description: URL for SP-initiated sign-in flows (required if `sp = true`) + example: https://test.example.com/strawberry/oidc/sp-init + required: + - spInitiateUrl + samlTestConfiguration: + type: object + description: SAML test details properties: - expiresAt: + idp: + type: boolean + description: Indicates if your integration supports IdP-initiated sign-in + sp: + type: boolean + description: Indicates if your integration supports SP-initiated sign-in + jit: + type: boolean + description: Indicates if your integration supports Just-In-Time (JIT) provisioning + spInitiateUrl: type: string - format: date-time - factorResult: - $ref: '#/components/schemas/FactorResultType' - profile: - $ref: '#/components/schemas/PushUserFactorProfile' - PushUserFactorProfile: + format: uri + maxLength: 512 + description: URL for SP-initiated sign-in flows (required if `sp = true`) + example: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: + type: string + maxLength: 2048 + description: Instructions on how to sign in to your app using the SP-initiated flow (required if `sp = true`) + example: Go to your app URL from a browser and enter your username + required: + - spInitiateUrl + testAccount: + type: object + description: An account on a test instance of your app with admin privileges. 
A test admin account is required by Okta for integration testing. During OIN QA testing, an Okta analyst uses this admin account to configure your app for the various test case flows. + properties: + url: + type: string + format: uri + maxLength: 512 + description: The sign-in URL to a test instance of your app + example: https://example.com/strawberry/login + username: + type: string + maxLength: 255 + description: The username for your app admin account + example: test@example.com + password: + type: string + maxLength: 255 + description: The password for your app admin account + example: sUperP@ssw0rd + instructions: + type: string + maxLength: 2048 + description: Additional instructions to test the app integration, including instructions for obtaining test accounts + example: Go to your app URL from a browser and enter your credentials + required: + - url + - username + - password + required: + - escalationSupportContact + ThemeResponse: type: object properties: - credentialId: + backgroundImage: + readOnly: true type: string - deviceToken: + emailTemplateTouchPointVariant: + $ref: '#/components/schemas/EmailTemplateTouchPointVariant' + endUserDashboardTouchPointVariant: + $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' + errorPageTouchPointVariant: + $ref: '#/components/schemas/ErrorPageTouchPointVariant' + favicon: + readOnly: true type: string - deviceType: + id: + readOnly: true type: string - name: + loadingPageTouchPointVariant: + $ref: '#/components/schemas/LoadingPageTouchPointVariant' + logo: + readOnly: true type: string - platform: + primaryColorContrastHex: type: string - version: + description: Primary color contrast hex code + primaryColorHex: type: string - RecoveryQuestionCredential: + description: Primary color hex code + secondaryColorContrastHex: + type: string + description: Secondary color contrast hex code + secondaryColorHex: + type: string + description: Secondary color hex code + signInPageTouchPointVariant: + $ref: 
'#/components/schemas/SignInPageTouchPointVariant' + _links: + $ref: '#/components/schemas/LinksSelf' + ThirdPartyAdminSetting: + description: The third-party admin setting type: object properties: - answer: + thirdPartyAdmin: + type: boolean + description: Indicates if third-party admin is enabled + example: false + ThreatInsightConfiguration: + type: object + properties: + action: type: string - question: + description: Specifies how Okta responds to authentication requests from suspicious IP addresses + enum: + - none + - audit + - block + x-enumDescriptions: + none: Indicates that ThreatInsight is disabled + audit: Indicates that Okta logs suspicious requests to the System Log + block: Indicates that Okta logs suspicious requests to the System Log and blocks the requests + example: none + created: type: string - ReleaseChannel: - description: Release channel for auto-update - type: string - x-okta-known-values: - - BETA - - EA - - GA - - TEST - RequiredEnum: + format: date-time + description: Timestamp when the ThreatInsight Configuration object was created + example: '2020-08-05T22:18:30.629Z' + readOnly: true + excludeZones: + type: array + description: |- + Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs. + IPs in the excluded network zones aren't logged or blocked. + This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked. + items: + type: string + example: [] + lastUpdated: + type: string + format: date-time + description: Timestamp when the ThreatInsight Configuration object was last updated + readOnly: true + example: '2020-09-08T20:53:20.882Z' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - action + TimeDuration: + description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). 
type: string - x-okta-known-values: - - ALWAYS - - HIGH_RISK_ONLY - - NEVER - ResetPasswordToken: + pattern: ^P(?:$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?:\d)(\d+H)?(\d+M)?(\d+S)?)?$ + TokenAuthorizationServerPolicyRuleAction: type: object properties: - resetPasswordUrl: - type: string - readOnly: true - ResponseLinks: + accessTokenLifetimeMinutes: + type: integer + description: Lifetime of the access token in minutes. The minimum is five minutes. The maximum is one day. + inlineHook: + $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' + refreshTokenLifetimeMinutes: + type: integer + description: Lifetime of the refresh token is the minimum access token lifetime. + refreshTokenWindowMinutes: + type: integer + description: Timeframe when the refresh token is valid. The minimum is 10 minutes. The maximum is five years (2,628,000 minutes). + TokenAuthorizationServerPolicyRuleActionInlineHook: type: object - RiskPolicyRuleCondition: + properties: + id: + type: string + readOnly: false + TokenDeliveryMode: + type: string + x-okta-known-values: + - poll + TokenHookResponse: + description: |- + For the token inline hook, the `commands` and `error` objects that you can return in the JSON payload of your response are defined in the following sections. + > **Note:** The size of your response payload must be less than 256 KB. type: object properties: - behaviors: - uniqueItems: true + commands: + description: |- + You can use the `commands` object to provide commands to Okta. It's where you can tell Okta to add more claims to the token. + The `commands` object is an array, allowing you to send multiple commands. In each array element, there needs to be a `type` property and `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command. 
+ In the case of the token hook type, the `value` property is itself a nested object in which you specify a particular operation, a path to act on, and a value. type: array items: - type: string - RiskScorePolicyRuleCondition: + type: object + properties: + type: + description: |- + One of the supported commands: + `com.okta.identity.patch`: Modify an ID token + `com.okta.access.patch`: Modify an access token + > **Note:** The `commands` array should only contain commands that can be applied to the requested tokens. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`. + type: string + value: + description: The `value` object is where you specify the operation to perform. It's an array, which allows you to request more than one operation. + type: array + items: + type: object + properties: + op: + description: |- + The name of one of the supported ops: `add`: Add a claim. `replace`: Modify an existing claim and update the token lifetime. `remove`: Remove an existing claim. + #### `op: add` notes + + <details> + <summary>Add a claim</summary> + + Add a claim + + **Existing JSON** + + ``` + { + "employeeId": "00u12345678" + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.assertion.patch", + "value": [ + { + "op": "add", + "path": "/claims/extPatientId", + "value": "1234" + } + ] + }, + { + "type": "com.okta.assertion.patch", + "value": [ + { + "op": "add", + "path": "/claims/external_guid", + "value": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 1234, + "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ``` + + > **Note:** If you use the `add` operation and include an existing claim in your response with a different value, that value is replaced. Use the `replace` operation instead. 
If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. See `op: replace` notes. + </details> + + <details> + <summary>Add new members to existing JSON objects</summary> + + If you have a JSON object in a claim called `employee_profile`, and you want to add the `department_id` member to the claim, the existing JSON is updated by specifying the claim in the path, followed by the name of the object member. + + **Existing JSON** + + ``` + { + "employee_profile": { + "employee_id": "1234", + "name": "Anna" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "add", + "path": "/claims/employee_profile/department_id", + "value": "4947" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employee_profile": { + "employee_id": "1234", + "name": "Anna", + "department_id": "4947" + } + } + ``` + + > **Note:** If you attempt to add a member within a JSON object that doesn't exist or using an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + </details> + + <details> + <summary>Add new elements to existing arrays</summary> + + Append an element to an array by specifying the name of the array, followed by the index where you want to insert the element in the path. Alternatively, you can specify the array name followed by a hyphen (-) in the path to append an element at the end of the array. For example, you have an array that contains the user's preferred airports, and you want to add a new airport to the array. The existing target JSON object is updated by specifying the claim in the path, followed by the index of where to insert the claim. 
+ + **Existing JSON** + + ``` + { + "preferred_airports":[ + "sjc", + "sfo", + "oak" + ] + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "add", + "path": "/claims/preferred_airports/3", + "value": "lax" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "preferred_airports":[ + "sjc", + "sfo", + "oak", + "lax" + ] + } + ``` + + > **Note:** If you attempt to add an element within an array that doesn't exist or specify an invalid index, the entire PATCH fails and errors are logged in the token hooks events. + </details> + + #### `op: replace` notes + + <details> + <summary>Modify an existing claim</summary> + + You can modify (`replace`) existing custom claims or OIDC standard profile claims, such as `birthdate` and `locale`. You can't, however, modify any system-specific claims, such as `iss` or `ver`. Also, you can't modify a claim that isn't currently part of the token in the request payload. Attempting to modify a system-specific claim or using an invalid operation results in the entire PATCH failing and errors logged in the token hooks events. + + See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. + + > **Note:** Although the `aud` and `sub` claims are listed as reserved claims, you can modify those claims in access tokens. You can't modify these claims in ID tokens. + + See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. 
+ + **Existing target JSON object** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 1234, + "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/claims/extPatientId", + "value": "12345" + }, + { + "op": "replace", + "path": "/claims/external_guid", + "value": "D1495796-G98E-585C-959E-1269CD6766B8" + } + ] + } + ] + } + ``` + + **Updated JSON*** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 12345, + "external_guid": "D1495796-G98E-585C-959E-1269CD6766B8" + } + ``` + + </details> + + <details> + <summary>Modify members within existing JSON objects and arrays</summary> + + Use the `replace` operation to modify members within JSON objects and elements within arrays. For example, you have a JSON object in a claim called `employee_profile`, and you want to update the email address of the employee. The existing target JSON object is updated by specifying the claim in the path, followed by the name of the object member that you want to modify. + + **Existing target JSON object** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna.v@company.com" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/claims/employee_profile/email", + "value": "anna@company.com" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna@company.com" + } + } + ``` + + > **Note:** If you attempt to modify a member within a JSON object that doesn't exist or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + + Similarly, you can replace elements in an array by specifying the array name and the valid index of the element that you want to replace in the path. 
+ </details> + + <details> + <summary>Modify token lifetimes</summary> + You can modify how long the access and ID tokens are valid by specifying the `lifetime` in seconds. The `lifetime` value must be a minimum of five minutes (300 seconds) and a maximum of 24 hours (86,400 seconds). + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/token/lifetime/expiration", + "value": 36000 + } + ] + }, + { + "type": "com.okta.access.patch", + "value": [ + { + "op": "replace", + "path": "/token/lifetime/expiration", + "value": 36000 + } + ] + } + ] + } + ``` + + </details> + + #### `op: remove` notes + + <details> + <summary>Remove a claim</summary> + + You can remove existing custom claims or OIDC standard profile claims, such as `birthdate` or `locale`. You can't, however, remove any system-specific claims, such as `iss` or `ver`. You also can't remove a claim that isn't currently part of the token in the request payload. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + + See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. + + See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/birthdate", + "value": null + } + ] + }, + { + "type": "com.okta.access.patch", + "value": [ + { + "op": "remove", + "path": "/claims/external_guid" + } + ] + } + ] + } + ``` + + > **Note:** The `value` property for the `remove` operation isn't required. If you provide it in the response, it should be set to `null`. Providing any other value fails the entire PATCH response. 
+ + </details> + + <details> + <summary>Remove members from existing arrays</summary> + + Use the `remove` operation to remove members from existing arrays. For example, you have an array that contains the user's preferred airports, and you want to remove an airport from the array. The existing target JSON object is updated by specifying the array name followed by the index of the element that you want to remove. You don't need to specify a value for the remove operation, but you can specify `null` as the value if you want. + + **Existing target JSON object** + + ``` + { + "preferred_airports": [ + "sjc", + "lax", + "sfo", + "oak" + ] + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/preferred_airports/1" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "preferred_airports": [ + "sjc", + "sfo", + "oak" + ] + } + ``` + + </details> + + <details> + <summary>Remove members from existing JSON objects</summary> + + Use the `remove` operation to remove members from existing JSON objects. Do this by specifying the JSON object in the path, followed by the claim member that you would like to remove. For example, you have an `employee_profile` claim, and you want to remove `email` from it. + + **Existing target JSON object** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna.v@company.com" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/employee_profile/email" + } + ] + } + ] + } + ``` + + **Updated JSON** + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + } + } + ``` + + </details> + type: string + path: + description: Location within the token to apply the operation, specified as a slash-delimited path. 
When you add, replace, or remove a claim, this path always begins with `/claims/` and is followed by the name of the new claim that you're adding. When you replace a token lifetime, the path should always be `/token/lifetime/expiration`. + type: string + value: + description: Value to set the claim to. + oneOf: + - type: string + - type: integer + - type: object + error: + description: When an error object is returned, it causes Okta to return an OAuth 2.0 error to the requester of the token. In the error response, the value of `error` is `server_error`, and the value of `error_description` is the string that you supplied in the `errorSummary` property of the `error` object that you returned. + type: object + properties: + errorSummary: + description: 'Human-readable summary of the error. If the error object doesn''t include the `errorSummary` property defined, the following common default message is returned to the end user: `The callback service returned an error`.' + type: string + TokenPayLoad: type: object properties: - level: + data: + type: object + properties: + context: + allOf: + - $ref: '#/components/schemas/BaseContext' + - type: object + properties: + protocol: + description: Details of the authentication protocol + type: object + properties: + type: + description: The type of authentication protocol used + type: string + example: OAUTH2.0 + request: + $ref: '#/components/schemas/TokenProtocolRequest' + OriginalGrant: + description: Information about the original token request used to get the refresh token being used, when in a refresh token request + type: object + properties: + request: + $ref: '#/components/schemas/TokenProtocolRequest' + refresh_token: + $ref: '#/components/schemas/RefreshToken' + issuer: + description: The authorization server's issuer identifier + type: object + properties: + uri: + description: The authorization server's issuer identifier + type: string + format: uri + client: + description: The client making the token request + 
type: object + properties: + id: + description: The unique identifier of the client + type: string + name: + description: The name of the client + type: string + type: + description: The type of client + type: string + example: PUBLIC + policy: + description: The authorization server policy used to mint the token + type: object + properties: + id: + description: The unique identifier for the policy + type: string + example: 00p4ktaq2ryOYtsHC0g7 + rule: + description: The authorization server policy rule used to mint the token + type: object + properties: + id: + description: The unique identifier for the policy rule + type: string + example: 0pr4ktb7elD3ZvrMy0g7 + identity: + allOf: + - description: Provides information on the properties of the ID token that Okta has generated, including the existing claims that it contains + - $ref: '#/components/schemas/BaseToken' + access: + allOf: + - description: Provides information on the properties of the access token that Okta has generated, including the existing claims that it contains + - $ref: '#/components/schemas/BaseToken' + - type: object + properties: + scopes: + description: The scopes contained in the token. For descriptions of the scopes that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#scopes). 
+ type: object + refresh_token: + $ref: '#/components/schemas/RefreshToken' + TokenProtocolRequest: + description: Details of the token request + type: object + properties: + client_id: + description: The ID of the client associated with the token type: string - Role: + grant_type: + $ref: '#/components/schemas/GrantType' + redirect_uri: + description: Specifies the callback location where the authorization was sent + type: string + format: uri + response_mode: + description: The authorization response mode + type: string + enum: + - form_post + - fragment + - okta_post_message + - query + response_type: + description: The authorization response type + type: string + enum: + - code + - id_token + - token + - none + scope: + description: The scopes requested + type: string + state: + type: string + TokenRequest: + description: Token inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TokenPayLoad' + TokenResourcesHrefObject: type: object properties: - assignmentType: - $ref: '#/components/schemas/RoleAssignmentType' - created: + href: type: string - format: date-time - readOnly: true - description: + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens + TokenResponse: + type: object + properties: + access_token: type: string - id: + description: An access token. + device_secret: type: string - readOnly: true - label: + description: An opaque device secret. This is returned if the `device_sso` scope is granted. + expires_in: + type: integer + description: The expiration time of the access token in seconds. + id_token: type: string - readOnly: true - lastUpdated: + description: An ID token. This is returned if the `openid` scope is granted. + issued_token_type: + $ref: '#/components/schemas/TokenType' + refresh_token: + type: string + description: An opaque refresh token. This is returned if the `offline_access` scope is granted. 
+ scope: type: string - format: date-time - readOnly: true - status: - $ref: '#/components/schemas/LifecycleStatus' - type: - $ref: '#/components/schemas/RoleType' - _embedded: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - RoleAssignmentType: + description: The scopes contained in the access token. + token_type: + $ref: '#/components/schemas/TokenResponseTokenType' + TokenResponseTokenType: + description: The token type in a `/token` response. The value is generally `Bearer` except for a few instances of token exchange. type: string x-okta-known-values: - - GROUP - - USER - RoleType: + - Bearer + - N_A + TokenType: + description: The type of token for token exchange. type: string x-okta-known-values: - - API_ACCESS_MANAGEMENT_ADMIN - - APP_ADMIN - - GROUP_MEMBERSHIP_ADMIN - - HELP_DESK_ADMIN - - MOBILE_ADMIN - - ORG_ADMIN - - READ_ONLY_ADMIN - - REPORT_ADMIN - - SUPER_ADMIN - - USER_ADMIN - SamlApplication: + - urn:ietf:params:oauth:token-type:access_token + - urn:ietf:params:oauth:token-type:id_token + - urn:ietf:params:oauth:token-type:jwt + - urn:ietf:params:oauth:token-type:refresh_token + - urn:ietf:params:oauth:token-type:saml1 + - urn:ietf:params:oauth:token-type:saml2 + - urn:okta:oauth:token-type:web_sso_token + - urn:x-oath:params:oauth:token-type:device-secret + TrendMicroApexOneServiceApplication: + title: Trend Micro Apex One Service + x-tags: + - Application + x-okta-defined-as: + name: trendmicroapexoneservice + example: + name: trendmicroapexoneservice + label: Sample Trend Micro Apex One as a Service App + signOnMode: SAML_2_0 + settings: + app: + baseURL: https://acme.trendmicro.com + description: | + Schema for Trend Micro Apex One as a Service app (key name: `trendmicroapexoneservice`) + + To create a Trend Micro Apex One as a Service app, use the [Create an 
Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Trend Micro Apex One as a Service app only supports `SAML_2_0` sign-on mode. allOf: - - $ref: '#/components/schemas/Application' + - $ref: '#/components/schemas/OINApplication' - type: object + - required: + - name + - label + - settings properties: - credentials: - $ref: '#/components/schemas/ApplicationCredentials' name: type: string + enum: + - trendmicroapexoneservice + example: trendmicroapexoneservice + signOnMode: + enum: + - SAML_2_0 settings: - $ref: '#/components/schemas/SamlApplicationSettings' - SamlApplicationSettings: + $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettings' + TrendMicroApexOneServiceApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object + - required: + - app properties: app: - $ref: '#/components/schemas/SamlApplicationSettingsApplication' + $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettingsApplication' signOn: - $ref: '#/components/schemas/SamlApplicationSettingsSignOn' - SamlApplicationSettingsApplication: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + TrendMicroApexOneServiceApplicationSettingsApplication: + description: Trend Micro Apex One as a Service app instance properties type: object properties: - acsUrl: - type: string - audRestriction: - type: string - baseUrl: + baseURL: type: string - SamlApplicationSettingsSignOn: + description: Base Trend Micro Apex One Service URL + required: + - baseURL + TrustedOrigin: type: object properties: - acsEndpoints: - type: array - items: - $ref: '#/components/schemas/AcsEndpoint' - allowMultipleAcsEndpoints: - type: boolean - assertionSigned: - type: boolean - attributeStatements: - type: array - items: - $ref: '#/components/schemas/SamlAttributeStatement' - audience: - type: string - audienceOverride: - 
type: string - authnContextClassRef: - type: string - defaultRelayState: + created: + description: Timestamp when the Trusted Origin was created type: string - destination: + format: date-time + readOnly: true + createdBy: + description: The ID of the user who created the Trusted Origin type: string - destinationOverride: + id: + description: Unique identifier for the Trusted Origin type: string - digestAlgorithm: + readOnly: true + lastUpdated: + description: Timestamp when the Trusted Origin was last updated type: string - honorForceAuthn: - type: boolean - idpIssuer: + format: date-time + readOnly: true + lastUpdatedBy: + description: The ID of the user who last updated the Trusted Origin type: string - inlineHooks: - items: - $ref: '#/components/schemas/SignOnInlineHook' + name: + $ref: '#/components/schemas/TrustedOriginName' + origin: + $ref: '#/components/schemas/TrustedOriginOrigin' + scopes: + $ref: '#/components/schemas/TrustedOriginScopes' + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + TrustedOriginName: + maximum: 255 + description: Unique name for the Trusted Origin + type: string + TrustedOriginOrigin: + maximum: 255 + description: Unique origin URL for the Trusted Origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor. + type: string + TrustedOriginScope: + type: object + properties: + allowedOktaApps: type: array - recipient: - type: string - recipientOverride: - type: string - requestCompressed: - type: boolean - responseSigned: - type: boolean - signatureAlgorithm: + description: The allowed Okta apps for the Trusted Origin scope + items: + $ref: '#/components/schemas/IframeEmbedScopeAllowedApps' + type: + $ref: '#/components/schemas/TrustedOriginScopeType' + TrustedOriginScopeType: + description: | + The scope type. 
Supported values: When you use `IFRAME_EMBED` as the scope type, leave the allowedOktaApps property + empty to allow iFrame embedding of only Okta sign-in pages. Include `OKTA_ENDUSER` as a value for the allowedOktaApps + property to allow iFrame embedding of both Okta sign-in pages and the Okta End-User Dashboard. + type: string + x-okta-known-values: + - CORS + - IFRAME_EMBED + - REDIRECT + TrustedOriginScopes: + maximum: 3 + description: Array of Scope types that this Trusted Origin is used for + items: + $ref: '#/components/schemas/TrustedOriginScope' + type: array + TrustedOriginWrite: + type: object + properties: + name: + $ref: '#/components/schemas/TrustedOriginName' + origin: + $ref: '#/components/schemas/TrustedOriginOrigin' + scopes: + $ref: '#/components/schemas/TrustedOriginScopes' + UIElement: + description: Specifies the configuration of an input field on an enrollment form + type: object + properties: + label: type: string - slo: - $ref: '#/components/schemas/SingleLogout' - spCertificate: - $ref: '#/components/schemas/SpCertificate' - spIssuer: + description: Label name for the UI element + options: + type: object + description: UI Schema element options object + properties: + format: + type: string + description: Specifies how the input appears + enum: + - text + - radio + - select + - checkbox + - radio_yes_no + - radio_true_false + x-enumDescriptions: + text: The default format for the majority of property types + radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint. + select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint. + checkbox: Displays input as a checkbox. This option is only available for Boolean data types. + radio_yes_no: Displays input as two radio buttons, one with the option `yes` and the other `no`. This option is only available for Boolean data types. 
+ radio_true_false: Displays input as two radio buttons, one with the option `true` and the other `false`. This option is only available for Boolean data types. + scope: type: string - ssoAcsUrl: + description: Specifies the property bound to the input field. It must follow the format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a variable name for an attribute in `profile editor`. + type: type: string - ssoAcsUrlOverride: + description: Specifies the relationship between this input element and `scope`. The `Control` value specifies that this input controls the value represented by `scope`. + UISchemaObject: + description: Properties of the UI schema + type: object + properties: + buttonLabel: type: string - subjectNameIdFormat: + description: Specifies the button label for the `Submit` button at the bottom of the enrollment form + default: Submit + elements: + $ref: '#/components/schemas/UIElement' + label: type: string - subjectNameIdTemplate: + description: Specifies the label at the top of the enrollment form under the logo + default: Sign in + type: type: string - SamlAttributeStatement: + description: Specifies the type of layout + UISchemasResponseObject: type: object properties: - filterType: - type: string - filterValue: - type: string - name: + created: type: string - namespace: + format: date-time + description: Timestamp when the UI Schema was created (ISO-86001) + readOnly: true + id: type: string - type: + description: Unique identifier for the UI Schema + readOnly: true + lastUpdated: type: string - values: - type: array - items: - type: string - ScheduledUserLifecycleAction: + format: date-time + description: Timestamp when the UI Schema was last modified (ISO-86001) + readOnly: true + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - id + - uiSchema + - created + - lastUpdated + - _links + UpdateDomain: type: object properties: - status: - $ref: 
'#/components/schemas/PolicyUserStatus' - SchemeApplicationCredentials: - allOf: - - $ref: '#/components/schemas/ApplicationCredentials' - - type: object - properties: - password: - $ref: '#/components/schemas/PasswordCredential' - revealPassword: - type: boolean - scheme: - $ref: '#/components/schemas/ApplicationCredentialsScheme' - signing: - $ref: '#/components/schemas/ApplicationCredentialsSigning' - userName: - type: string - ScreenLockType: - type: string - x-okta-known-values: - - BIOMETRIC - - PASSCODE - SecurePasswordStoreApplication: - x-okta-defined-as: - name: template_sps - allOf: - - $ref: '#/components/schemas/Application' - - type: object - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - name: - type: string - default: template_sps - settings: - $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings' - SecurePasswordStoreApplicationSettings: + brandId: + description: The `id` of the brand used to replace the existing brand. 
+ type: string + example: bndul904tTZ6kWVhP0g3 + required: + - brandId + UpdateEmailDomain: allOf: - - $ref: '#/components/schemas/ApplicationSettings' - - type: object - properties: - app: - $ref: '#/components/schemas/SecurePasswordStoreApplicationSettingsApplication' - SecurePasswordStoreApplicationSettingsApplication: + - $ref: '#/components/schemas/BaseEmailDomain' + UpdateIamRoleRequest: type: object properties: - optionalField1: - type: string - optionalField1Value: - type: string - optionalField2: + description: type: string - optionalField2Value: + description: Description of the role + label: type: string - optionalField3: + description: Unique label for the role + required: + - label + - description + UpdateRealmAssignmentRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + name: type: string - optionalField3Value: + priority: + type: integer + UpdateRealmRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/RealmProfile' + UpdateThemeRequest: + type: object + properties: + emailTemplateTouchPointVariant: + $ref: '#/components/schemas/EmailTemplateTouchPointVariant' + endUserDashboardTouchPointVariant: + $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' + errorPageTouchPointVariant: + $ref: '#/components/schemas/ErrorPageTouchPointVariant' + loadingPageTouchPointVariant: + $ref: '#/components/schemas/LoadingPageTouchPointVariant' + primaryColorContrastHex: type: string - passwordField: + description: Primary color contrast hex code + default: null + primaryColorHex: type: string - url: + description: Primary color hex code + default: null + secondaryColorContrastHex: type: string - usernameField: + description: Secondary color contrast hex code + default: null + secondaryColorHex: type: string - SecurityQuestion: + description: Secondary color hex code + default: null + signInPageTouchPointVariant: + $ref: 
'#/components/schemas/SignInPageTouchPointVariant' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - primaryColorHex + - secondaryColorHex + - signInPageTouchPointVariant + - endUserDashboardTouchPointVariant + - errorPageTouchPointVariant + - emailTemplateTouchPointVariant + UpdateUISchema: + description: The updated request body properties type: object properties: - answer: - type: string - question: - type: string - questionText: - type: string - SecurityQuestionUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/SecurityQuestionUserFactorProfile' - SecurityQuestionUserFactorProfile: + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + UpdateUserRequest: type: object properties: - answer: - type: string - question: - type: string - questionText: - type: string - SeedEnum: - type: string - x-okta-known-values: - - OKTA - - RANDOM - Session: + credentials: + $ref: '#/components/schemas/UserCredentials' + profile: + $ref: '#/components/schemas/UserProfile' + realmId: + type: string + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the realm in which the user is residing + example: guo1bfiNtSnZYILxO0g4 + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + User: type: object properties: - amr: - type: array - readOnly: true - items: - $ref: '#/components/schemas/SessionAuthenticationMethod' - createdAt: + activated: type: string + description: The timestamp when the user status transitioned to `ACTIVE` format: date-time readOnly: true - expiresAt: + nullable: true + created: type: string + description: The timestamp when the user was created format: date-time readOnly: true + credentials: + $ref: '#/components/schemas/UserCredentials' id: type: string + description: The unique key for the user readOnly: true - idp: - $ref: '#/components/schemas/SessionIdentityProvider' - 
lastFactorVerification: + lastLogin: type: string + description: The timestamp of the last login format: date-time readOnly: true - lastPasswordVerification: + nullable: true + lastUpdated: type: string + description: The timestamp when the user was last updated format: date-time readOnly: true - login: + passwordChanged: type: string + description: The timestamp when the user's password was last updated + format: date-time + readOnly: true + nullable: true + profile: + $ref: '#/components/schemas/UserProfile' + realmId: + type: string + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the realm in which the user is residing + example: guo1bfiNtSnZYILxO0g4 + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] readOnly: true status: - $ref: '#/components/schemas/SessionStatus' - userId: + $ref: '#/components/schemas/UserStatus' + statusChanged: type: string + description: The timestamp when the status of the user last changed + format: date-time readOnly: true - _links: + nullable: true + transitioningToStatus: + type: string + description: The target status of an in-progress asynchronous status transition. This property is only returned if the user's state is transitioning. + readOnly: true + nullable: true + enum: + - ACTIVE + - DEPROVISIONED + - PROVISIONED + type: + type: object + description: |- + The user type that determines the schema for the user's profile. The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). + + Currently it contains a single element, `id`. It can be specified when creating a new user, and ca be updated by an admin on a full replace of an existing user (but not a partial update). 
+ properties: + id: + type: string + description: The ID of the user type + _embedded: type: object + description: Embedded resources related to the user using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification additionalProperties: type: object properties: {} readOnly: true - SessionAuthenticationMethod: - type: string - x-okta-known-values: - - fpt - - geo - - hwk - - kba - - mca - - mfa - - otp - - pwd - - sc - - sms - - swk - - tel - SessionIdentityProvider: + _links: + description: |- + Specifies link relations (see [Web Linking](https://datatracker.ietf.org/doc/html/rfc8288) available for the current status of a user. + The links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The links object is read-only. + + For an individual user result, the links object contains a full set of link relations available for that user as determined by your policies. + For a collection of users, the links object contains only the `self` link. Operations that return a collection of users include List users and List group Members. 
+ allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + self: + description: URL to the individual user + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: URL to activate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + resetPassword: + description: URL to reset the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + resetFactors: + description: URL to reset the user's factors + allOf: + - $ref: '#/components/schemas/HrefObject' + expirePassword: + description: URL to expire the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + forgotPassword: + description: URL to initiate a forgot password operation + allOf: + - $ref: '#/components/schemas/HrefObject' + changeRecoveryQuestion: + description: URL to change the user's recovery question + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate a user + allOf: + - $ref: '#/components/schemas/HrefObject' + reactivate: + description: URL to reactivate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + changePassword: + description: URL to change the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + schema: + description: URL to the user's profile schema + allOf: + - $ref: '#/components/schemas/HrefObject' + suspend: + description: URL to suspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unsuspend: + description: URL to unsuspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unlock: + description: URL to unlock the locked-out user + allOf: + - $ref: '#/components/schemas/HrefObject' + type: + description: URL to the user type + allOf: + - $ref: '#/components/schemas/HrefObject' + - readOnly: true + UserActivationToken: type: object properties: - id: + activationToken: type: string readOnly: true - type: - $ref: '#/components/schemas/SessionIdentityProviderType' - SessionIdentityProviderType: - 
type: string - x-okta-known-values: - - ACTIVE_DIRECTORY - - FEDERATION - - LDAP - - OKTA - - SOCIAL - SessionStatus: - type: string - x-okta-known-values: - - ACTIVE - - MFA_ENROLL - - MFA_REQUIRED - SignInPage: - allOf: - - $ref: '#/components/schemas/CustomizablePage' - - type: object - properties: - type: - $ref: '#/components/schemas/HostedPageType' - url: - type: string - widgetCustomizations: - type: object - properties: - signInLabel: - type: string - usernameLabel: - type: string - usernameInfoTip: - type: string - passwordLabel: - type: string - passwordInfoTip: - type: string - showPasswordVisibilityToggle: - type: boolean - showUserIdentifier: - type: boolean - forgotPasswordLabel: - type: string - forgotPasswordUrl: - type: string - unlockAccountLabel: - type: string - unlockAccountUrl: - type: string - helpLabel: - type: string - helpUrl: - type: string - customLink1Label: - type: string - customLink1Url: - type: string - customLink2Label: - type: string - customLink2Url: - type: string - authenticatorPageCustomLinkLabel: - type: string - authenticatorPageCustomLinkUrl: - type: string - classicRecoveryFlowEmailOrUsernameLabel: - type: string - widgetVersion: - $ref: '#/components/schemas/Version' - required: - - type - SignInPageTouchPointVariant: - type: string - x-okta-known-values: - - BACKGROUND_IMAGE - - BACKGROUND_SECONDARY_COLOR - - OKTA_DEFAULT - SignOnInlineHook: - properties: - id: + example: XE6wE17zmphl3KqAPFxO + description: |- + Token received as part of an activation user request. If a password was set before the user was activated, then user must sign in with their password or the `activationToken` and not the activation link. More information about using the `activationToken` + to login can be found in the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-activation-token). 
+ activationUrl: type: string - readOnly: false - SingleLogout: + readOnly: true + example: https://{yourOktaDomain}/welcome/XE6wE17zmphl3KqAPFxO + description: If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. + UserBlock: + description: Describes how the account is blocked from access. If `appliesTo` is `ANY_DEVICES`, then the account is blocked for all devices. If `appliesTo` is `UNKNOWN_DEVICES`, then the account is only blocked for unknown devices. type: object properties: - enabled: - type: boolean - issuer: + appliesTo: type: string - logoutUrl: + readOnly: true + description: The devices that the block applies to + enum: + - ANY_DEVICES + - UNKNOWN_DEVICES + x-enumDescriptions: + ANY_DEVICES: The account is blocked for all devices + UNKNOWN_DEVICES: The account is only blocked for unknown devices + type: type: string - SmsTemplate: + readOnly: true + description: Type of access block + enum: + - DEVICE_BASED + UserCondition: + description: Specifies a set of Users to be included or excluded + type: object + properties: + exclude: + description: Users to be excluded + type: array + items: + type: string + include: + description: Users to be included + type: array + items: + type: string + required: + - exclude + - include + UserCredentials: + description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. 
+ type: object + properties: + password: + $ref: '#/components/schemas/PasswordCredential' + provider: + $ref: '#/components/schemas/AuthenticationProvider' + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + UserFactor: type: object properties: created: + description: Timestamp when the Factor was enrolled type: string format: date-time + example: '2022-08-25T00:31:00.000Z' readOnly: true + factorType: + $ref: '#/components/schemas/UserFactorType' id: + description: ID of the Factor type: string + example: caf8m6jbcvUH8mAep1d7 readOnly: true lastUpdated: + description: Timestamp when the Factor was last updated type: string format: date-time + example: '2022-08-25T00:31:00.000Z' readOnly: true - name: + profile: + type: object + description: Specific attributes related to the Factor + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings. 
type: string - template: + example: OKTA + readOnly: true + _embedded: + type: object + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/UserFactorLinks' + discriminator: + propertyName: factorType + mapping: + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + push: '#/components/schemas/UserFactorPush' + question: '#/components/schemas/UserFactorSecurityQuestion' + sms: '#/components/schemas/UserFactorSMS' + token: '#/components/schemas/UserFactorToken' + token:hardware: '#/components/schemas/UserFactorTokenHardware' + token:hotp: '#/components/schemas/UserFactorTokenHOTP' + token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' + u2f: '#/components/schemas/UserFactorU2F' + web: '#/components/schemas/UserFactorWeb' + webauthn: '#/components/schemas/UserFactorWebAuthn' + hotp: '#/components/schemas/UserFactorTokenHOTP' + UserFactorActivatePush: + description: Activation requests have a short lifetime and expire if the activation isn't completed before the indicated timestamp. If the activation expires, use the returned `activate` link to restart the process. 
+ type: object + properties: + expiresAt: + description: Timestamp when the Factor verification attempt expires type: string - translations: - $ref: '#/components/schemas/SmsTemplateTranslations' - type: - $ref: '#/components/schemas/SmsTemplateType' - SmsTemplateTranslations: + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + factorResult: + $ref: '#/components/schemas/UserFactorActivatePushResult' + readOnly: true + UserFactorActivatePushResult: + description: Result of a Factor activation + type: string + x-okta-known-values: + - CANCELLED + - ERROR + - TIMEOUT + - WAITING + UserFactorActivateRequest: + oneOf: + - title: call + description: Attempts to activate a `call` Factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: email + description: Attempts to activate an `email` Factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: push + type: object + nullable: true + description: |- + Sends an asynchronous push notification to the device for approval by the user. You must poll the transaction to determine the state of the activation. See [Retrieve a Factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus). + + No request body is required for `push` Factors. + + Activations have a short lifetime of several minutes and return a `TIMEOUT` if not completed before the timestamp specified in the `expiresAt` param. Use the published activate link to restart the activation process if the activation expires. 
+ - title: sms + description: Attempts to activate an `sms` Factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: token:software:totp + description: Attempts to activate a `token:software:totp` Factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: u2f + description: Activates a `u2f` Factor with the specified client and registration information from the U2F token + properties: + clientData: + type: string + description: Base64-encoded client data from the U2F token + example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + registrationData: + type: string + description: Base64-encoded registration data from the U2F token + example: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew + - title: webauthn + description: Activates a `webauthn` Factor with the specified attestation and registration information from the WebAuthn authenticator + properties: + attestation: + type: string + description: Base64-encoded attestation from the WebAuthn authenticator + example: 
o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== + clientData: + type: string + description: Base64-encoded client data from the WebAuthn authenticator + example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0 type: object - x-okta-extensible: true - SmsTemplateType: - type: string - x-okta-known-values: - - SMS_VERIFY_CODE - SmsUserFactor: + UserFactorActivateResponse: + type: object + properties: + factorType: + description: Type of the Factor + type: string + enum: + - call + - email + - sms + - push + - token:software:totp + - u2f + - webauthn + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUser' + - $ref: '#/components/schemas/LinksVerify' + discriminator: + propertyName: factorType + mapping: + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + sms: '#/components/schemas/UserFactorSMS' + push: '#/components/schemas/UserFactorPush' + token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' + u2f: '#/components/schemas/UserFactorU2F' + webauthn: '#/components/schemas/UserFactorWebAuthn' + UserFactorCall: + title: call allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: + factorType: + example: call profile: - $ref: '#/components/schemas/SmsUserFactorProfile' - SmsUserFactorProfile: + $ref: '#/components/schemas/UserFactorCallProfile' + provider: + enum: + - OKTA + UserFactorCallProfile: type: object properties: + phoneExtension: + description: Extension of the associated `phoneNumber` + 
type: string + example: 1234 + nullable: true + maxLength: 15 phoneNumber: + description: Phone number of the Factor. Format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). + example: '+15554151337' type: string - SocialAuthToken: + pattern: ^\+[1-9]\d{1,14}$ + maxLength: 15 + UserFactorEmail: + title: email + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: email + profile: + $ref: '#/components/schemas/UserFactorEmailProfile' + provider: + enum: + - OKTA + UserFactorEmailProfile: type: object properties: - expiresAt: - type: string - format: date-time - readOnly: true - id: - type: string - readOnly: true - scopes: - type: array - items: - type: string - token: - type: string - tokenAuthScheme: - type: string - tokenType: + email: + description: Email address of the user. This must be either the primary or secondary email address associated with the Okta user account. + maxLength: 100 + example: z.cool@example.com type: string - SpCertificate: - type: object - properties: - x5c: - type: array - items: - type: string - Subscription: - type: object - properties: - channels: - items: - type: string - type: array - notificationType: - $ref: '#/components/schemas/NotificationType' - status: - $ref: '#/components/schemas/SubscriptionStatus' - _links: - additionalProperties: - type: object - readOnly: true - type: object - SubscriptionStatus: + UserFactorLinks: + allOf: + - $ref: '#/components/schemas/LinksActivate' + - $ref: '#/components/schemas/LinksCancel' + - $ref: '#/components/schemas/LinksDeactivate' + - $ref: '#/components/schemas/LinksEnroll' + - $ref: '#/components/schemas/LinksFactor' + - $ref: '#/components/schemas/LinksPoll' + - $ref: '#/components/schemas/LinksQrcode' + - $ref: '#/components/schemas/LinksQuestions' + - $ref: '#/components/schemas/LinksResend' + - $ref: '#/components/schemas/LinksSend' + - $ref: '#/components/schemas/LinksSelf' + - $ref: 
'#/components/schemas/LinksUser' + - $ref: '#/components/schemas/LinksVerify' + readOnly: true + UserFactorPassCode: + description: OTP for the current time window + example: 1234567890 + type: string + UserFactorProvider: + description: Provider for the Factor type: string x-okta-known-values: - - subscribed - - unsubscribed - SwaApplicationSettings: + - CUSTOM + - DUO + - FIDO + - GOOGLE + - OKTA + - RSA + - SYMANTEC + - YUBICO + UserFactorPush: + title: push allOf: - - $ref: '#/components/schemas/ApplicationSettings' + - $ref: '#/components/schemas/UserFactor' - type: object properties: - app: - $ref: '#/components/schemas/SwaApplicationSettingsApplication' - SwaApplicationSettingsApplication: + profile: + $ref: '#/components/schemas/UserFactorPushProfile' + provider: + enum: + - OKTA + UserFactorPushProfile: type: object properties: - buttonField: - type: string - buttonSelector: - type: string - checkbox: - type: string - extraFieldSelector: - type: string - extraFieldValue: - type: string - loginUrlRegex: - type: string - passwordField: - type: string - passwordSelector: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - redirectUrl: + deviceToken: + description: Token used to identify the device + example: fwf7ku6bsiSCieh6y1d7 type: string - targetURL: + deviceType: + description: Type of device + example: SmartPhone_IPhone type: string - url: + name: + description: Name of the device + example: My Phone type: string - usernameField: + platform: + description: OS version of the associated device + example: IOS type: string - userNameSelector: + version: + description: Installed version of Okta Verify + example: '9.0' type: string - TempPassword: + UserFactorPushTransaction: type: object properties: - tempPassword: + factorResult: + description: Result of the verification transaction type: string - readOnly: true - Theme: + enum: + - WAITING + - SUCCESS + - REJECTED + - TIMEOUT + discriminator: + 
propertyName: factorResult + mapping: + WAITING: '#/components/schemas/UserFactorPushTransactionWaiting' + SUCCESS: '#/components/schemas/UserFactorPushTransaction' + REJECTED: '#/components/schemas/UserFactorPushTransactionRejected' + TIMEOUT: '#/components/schemas/UserFactorPushTransactionTimeout' + UserFactorPushTransactionRejected: + allOf: + - $ref: '#/components/schemas/UserFactorPushTransaction' + - type: object + properties: + profile: + type: object + properties: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksVerify' + - type: object + properties: + factor: + $ref: '#/components/schemas/UserFactor' + UserFactorPushTransactionSuccess: + $ref: '#/components/schemas/UserFactorPushTransaction' + UserFactorPushTransactionTimeout: + allOf: + - $ref: '#/components/schemas/UserFactorPushTransaction' + - type: object + properties: + profile: + type: object + properties: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksVerify' + - type: object + properties: + factor: + $ref: '#/components/schemas/UserFactor' + UserFactorPushTransactionWaiting: + allOf: + - $ref: '#/components/schemas/UserFactorPushTransaction' + - type: object + properties: + profile: + type: object + properties: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksPoll' + - $ref: '#/components/schemas/LinksCancel' + UserFactorResultType: + description: Result of a Factor verification attempt + type: string + readOnly: true + x-okta-known-values: + - CANCELLED + - CHALLENGE + - ERROR + - FAILED + - PASSCODE_REPLAYED + - REJECTED + - SUCCESS + - TIMEOUT + - TIME_WINDOW_EXCEEDED + - WAITING + UserFactorSMS: + title: sms + allOf: + - $ref: 
'#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: sms + profile: + $ref: '#/components/schemas/UserFactorSMSProfile' + provider: + enum: + - OKTA + UserFactorSMSProfile: type: object properties: - backgroundImage: - readOnly: true - type: string - emailTemplateTouchPointVariant: - $ref: '#/components/schemas/EmailTemplateTouchPointVariant' - endUserDashboardTouchPointVariant: - $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' - errorPageTouchPointVariant: - $ref: '#/components/schemas/ErrorPageTouchPointVariant' - primaryColorContrastHex: - type: string - primaryColorHex: - type: string - secondaryColorContrastHex: - type: string - secondaryColorHex: + phoneNumber: + description: Phone number of the Factor. You should format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). + example: '+15554151337' type: string - signInPageTouchPointVariant: - $ref: '#/components/schemas/SignInPageTouchPointVariant' - _links: - additionalProperties: - type: object - readOnly: true - type: object - ThemeResponse: + pattern: ^\+[1-9]\d{1,14}$ + maxLength: 15 + UserFactorSecurityQuestion: + title: question + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: question + profile: + $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' + provider: + enum: + - OKTA + UserFactorSecurityQuestionProfile: type: object properties: - backgroundImage: - readOnly: true - type: string - emailTemplateTouchPointVariant: - $ref: '#/components/schemas/EmailTemplateTouchPointVariant' - endUserDashboardTouchPointVariant: - $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' - errorPageTouchPointVariant: - $ref: '#/components/schemas/ErrorPageTouchPointVariant' - favicon: - readOnly: true - type: string - id: - readOnly: true - type: string - logo: - readOnly: true - type: string - primaryColorContrastHex: - type: string - primaryColorHex: - 
type: string - secondaryColorContrastHex: - type: string - secondaryColorHex: + answer: + description: Answer to the question + minLength: 4 type: string - signInPageTouchPointVariant: - $ref: '#/components/schemas/SignInPageTouchPointVariant' - _links: - additionalProperties: - type: object - readOnly: true - type: object - ThreatInsightConfiguration: - type: object - properties: - action: + writeOnly: true + question: + description: Unique key for the question + example: disliked_food + enum: + - disliked_food + - name_of_first_plush_toy + - first_award + - favorite_security_question + - favorite_toy + - first_computer_game + - favorite_movie_quote + - first_sports_team_mascot + - first_music_purchase + - favorite_art_piece + - grandmother_favorite_desert + - first_thing_cooked + - childhood_dream_job + - first_kiss_location + - place_where_significant_other_was_met + - favorite_vacation_location + - new_years_two_thousand + - favorite_speaker_actor + - favorite_book_movie_character + - favorite_sports_player type: string - created: + questionText: + description: Human-readable text that's displayed to the user + example: What is the food you least liked as a child? 
type: string - format: date-time readOnly: true - excludeZones: - type: array - items: - type: string - lastUpdated: + UserFactorSignatureData: + description: Base64-encoded signature data from the WebAuthn authenticator + type: string + UserFactorStatus: + example: ACTIVE + description: Status of the Factor + type: string + readOnly: true + x-okta-known-values: + - ACTIVE + - DISABLED + - ENROLLED + - EXPIRED + - INACTIVE + - NOT_SETUP + - PENDING_ACTIVATION + UserFactorSupported: + type: object + properties: + enrollment: type: string - format: date-time + description: Indicates if the Factor is required for the specified user + example: OPTIONAL + enum: + - OPTIONAL + - REQUIRED + factorType: + $ref: '#/components/schemas/UserFactorType' + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings. + type: string + example: OKTA readOnly: true - _links: + _embedded: type: object + description: Embedded resources related to the Factor additionalProperties: type: object properties: {} readOnly: true - TimeDuration: - description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). 
- type: string - pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$ - TokenAuthorizationServerPolicyRuleAction: - type: object - properties: - accessTokenLifetimeMinutes: - type: integer - inlineHook: - $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' - refreshTokenLifetimeMinutes: - type: integer - refreshTokenWindowMinutes: - type: integer - TokenAuthorizationServerPolicyRuleActionInlineHook: + _links: + $ref: '#/components/schemas/UserFactorLinks' + UserFactorToken: + title: token + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: token + profile: + $ref: '#/components/schemas/UserFactorTokenProfile' + provider: + enum: + - RSA + - SYMANTEC + verify: + oneOf: + - $ref: '#/components/schemas/UserFactorTokenVerifyRSA' + - $ref: '#/components/schemas/UserFactorTokenVerifySymantec' + UserFactorTokenFactorVerificationObject: type: object properties: - id: + nextPassCode: + description: OTP for the next time window type: string - readOnly: false - TokenUserFactor: + example: 678195 + passCode: + description: OTP for the current time window + type: string + example: 875498 + UserFactorTokenHOTP: + title: token:hotp allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: + factorProfileId: + description: ID of an existing Custom TOTP Factor profile. To create this, see [Custom TOTP Factor](https://help.okta.com/okta_help.htm?id=ext-mfa-totp). 
+ type: string + factorType: + example: token:hotp profile: - $ref: '#/components/schemas/TokenUserFactorProfile' - TokenUserFactorProfile: + $ref: '#/components/schemas/UserFactorTokenHOTPProfile' + provider: + enum: + - CUSTOM + UserFactorTokenHOTPProfile: type: object properties: - credentialId: + sharedSecret: + description: Unique secret key used to generate the OTP type: string - TotpUserFactor: + example: 484f97be3213b117e3a20438e291540a + UserFactorTokenHardware: + title: token:hardware allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: + factorType: + example: token:hardware profile: - $ref: '#/components/schemas/TotpUserFactorProfile' - TotpUserFactorProfile: + $ref: '#/components/schemas/UserFactorTokenProfile' + provider: + enum: + - YUBICO + verify: + type: object + properties: + passCode: + description: OTP for the current time window + type: string + example: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji + UserFactorTokenProfile: type: object properties: credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - TrustedOrigin: + UserFactorTokenSoftwareTOTP: + title: token:software:totp + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: token:software:totp + profile: + $ref: '#/components/schemas/UserFactorTokenProfile' + provider: + enum: + - OKTA + - GOOGLE + UserFactorTokenVerifyRSA: + title: RSA SecurID type: object properties: - created: - type: string - format: date-time - readOnly: true - createdBy: - type: string - id: - type: string - readOnly: true - lastUpdated: - type: string - format: date-time - readOnly: true - lastUpdatedBy: - type: string - name: - type: string - origin: - type: string - scopes: - type: array - items: - $ref: '#/components/schemas/TrustedOriginScope' - status: + passCode: + description: OTP for the current time window type: string - _links: - type: object - additionalProperties: - type: 
object - properties: {} - readOnly: true - TrustedOriginScope: + example: 5275875498 + UserFactorTokenVerifySymantec: + title: Symantec VIP type: object properties: - allowedOktaApps: - type: array - items: - $ref: '#/components/schemas/IframeEmbedScopeAllowedApps' - type: - $ref: '#/components/schemas/TrustedOriginScopeType' - TrustedOriginScopeType: + nextPassCode: + description: OTP for the next time window + type: integer + example: 3956685498 + passCode: + description: OTP for the current time window + type: string + example: 5275875498 + UserFactorType: + description: Type of Factor type: string x-okta-known-values: - - CORS - - IFRAME_EMBED - - REDIRECT - U2fUserFactor: + - call + - email + - push + - question + - signed_nonce + - sms + - token + - token:hardware + - token:hotp + - token:software:totp + - u2f + - web + - webauthn + UserFactorU2F: + title: u2f allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: + factorType: + example: u2f profile: - $ref: '#/components/schemas/U2fUserFactorProfile' - U2fUserFactorProfile: + $ref: '#/components/schemas/UserFactorU2FProfile' + provider: + enum: + - FIDO + UserFactorU2FProfile: type: object properties: credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - UpdateEmailDomain: - allOf: - - $ref: '#/components/schemas/BaseEmailDomain' - UpdateUserRequest: - type: object - properties: - credentials: - $ref: '#/components/schemas/UserCredentials' - profile: - $ref: '#/components/schemas/UserProfile' - User: + UserFactorVerifyRequest: + oneOf: + - title: call + description: Verifies an OTP sent by a `call` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone. + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: sms + description: Verifies an OTP sent by an `sms` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone. 
+ properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: push + type: object + nullable: true + description: Sends an asynchronous push notification to the device for approval by the user. You must poll the transaction to determine the state of the verification. See [Retrieve a Factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus). + - title: email + description: Verifies an OTP sent by an `email` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone. + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: question + description: Verifies an answer to a `question` Factor + properties: + answer: + description: Answer to the question + minLength: 4 + type: string + writeOnly: true + - title: token:software:totp + description: Verifies an OTP for a `token:software:totp` Factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: token:hotp + description: Verifies an OTP for a `token:hotp` Factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: token:hardware + description: Verifies an OTP for a `token:hardware` Factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: token + description: Verifies an OTP for a `token` Factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: u2f + description: Verifies a `u2f` Factor challenge by posting a signed assertion using the challenge `nonce` + properties: + clientData: + type: string + description: Base64-encoded client data from the U2F token + example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + signatureData: + description: Base64-encoded signature data from the U2F token + - title: webauthn + description: Verifies a `webauthn` 
Factor challenge by posting a signed assertion using the challenge `nonce` + properties: + authenticatorData: + description: Base64-encoded authenticator data from the WebAuthn authenticator + type: string + clientData: + type: string + description: Base64-encoded client data from the WebAuthn authenticator + example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0 + signatureData: + type: string + description: Base64-encoded signature data from the WebAuthn authenticator + UserFactorVerifyResponse: type: object properties: - activated: - type: string - format: date-time - readOnly: true - nullable: true - created: - type: string - format: date-time - readOnly: true - credentials: - $ref: '#/components/schemas/UserCredentials' - id: - type: string - readOnly: true - lastLogin: - type: string - format: date-time - readOnly: true - nullable: true - lastUpdated: + expiresAt: + description: Timestamp when the verification expires type: string format: date-time + example: '2022-08-25T00:31:00.000Z' readOnly: true - passwordChanged: + factorMessage: + description: Optional display message for Factor verification type: string - format: date-time readOnly: true nullable: true - profile: - $ref: '#/components/schemas/UserProfile' - status: - $ref: '#/components/schemas/UserStatus' - statusChanged: - type: string - format: date-time + factorResult: + $ref: '#/components/schemas/UserFactorVerifyResult' readOnly: true - nullable: true - transitioningToStatus: - $ref: '#/components/schemas/UserStatus' - type: - $ref: '#/components/schemas/UserType' _embedded: type: object additionalProperties: 
@@ -20504,98 +66830,154 @@ components: properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - UserActivationToken: + $ref: '#/components/schemas/UserFactorLinks' + UserFactorVerifyResult: + description: Result of a Factor verification + type: string + x-enumDescriptions: + CANCELED: User cancelled the verification + CHALLENGE: Okta issued a verification challenge + ERROR: Verification encountered an unexpected server error + EXPIRED: User didn't complete the verification within the allowed time window + FAILED: Verification failed + PASSCODE_REPLAYED: User previously verified the Factor within the same time window. Another verification is required during another time window. + REJECTED: User rejected the verification + SUCCESS: User completed the verification + TIMEOUT: Okta didn't complete the verification within the allowed time window + TIME_WINDOW_EXCEEDED: User completed the verification outside of the allowed time window. Another verification is required. 
+ WAITING: Verification is in progress + x-okta-known-values: + - CHALLENGE + - ERROR + - EXPIRED + - FAILED + - PASSCODE_REPLAYED + - REJECTED + - SUCCESS + - TIMEOUT + - TIME_WINDOW_EXCEEDED + - WAITING + UserFactorWeb: + title: web + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: web + profile: + $ref: '#/components/schemas/UserFactorWebProfile' + provider: + enum: + - DUO + UserFactorWebAuthn: + title: webauthn + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: webauthn + profile: + $ref: '#/components/schemas/UserFactorWebAuthnProfile' + provider: + enum: + - FIDO + UserFactorWebAuthnProfile: type: object properties: - activationToken: + authenticatorName: + description: Human-readable name of the authenticator + example: MacBook Touch ID type: string - readOnly: true - activationUrl: + credentialId: + description: ID for the Factor credential + example: AHoOEhwvYiMv6SSwLp7KYRNttXtg_kYgQoQiEIWPFH_T3Ztp5Vj3bQ5H0LypIFR8ka8kfiCJ3I5qVpxrsd6JTMWKcE3xNh_U2QVF0Kwlan8Fiw type: string - readOnly: true - UserCondition: - type: object - properties: - exclude: - type: array - items: - type: string - include: - type: array - items: - type: string - UserCredentials: + UserFactorWebProfile: type: object properties: - password: - $ref: '#/components/schemas/PasswordCredential' - provider: - $ref: '#/components/schemas/AuthenticationProvider' - recovery_question: - $ref: '#/components/schemas/RecoveryQuestionCredential' - UserFactor: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + UserFactorYubikeyOtpToken: type: object properties: created: + description: Timestamp when the Token was created type: string format: date-time + example: '2022-08-25T00:31:00.000Z' readOnly: true - factorType: - $ref: '#/components/schemas/FactorType' id: + description: ID of the Token type: string + example: 
ykkwcx13nrDq8g4oy0g3 readOnly: true lastUpdated: + description: Timestamp when the Token was last updated type: string format: date-time + example: '2022-08-25T00:31:00.000Z' readOnly: true - provider: - $ref: '#/components/schemas/FactorProvider' - status: - $ref: '#/components/schemas/FactorStatus' - verify: - $ref: '#/components/schemas/VerifyFactorRequest' - _embedded: + lastVerified: + description: Timestamp when the Token was last verified + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + profile: type: object + description: Specified profile information for token additionalProperties: type: object properties: {} - readOnly: true - _links: + status: + description: Token status + type: string + enum: + - BLOCKED + - UNASSIGNED + - ACTIVE + - REVOKED + - DELETED + - INACTIVE + _embedded: type: object additionalProperties: type: object properties: {} - readOnly: true - discriminator: - propertyName: factorType - mapping: - call: '#/components/schemas/CallUserFactor' - email: '#/components/schemas/EmailUserFactor' - push: '#/components/schemas/PushUserFactor' - question: '#/components/schemas/SecurityQuestionUserFactor' - sms: '#/components/schemas/SmsUserFactor' - token: '#/components/schemas/TokenUserFactor' - token:hardware: '#/components/schemas/HardwareUserFactor' - token:hotp: '#/components/schemas/CustomHotpUserFactor' - token:software:totp: '#/components/schemas/TotpUserFactor' - u2f: '#/components/schemas/U2fUserFactor' - web: '#/components/schemas/WebUserFactor' - webauthn: '#/components/schemas/WebAuthnUserFactor' - hotp: '#/components/schemas/CustomHotpUserFactor' + _links: + $ref: '#/components/schemas/UserFactorLinks' + UserGetSingleton: + allOf: + - $ref: '#/components/schemas/User' + - type: object + properties: + _embedded: + type: object + description: The embedded resources related to the object if the `expand` query parameter is specified + properties: + blocks: + type: array + description: A list of 
access block details for the user account + items: + $ref: '#/components/schemas/UserBlock' UserIdentifierConditionEvaluatorPattern: + description: Used in the User Identifier Condition object. Specifies the details of the patterns to match against. type: object properties: matchType: $ref: '#/components/schemas/UserIdentifierMatchType' value: type: string + description: The regular expression or simple match string + required: + - matchType + - value UserIdentifierMatchType: + description: The type of pattern. For regex, use `EXPRESSION`. type: string x-okta-known-values: - CONTAINS @@ -20604,17 +66986,23 @@ components: - STARTS_WITH - SUFFIX UserIdentifierPolicyRuleCondition: + description: Specifies a user identifier condition to match on type: object properties: attribute: type: string + description: The name of the profile attribute to match against. Only used when type is `ATTRIBUTE`. patterns: type: array items: $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' type: $ref: '#/components/schemas/UserIdentifierType' + required: + - patterns + - type UserIdentifierType: + description: What to match against, either user ID or an attribute in the user's Okta profile. type: string x-okta-known-values: - ATTRIBUTE 
@@ -20624,6 +67012,164 @@ components: properties: externalId: type: string + description: Unique IdP-specific identifier for a User + example: '121749775026145' + UserImportRequest: + type: object + properties: + data: + $ref: '#/components/schemas/UserImportRequestData' + eventType: + type: string + description: The type of inline hook. The user import inline hook type is `com.okta.import.transform`. + source: + description: The ID of the user import inline hook + type: string + UserImportRequestData: + type: object + properties: + action: + type: object + description: The object that specifies the default action Okta is set to take + properties: + result: + description: |- + The current default action that results when Okta imports a user. The two possible values are `CREATE_USER` and `LINK_USER`. You + can change the action that is taken by means of the commands object you return. + type: string + enum: + - CREATE_USER + - LINK_USER + x-enumDescriptions: + CREATE_USER: A new Okta user profile is created for the user + LINK_USER: The user is treated as a match for the existing Okta user identified by the value of `data.user.id` + appUser: + type: object + description: The app user profile being imported + properties: + profile: + type: object + description: |- + Provides the name-value pairs of the attributes contained in the app user profile of the user who is being imported. You can change + the values of attributes in the user's app profile by means of the `commands` object you return. If you change attributes in the app + profile, they then flow through to the Okta user profile, based on matching and mapping rules. 
+ additionalProperties: + type: string + context: + type: object + properties: + conflicts: + description: An array of user profile attributes that are in conflict + type: array + items: + additionalProperties: true + type: string + application: + type: object + description: Details of the app from which the user is being imported + properties: + name: + type: string + description: The app name + id: + type: string + description: The app ID + label: + type: string + description: The user-defined display name for the app + status: + type: string + description: The status of the app + enum: + - ACTIVE + - INACTIVE + job: + type: object + description: The details of the running import job + properties: + id: + type: string + description: The ID number of the import job + type: + type: string + description: The type of import job + matches: + type: array + description: The list of Okta users currently matched to the app user based on import matching. There can be more than one match. + items: + additionalProperties: true + type: string + policy: + type: array + description: The list of any policies that apply to the import matching + items: + additionalProperties: true + type: string + user: + type: object + description: |- + Provides information on the Okta user profile currently set to be used for the user who is being imported, based on the matching + rules and attribute mappings that were applied. + properties: + profile: + description: |- + The `data.user.profile` contains the name-value pairs of the attributes in the user profile. If the user has been matched to an existing + Okta user, a `data.user.id` object is included, containing the unique identifier of the Okta user profile. + + You can change the values of the attributes by means of the `commands` object you return. 
+ type: object + additionalProperties: + type: string + UserImportRequestExecute: + description: User import inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/UserImportRequest' + UserImportResponse: + type: object + properties: + commands: + description: |- + The `commands` object is where you can provide commands to Okta. It is an array that allows you to send multiple commands. + Each array element needs to consist of a type-value pair. + type: array + items: + type: object + properties: + type: + description: |- + The command types supported for the import inline hook. + When using the `com.okta.action.update` command to specify that the user should be treated as a match, you need to also provide a `com.okta.user.update` command that sets the ID of the Okta user. + type: string + enum: + - com.okta.appUser.profile.update + - com.okta.user.profile.update + - com.okta.action.update + - com.okta.user.update + x-enumDescriptions: + com.okta.appUser.profile.update: Change values of attributes in the user's app user profile + com.okta.user.profile.update: Change values of attributes in the user's Okta user profile + com.okta.action.update: Specify whether to create a new Okta user for the user being imported or treat them as a match of an existing Okta user + com.okta.user.update: Specify the existing Okta user that the imported user should be treated as a match of. + value: + description: |- + The `value` object is the parameter to pass to the command. In the case of the `com.okta.appUser.profile.update` and `com.okta.user.profile.update` commands, + the parameter should be a list of one or more profile attributes and the values you wish to set them to. In the case of the `com.okta.action.update` command, + the parameter should be a `result` property set to either `CREATE_USER` or `LINK_USER`. 
+ type: object + additionalProperties: + type: string + error: + description: |- + An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log. + The string supplied in the `errorSummary` property is recorded in the System Log event. + + >**Note:** If a response to an import inline hook request is not received from your external service within three seconds, a timeout occurs. In this scenario, the Okta import process continues and the user is created. + type: object + properties: + errorSummary: + description: A human-readable summary of the error + type: string UserLifecycleAttributePolicyRuleCondition: type: object properties: @@ -20631,21 +67177,31 @@ components: type: string matchingValue: type: string + UserLockoutSettings: + type: object + properties: + preventBruteForceLockoutFromUnknownDevices: + type: boolean + description: Prevents brute-force lockout from unknown devices for the password authenticator. + default: false UserNextLogin: type: string x-okta-known-values: - changePassword UserPolicyRuleCondition: + description: Specifies a set of Users to be included or excluded type: object properties: exclude: type: array + description: Users to be excluded items: type: string inactivity: $ref: '#/components/schemas/InactivityPolicyRuleCondition' include: type: array + description: Users to be included items: type: string lifecycleExpiration: 
@@ -20655,179 +67211,401 @@ components: userLifecycleAttribute: $ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition' UserProfile: - type: object additionalProperties: true + description: |- + Specifies the default and custom profile properties for a user. + + The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). + + The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. + + You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. + You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. + + Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. + type: object properties: city: type: string + description: The city or locality of the user's address (`locality`) maxLength: 128 nullable: true costCenter: type: string + description: Name of the cost center assigned to a user + nullable: true countryCode: + description: The country name component of the user's address (`country`). 
For validation, see [ISO 3166-1 alpha 2 "short" code format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166). type: string maxLength: 2 nullable: true department: type: string + description: Name of the user's department displayName: type: string + description: Name of the user suitable for display to end users + nullable: true division: type: string + description: Name of the user's division + nullable: true email: type: string + description: The primary email address of the user. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). format: email minLength: 5 maxLength: 100 employeeNumber: + description: The organization or company assigned unique identifier for the user type: string firstName: type: string + description: Given name of the user (`givenName`) minLength: 1 maxLength: 50 nullable: true honorificPrefix: type: string + description: Honorific prefix(es) of the user, or title in most Western languages + nullable: true honorificSuffix: type: string + description: Honorific suffix(es) of the user + nullable: true lastName: type: string + description: The family name of the user (`familyName`) minLength: 1 maxLength: 50 nullable: true locale: - $ref: '#/components/schemas/Language' + type: string + description: |- + The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. + A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example, en_US specifies the language English and country US. This value is `en_US` by default. login: type: string - maxLength: 100 + description: |- + The unique identifier for the user (`username`). For validation, see [Login pattern validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). 
+ + Every user within your Okta org must have a unique identifier for a login. This constraint applies to all users you import from other systems or applications such as Active Directory. Your organization is the top-level namespace to mix and match logins from all your connected applications or directories. Careful consideration of naming conventions for your login identifier will make it easier to onboard new applications in the future. + + Logins are not considered unique if they differ only in case and/or diacritical marks. If one of your users has a login of Isaac.Brock@example.com, there cannot be another user whose login is isaac.brock@example.com, nor isáàc.bröck@example.com. + + Okta has a default ambiguous name resolution policy for usernames that include @-signs. (By default, usernames must be formatted as email addresses and thus always include @-signs. You can remove that restriction using either the Admin Console or the Schemas API (opens new window).) Users can sign in with their non-qualified short name (for example: isaac.brock with username isaac.brock@example.com) as long as the short name is still unique within the organization. 
+ maxLength: 100 + minLength: 5 manager: type: string + description: The `displayName` of the user's manager + nullable: true managerId: type: string + description: The `id` of the user's manager + nullable: true middleName: type: string + description: The middle name of the user + nullable: true mobilePhone: type: string + description: The mobile phone number of the user maxLength: 100 + minLength: 0 nullable: true nickName: type: string + description: The casual way to address the user in real life + nullable: true organization: type: string + description: Name of the the user's organization + nullable: true postalAddress: type: string + description: Mailing address component of the user's address maxLength: 4096 nullable: true preferredLanguage: type: string + description: The user's preferred written or spoken language. For validation, see [RFC 7231 Section 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5). + nullable: true primaryPhone: type: string + description: The primary phone number of the user such as a home number maxLength: 100 + minLength: 0 nullable: true profileUrl: type: string + description: The URL of the user's online profile. For example, a web page. See [URL](https://datatracker.ietf.org/doc/html/rfc1808). + nullable: true secondEmail: type: string format: email + description: The secondary email address of the user typically used for account recovery. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
minLength: 5 maxLength: 100 nullable: true state: type: string + description: The state or region component of the user's address (`region`) maxLength: 128 nullable: true streetAddress: type: string + description: The full street address component of the user's address maxLength: 1024 nullable: true timezone: type: string + description: The user's time zone + nullable: true title: type: string + description: The user's title, such as Vice President + nullable: true userType: type: string + description: The property used to describe the organization-to-user relationship, such as employee or contractor + nullable: true zipCode: type: string + description: The ZIP code or postal code component of the user's address (`postalCode`) maxLength: 50 nullable: true + UserProvisioningApplicationFeature: + allOf: + - $ref: '#/components/schemas/ApplicationFeature' + - type: object + - properties: + capabilities: + $ref: '#/components/schemas/CapabilitiesObject' + UserResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + title: + type: string + description: Link name + example: SAML Jackson + UserRiskGetResponse: + type: object + properties: + riskLevel: + $ref: '#/components/schemas/UserRiskLevelAll' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUserRef' + discriminator: + propertyName: riskLevel + mapping: + HIGH: '#/components/schemas/UserRiskLevelExists' + MEDIUM: '#/components/schemas/UserRiskLevelExists' + LOW: '#/components/schemas/UserRiskLevelExists' + NONE: '#/components/schemas/UserRiskLevelNone' + UserRiskLevelAll: + description: The risk level associated with the user + type: string + x-okta-known-values: + - HIGH + - LOW + - MEDIUM + - NONE + UserRiskLevelExists: + allOf: + - $ref: '#/components/schemas/UserRiskGetResponse' + - type: object + properties: + reason: + $ref: 
'#/components/schemas/UserRiskReason' + UserRiskLevelNone: + allOf: + - $ref: '#/components/schemas/UserRiskGetResponse' + UserRiskLevelPut: + description: The risk level associated with the user + type: string + x-okta-known-values: + - HIGH + - LOW + UserRiskPutResponse: + type: object + properties: + reason: + $ref: '#/components/schemas/UserRiskReason' + riskLevel: + $ref: '#/components/schemas/UserRiskLevelPut' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUserRef' + UserRiskReason: + description: Describes the risk level for the user + example: Admin override risk + type: string + UserRiskRequest: + type: object + properties: + riskLevel: + type: string + description: The risk level associated with the user + enum: + - HIGH + - LOW UserSchema: type: object properties: $schema: type: string readOnly: true + description: JSON Schema version identifier created: type: string readOnly: true + description: Timestamp when the Schema was created definitions: - $ref: '#/components/schemas/UserSchemaDefinitions' + allOf: + - $ref: '#/components/schemas/UserSchemaDefinitions' + description: |- + User Profile subschemas + + The Profile object for a User is defined by a composite Schema of base and custom properties using a JSON path to reference subschemas. The `#base` properties are defined and versioned by Okta, while `#custom` properties are extensible. Custom property names for the Profile object must be unique and can't conflict with a property name defined in the `#base` subschema. 
id: type: string readOnly: true + description: URI of User Schema lastUpdated: type: string readOnly: true + description: Timestamp when the Schema was last updated name: type: string readOnly: true + description: Name of the Schema properties: - $ref: '#/components/schemas/UserSchemaProperties' + allOf: + - $ref: '#/components/schemas/UserSchemaProperties' + description: User Object Properties title: type: string + description: User-defined display name for the Schema type: type: string readOnly: true + description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' UserSchemaAttribute: type: object properties: description: type: string + description: Description of the property enum: type: array + nullable: true + description: |- + Enumerated value of the property. + + The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. items: - type: string + anyOf: + - type: string + - type: integer externalName: type: string + description: |- + Name of the property as it exists in an external application + + **NOTE**: When you add a custom property, only Identity Provider app user schemas require `externalName` to be + included in the request body. If an existing custom Identity Provider app user schema property has an empty + `externalName`, requests aren't allowed to update other properties until the `externalName` is defined. 
externalNamespace: type: string - items: - $ref: '#/components/schemas/UserSchemaAttributeItems' + description: Namespace from the external application + format: + description: Identifies the type of data represented by the string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeFormat' master: - $ref: '#/components/schemas/UserSchemaAttributeMaster' + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMaster' + description: Identifies where the property is mastered maxLength: type: integer + description: Maximum character length of a string property + nullable: true minLength: type: integer + description: Minimum character length of a string property + nullable: true mutability: - type: string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' + description: Defines the mutability of the property oneOf: type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + + When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order. + + ``` + {"enum": ["S","M","L","XL"], + "oneOf": [ + {"const": "S", "title": "Small"}, + {"const": "M", "title": "Medium"}, + {"const": "L", "title": "Large"}, + {"const": "XL", "title": "Extra Large"} + ] + } + ```json + + The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value. 
items: $ref: '#/components/schemas/UserSchemaAttributeEnum' pattern: type: string + description: For `string` property types, specifies the regular expression used to validate the property permissions: type: array + nullable: true + description: Access control permissions for the property items: $ref: '#/components/schemas/UserSchemaAttributePermission' required: type: boolean + nullable: true + description: Determines whether the property is required scope: $ref: '#/components/schemas/UserSchemaAttributeScope' title: type: string + minLength: 1 + description: User-defined display name for the property type: - $ref: '#/components/schemas/UserSchemaAttributeType' - union: - $ref: '#/components/schemas/UserSchemaAttributeUnion' + description: Type of property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' unique: - type: string + description: Determines whether property values must be unique + type: boolean + nullable: true x-okta-allow-null-property-value-for-updates: true UserSchemaAttributeEnum: type: object @@ -20836,6 +67614,19 @@ components: type: string title: type: string + UserSchemaAttributeFormat: + type: string + x-okta-known-values: + - country-code + - date-time + - email + - encrypted + - hashed + - language-code + - locale + - ref-id + - timezone + - uri UserSchemaAttributeItems: type: object properties: @@ -20850,6 +67641,7 @@ components: type: type: string UserSchemaAttributeMaster: + nullable: true type: object properties: priority: @@ -20871,13 +67663,22 @@ components: - OKTA - OVERRIDE - PROFILE_MASTER + UserSchemaAttributeMutabilityString: + type: string + x-okta-known-values: + - IMMUTABLE + - READ_ONLY + - READ_WRITE + - WRITE_ONLY UserSchemaAttributePermission: type: object properties: action: type: string + description: Determines whether the principal can view or modify the property principal: type: string + description: Security principal UserSchemaAttributeScope: type: string x-okta-known-values: 
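Review bot: The two fenced examples in the `UserSchemaAttribute.oneOf` description put the language tag on the closing fence rather than the opening one (the blocks open with a bare ``` and close with ```json), so renderers will not highlight them and may treat the closing fence as the start of a new block; move `json` to the opening fences. In the same hunk, the `items` property was removed from `UserSchemaAttribute` but the `UserSchemaAttributeItems` schema further down is left in place and now has no referrer, so either keep the property or drop the orphan. `unique` changing from `type: string` to `type: boolean` and the removal of `union` are breaking for generated clients and belong in the release notes. `locale` now carries a prose format (ISO 639-1 code, underscore, ISO 3166-1 code) with no `pattern`; adding `pattern: '^[a-z]{2}_[A-Z]{2}$'` would enforce what the text promises. `UserProvisioningApplicationFeature` lists `- type: object` and `- properties:` as two separate `allOf` members, leaving the member that declares `capabilities` without a `type`; merge them into one object schema. Minor text nits: the `login` description still contains the UI residue "(opens new window)", and `organization` reads "Name of the the user's organization".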
@@ -20891,89 +67692,169 @@ components: - integer - number - string - UserSchemaAttributeUnion: - type: string - x-okta-known-values: - - DISABLE - - ENABLE UserSchemaBase: + description: |- + All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. You can't modify these properties, except to update permissions, to change the nullability of `firstName` and `lastName`, or to specify a pattern for `login`. They can't be removed. + + The base User Profile is based on the [System for Cross-domain Identity Management: Core Schema](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#section-4.1.1) and has the standard properties detailed below. type: object properties: id: type: string + description: The subschema name + readOnly: true properties: - $ref: '#/components/schemas/UserSchemaBaseProperties' + description: The `#base` object properties + allOf: + - $ref: '#/components/schemas/UserSchemaBaseProperties' required: type: array + description: A collection indicating required property names + readOnly: true items: type: string type: type: string + description: The object type + readOnly: true UserSchemaBaseProperties: type: object properties: city: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: City or locality component of the User's address (`locality`) costCenter: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of a cost center assigned to the User countryCode: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Country name component of the User's address (`country`.) This property uses [ISO 3166-1 alpha 2 "short" code format](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). 
department: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's department displayName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User, suitable for display to end Users division: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's division email: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Primary email address of the User. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). employeeNumber: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Organization or company assigned unique identifier for the User firstName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Given name of the User (`givenName`) honorificPrefix: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Honorific prefix(es) of the User or title in most Western languages honorificSuffix: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Honorific suffix(es) of the User lastName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Family name of the User (`familyName`) locale: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + User's default location for purposes of localizing items such as currency, date 
time format, numerical representations, and so on. + + A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example: `en_US` specifies the language English and country US. This value is `en_US` by default. login: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + Unique identifier for the User (`username`) + + The login property is validated according to its pattern attribute, which is a string. By default, the attribute is null. When the attribute is null, the username is required to be formatted as an email address as defined by [RFC 6531 Section 3.3](http://tools.ietf.org/html/rfc6531#section-3.3). The pattern can be set through the API to one of the following forms. (The Admin Console provides access to the same forms.) + * A login pattern of `".+"` indicates that there is no restriction on usernames. Any non-empty, unique value is permitted, and the minimum length of five isn't enforced. In this case, usernames don't need to include the `@` character. If a name does include `@`, the portion ahead of the `@` can be used for logging in, provided it identifies a unique User within the org. + * A login pattern of the form `"[...]+"` indicates that usernames must only contain characters from the set given between the brackets. The enclosing brackets and final `+` are required for this form. Character ranges can be indicated using hyphens. To include the hyphen itself in the allowed set, the hyphen must appear first. Any characters in the set except the hyphen, a-z, A-Z, and 0-9 must be preceded by a backslash (`\`). For example, `"[a-z13579\.]+"` would restrict usernames to lowercase letters, odd digits, and periods, while `"[-a-zA-Z0-9]+"` would allow basic alphanumeric characters and hyphens. 
manager: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: The `displayName` of the User's manager managerId: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: The `id` of the User's manager middleName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Middle name(s) of the User mobilePhone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Mobile phone number of the User nickName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Casual way to address the User in real life organization: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's organization postalAddress: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Mailing address component of the User's address preferredLanguage: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's preferred written or spoken languages. This property is formatted according to [RFC 7231 Section 5.3.5](https://tools.ietf.org/html/rfc7231#section-5.3.5). primaryPhone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Primary phone number of the User, such as home number profileUrl: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: URL of the User's online Profile (for example, a web page.) 
This property is formatted according to the [Relative Uniform Resource Locators specification](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). secondEmail: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Secondary email address of the User typically used for account recovery. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). state: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: State or region component of the User's address (`region`) streetAddress: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Full street address component of the User's address timezone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's time zone. This property is formatted according to the [IANA Time Zone database format](https://tools.ietf.org/html/rfc6557). title: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's title, such as "Vice President" userType: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + Used to describe the organization to the User relationship such as "Employee" or "Contractor". + + **Note:** The `userType` field is an arbitrary string value and isn't related to the newer [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature. 
zipCode: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: ZIP code or postal code component of the User's address (`postalCode`) UserSchemaDefinitions: type: object properties: @@ -20999,22 +67880,35 @@ components: $ref: type: string UserSchemaPublic: + description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom` type: object properties: id: type: string + description: The subschema name + readOnly: true properties: type: object + description: The `#custom` object properties additionalProperties: $ref: '#/components/schemas/UserSchemaAttribute' required: type: array + description: A collection indicating required property names + readOnly: true items: type: string type: type: string + description: The object type + readOnly: true UserStatus: + description: |- + The current status of the user. + + The status of a user changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the user to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user. type: string + readOnly: true x-okta-known-values: - ACTIVE - DEPROVISIONED 
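Review bot: In `UserSchemaBaseProperties.profileUrl`, the link text "Relative Uniform Resource Locators specification" points at `draft-ietf-scim-core-schema-22#ref-ISO3166`, which is the country-code reference, not a URL specification; `UserProfile.profileUrl` earlier in this patch links RFC 1808, so use that target here too. The `countryCode` description has the period inside the parentheses ("(`country`.)"), and `preferredLanguage` says "languages" where `UserProfile.preferredLanguage` says "language"; align the two. The `login` description correctly notes that a `".+"` pattern drops both the email-address requirement and the five-character minimum, which is the point admins most need to see, so consider moving that sentence to the front of the bullet rather than leaving it after the permissive-pattern explanation.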
@@ -21035,152 +67929,287 @@ components: created: type: string format: date-time + description: A timestamp from when the User Type was created readOnly: true createdBy: type: string + description: The user ID of the account that created the User Type readOnly: true default: type: boolean + description: A boolean value to indicate if this is the default User Type readOnly: true description: type: string + description: The human-readable description of the User Type displayName: type: string + description: The human-readable name of the User Type id: type: string + description: The unique key for the User Type + readOnly: true lastUpdated: type: string format: date-time + description: A timestamp from when the User Type was most recently updated readOnly: true lastUpdatedBy: type: string + description: The user ID of the most recent account to edit the User Type readOnly: true name: type: string + description: The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. This value becomes read-only after creation and can't be updated. 
_links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/UserTypeLinks' + required: + - name + - displayName UserTypeCondition: + description: <x-lifecycle class="oie"></x-lifecycle> Specifies which User Types to include and/or exclude properties: exclude: items: type: string type: array + description: The User Types to exclude include: items: type: string type: array + description: The User Types to include + required: + - exclude + - include + UserTypeLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + schema: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated schema + UserTypePostRequest: + type: object + properties: + description: + type: string + description: The updated human-readable description of the User Type + displayName: + type: string + description: The updated human-readable display name for the User Type + UserTypePutRequest: + type: object + properties: + description: + type: string + description: The human-readable description of the User Type + displayName: + type: string + description: The human-readable name of the User Type + name: + type: string + description: The name of the existing type + required: + - name + - displayName + - description UserVerificationEnum: + description: User verification setting. 
Possible values `DISCOURAGED` (the authenticator isn't asked to perform user verification, but may do so at its discretion), `PREFERRED` (the client uses an authenticator capable of user verification if possible), or `REQUIRED`(the client uses only an authenticator capable of user verification) type: string x-okta-known-values: + - DISCOURAGED - PREFERRED - REQUIRED + UsersLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Application Users](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) resource VerificationMethod: + description: |- + Describes the method for verifying the user. The supported method types are `ASSURANCE` and `AUTH_METHOD_CHAIN`. + + <x-lifecycle class="ea"></x-lifecycle> The method type `AUTH_METHOD_CHAIN` is an [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) (Self-Service) feature. You can + enable the feature for your org from the **Settings** > **Features** page in the Admin Console. type: object properties: - constraints: - items: - $ref: '#/components/schemas/AccessPolicyConstraints' - type: array - factorMode: - type: string - reauthenticateIn: - type: string type: - type: string - VerifyFactorRequest: + $ref: '#/components/schemas/PolicyRuleVerificationMethodType' + discriminator: + propertyName: type + mapping: + ASSURANCE: '#/components/schemas/AssuranceMethod' + AUTH_METHOD_CHAIN: '#/components/schemas/AuthenticationMethodChainMethod' + Version: + description: The version specified as a [Semantic Version](https://semver.org/). 
+ type: string + pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ + WebAuthnAttachment: + description: Method attachment + type: string + x-okta-known-values: + - ANY + - BUILT_IN + - ROAMING + WebAuthnCredRequest: + description: Credential request object for the initialized credential, along with the enrollment and key identifiers to associate with the credential type: object properties: - activationToken: - type: string - answer: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta type: string - attestation: + credRequestJwe: + description: Encrypted JWE of credential request for the fulfillment provider type: string - clientData: - type: string - nextPassCode: - type: string - passCode: + keyId: + description: ID for the Okta response key-pair used to encrypt and decrypt credential requests and responses type: string - registrationData: + WebAuthnCredResponse: + description: Credential response object for enrolled credential details, along with enrollment and key identifiers to associate the credential + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta type: string - stateToken: + credResponseJWE: + description: Encrypted JWE of credential response from the fulfillment provider type: string - VerifyUserFactorResponse: + WebAuthnPreregistrationFactor: + description: User Factor variant used for WebAuthn Preregistration Factors type: object properties: - expiresAt: + created: + description: Timestamp indicating when the Factor was enrolled type: string format: date-time readOnly: true - factorResult: - $ref: '#/components/schemas/VerifyUserFactorResult' - factorResultMessage: + factorType: + $ref: '#/components/schemas/UserFactorType' + id: + description: ID of the Factor type: string - _embedded: - type: object - 
additionalProperties: - type: object - properties: {} readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} + lastUpdated: + description: Timestamp indicating when the Factor was last updated + type: string + format: date-time readOnly: true - VerifyUserFactorResult: - type: string - x-okta-known-values: - - CHALLENGE - - ERROR - - EXPIRED - - FAILED - - PASSCODE_REPLAYED - - REJECTED - - SUCCESS - - TIMEOUT - - TIME_WINDOW_EXCEEDED - - WAITING - Version: - description: The version specified as a [Semantic Version](https://semver.org/). - type: string - pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ - VersionObject: + profile: + type: object + description: Specific attributes related to the Factor + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider. 
+ type: string + example: OKTA + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' + WellKnownAppAuthenticatorConfiguration: type: object properties: - minimum: + appAuthenticatorEnrollEndpoint: type: string - WebAuthnUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object + description: The authenticator enrollment endpoint + authenticatorId: + type: string + description: The unique identifier of the app authenticator + createdDate: + type: string + description: Timestamp when the Authenticator was created + format: date-time + key: + $ref: '#/components/schemas/AuthenticatorKeyEnum' + lastUpdated: + type: string + description: Timestamp when the Authenticator was last modified + format: date-time + name: + type: string + description: The authenticator display name + orgId: + type: string + description: The `id` of the Okta Org + settings: + type: object properties: - profile: - $ref: '#/components/schemas/WebAuthnUserFactorProfile' - WebAuthnUserFactorProfile: + userVerification: + $ref: '#/components/schemas/CustomAppUserVerificationEnum' + supportedMethods: + type: array + items: + $ref: '#/components/schemas/SupportedMethods' + type: + type: string + description: The type of Authenticator + enum: + - app + WellKnownOrgMetadata: type: object properties: - authenticatorName: - type: string - credentialId: + id: type: string - WebUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object + description: The unique identifier of the Org + pipeline: + $ref: '#/components/schemas/PipelineType' + settings: + $ref: '#/components/schemas/WellKnownOrgMetadataSettings' + _links: + type: object properties: - profile: - $ref: '#/components/schemas/WebUserFactorProfile' - WebUserFactorProfile: + alternate: + $ref: '#/components/schemas/HrefObject' + organization: + $ref: '#/components/schemas/HrefObject' + WellKnownOrgMetadataSettings: type: object properties: - credentialId: + analyticsCollectionEnabled: + 
type: boolean + bugReportingEnabled: + type: boolean + omEnabled: + type: boolean + description: Whether the legacy Okta Mobile application is enabled for the org + WellKnownSSFMetadata: + title: Shared Signals Framework Metadata + description: Metadata about Okta as a transmitter and relevant information for configuration. + type: object + properties: + configuration_endpoint: + type: string + format: uri + description: The URL of the SSF Stream configuration endpoint + example: https://{yourOktaDomain}/api/v1/ssf/stream + delivery_methods_supported: + type: array + items: + type: string + format: uri + description: An array of supported SET delivery methods + example: + - https://schemas.openid.net/secevent/risc/delivery-method/push + - urn:ietf:rfc:8935 + issuer: type: string + description: The issuer used in Security Event Tokens. This value is set as `iss` in the claim. + example: https://{yourOktaDomain} + jwks_uri: + type: string + description: The URL of the JSON Web Key Set (JWKS) that contains the signing keys for validating the signatures of Security Event Tokens (SETs) + format: uri + example: https://{yourOktaDomain}/oauth2/v1/keys + WidgetGeneration: + description: The generation of the Sign-in Widget + type: string + x-okta-known-values: + - G2 + - G3 WsFederationApplication: x-okta-defined-as: name: template_wsfed @@ -21188,11 +68217,18 @@ components: - $ref: '#/components/schemas/Application' - type: object properties: + credentials: + $ref: '#/components/schemas/ApplicationCredentials' name: type: string - default: template_wsfed + description: '`template_wsfed` is the key name for a WS-Federated app instance with a SAML 2.0 token' + enum: + - template_wsfed settings: $ref: '#/components/schemas/WsFederationApplicationSettings' + required: + - name + - settings WsFederationApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' 
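Review bot: The two WebAuthn preregistration schemas in this hunk spell the same kind of field differently: `WebAuthnCredRequest` declares `credRequestJwe` while `WebAuthnCredResponse` declares `credResponseJWE`. Unless the wire format genuinely differs, settle on one casing (the rest of the spec is camelCase, so `credResponseJwe`) before client code is generated from it. Also in this hunk, this is the `-noEnums` variant of the spec, yet `WellKnownAppAuthenticatorConfiguration.type` is declared with a hard `enum: [app]` where neighbouring fixed-value properties (`WebAuthnAttachment`, `WidgetGeneration`, `VerificationMethod.type`) use `x-okta-known-values`; confirm the hard enum is intended. Finally, `VerifyFactorRequest`, `VerifyUserFactorResponse`, `VerifyUserFactorResult`, `VersionObject`, `WebAuthnUserFactor` and `WebUserFactor` are deleted outright; please confirm no remaining `$ref` still points at them, since a dangling reference only surfaces at generation time.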
@@ -21205,62 +68241,531 @@ components: properties: attributeStatements: type: string + description: You can federate user attributes such as Okta profile fields, LDAP, Active Directory, and Workday values. The SP uses the federated WS-Fed attribute values accordingly. audienceRestriction: type: string + description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP. authnContextClassRef: type: string + description: Identifies the SAML authentication context class for the assertion's authentication statement groupFilter: type: string + description: A regular expression that filters for the User Groups you want included with the `groupName` attribute. If the matching User Group has a corresponding AD group, then the attribute statement includes the value of the attribute specified by `groupValueFormat`. If the matching User Group doesn't contain a corresponding AD group, then the `groupName` is used in the attribute statement. groupName: type: string + description: The group name to include in the WS-Fed response attribute statement. This property is used in conjunction with the `groupFilter` property. Groups that are filtered through the `groupFilter` expression are included with the `groupName` in the attribute statement. Any users that belong to the group you've filtered are included in the WS-Fed response attribute statement. groupValueFormat: type: string + description: Specifies the WS-Fed assertion attribute value for filtered groups. This attribute is only applied to Active Directory groups. + enum: + - windowsDomainQualifiedName + - samAccountName + - dn nameIDFormat: type: string + description: The username format that you send in the WS-Fed response realm: type: string + description: The uniform resource identifier (URI) of the WS-Fed app that's used to share resources securely within a domain. It's the identity that's sent to the Okta IdP when signing in. 
See [Realm name](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_Configure_Okta_Template_WS_Federation#Realm). siteURL: type: string + description: Launch URL for the web app usernameAttribute: type: string + description: Specifies additional username attribute statements to include in the WS-Fed assertion + enum: + - username + - upn + - upnAndUsername + - none wReplyOverride: type: boolean + description: Enables a web app to override the `wReplyURL` URL with a reply parameter. wReplyURL: type: string - responses: - ErrorApiValidationFailed400: - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - API Validation Failed: - $ref: '#/components/examples/ErrorApiValidationFailed' - ErrorAccessDenied403: - description: Forbidden - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Access Denied: - $ref: '#/components/examples/ErrorAccessDenied' - ErrorResourceNotFound404: - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Resource Not Found: - $ref: '#/components/examples/ErrorResourceNotFound' - ErrorTooManyRequests429: - description: Too Many Requests - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Resource Not Found: - $ref: '#/components/examples/ErrorTooManyRequests' + description: The WS-Fed SP endpoint where your users sign in + example: http://test.acme.com/example-post-sign/ + required: + - audienceRestriction + - groupValueFormat + - wReplyURL + - nameIDFormat + - authnContextClassRef + - siteURL + - usernameAttribute + X5c: + description: Base64-encoded X.509 certificate chain with DER encoding + items: + type: string + example: 
MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + type: array + ZoomUsApplication: + title: Zoom + x-tags: + - Application + x-okta-defined-as: + name: zoomus + example: + name: zoomus + label: Sample Zoom App + signOnMode: SAML_2_0 + settings: + app: + subDomain: my-zoom-subdomain + description: | + Schema for the Zoom app (key name: `zoomus`) + + To create a Zoom app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Zoom app only supports `SAML_2_0` sign-on mode. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - zoomus + example: zoomus + signOnMode: + enum: + - SAML_2_0 + settings: + $ref: '#/components/schemas/ZoomUsApplicationSettings' + ZoomUsApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/ZoomUsApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + ZoomUsApplicationSettingsApplication: + description: Zoom app instance properties + type: object + properties: + subDomain: + type: string + description: Your Zoom subdomain + required: + - subDomain + ZscalerbyzApplication: + title: Zscaler 2.0 + x-tags: + - Application + x-okta-defined-as: + name: zscalerbyz + example: + name: zscalerbyz + label: Sample Zscaler 2.0 App + signOnMode: SAML_2_0 + description: | + Schema for the Zscaler 2.0 app (key name: `zscalerbyz`) + + To create a Zscaler 2.0 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Zscaler 2.0 app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - zscalerbyz + example: zscalerbyz + signOnMode: + enum: + - BROWSER_PLUGIN + - SAML_2_0 + settings: + $ref: '#/components/schemas/ZscalerbyzApplicationSettings' + ZscalerbyzApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/ZscalerbyzApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + ZscalerbyzApplicationSettingsApplication: + description: Zscaler app instance properties + type: object + properties: + siteDomain: + type: string + description: Your Zscaler domain + _embedded: + description: The Public Key Details are defined in the `_embedded` property of the Key object. + type: object + properties: + alg: + description: Algorithm used in the key + type: string + nullable: false + readOnly: true + e: + description: RSA key value (exponent) for key binding + type: string + nullable: false + readOnly: true + kid: + description: Unique identifier for the certificate + type: string + uniqueItems: true + nullable: false + readOnly: true + kty: + description: Cryptographic algorithm family for the certificate's keypair + type: string + nullable: false + readOnly: true + 'n': + description: RSA key value (modulus) for key binding + type: string + nullable: false + readOnly: true + use: + description: Acceptable use of the certificate + type: string + nullable: true + readOnly: true + appLink: + type: object + properties: + login: + $ref: '#/components/schemas/HrefObjectAppLink' + logo: + $ref: '#/components/schemas/HrefObjectLogoLink' + readOnly: true + createdProperty: + description: Timestamp when the object was created + format: date-time + example: '2017-03-28T01:11:10.000Z' + type: string + readOnly: true + enabledPagesType: 
+ title: enabledPages + type: string + x-enumDescriptions: + SIGN_IN: User sign-in page + SSPR: Self-service Password Recovery page + SSR: Self-service Registration page + x-okta-known-values: + - SIGN_IN + - SSPR + - SSR + lastUpdatedProperty: + format: date-time + description: Timestamp when the object was last updated + type: string + readOnly: true + orgBillingContactType: + description: Org billing contact + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org billing Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + billing: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org billing [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource + orgGeneralSettingLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + type: object + properties: + contacts: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Contacts](/openapi/okta-management/management/tag/OrgSettingContact/) resource + logo: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org logo + oktaCommunication: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Communication Settings](/openapi/okta-management/management/tag/OrgSettingCommunication/) resource + oktaSupport: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Support 
Settings](/openapi/okta-management/management/tag/OrgSettingSupport/) resource + preferences: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Preferences](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/getOrgPreferences) resource + uploadLogo: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Upload Org Logo](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/uploadOrgLogo) resource + readOnly: true + orgTechnicalContactType: + description: Org technical contact + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org technical Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + technical: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org technical [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource + postAPIServiceIntegrationInstance: + allOf: + - $ref: '#/components/schemas/APIServiceIntegrationInstance' + - type: object + properties: + clientSecret: + type: string + description: The client secret for the API Service Integration instance. This property is only returned in a POST response. + readOnly: true + postAPIServiceIntegrationInstanceRequest: + type: object + properties: + grantedScopes: + type: array + description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). 
+ items: + type: string + example: + - okta.logs.read + type: + type: string + description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`. + example: my_app_cie + required: + - type + - grantedScopes + profile: + description: Specific profile properties for the privileged account + additionalProperties: + type: object + properties: {} + type: object + readOnly: true + subject: + nullable: false + type: object + properties: + format: + type: string + description: The user identifier + nullable: false + writeOnly: true + enum: + - opaque + id: + type: string + description: ID of the user + writeOnly: true + nullable: false + userLink: + type: object + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + schemas-JsonWebKey: + description: A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta can use these keys to verify the signature of a JWT when provided for the `private_key_jwt` client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys. 
+ type: object + properties: + alg: + $ref: '#/components/schemas/SigningAlgorithm' + kid: + type: string + description: The unique identifier of the key + kty: + $ref: '#/components/schemas/JsonWebKeyType' + status: + $ref: '#/components/schemas/JsonWebKeyStatus' + use: + $ref: '#/components/schemas/JsonWebKeyUse' + discriminator: + propertyName: kty + mapping: + EC: '#/components/schemas/JsonWebKeyEC' + RSA: '#/components/schemas/JsonWebKeyRsa' + JsonWebKeyEC: + allOf: + - $ref: '#/components/schemas/schemas-JsonWebKey' + - type: object + properties: + x: + type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + JsonWebKeyRsa: + allOf: + - $ref: '#/components/schemas/schemas-JsonWebKey' + - type: object + properties: + e: + type: string + description: The key exponent of a RSA key + 'n': + type: string + description: The modulus of the RSA key + JsonWebKeyType: + description: The type of public key + type: string + x-okta-known-values: + - EC + - RSA + JsonWebKeyStatus: + description: The status of the public key + type: string + x-okta-known-values: + - ACTIVE + - INACTIVE + JsonWebKeyUse: + description: The intended use of the public key + type: string + x-okta-known-values: + - enc + - sig + securitySchemes: + apiToken: + description: 'Pass the API token as the Authorization header value prefixed with SSWS: `Authorization: SSWS {API Token}`' + name: Authorization + type: apiKey + in: header + oauth2: + type: oauth2 + description: 'Pass the access_token as the value of the Authorization header: `Authorization: Bearer {access_token}`' + flows: + authorizationCode: + authorizationUrl: /oauth2/v1/authorize + tokenUrl: /oauth2/v1/token + scopes: + okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization + okta.agentPools.read: Allows the app to read agent pools in your Okta organization + 
okta.apiTokens.manage: Allows the app to manage API Tokens in your Okta organization + okta.apiTokens.read: Allows the app to read API Tokens in your Okta organization + okta.appGrants.manage: Allows the app to create and manage grants in your Okta organization + okta.appGrants.read: Allows the app to read grants in your Okta organization + okta.apps.manage: Allows the app to create and manage Apps in your Okta organization + okta.apps.read: Allows the app to read information about Apps in your Okta organization + okta.authenticators.manage: Allows the app to manage all authenticators. For example, enrollments or resets. + okta.authenticators.manage.self: Allows the app to manage a user's own authenticators. For example, enrollments or resets. + okta.authenticators.read: Allows the app to read org authenticators information + okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization + okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization + okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization + okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization + okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization + okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization + okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization + okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization + okta.deviceAssurance.manage: Allows the app to manage device assurances + okta.deviceAssurance.read: Allows the app to read device assurances + okta.deviceChecks.manage: Allows the app to manage device checks + okta.deviceChecks.read: Allows the app to read device checks + okta.devices.manage: Allows the app 
to manage device status transitions and delete a device + okta.devices.read: Allows the app to read the existing device's profile and search devices + okta.directories.groups.manage: Allows the app to manage AD/LDAP Groups for your Okta organization + okta.domains.manage: Allows the app to manage custom Domains for your Okta organization + okta.domains.read: Allows the app to read information about custom Domains for your Okta organization + okta.dr.manage: Allows the app to manage disaster recovery + okta.dr.read: Allows the app to read the disaster recovery status + okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization + okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization + okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization + okta.emailServers.read: Allows the app to read information about Email Servers for your Okta organization + okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization + okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization + okta.features.manage: Allows the app to create and manage Features in your Okta organization + okta.features.read: Allows the app to read information about Features in your Okta organization + okta.groups.manage: Allows the app to manage existing groups in your Okta organization + okta.groups.read: Allows the app to read information about groups and their members in your Okta organization + okta.identitySources.manage: Allows the custom identity sources to manage user entities in your Okta organization + okta.identitySources.read: Allows to read session information for custom identity sources in your Okta organization + okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization + okta.idps.read: Allows the app to read information about Identity Providers in your Okta 
organization + okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization + okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization + okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization + okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization + okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization + okta.logStreams.read: Allows the app to read information about log streams in your Okta organization + okta.logs.read: Allows the app to read information about System Log entries in your Okta organization + okta.manifests.manage: Allows the app to manage OIN submissions in your Okta organization + okta.manifests.read: Allows the app to read OIN submissions in your Okta organization + okta.networkZones.manage: Allows the app to create and manage Network Zones in your Okta organization + okta.networkZones.read: Allows the app to read Network Zones in your Okta organization + okta.oauthIntegrations.manage: Allows the app to create and manage API service Integration instances in your Okta organization + okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization + okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization + okta.orgs.read: Allows the app to read organization-specific details about your Okta organization + okta.personal.adminSettings.manage: Allows the app to manage the personal admin settings for the signed-in user + okta.personal.adminSettings.read: Allows the app to read the personal admin settings for the signed-in user + okta.policies.manage: Allows the app to manage policies in your Okta organization + okta.policies.read: Allows the app to read information about policies in your Okta organization + okta.principalRateLimits.manage: 
Allows the app to create and manage Principal Rate Limits in your Okta organization + okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization + okta.privilegedAccounts.manage: Allows the app to create and manage Privileged Accounts in your Okta organization + okta.privilegedAccounts.read: Allows the app to read Privileged Accounts in your Okta organization + okta.privilegedResources.manage: Allows the app to create privileged resources and manage their details + okta.privilegedResources.read: Allows the app to read the details of existing privileged resources + okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization + okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization + okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM + okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM + okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization + okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization + okta.realmAssignments.manage: Allows a user to manage realm assignments + okta.realmAssignments.read: Allows a user to read realm assignments + okta.realms.manage: Allows the app to create new realms and to manage their details + okta.realms.read: Allows the app to read the existing realms and their details + okta.resourceSelectors.manage: Allows the app to manage resource selectors in your Okta org + okta.resourceSelectors.read: Allows the app to read resource selectors in your Okta org + okta.riskEvents.manage: Allows the app to publish risk events to your Okta organization + okta.riskProviders.manage: Allows the app to create and manage risk provider integrations in your Okta organization + okta.riskProviders.read: Allows the app to 
read all risk provider integrations in your Okta organization + okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. + okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. + okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization + okta.schemas.read: Allows the app to read information about Schemas in your Okta organization + okta.securityEventsProviders.manage: Allows the app to create and manage Security Events Providers in your Okta organization + okta.securityEventsProviders.read: Allows the app to read information about Security Events Providers in your Okta organization + okta.sessions.manage: Allows the app to manage all sessions in your Okta organization + okta.sessions.read: Allows the app to read all sessions in your Okta organization + okta.templates.manage: Allows the app to manage all custom templates in your Okta organization + okta.templates.read: Allows the app to read all custom templates in your Okta organization + okta.threatInsights.manage: Allows the app to manage all ThreatInsight configurations in your Okta organization + okta.threatInsights.read: Allows the app to read all ThreatInsight configurations in your Okta organization + okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization + okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization + okta.uischemas.manage: Allows the app to manage all the UI Schemas in your Okta organization + okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization + okta.userRisk.manage: Allows the app to manage a user's 
risk in your Okta org + okta.userRisk.read: Allows the app to read a user's risk in your Okta org + okta.userTypes.manage: Allows the app to manage user types in your Okta org + okta.userTypes.read: Allows the app to read user types in your Okta org + okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information + okta.users.manage.self: Allows the app to manage the signed-in user's profile and credentials + okta.users.read: Allows the app to read the existing users' profiles and credentials + okta.users.read.self: Allows the app to read the signed-in user's profile and credentials + ssf.manage: Allows the app to create and manage Shared Signals Framework (SSF) in your Okta organization + ssf.read: Allows the app to read information about Shared Signals Framework (SSF) in your Okta organization diff --git a/openapi3/management.yaml b/openapi3/management.yaml index 752afcbd..fac07bd6 100644 --- a/openapi3/management.yaml +++ b/openapi3/management.yaml @@ -15,9 +15,6 @@ info: url: logo.svg backgroundColor: transparent altText: Okta Developer -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/reference/core-okta-api/#design-principles servers: - url: https://{yourOktaDomain} variables: 
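Review bot: The `wReplyURL` example in `WsFederationApplicationSettingsSignOn` uses a cleartext endpoint (`example: http://test.acme.com/example-post-sign/`); this is the SP endpoint that receives the WS-Fed token, so the example should be `https://` like the other endpoint examples in this hunk (`https://{yourOktaDomain}/...`). Further points in the same hunk: `_embedded.kid` carries `uniqueItems: true` on a `type: string`, but `uniqueItems` is an array-only keyword and should be dropped; the `okta.roles.read` scope description repeats the sentence "Delegated admins with this permission can only manage user credential fields ..." verbatim from `okta.roles.manage`, which describes a management capability and doesn't belong on a read scope, and `okta.identitySources.read` is missing its subject ("Allows the app to read ..."); `securitySchemes.oauth2.flows.authorizationCode` uses relative `authorizationUrl: /oauth2/v1/authorize` and `tokenUrl: /oauth2/v1/token`, which OpenAPI 3.0.3 expects to be URLs and some validators reject, so consider the absolute `https://{yourOktaDomain}/oauth2/v1/authorize` form; the schema name `schemas-JsonWebKey` looks like an automatic collision rename rather than a deliberate name, and since `JsonWebKeyEC` and `JsonWebKeyRsa` reference it, it should get a stable name before release. Lastly, the whole `responses:` block (`ErrorApiValidationFailed400`, `ErrorAccessDenied403`, `ErrorResourceNotFound404`, `ErrorTooManyRequests429`) is removed; confirm no operation still references `#/components/responses/...`.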
@@ -42,36 +39,42 @@ tags: description: The API Tokens API provides operations to manage SSWS API tokens for your organization. - name: Application x-displayName: Applications - description: The Applications API provides operations to manage applications and/or assignments to users or groups for your organization. + description: |- + The Applications API provides operations to manage apps in your org. + + To create a custom app integration instance, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) operation with the schema provided in the request payload. + + To create an app instance from the Okta Integration Network (OIN), use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) + operation with the corresponding OIN app schema in the request body. - name: ApplicationConnections x-displayName: Application Connections description: | The Application Connections API provides operations for configuring connections to an app. - Currently, only the Okta Org2Org app provisioning connection is supported in this API. - - name: ApplicationCredentials - x-displayName: Application Credentials - description: | - Specifies credentials and scheme for the application's `signOnMode` + Okta supports token-based and OAuth 2.0-based provisioning connections for supported apps. + The following available provisioning connections are supported by the indicated apps: - ### Application Key Credential - The application Key Credential object defines a [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) for a signature or encryption credential for an application. + | <div style="width:100px">Connection</div> | Description | <div style="width:150px">Apps supported</div> | + | -------------------------------- | -------------- | ----------- | + | Token | The provisioning API connection is based on bearer token authentication. 
| <ul><li>Okta Org2Org (`okta_org2org`)</li> <li>Zscaler 2.0 (`zscalerbyz`)</li></ul> | + | OAuth 2.0 | The provisioning API connection is based on OAuth 2.0 authentication. | <ul><li>Google Workspace (`google`)</li> <li>Microsoft Office 365 (`office365`)</li> <li>Okta Org2Org (`okta_org2org`)</li> <li>Slack (`slack`)</li> <li>Zoom (`zoomus`)</li></ul> | - > **Notes:** - > * To update the app, you can provide just the Signing Credential object instead of the entire Application Credential object. - > * Currently only the X.509 JWK format is supported for applications with the `SAML_2_0` sign-on mode. + > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. - name: ApplicationFeatures x-displayName: Application Features description: | - The Feature object is used to configure feature settings for the application. - - The only feature this API currently supports is `USER_PROVISIONING` for the Org2Org application type. - The `USER_PROVISIONING` feature is the same as the **To App** provisioning setting in the Admin Console. - Enable this feature to: - * Create Users - * Update User Attributes - * Deactivate Users - * Sync Password + The Application Features API supports operations to configure app provisioning feature settings. + + You must have app provisioning enabled to configure provisioning features. See [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). 
+ + The following available provisioning features are supported by the indicated apps: + + | <div style="width:190px">Feature</div> | Description | <div style="width:150px">Apps supported</div> | + | -------------------- | -------------- | ----------- | + | `USER_PROVISIONING` | Similar to the app **Provisioning** > **To App** setting in the Admin Console, user profiles are pushed from Okta to the third-party app. You can configure rules for creating users, deactivating users, and syncing passwords. | <ul><li>Google Workspace (`google`)</li> <li>Microsoft Office 365 (`office365`)</li> <li>Okta Org2Org (`okta_org2org`)</li> <li>Slack (`slack`)</li> <li>Zoom (`zoomus`)</li> <li>Zscaler 2.0 (`zscalerbyz`)</li></ul> | + | `INBOUND_PROVISIONING` | Similar to the app **Provisioning** > **To Okta** provisioning setting in the Admin Console, user profiles are imported from the third-party app into Okta. You can schedule user import and configure rules for user creation and matching. | <ul><li>Google Workspace (`google`)</li> <li>Microsoft Office 365 (`office365`)</li> <li>Okta Org2Org (`okta_org2org`)</li> <li>Slack (`slack`)</li> <li>Zoom (`zoomus`)</li></ul> | + + > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. - name: ApplicationGrants x-displayName: Application Grants description: | 
@@ -81,52 +84,117 @@ tags: If the app doesn't have permission to grant consent for a particular Okta scope, token requests that contain the scope are denied. - name: ApplicationGroups x-displayName: Application Groups - description: Groups assigned to an application + description: The Application Groups API provides a set of operations to manage group assignment for an app. - name: ApplicationLogos x-displayName: Application Logos description: Provides a resource to manage the application instance logo - name: ApplicationPolicies x-displayName: Application Policies - description: Provides a resource to manage authentication policies associated with an application + description: The Application Policies API provides a resource to manage authentication policies associated with an app. - name: ApplicationSSO x-displayName: Application SSO description: Provides a Single Sign-On (SSO) resource for an application + - name: ApplicationSSOCredentialKey + x-displayName: Application Key Credentials + description: | + The Application Key Credentials API provides a set of operations to manage an app's key store credentials. + - name: ApplicationSSOCredentialOAuth2ClientAuth + x-displayName: Application Client Auth Credentials + description: | + The Application Client Authentication Credentials API provides a set of operations to manage credentials used for OAuth 2.0 client authentication as described in [Client authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/client-auth/). 
- name: ApplicationTokens x-displayName: Application Tokens - description: Application OAuth 2.0 token operations + description: | + Resource to manage OAuth 2.0 tokens for an app + > **Note:** To configure refresh tokens for an app, see + > [grant_types](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/grant_types&t=request) + > and [refresh_token](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/refresh_token&t=request). - name: ApplicationUsers x-displayName: Application Users - description: Application user operations + description: | + The Application Users API provides operations to manage app users and their assignments. + The object returned from assigning a user to an app is known as the Application User. + + You can assign users to apps for: + * SSO only + * SSO and provisioning - name: AttackProtection x-displayName: Attack Protection - description: The Attack Protection API provides operations to configure the User Lockout Settings in your org to prevent brute-force attacks. + description: The Attack Protection API provides operations to configure the User Lockout Settings and the Authenticator Settings in your org to protect against password abuse. - name: Authenticator x-displayName: Authenticators description: |- - The Authenticators Administration API provides operations to configure which Authenticators are available to end users for use when signing in to applications. + The Authenticators Administration API provides operations to configure which Authenticators are available to end users for use when they sign in to applications. - End users are required to use one or more Authenticators depending on the security requirements of the authentication policy. + End users are required to use one or more Authenticators based on the security requirements of the authentication policy. 
Okta Identity Engine currently supports Authenticators for the following factors: **Knowledge-based:** - * Password * Security Question **Possession-based:** - - * Phone (SMS, Voice Call) + * Phone (SMS, voice call) * Email * WebAuthn * Duo - * Custom App + * Custom app - name: AuthorizationServer x-displayName: Authorization Servers - description: Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them. + description: |- + Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them. + + **Work with the Default Authorization Server** + + Okta provides a pre-configured Custom Authorization Server with the name `default`. This Default Authorization Server includes a basic access policy and rule, which you can edit to control access. It allows you to specify `default` instead of the `authorizationServerId` in requests to it: + + `https://${yourOktaDomain}/api/v1/authorizationServers/default` + + vs + + `https://${yourOktaDomain}/api/v1/authorizationServers/${authorizationServerId}` for other Custom Authorization Servers + - name: AuthorizationServerAssoc + x-displayName: Authorization Server Associated Servers + description: Associated authorization servers allow you to designate a trusted authorization server that you associate with another authorization server. This type of association provides a way to configure [token exchange](https://developer.okta.com/docs/guides/set-up-token-exchange/main/#trusted-servers) between other authorization servers under the same Okta tenant. 
+ - name: AuthorizationServerClaims + x-displayName: Authorization Server Claims + description: Provides operations to manage custom token claims for the given `authServerId` and `claimId` + - name: AuthorizationServerClients + x-displayName: Authorization Server Clients + description: |- + These endpoints allow you to manage tokens issued by an authorization server for a particular client. For example, you can revoke every active refresh token for a specific client. You can also revoke specific tokens or manage tokens at the User level. + + Read [Validate access tokens](https://developer.okta.com/docs/guides/validate-access-tokens/dotnet/main/) and [Validate ID tokens](https://developer.okta.com/docs/guides/validate-id-tokens/main/) to understand more about how OAuth 2.0 tokens work. + - name: AuthorizationServerKeys + x-displayName: Authorization Server Keys + description: |- + Provides operations to manage [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) credentials for the given `authServerId`. + + > **Note:** Looking for how to obtain the jwks_uri for your org or custom authorization server? See the [well-known OpenID metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOpenIDConfigurationCustomAS) and the [well-known OAuth 2.0 metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOAuthConfigurationCustomAS). + - name: AuthorizationServerPolicies + x-displayName: Authorization Server Policies + description: Provides operations to manage policies for the given `authServerId`. + - name: AuthorizationServerRules + x-displayName: Authorization Server Rules + description: Provides operations to manage policy rules for the given `authServerId`, `policyId`, and `ruleId`. 
+ - name: AuthorizationServerScopes + x-displayName: Authorization Server Scopes + description: Provides operations to manage custom token scopes for the given `authServerId` and `scopeId`. See [scope properties](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scope-properties). - name: Behavior x-displayName: Behavior Rules description: The Behavior Rules API provides operations to manage the behavior detection rules for your organization. + - name: Brands + x-displayName: Brands + description: |- + These endpoints allow you to manage Brands, and their metadata, in your orgs. With Brands, you can customize the following: + * [The Okta-hosted sign-in page](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) + * [The sign-out page](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) + * [Error pages](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) + * [Email templates](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomTemplates/) + * [The Okta End-User Dashboard](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Themes/) + + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: CAPTCHA x-displayName: CAPTCHAs description: |- 
@@ -138,12 +206,45 @@ tags: - name: CustomDomain x-displayName: Custom Domains description: The Custom Domains API provides operations to manage custom domains for your organization. - - name: Customization - x-displayName: Customizations + - name: CustomPages + x-displayName: Custom Pages description: |- - The Brands API allows you to customize the look and feel of pages and templates, such as the Okta-hosted sign-in page, error pages, email templates, and the Okta End-User Dashboard. + These endpoints allow you to customize the contents of various pages, including: + * The Okta-hosted sign-in page + * Error pages + * The sign-out page + + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). + - name: CustomTemplates + x-displayName: Custom Email Templates + description: |- + These endpoints allow you to programmatically manage email customizations. + + Okta provides many customizable email templates. For example, the `UserActivation` email template allows users to activate their account. Use email customizations to override a template's default content. See the [list of email templates](https://developer.okta.com/docs/guides/custom-email/main/#use-customizable-email-templates). + + Each template has default content that Okta translates to any one of the supported languages. 
The following settings determine the language for emails sent from Okta to a user, if the user hasn't selected a specific display language: + * The user's locale property value (if specified) + * The org's display language + + See [Supported languages](https://developer.okta.com/docs/guides/custom-email/main/#supported-languages). + + The following constraints apply to email customizations: + * If an email template has any customizations at all, exactly one of them must be the default (where `isDefault` is `true`). Okta uses the default customization when no other customization applies to the user's language settings. + * Each email template can have only one customization for each supported language. + + ### Enable other locales + <ApiLifecycle access="ea" /> - Each new org contains Okta default branding. You can upload your own assets (colors, background image, logo, and favicon) to replace the default assets and publish these assets directly to your pages and templates. + Use the [BCP 47 format](https://www.rfc-editor.org/info/bcp47) to enable more locales than Okta's 27 default languages. + + Once you create a customization with the new locale, the locale appears in the Admin Console along with the default-supported locales. + + Include `null` in the subject or body of the email customization. Okta replaces `null` with a default value based on the following order of priority: + + - An existing default email customization, if one exists + - Okta-provided translated content for the specified language, if one exists + - Okta-provided translated content for the brand locale, if it's set + - Okta-provided content in English - name: Device x-displayName: Devices description: |- 
@@ -164,15 +265,27 @@ tags: > **Note:** End users with a new enrollment in Okta Verify on an Okta Identity Engine org have a device record created in the device inventory by default. See [Device Registration](https://help.okta.com/okta_help.htm?type=oie&id=csh-device-registration), [Login Using Okta Verify](https://help.okta.com/okta_help.htm?type=eu&id=ext-ov-user-overview). + - name: DeviceAccess + x-displayName: Device Access + description: The Device Access API provides operations to configure device access settings. - name: DeviceAssurance x-displayName: Device Assurance Policies description: The Device Assurance Policies API provides operations to manage device assurance policies in your organization. + - name: DirectoriesIntegration + x-displayName: Directories Integration + description: |- + > **Note:** Your Okta org needs to have the AD bidirectional group management feature enabled. Contact your Okta account team to enable this feature. + + The Directories Integration API provides operations to manage Active Directory objects in a connected on-premises directory through Okta. + - name: EmailCustomization + x-displayName: Email Customization + description: The Email Customization API provides operations to modify the email bounce list for your Okta org. - name: EmailDomain x-displayName: Email Domains description: The Email Domains API provides operations to manage email domains for your organization. - name: EmailServer x-displayName: Email Servers - description: The Okta Email Servers API provides operations to manage custom email SMTP servers for your organization. + description: The Email Servers API allows you to configure a custom external email provider to send email notifications. By default, notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. Adding a custom email provider gives you more control over your email delivery. - name: EventHook x-displayName: Event Hooks description: |- 
@@ -181,21 +294,51 @@ tags: For general information on event hooks and how to create and use them, see [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/). The following documentation is only for the management API, which provides a CRUD interface for registering event hooks. For a step-by-step guide on implementing an example event hook, see the [Event hook](https://developer.okta.com/docs/guides/event-hook-implementation/) guide. + + When you create an event hook, you need to specify which events you want to subscribe to. To see the list of event types currently eligible for use in event hooks, use the [Event Types](https://developer.okta.com/docs/reference/api/event-types/#catalog) catalog and search with the parameter `event-hook-eligible`. - name: Feature x-displayName: Features description: |- The Okta Features API provides operations to manage self-service Early Access (EA) and Beta features in your org. > **Note:** Important background information for this API is available on the [Feature Lifecycle Management](https://developer.okta.com/docs/concepts/feature-lifecycle-management/) page. + - name: GovernanceBundle + x-displayName: IAM Governance Bundles + description: |- + These APIs allow you to manage governance bundles for the Admin Console, and manage roles and resources associated with the bundles. + For details on how governance bundles are supported from the Resource Management Access Platform (RAMP), see [Entitlement Management](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/entitlement-mgt.htm). - name: Group x-displayName: Groups - description: The Groups API provides operations to manage Okta Groups and their user members for your organization. + description: The Groups API provides operations to manage Okta Groups and their user members for your org. 
+ - name: GroupOwner + x-displayName: Group Owners + description: |- + The Group Owners API provides operations to manage owners of Okta Groups for your organization. + + > **Note**: This API is only available if you're subscribed to [Okta Identity Governance](https://www.okta.com/products/identity-governance/). Contact your Customer Success Manager or Account Executive for more information. + - name: GroupRule + x-displayName: Group Rules + description: The Group Rules API provides operations to manage rules for Okta Groups in your org. - name: HookKey x-displayName: Hook Keys - description: The Hook Keys API provides operations to manage hook keys for your organization. + description: |- + The Okta Key Management API provides a CRUD interface for JSON Web Keys (JWK) used with other parts of the application, such as inline hooks. For information on how to create inline hooks, see [inline hooks](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/). + + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: IdentityProvider x-displayName: Identity Providers description: The Identity Providers API provides operations to manage federations with external Identity Providers (IdP). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (`OIDC`) protocol. 
+ - name: IdentityProviderKeys + x-displayName: Identity Provider Keys + description: The Identity Provider Keys API provides operations to manage Key Credentials for Identity Providers. + - name: IdentityProviderSigningKeys + x-displayName: Identity Provider Signing Keys + description: |- + The Identity Provider Signing Keys API provides operations to manage signing Key Credentials and Certificate Signing Requests for Identity Providers. + > **Note:** Okta currently uses the same key for both request signing and the decryption of SAML assertions that the IdP encrypts. Changing your signing key also changes your decryption key. + - name: IdentityProviderUsers + x-displayName: Identity Provider Users + description: The Identity Provider Users API provides operations to manage Identity Provider Users. - name: IdentitySource x-displayName: Identity Sources description: The Okta Identity Source API provides a mechanism to synchronize an HR source (the custom identity source) with Okta user profiles in an org. 
@@ -252,21 +395,76 @@ tags: To represent a relationship, create a Linked Object definition that specifies a `primary` (parent) relationship and an `associated` (child) relationship, and then add a link in which the appropriate user is assigned to each side of that link type. - ## Links between User Types + ## Links between user types + + If you created multiple user types (see [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/)), they all share the same Linked Object definitions. For example, if you have separate user types for employees and contractors, a link could designate an employee as the manager for a contractor, with the contractor being a subordinate of that employee. + + ## Link definition operations + + Link definition operations allow you to manage the creation and removal of the link definitions. If you remove a link definition, links based on that definition are unavailable. - If you created multiple User Types, they all share the same Linked Object definitions. For example, if you have separate User Types for employees and contractors, a link could designate an employee as the manager for a contractor, with the contractor being a subordinate of that employee. + > **Note:** Links reappear if you recreate the definition. However, Okta is likely to change this behavior so that links don't reappear. Don't rely on this behavior in production environments. - name: LogStream x-displayName: Log Streaming - description: The Log Streaming API provides operations to manage log stream configurations for an org. You can configure up to two log stream integrations per org. + description: The Log Streaming API provides operations to manage Log Stream configurations for an org. You can configure up to two Log Stream integrations per org. - name: NetworkZone x-displayName: Network Zones description: |- - The Okta Network Zones API provides operations to manage Zones in your organization. 
There are two usage Zone types: Policy Network Zones and Blocklist Network Zones. Policy Network Zones are used to guide policy decisions. Blocklist Network Zones are used to deny access from certain IP addresses, locations, proxy types, or Autonomous System Numbers (ASNs) before policy evaluation. + The Network Zones API provides operations to manage system default and custom zones in your Okta org. + Network Zones are configurable boundaries that you can use to grant or restrict access to resources in your organization. + They're used for two purposes: + * `POLICY`: Network Zones used to guide policy decisions + * `BLOCKLIST`: Network Zones used to deny access from certain IP addresses, locations, Autonomous System Numbers (ASNs), proxy types, or IP service categories before policy evaluation + > **Note:** The Network Zone blocklist applies to all URLs for the org. + + See [Network zones](https://help.okta.com/okta_help.htm?id=ext_Security_Network) in the Okta product documentation. + + Your Okta org provides the following default system Network Zones that you can modify and use: + * `LegacyIpZone`: The system default IP Network Zone + * `BlockedIpZone`: The system default IP Blocklist Network Zone + * `DefaultEnhancedDynamicZone`: The system default Enhanced Dynamic Network Zone + + You can create and use the following custom Network Zones: + * IP Network Zone (`IP`): Allows you to define network perimeters around a set of IPs + * Dynamic Network Zone (`DYNAMIC`): Allows you to define network perimeters around location, IP type, or ASNs + * Enhanced Dynamic Network Zone (`DYNAMIC_V2`): Extends the Dynamic Network Zone and allows you to include or exclude specific locations, ASNs, or IP service categories + + > **Notes:** + > * To create multiple Network Zones, you must have Adaptive MFA enabled in your Okta org. + > * Enhanced Dynamic Network Zones is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. 
You must enable **Enhanced Dynamic Network Zones** in your Org settings to access this API. See [Manage Early Access and Beta features](https://help.okta.com/okta_help.htm?id=ext_secur_manage_ea_bata). + - name: OktaApplicationSettings + x-displayName: Okta Application Settings + description: The Okta Application Settings API provides operations to manage settings for Okta apps in your org. + - name: OktaPersonalSettings + x-displayName: Okta Personal Settings + description: The Okta Personal Settings API provides operations to manage the [Okta Personal](https://www.okta.com/products/okta-personal/workforce) settings of your Okta org. + - name: OrgCreator + x-displayName: Org Creator + description: |- + > **Note:** You need to have the **Platform—Multi-org Deployment** product to enable the **Org Creator API** feature. Contact your Okta account team for more information. - A default system Policy Network Zone is provided in your Okta org. You can use the Network Zones API to modify the default Policy Network Zone or to create a custom Policy or Blocklist Network Zone. When you create your custom Zone, you can specify if the Zone is an IP Zone or a Dynamic Zone. An IP Zone allows you to define network perimeters around a set of IPs, whereas a Dynamic Zone allows you to define network perimeters around location, IP type, and ASNs. - - name: OrgSetting - x-displayName: Org Settings - description: The Org Settings API provides operations to manage your org account settings such as contact information, granting Okta Support access, and more. + The Org Creator API provides an operation to create Okta orgs (child orgs) based on features from your current org (the parent org). See [Org Creator](https://developer.okta.com/docs/concepts/org-creator/). + - name: OrgSettingAdmin + x-displayName: Org Admin Settings + description: The Org Admin Settings API provides operations to manage the admin settings for your Okta org. 
+ - name: OrgSettingCommunication + x-displayName: Org Communication Settings + description: The Org Communication Settings API provides operations to manage the communication settings for your Okta org. For example, opt users in or out of communication emails. + - name: OrgSettingContact + x-displayName: Org Contacts + description: The Org Contacts API provides operations to manage the contact types of your Okta org. + - name: OrgSettingCustomization + x-displayName: Org Customization + description: The Org Customization API provides operations to retrieve and modify custom settings for your Okta org. + - name: OrgSettingGeneral + x-displayName: Org General Settings + description: The Org General Settings API provides operations to manage the general settings of your Okta org. + - name: OrgSettingMetadata + x-displayName: Org Metadata + description: The Org Metadata API provides operation to fetch metadata for your Okta org. + - name: OrgSettingSupport + x-displayName: Org Support Settings + description: The Org Support Settings API provides operations to manage the support settings for your Okta org. - name: Policy x-displayName: Policies description: |- 
@@ -281,44 +479,124 @@ tags: description: The Mappings API provides operations to manage the mapping of Profile properties between an Okta User and an App User using [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language). More information on Okta User and App User Profiles can be found in Okta's [User profiles](https://developer.okta.com/docs/concepts/user-profiles/#what-is-the-okta-universal-directory). - name: PushProvider x-displayName: Push Providers - description: The Push Providers API provides operations to manage Push Providers for your organization. x-okta-lifecycle: - features: - - CUSTOM_PUSH_AUTHENTICATOR + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + description: |- + The Okta Push Providers API provides a centralized integration platform to fetch and manage push provider configurations. Okta administrators can use these APIs to provide their push provider credentials, for example from APNs and FCM, so that Okta can send push notifications to their own custom app authenticator applications. + + The Push Providers API supports the following **Authorization Schemes**: + * SSWS - [API tokens](https://developer.okta.com/docs/reference/core-okta-api/#authentication) + * Bearer - [OAuth2.0 and OpenID Connect](https://developer.okta.com/docs/concepts/oauth-openid/) + + > **Notes:** + > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/reference/core-okta-api/#authentication). + > * You can use the Push Providers API as part of the "Create a custom authenticator" flow. 
See the [Custom authenticator integration guide](https://developer.okta.com/docs/guides/authenticators-custom-authenticator/android/main/). - name: RateLimitSettings x-displayName: Rate Limit Settings description: The Rate Limit Settings APIs provide operations to manage settings and configurations surrounding rate limiting in your Okta organization. - name: Realm x-displayName: Realms - description: The realm API provides operations to manage realms - - name: ResourceSet - x-displayName: Resource Sets - description: The Resource Sets API provides operations to manage Resource Sets as custom collections of resources. You can use Resource Sets to assign Custom Roles to administrators who are scoped to the designated resources. See [Supported Resources](https://developer.okta.com/docs/concepts/role-assignment/#supported-resources). + description: The Realms API provides operations to manage realms + - name: RealmAssignment + x-displayName: Realm Assignments + description: The Realm Assignments API provides operations to manage Realm Assignments - name: RiskEvent x-displayName: Risk Events description: The Risk Events API provides the ability for third-party risk providers to send risk events to Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. - name: RiskProvider x-displayName: Risk Providers - description: The Risk Providers API provides the ability to manage the Risk Providers within Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. - - name: Role - x-displayName: Roles + description: The Risk Providers API enables you to manage the Risk Providers within Okta. 
See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. + - name: RoleAssignmentAUser + x-displayName: User Role Assignments + description: The User Role Assignments APIs allow you to assign roles and designate third-party admin status to Users. + - name: RoleAssignmentBGroup + x-displayName: Group Role Assignments + description: The Group Role Assignments APIs allow you to assign roles and designate third-party admin status to Groups. + - name: RoleAssignmentClient + x-displayName: Client Role Assignments + description: The Client Role Assignments APIs allow you to assign roles and designate third-party admin status to public client apps. + - name: RoleBTargetAdmin + x-displayName: User Role Targets description: |- - The Roles API provides operations to manage administrative Role assignments for a User. - - Role listing APIs provide a union of both standard and Custom Roles assigned to a User or Group. - - name: RoleAssignment - x-displayName: Role Assignments - description: These APIs allow you to assign custom roles to user and groups, as well as designate Third-Party Administrator status to a user or group. - - name: RoleTarget - x-displayName: Role Targets + User role targets are a way of limiting the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to an admin User within your org. + You can define admin roles to target Groups, Applications, and Application Instances. + + * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. + * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. 
+ * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. + + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Set Resources](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleBTargetBGroup + x-displayName: Group Role Targets description: |- - Role targets are a way of defining permissions for admin roles into a smaller subset of Groups or Apps within your org. Targets limit an admin's permissions to a targeted area of the org. You can define admin roles to target Groups, Applications, and Application Instances. + Group role targets allow you to limit the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a Group within your org. + You can define admin roles to target Groups, Applications, and Application Instances. * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. - * **App targets:** Grant an admin permission to manage all instances of the specified Apps. Target Apps are Okta catalog Apps. For example, you can have multiple configurations of an Okta catalog App, such as Salesforce or Facebook. When you add a Salesforce or Facebook App as a target, that grants the admin permission to manage all the instances of those Apps and create new instances of them. 
- * **App Instance targets:** Grant an admin permission to manage an instance of one App or instances of multiple Apps. App Instances are specific Apps that admins have created in their org. For example, there may be a Salesforce App configured differently for each sales region of a company. When you create an App Instance target, you can assign an admin to manage only two instances of the configured Salesforce Apps and then also to manage an instance of another configured App such as Workday. + * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. + * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. + + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Set Resources](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleBTargetClient + x-displayName: Client Role Targets + description: |- + Client role targets allow you to limit the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a client (Application) within your org. + You can define admin roles to target Groups, Applications, and Application Instances. + + * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group. 
+ * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook. + * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances. + + > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Sets](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/). + - name: RoleCResourceSet + x-displayName: Resource Sets + description: The Resource Sets API provides operations to manage Resource Sets as a custom set of resources. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). + - name: RoleCResourceSetResource + x-displayName: Resource Set Resources + description: The Resource Set Resources API provides operations to manage Resources within a Resource Set. You can add or remove Resources in Resource Sets. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). + - name: RoleDResourceSetBinding + x-displayName: Role Resource Set Bindings + description: The Role Resource Set Bindings API provides operations to assign members to a [Custom Role](/openapi/okta-management/management/tag/RoleECustom/) that targets resources in a [Resource Set](/openapi/okta-management/management/tag/RoleCResourceSet/). The returned Role Resource Set Binding is a single unique combination of a principal, a resource set, and a custom role. 
You can assign custom roles to admins who are scoped to the designated resources in a resource set. + - name: RoleDResourceSetBindingMember + x-displayName: Role Resource Set Binding Members + description: The Role Resource Set Binding Members API provides operations to manage members in a [Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/). + - name: RoleECustom + x-displayName: Custom Roles + description: The Custom Roles API provides operations to manage custom roles that limit an admin's access to a subset of permissions and resources. + - name: RoleECustomPermission + x-displayName: Custom Role Permissions + description: The Custom Role Permissions API provides operations to manage the permissions assigned to a Custom Role. + - name: SSFReceiver + x-displayName: SSF Receiver + description: |- + <x-lifecycle class="oie"></x-lifecycle> + > This feature is only available with Identity Threat Protection in Identity Engine. - > **Note:** Don't use these operations with a Custom Role ID. Custom Role assignments always require a target Resource Set. See [Role Assignments](https://developer.okta.com/docs/concepts/role-assignment/) for more information. + Okta uses the [Shared Signals Framework (SSF)](https://sharedsignals.guide/) to receive security-related events and other data-subject signals from third-party security vendors. In this scenario, commonly used terms for third-party vendors that send signals are "transmitters", Okta is the "receiver", and the connection between the two entities is referred to as a "stream." + + The SSF Receiver API allows you to manage SSF vendor stream configurations between the transmitter and Okta. A stream is configured by [creating a Security Events Provider](/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance) object in your Okta org. 
You can create a Security Events Provider object in Okta with a published well-known URL or an issuer-and-JWKS combination. + + After the Security Events Provider object is created for a transmitter, the provider can use the [SSF Security Event Tokens](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken/) API to publish events to Okta. While the SSF allows ingestion through push and poll-based operations, Okta currently supports only push-based operations. + - name: SSFSecurityEventToken + x-displayName: SSF Security Event Tokens + description: |- + <x-lifecycle class="oie"></x-lifecycle> + > This feature is only available with Identity Threat Protection in Identity Engine. + + The Shared Signals Framework (SSF) Security Event Tokens API allows third-party security event providers to send Security Event Tokens (SETs) to Okta. The provider must be configured in Okta as a Security Events Provider instance before transmitting a SET to Okta. See [Create a Security Events Provider](/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance). After the token is verified, any appropriate action is performed upon ingestion. + + Okta uses the Shared Signals Framework (SSF) defined by the [OpenID Shared Signals and Events Framework specification](https://openid.net/specs/openid-sse-framework-1_0.html). A risk signal is ingested as a Security Event Token (SET), a type of JSON Web Token (JWT) that must comply with the SET standard: [RFC 8417 - Security Event Token(SET)](https://datatracker.ietf.org/doc/html/rfc8417). The `security.events.provider.receive_event` System Log event is created when a SET is published to Okta successfully. 
+ - name: SSFTransmitter + x-displayName: SSF Transmitter + description: |- + <x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle> + > **Note:** The SSF Transmitter API is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. You must enable the **Enable Managed Apple ID federation and provisioning** feature in your Org settings to access this feature. See [Manage Early Access and Beta features](https://help.okta.com/okta_help.htm?id=ext_secur_manage_ea_bata). + + Okta uses the [Shared Signals Framework (SSF)](https://sharedsignals.guide) to send security-related events and other data-subject signals to third-party security vendors. In this scenario, commonly used terms for third-party vendors that receive signals are "receivers", Okta is the "transmitter", and the connection between the two entities is referred to as a "stream." + + The SSF Transmitter API allows you to manage SSF stream configurations between the receiver that receives signals transmitted by Okta. Okta sends signals in the form of [Security Event Tokens (SETs)](https://datatracker.ietf.org/doc/html/rfc8417) to a third-party SSF receiver. To enable the transmission of signals from Okta, you must create an SSF Stream using the SSF Transmitter API and configure the third-party receiver to accept signals from Okta. - name: Schema x-displayName: Schemas description: |- 
@@ -330,14 +608,45 @@ tags: [JSON Schema](http://json-schema.org/) is a lightweight declarative format for describing the structure, constraints, and validation of JSON documents. > **Note:** Okta implements only a subset of [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). This document describes which parts apply to Okta, and any extensions Okta has made to [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). + + ### Unique Attributes + You can enforce uniqueness for custom properties in Okta user profiles or the Okta group profile, such as an employee identification number. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. Different user types can have the same or different unique properties (up to the limit of five per type). + + Unique properties in Okta user profiles share a single namespace across all [user types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) in an org. If user types A and B both contain the property `ice cream` and you identify it as unique in both profiles, then if a user of type A has the value `chocolate`, no other users of type A or B (or any other user type that declares `ice cream` as unique) can have that value. + + Properties that aren't unique also aren't tracked for uniqueness. Suppose the property `candy` is unique in type E and not unique in type F. If a user of type E has the value `caramel` for the `candy` property, no other users of type E can also have the value `caramel`, but any number of users of type F can already have or later be assigned the value `caramel`. 
Furthermore, because `candy` is not unique in type F, any values users of type F may have are not considered when enforcing uniqueness for users of type E. No matter how many users of type F already have the value `cotton`, it might be assigned to a user of type E as long as no other such user already has that value. + + If you attempt to create or update a user with a duplicate value for a custom user property with a uniqueness restriction, the user creation or update operation fails. The user isn't created or updated until you enter a unique value. Similarly, creating or updating a group fails when the request contains a value for a unique custom group property that is duplicated by another group. + + `null` values don't enter into the uniqueness calculation. If the unique property isn't also specified as being required, you can also omit the value entirely. Multiple users or groups can omit the property and not violate uniqueness. + + To enforce uniqueness for custom properties, you can either add new unique custom properties or update existing custom properties to be unique. + + #### Add new unique custom property + + You can use the [add property to user profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [add property to group profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to add one or more unique custom user or group properties. Specify `"unique": true` on the properties to be marked as unique. The response shows the properties with `"unique": "UNIQUE_VALIDATED"` and uniqueness is then enforced on those properties. 
+ + #### Update existing custom property to be unique + + You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to mark existing custom user or group properties as unique by specifying `"unique": true` on the properties to be marked as unique. + + After the request to mark existing custom properties as unique is submitted, an asynchronous validation check is performed to make sure that there are no existing duplicate entries. If you have a significant number of users or groups, the validation can take some time. + + A uniqueness status of `"unique": "PENDING_UNIQUENESS"` indicates that the validation check is still in progress. Use the Universal Directory page in the Admin Console (**Directory** > **Directory Integrations**) to track the status of the validation check. After the validation completes, if you submit a retrieve user schema request or a retreive group schema request, the property's uniqueness status changes to `UNIQUE_VALIDATED` if no duplicate records are found, and uniqueness is then enforced on that property. Otherwise, if duplicate records are found, the `unique` attribute of the schema property isn't shown in the get schema request and uniqueness isn't enforced on the schema property. 
+ + #### Update existing unique custom property to be non-unique + + You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to change existing unique custom user or group properties to be non-unique by specifying `"unique": false` on the properties to be changed to non-unique. The response shows the properties without the `unique` attribute and the uniqueness constraint is then removed on those properties. + + **Note:** If multiple user types declare a property as unique and you remove the uniqueness constraint on one type, there may be a delay before users of other types that declare the property as unique can be assigned values formerly held by users of the first type. - name: Session x-displayName: Sessions description: |- Okta uses a cookie-based authentication mechanism to maintain a user's authentication Session across web requests. The Okta Sessions API provides operations to create and manage authentication Sessions for users in your Okta organization. - >**Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [FAQ: How Blocked Third Party Cookies Can Potentially Impact Your Okta Environment](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment). - - >**Note:** The Sessions API doesn't support direct authentication. Direct authentication is supported through the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#authentication-operations) or through OIDC using the [Resource Owner Password flow](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/). 
+ >**Notes:** + > * Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). + > * The Sessions API doesn't support direct authentication. Direct authentication is supported through the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#authentication-operations) or through OIDC using the [Resource Owner Password flow](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/). ### Session cookie @@ -360,9 +669,9 @@ tags: - name: SystemLog x-displayName: System Log description: |- - The System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. + The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. - The System Log API provides near real-time, read-only access to your organization's system log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). + The Okta System Log API provides near real-time, read-only access to your organization's system log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact. 
@@ -372,9 +681,7 @@ tags: * Development debugging * Event introspection and audit - The System Log API isn't intended for use as a Database as a Service (DBaaS) or to serve data directly to downstream consumers without an intermediate data store. - - See [Events API Migration](https://developer.okta.com/docs/concepts/events-api-migration/) for information on migrating from the Events API to the System Log API. + > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: Template x-displayName: SMS Templates description: |- 
@@ -383,6 +690,33 @@ tags: > **Note:** Only SMS custom Templates are available through the API. SMS Templates customize the SMS message that is sent to users. One default SMS Template is provided. All custom Templates must have the variable `${code}` as part of the text. The `${code}` variable is replaced with the actual SMS code when the message is sent. Optionally, you can also use the variable `${org.name}`. If a Template contains `${org.name}`, it is replaced with the organization name before the SMS message is sent. + + ### SMS Template macros + + Only two macros are supported for SMS Templates: + + | <div style="width:200px">Type</div> | Description | + | -------------------- | ----------- | + | ${code} | The one-time verification code that's required for a user to sign in. | + | ${org.name} | The Okta org name that the user is trying to authenticate into. | + + >**Note:** The length of your SMS message can't exceed 160 characters. If the verification code portion of the message falls outside of the 160-character limit, your message isn't sent. + - name: Themes + x-displayName: Themes + description: |- + These endpoints allow you to customize the look and feel of pages and templates, including the following: + * The Okta-hosted sign-in page + * The sign-out page + * Error pages + * Email templates + * The Okta End-User Dashboard + + Each new org contains Okta default branding. You can upload your own assets (colors, background image, logo, and favicon) to replace the default assets. Then you can publish these assets directly to your pages and templates. + + > **Notes:** + > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. 
See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). + > * Okta optimizes the `primaryColorContrastHex` and `secondaryColorContrastHex` properties for the highest contrast between the font color and the background or button color. To disable or override the contrast auto-detection, update either contrast value with an accepted contrast hex code. Any update disables future automatic optimizations for the contrast hex. + > * Contrast color is used by pages to optimize the opacity of text color when primary or secondary color is used as the background. - name: ThreatInsight x-displayName: ThreatInsight description: |- 
@@ -402,32 +736,109 @@ tags: When external URLs are requested during sign-in, sign-out, or recovery operations, Okta checks those URLs against the allowed list of Trusted Origins. Trusted Origins also enable browser-based applications to access Okta APIs from JavaScript (CORS). If the origins aren't specified, the related operation (redirect or Okta API access) isn't permitted. - You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin. This is an Early Access feature. To enable it, contact [Okta Support](https://support.okta.com/help/s/). + You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin. - > **Note:** This Early Access feature is supported for Okta domains only. It isn't currently supported for custom domains. + > **Notes:** + > * This feature is supported for Okta domains only. It isn't currently supported for custom domains. + > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: UISchema x-displayName: UI Schema description: |- The Okta UI Schema API allows you to control how inputs appear on an enrollment form. The UI Schema API is only available as a part of Okta Identity Engine. - If you’re not sure which solution you’re using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs. + If you're not sure which solution you're using, check the footer on any page of the Admin Console. 
The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs. - name: User x-displayName: Users - description: The User API provides operations to manage users in your organization. + description: "The Users API provides operations to manage users in your organization.\n> **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs.\n> OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).\n\n### User status\nThe following diagram shows the flow of user status:\n![STAGED, PROVISIONED, ACTIVE, RECOVERY, LOCKED_OUT, PASSWORD_EXPIRED, or DEPROVISIONED](../../../../../images/users/okta-user-status.png)\n\n### User creation scenarios\n\n The following table describes the user experience and expectation of user status and welcome screen, depending on which options (security question and answer, password, and activate query) are defined during user creation.\n\n **User creation details and outcomes**\n\n | Security Q & A | Password | Activate Query Parameter | User Status | Login Credential | Welcome Screen |\n | ----- | -------- | ------------------------ | ------------- | ---------------------- | -------------- |\n | | | FALSE | `STAGED` | | |\n | | | TRUE | `PROVISIONED` or `ACTIVE` | One-Time Token (Email) or Email | X |\n | X | | FALSE | `STAGED` | | |\n | X | | TRUE | `PROVISIONED` or `ACTIVE` | One-Time Token (Email) or Email | X |\n | | X | FALSE | `STAGED` | | |\n | | X | TRUE | `ACTIVE` | Password | X |\n | X | X | FALSE | `STAGED` | | |\n | X | X | TRUE | `ACTIVE` | Password | |\n\nCreating users with a `FEDERATION` or `SOCIAL` provider sets the user status to either `ACTIVE` or `STAGED` based on the `activate` query 
parameter since these two providers don't support a `password` or `recovery_question` credential.\n\nMore information about the use cases are in the following sections and in the examples for [Create a user](/openapi/okta-management/management/tag/User/#tag/User/operation/createUser).\n\n#### Create user with Optional Password enabled\n\nWhen Optional Password is enabled, the user status following user creation can be affected by the enrollment policy. See [Create an authenticator enrollment policy](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-mfa-policy).\nBased on the group memberships that are specified when the user is created, a password may or may not be required to make the user's status `ACTIVE`.\n\nIf the enrollment policy that applies to the user (as determined by the groups assigned to the user) specifies that the Password authenticator is `required`, then in the case where the user is created without a password, the user is in the `PROVISIONED` status and\na One-Time Token is sent to the user through email. If the user is created with a password, then their status is set to ACTIVE, and they can immediately sign in using their Password authenticator.\n\nIf the enrollment policy that applies to the groups specified for the newly created user indicates that password is `optional` or `disabled`, then the Administrator can't specify a password for the user. Instead, the user status is set to `ACTIVE` and the user can immediately sign in using their Email authenticator. 
If policy permits, and the user so chooses, they can enroll a password after they sign in.\n\n#### Create user without credentials\n\nCreates a user without a `password` or a `recovery question & answer`.\n\nIf appropriate, when the user is activated, an email is sent to the user with an activation token that the user can use to complete the activation process.\nThis is the default flow for new user registration using the administrator UI.\n\n#### Create user with recovery question\n\nCreates a user without a `password`.\n\nWhen the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process.\nThis flow is useful if migrating users from an existing user store.\n\n#### Create user with password\n\nCreates a user without a `recovery question & answer`.\n\nThe new user is able to sign in after activation with the assigned password. This flow is common when developing a custom user registration experience.\n> **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.\n\n#### Create User with imported hashed password\n\nCreates a user with a specified `hashed password`.\n\nThe new user is able to sign in after activation with the specified password.\n\nThis flow is common when migrating users from another data store in cases where we want to allow the users to retain their current passwords.\n> **Important:** Do not generate or send a one-time activation token when activating users with an imported password. 
Users should login with their imported password.\n\n#### Create user with password import inline hook\n\nCreates a user with a `Password Hook` object specifying that a password inline hook should be used to handle password verification.\n\nThe password inline hook is triggered to handle verification of the end user's password the first time the user tries to sign in, with Okta calling the password inline hook to check that the password the user supplied is valid. If the password is valid, Okta stores the hash of the password that was provided and can authenticate the user independently from then on. See [Password import inline hook](https://developer.okta.com/docs/reference/password-hook/) for more details.\n\nThe new user is able to sign in after activation with the valid password. This flow supports migrating users from another data store in cases where we wish to allow the users to retain their current passwords.\n> **Important:** Don't generate or send a one-time activation token when activating users with an password inline hook. Users should sign in with their existing password to be imported using the password import inline hook.\n\n#### Create user with password & recovery question\n\nCreates a new user with a `password` and `recovery question & answer`.\n\nThe new user is able to log in with the assigned password after activation. This flow is common when developing a custom user-registration experience.\n> **Important:** Don't generate or send a one-time activation token when activating users with an assigned password. 
Users should login with their assigned password.\n\n#### Create user with authentication provider\n\nCreates a new passwordless user with a `SOCIAL` or `FEDERATION` authentication provider that must be authenticated via a trusted Identity Provider.\n\n#### Create user in Group\n\nCreates a user that is added to the specified groups upon creation.\n\nUse this in conjunction with other create operations for a Group Administrator that is scoped to create users only in specified groups. The request may specify up to 20 group ids. (This limit applies only when creating a user. The user may later be added to more groups.)\n\n#### Create user with non-default user type\n\nCreates a user with a specified user type (see [User Types](https://developer.okta.com/docs/reference/api/user-types)). The type specification may be included with any of the above Create user operations; this example demonstrates creating a user without credentials.\nThe user type determines which [Schema](/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can be assigned a different user type only by an admin via a full replacement [PUT operation](https://developer.okta.com/docs/reference/api/user-types/#update-user-type).\n\n### Links object\n\nThe links object specifies link relations. See [`_links`](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=_links&t=response).\n\n> **Note:** This links object is different from [Linked Objects](/openapi/okta-management/management/tag/LinkedObject/).\n\n#### Individual users versus collection of users\n\nFor an individual user result, the links object contains a full set of link relations available for that user as determined by your policies. For a collection of users, the links object contains only the `self` link. 
Operations that return a collection of users include [List all users](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) and [List all member users](openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers).\n\nThe following table shows some links that may be available on a user, as determined by your policies:\n\n| Link Relation Type | Description |\n|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n|self\t | A self-referential link to this user |\n|activate\t | Lifecycle action to [activate the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) |\n|deactivate |\tLifecycle action to [deactivate the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/deactivateUser) |\n|suspend |\tLifecycle action to [suspend the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/suspendUser) |\n|unsuspend |\tLifecycle action to [unsuspend the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unsuspendUser) |\n|resetPassword |\tLifecycle action to [trigger a password reset](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) |\n|expirePassword |\tLifecycle action to [expire the user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/expirePassword) |\n|resetFactors |\tLifecycle action to [reset all MFA factors](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/resetFactors) |\n|unlock |\tLifecycle action to [unlock a locked-out user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unlockUser) |\n|forgotPassword |\t[Resets a user's 
password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword) by validating the user's recovery credential. |\n|changePassword |\t[Changes a user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) validating the user's current password |\n|changeRecoveryQuestion |\t[Changes a user's recovery credential](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changeRecoveryQuestion) by validating the user's current password |" + - name: UserCred + x-displayName: User Credentials + description: The User Credentials API provides operations to manage user credentials in your org. - name: UserFactor x-displayName: User Factors - description: The Factors API provides operations to enroll, manage, and verify factors for multifactor authentication (MFA). Manage both administration and end-user accounts, or verify an individual factor at any time. + description: |- + The Factors API provides operations to enroll, manage, and verify factors for multifactor authentication (MFA). Generally, authentication involves verifying a different one-time passcode (OTP). Manage both administration and end-user accounts, or verify an individual factor at any time. 
+ Okta supports several different types of Factors: + + | Factor Type | Description | + |-----------------------|-------------| + | `call` | Software OTP sent using a voice call to a registered phone number | + | `sms` | Software OTP sent using SMS to a registered phone number | + | `email` | Software OTP sent using email | + | `question` | Additional knowledge-based security question | + | `push` | Out-of-band verification using a push notification to a device and transaction verification with digital signature | + | `token` | Software or hardware OTP sent to a device | + | `token:hardware` | Hardware OTP sent to a device | + | `token:hotp` | Custom [TOTP](https://www.ietf.org/rfc/rfc6238.txt) factor that uses an extension of the HMAC-based one-time passcode (HOTP) algorithm | + | `token:software:totp` | Software time-based one-time passcode (TOTP) | + | `u2f` | Hardware Universal 2nd Factor (U2F) device | + | `web` | HTML inline frame (iframe) for embedding verification from a third party | + | `webauthn` | Hardware WebAuthn device | + | `signed_nonce` | Okta Fastpass (device-bound authentication). This is available for OIE orgs if the org has users that have enrolled with Okta Verify after the org started using OIE. | + - name: UserGrant + x-displayName: User Grants + description: |- + The User Grants API provides operations to manage user consent Grants in your org. + + A consent represents a user's explicit permission to allow an app to access resources protected by scopes. Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they've already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted. 
+ + > **Hint:** For all grant operations, you can use `me` instead of the `userId` in an endpoint that contains `/users`, in an active session with no SSWS token (API token). For example: `https://${yourOktaDomain}/api/v1/users/me/grants` returns all the grants for the active session user. + + > **Note:** Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For more information, see [FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment). + - name: UserLifecycle + x-displayName: User Lifecycle + description: |- + The User Lifecycle API provides lifecycle operations, which are non-idempotent operations that initiate a state transition for a user's status. Some operations are asynchronous while others are synchronous. + The user's current status limits what operations are allowed. + - name: UserLinkedObject + x-displayName: User Linked Objects + description: |- + The User Linked Objects API provides operations to manage User Linked Objects in your org. + Use link value operations to assign Users to a relationship, represented by a pair of `primary` and `associated` links. See also the [Linked Objects API](/openapi/okta-management/management/tag/LinkedObject/). + + For these operations, the examples use consistent IDs so that you can follow the operations more easily: + * `manager` is the `primary` relationship and is assigned `00u5t60iloOHN9pBi0h7` + * `subordinate` is the `associated` relationship and is assigned to IDs `00u5zex6ztMbOZhF50h7` and `00u1tsf0nQKavLDUh0g5` + - name: UserOAuth + x-displayName: User OAuth 2.0 Token Management + description: |- + The User OAuth 2.0 Token Management API provides operations to manage tokens issued by an Authorization Server for a particular User and Client in your org. 
For example, you can revoke every active refresh token for a User in the context of a specific Client. You can also [revoke specific tokens](https://developer.okta.com/docs/guides/revoke-tokens/main/) or [manage tokens at the authorization server level](/openapi/okta-management/management/tag/AuthorizationServer/). + + Read [Validate Access Tokens](https://developer.okta.com/docs/guides/validate-access-tokens/) to understand more about how OAuth 2.0 tokens work. + - name: UserResources + x-displayName: User Resources + description: The User Resources API provides operations related to User resources. + - name: UserRisk + x-displayName: User Risk + description: |- + <x-lifecycle class="oie"></x-lifecycle> + > This feature is only available with Identity Threat Protection in Identity Engine. + + The User Risk API enables you to manage a user's risk level within Okta. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + - name: UserSessions + x-displayName: User Sessions + description: The User Sessions API provides operations to manage User sessions in your org. - name: UserType x-displayName: User Types - description: The User Types API provides operations to manage User Types. + description: The User Types API provides operations to manage user types. + - name: WebAuthnPreregistration + x-displayName: WebAuthn Preregistration + description: The WebAuthn Preregistration API provides a flow to initiate and set up WebAuthn Preregistration authenticator enrollments through third-party fulfillment providers. 
+externalDocs: + description: Find more info here + url: https://developer.okta.com/docs/reference/core-okta-api/#design-principles paths: /.well-known/app-authenticator-configuration: get: x-okta-lifecycle: - features: - - CUSTOM_PUSH_AUTHENTICATOR + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] summary: Retrieve the Well-Known App Authenticator Configuration - description: Retrieves the well-known app authenticator configuration, which includes an app authenticator's settings, supported methods and various other configuration details + description: Retrieves the well-known app authenticator configuration. Includes an app authenticator's settings, supported methods, and other details. operationId: getWellKnownAppAuthenticatorConfiguration parameters: - name: oauthClientId @@ -445,6 +856,9 @@ paths: type: array items: $ref: '#/components/schemas/WellKnownAppAuthenticatorConfiguration' + examples: + AuthenticatorConfiguration: + $ref: '#/components/examples/WellKnownAppAuthenticatorConfigurationCustomApp' '400': $ref: '#/components/responses/ErrorMissingRequiredParameter400' '429': @@ -455,7 +869,7 @@ paths: /.well-known/okta-organization: get: summary: Retrieve the Well-Known Org Metadata - description: Retrieves the well-known org metadata, which includes the id, configured custom domains, authentication pipeline, and various other org settings + description: Retrieves the well-known org metadata, which includes the org ID, configured custom domains, authentication pipeline, and various other org settings operationId: getWellknownOrgMetadata responses: '200': 
@@ -473,7 +887,42 @@ paths: $ref: '#/components/responses/ErrorTooManyRequests429' security: [] tags: - - OrgSetting + - OrgSettingMetadata + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /.well-known/ssf-configuration: + get: + summary: Retrieve the SSF Transmitter metadata + description: Retrieves SSF Transmitter configuration metadata. This includes all supported endpoints and key information about certain properties of the Okta org as the transmitter, such as `delivery_methods_supported`, `issuer`, and `jwks_uri`. + operationId: getWellknownSsfMetadata + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/WellKnownSSFMetadata' + examples: + wellKnownSSFMetadataExample: + $ref: '#/components/examples/wellKnownSSFMetadataExample' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: [] + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/agentPools: get: summary: List all Agent Pools @@ -502,6 +951,9 @@ paths: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -532,6 +984,9 @@ paths: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Agent Pool update description: Creates an Agent pool update \n For user flow 2 manual update, starts the update immediately. \n For user flow 3, schedules the update based on the configured update window and delay. 
@@ -563,6 +1018,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/settings: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -589,6 +1047,9 @@ paths: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update an Agent Pool update settings description: Updates an agent pool update settings @@ -620,6 +1081,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -647,6 +1111,9 @@ paths: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update an Agent Pool update by id description: Updates Agent pool update and return latest agent pool update @@ -678,6 +1145,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Agent Pool update description: Deletes Agent pool update @@ -697,6 +1167,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/activate: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -724,6 +1197,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/deactivate: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -751,6 +1227,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/pause: parameters: - $ref: '#/components/parameters/pathPoolId' 
@@ -778,6 +1257,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/resume: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -805,6 +1287,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/retry: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -832,6 +1317,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/stop: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -859,19 +1347,14 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens: get: summary: List all API Token Metadata description: Lists all the metadata of the active API tokens operationId: listApiTokens - parameters: - - $ref: '#/components/parameters/queryAfter' - - $ref: '#/components/parameters/queryLimit' - - name: q - in: query - description: Finds a token that matches the name or clientName. - schema: - type: string responses: '200': description: OK @@ -894,6 +1377,9 @@ paths: - okta.apiTokens.read tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens/current: delete: summary: Revoke the Current API Token @@ -910,12 +1396,15 @@ paths: - apiToken: [] tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens/{apiTokenId}: parameters: - $ref: '#/components/parameters/pathApiTokenId' get: summary: Retrieve an API Token's Metadata - description: Retrieves the metadata for an active API token by id + description: Retrieves the metadata for an active API token by `apiTokenId` operationId: getApiToken responses: '200': 
@@ -939,6 +1428,53 @@ paths: - okta.apiTokens.read tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Upsert an API Token Network Condition + description: Upserts an API Token Network Condition by `apiTokenId` + operationId: upsertApiToken + requestBody: + content: + application/json: + example: + name: api_token_name + clientName: client_name + userId: 00uabcdefg1234567890 + network: + connection: ANYWHERE + created: '2021-11-09T20:38:10.000Z' + schema: + $ref: '#/components/schemas/ApiTokenUpdate' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ApiToken' + examples: + HCaptcha: + $ref: '#/components/examples/ApiTokenMetadataResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apiTokens.manage + tags: + - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke an API Token description: Revokes an API token by `apiTokenId` 
@@ -958,39 +1494,59 @@ paths: - okta.apiTokens.manage tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps: get: summary: List all Applications - description: Lists all applications with pagination. A subset of apps can be returned that match a supported filter expression or query. + description: Lists all apps in the org with pagination. A subset of apps can be returned that match a supported filter expression or query. The results are [paginated](/#pagination) according to the `limit` parameter. If there are multiple pages of results, the header contains a `next` link. Treat the link as an opaque value (follow it, don't parse it). operationId: listApplications parameters: - name: q in: query + description: Searches for apps with `name` or `label` properties that starts with the `q` value using the `startsWith` operation schema: type: string + example: Okta - name: after in: query - description: Specifies the pagination cursor for the next page of apps + description: Specifies the [pagination](/#pagination) cursor for the next page of results. Treat this as an opaque value obtained through the `next` link relationship. schema: type: string + example: 16278919418571 + - name: useOptimization + in: query + description: Specifies whether to use query optimization. If you specify `useOptimization=true` in the request query, the response contains a subset of app instance properties. 
+ schema: + type: boolean + default: false - name: limit in: query - description: Specifies the number of results for a page + description: Specifies the number of results per page schema: type: integer format: int32 default: -1 + maximum: 200 - name: filter in: query - description: Filters apps by status, user.id, group.id or credentials.signing.kid expression - schema: - type: string - - name: expand - in: query - description: Traverses users link relationship and optionally embeds Application User resource + description: Filters apps by `status`, `user.id`, `group.id`, `credentials.signing.kid` or `name` expression that supports the `eq` operator schema: type: string + examples: + ActiveStatusEx: + value: status eq "ACTIVE" + summary: Filter for active apps + NameFilterEx: + value: name eq "okta_org2org" + summary: Filter for apps with `okta_org2org` name + CredKidEx: + value: credentials.signing.kid eq "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-F1bm4" + summary: Filter for apps using a specific key + - $ref: '#/components/parameters/queryAppsExpand' - name: includeNonDeleted + description: Specifies whether to include non-active, but not deleted apps in the results in: query schema: type: boolean @@ -1004,6 +1560,15 @@ paths: type: array items: $ref: '#/components/schemas/Application' + examples: + ResponseExample1: + $ref: '#/components/examples/GetApplicationsByUserResponseEx' + ResponseExample2: + $ref: '#/components/examples/GetApplicationsByGroupResponseEx' + ResponseExample3: + $ref: '#/components/examples/GetApplicationsByKeyResponseEx' + ResponseExample4: + $ref: '#/components/examples/GetApplicationsByNameResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -1014,9 +1579,17 @@ paths: - okta.apps.read tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Application - description: Creates a new application to your Okta organization + description: | + Creates an app instance in your Okta org. + + You can either create an OIN app instance or a custom app instance: + * OIN app instances have prescribed `name` (key app definition) and `signOnMode` options. See the [OIN schemas](/openapi/okta-management/management/tag/Application/#tag/Application/schema/GoogleApplication) for the request body. + * For custom app instances, select the [signOnMode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/signOnMode&t=request) that pertains to your app and specify the required parameters in the request body. operationId: createApplication parameters: - name: activate @@ -1035,6 +1608,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStoreEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0Ex' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectEx' required: true responses: '200': 
@@ -1043,6 +1635,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkAppResponseEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginAppResponseEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthResponseEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStoreResponseEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationResponseEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginResponseEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldResponseEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0ResponseEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -1055,70 +1666,15 @@ paths: - okta.apps.manage tags: - Application - /api/v1/apps/${appId}/sso/saml/metadata: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/google/{appId}/oauth2/callback: + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/office365/{appId}/oauth2/callback: parameters: - $ref: '#/components/parameters/pathAppId' - get: - summary: Preview the application SAML metadata - description: Previews the SSO SAML metadata for an application - operationId: previewSAMLmetadataForApplication - responses: - '200': - description: OK - content: - text/xml: - schema: - type: string - description: SAML metadata in XML - format: xml - examples: - previewSAML: - summary: SAML metadata example - value: | - <?xml version="1.0" encoding="UTF-8"?> - <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="exk39sivhuytV2D8H0h7"> - <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> - <md:KeyDescriptor use="signing"> - <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> - <ds:X509Data> - <ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAVGNO4qeMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG - A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU - MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJ - ARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODUwMDhaFw0xNzEyMTAxODUxMDdaMIGUMQswCQYD - VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG - A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEc - MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC - ggEBALAakG48bgcTWHdwmVLHig0mkiRejxIVm3wbzrNSJcBruTq2zCYZ1rGfVxTYON8kJqvkXPmv - kzWKhpEkvhubL+mx29XpXY0AsNIfgcm5xIV56yhXSvlMdqzGo3ciRwoACaF+ClNLxmXK9UTZD89B - bVVGCG5AEvja0eCQ0GYsO5i9aSI5aTroab8Aew31PuWl/RGQWmjVy8+7P4wwkKKJNKCpxMYDlhfa - 
WRp0zwUSbUCO0qEyeAYdZx6CLES4FGrDi/7D6G+ewWC+kbz1tL1XpF2Dcg3+IOlHrV6VWzz3rG39 - v9zFIncjvoQJFDGWhpqGqcmXvgH0Ze3SVcVF01T+bK0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA - AHmnSZ4imjNrIf9wxfQIcqHXEBoJ+oJtd59cw1Ur/YQY9pKXxoglqCQ54ZmlIf4GghlcZhslLO+m - NdkQVwSmWMh6KLxVM18/xAkq8zyKbMbvQnTjFB7x45bgokwbjhivWqrB5LYHHCVN7k/8mKlS4eCK - Ci6RGEmErjojr4QN2xV0qAqP6CcGANgpepsQJCzlWucMFKAh0x9Kl8fmiQodfyLXyrebYsVnLrMf - jxE1b6dg4jKvv975tf5wreQSYZ7m//g3/+NnuDKkN/03HqhV7hTNi1fyctXk8I5Nwgyr+pT5LT2k - YoEdncuy+GQGzE9yLOhC4HNfHQXpqp2tMPdRlw==</ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - </md:KeyDescriptor> - <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> - <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> - <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://{yourOktaDomain}/app/sample-app/exk39sivhuytV2D8H0h7/sso/saml"/> - <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://{yourOktaDomain}/app/sample-app/exk39sivhuytV2D8H0h7/sso/saml"/> - </md:IDPSSODescriptor> - </md:EntityDescriptor> - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.apps.read - tags: - - ApplicationSSO /api/v1/apps/{appId}: parameters: - $ref: '#/components/parameters/pathAppId' @@ -1129,8 +1685,12 @@ paths: parameters: - name: expand in: query + description: |- + An optional query parameter to return the specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. + Valid value: `expand=user/{userId}` schema: type: string + example: user/0oa1gjh63g214q0Hq0g4 responses: '200': description: Success 
@@ -1138,6 +1698,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + RetrieveEx1: + $ref: '#/components/examples/GetApplicationsResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1150,9 +1713,16 @@ paths: - okta.apps.read tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Application - description: Replaces an application + description: | + Replaces properties for an application + > **Notes:** + > * All required properties must be specified in the request body + > * You can't modify system-assigned properties, such as `id`, `name`, `status`, `created`, and `lastUpdated`. The values for these properties in the PUT request body are ignored. operationId: replaceApplication x-codegen-request-body-name: application requestBody: @@ -1160,6 +1730,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkPutEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginPutEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthPutEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStorePutEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationPutEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginPutEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldPutEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0PutEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectPutEx' required: true responses: '200': 
@@ -1168,6 +1757,25 @@ paths: application/json: schema: $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkPutResponseEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginPutResponseEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthPutResponseEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStorePutResponseEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationPutResponseEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginPutResponseEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldPutResponseEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0PutResponseEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectPutResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -1182,6 +1790,9 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Application description: Deletes an inactive application @@ -1202,6 +1813,9 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default: parameters: - $ref: '#/components/parameters/pathAppId' 
@@ -1215,10 +1829,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnection' + $ref: '#/components/schemas/ProvisioningConnectionResponse' examples: - ProvisioningConnectionResponseExample: - $ref: '#/components/examples/ProvisioningConnectionTokenResponseEx' + ProvisioningConnectionTokenZscalerEx: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx' + ProvisioningConnectionTokenOrg2OrgEx: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx' + ProvisioningConnectionOauthO365Ex: + $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1231,6 +1849,9 @@ paths: - okta.apps.read tags: - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update the default Provisioning Connection description: Updates the default Provisioning Connection for an app 
@@ -1245,24 +1866,36 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnectionRequest' + oneOf: + - $ref: '#/components/schemas/ProvisioningConnectionTokenRequest' + - $ref: '#/components/schemas/ProvisioningConnectionOauthRequest' examples: - ProvisioningConnectionTokenExample: + ProvisioningConnectionTokenZscalerEx: $ref: '#/components/examples/ProvisioningConnectionTokenRequestEx' - ProvisioningConnectionOauthExample: - $ref: '#/components/examples/ProvisioningConnectionOauthRequestEx' + ProvisioningConnectionTokenOrg2OrgEx: + $ref: '#/components/examples/ProvisioningConnectionTokenOrg2OrgRequestEx' + ProvisioningConnectionOauthO365Ex: + $ref: '#/components/examples/ProvisioningConnectionOauthO365RequestEx' required: true responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ProvisioningConnectionResponse' '201': description: Created content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnection' + $ref: '#/components/schemas/ProvisioningConnectionResponse' examples: - ProvisioningConnectionTokenExample: - $ref: '#/components/examples/ProvisioningConnectionTokenResponseEx' - ProvisioningConnectionOauthExample: + ProvisioningConnectionTokenZscalerEx: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx' + ProvisioningConnectionTokenOrg2OrgEx: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx' + ProvisioningConnectionOauthO365Ex: $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' @@ -1278,6 +1911,9 @@ paths: - okta.apps.manage tags: - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAppId' 
@@ -1300,6 +1936,9 @@ paths: - okta.apps.manage tags: - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAppId' @@ -1322,6 +1961,9 @@ paths: - okta.apps.manage tags: - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs: parameters: - $ref: '#/components/parameters/pathAppId' @@ -1349,10 +1991,17 @@ paths: - oauth2: - okta.apps.read tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Generate a Certificate Signing Request - description: Generates a new key pair and returns the Certificate Signing Request for it + description: |- + Generates a new key pair and returns the Certificate Signing Request(CSR) for it. The information in a CSR is used by the Certificate Authority (CA) to verify and create your certificate. It also contains the public key that is included in your certificate. + + Returns CSR in `pkcs#10` format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`. + > **Note:** The key pair isn't listed in the Key Credentials for the app until it's published. operationId: generateCsrForApplication x-codegen-request-body-name: metadata requestBody: 
@@ -1364,10 +2013,36 @@ paths: responses: '201': description: Created + headers: + Content-Type: + schema: + type: string + description: The Content-Type of the response + examples: + pkcs10Header: + summary: application/pkcs10 Content-Type header + value: application/pkcs10; filename=okta.p10 + json: + summary: application/json Content-Type header + value: application/json + Content-Transfer-Encoding: + schema: + type: string + description: Encoding of the response + example: base64 content: + application/pkcs10: + schema: + $ref: '#/components/schemas/AppCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/AppCsrPkcs10Response' application/json: schema: $ref: '#/components/schemas/Csr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/AppCsrJsonResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -1381,22 +2056,54 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs/{csrId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathCsrId' get: summary: Retrieve a Certificate Signing Request - description: Retrieves a certificate signing request for the app by `id` + description: |- + Retrieves a Certificate Signing Request (CSR) for the app by `csrId`. + + Returns a Base64-encoded CSR in DER format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`. operationId: getCsrForApplication responses: '200': description: Success + headers: + Content-Type: + schema: + type: string + description: The Content-Type of the response + examples: + pkcs10Header: + summary: application/pkcs10 Content-Type header + value: application/pkcs10; filename=okta.p10 + json: + summary: application/json Content-Type header + value: application/json + Content-Transfer-Encoding: + schema: + type: string + description: Encoding of the response + example: base64 content: application/json: schema: $ref: '#/components/schemas/Csr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/AppCsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/AppCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/AppCsrPkcs10Response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1408,10 +2115,13 @@ paths: - oauth2: - okta.apps.read tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a Certificate Signing Request - description: Revokes a certificate signing request and deletes the key pair from the application + description: Revokes a Certificate Signing Request and deletes the key pair from the app operationId: revokeCsrFromApplication responses: '204': @@ -1428,14 +2138,19 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathCsrId' post: summary: Publish a Certificate Signing Request - description: Publishes a certificate signing request for the app with a signed X.509 certificate and adds it into the application key credentials + description: |- + Publishes a Certificate Signing Request (CSR) for the app with a signed X.509 certificate and adds it into the Application Key Credentials. + > **Note:** Publishing a certificate completes the lifecycle of the CSR and it's no longer accessible. operationId: publishCsrFromApplication requestBody: required: true 
@@ -1444,16 +2159,26 @@ paths: schema: type: string format: binary + description: |- + X.509 certificate in `CER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: '@certificate.pem' x-okta-operationId: publishBinaryCerCert application/pkix-cert: schema: type: string format: binary + description: |- + X.509 certificate in `DER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: 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 x-okta-operationId: publishBinaryDerCert application/x-pem-file: schema: type: string format: binary + description: X.509 certificate in `PEM` format + example: '@certificate.pem' x-okta-operationId: publishBinaryPemCert responses: '201': 
@@ -1462,8 +2187,261 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + PublishCSR: + $ref: '#/components/examples/KeyCredentialExample' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorPublishCSRCertDoesNotMatchCSR: + $ref: '#/components/examples/ErrorPublishCSRCertDoesNotMatchCSR' + ErrorPublishCSRCertValidityLessThan90Days: + $ref: '#/components/examples/ErrorPublishCSRCertValidityLessThan90Days' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: List all the OAuth 2.0 Client JSON Web Keys + description: Lists all JSON Web Keys for an OAuth 2.0 client app + operationId: listJwk + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + OAuthClientJsonWebKeyListResponseExample: + $ref: '#/components/examples/oAuthClientJsonWebKeyListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Add a JSON Web Key + description: |- + Adds a new JSON Web Key 
to the client’s JSON Web Keys. + > **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. This is also consistent with how the [Dynamic Client Registration](/openapi/okta-oauth/oauth/tag/Client/) or [Applications](/openapi/okta-management/management/tag/Application/) APIs behave, as they don't allow the creation of multiple keys without `kids`. Use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) or the [Replace a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/replaceClient) operation to update the JWKS or [Delete an OAuth 2.0 Client JSON Web Key](/openapi/okta-management/management/tag/ApplicationSSOCredentialOAuth2ClientAuth/#tag/ApplicationSSOCredentialOAuth2ClientAuth/operation/deletejwk) and re-add the key with a `kid`. + operationId: addJwk + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBody' + examples: + createOAuth2ClientJsonWebKeyRequestBody: + $ref: '#/components/examples/oAuthClientJsonWebKeyRequest' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + newOAuth2ClientSecretResponse: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorClientJsonWebKeyNonUniqueKid: + $ref: '#/components/examples/ErrorClientJsonWebKeyNonUniqueKid' + ErrorClientJsonWebKeyDuplicateKid: + $ref: '#/components/examples/ErrorClientJsonWebKeyDuplicateKid' + ErrorClientJsonWebKeyKidLengthTooShort: + $ref: '#/components/examples/ErrorClientJsonWebKeyKidLengthTooShort' + ErrorClientJsonWebKeyTooManyKids: + $ref: '#/components/examples/ErrorClientJsonWebKeyTooManyKids' + '401': + $ref: 
'#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + get: + summary: Retrieve an OAuth 2.0 Client JSON Web Key + description: Retrieves an OAuth 2.0 Client JSON Web Key by `keyId`. + operationId: getJwk + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + OAuthClientJsonWebKeyResponseExample: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an OAuth 2.0 Client JSON Web Key + description: Deletes an OAuth 2.0 Client JSON Web Key by `keyId`. You can only delete an inactive key. 
+ operationId: deletejwk + responses: + '204': + description: No Content + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveJsonWebKey: + $ref: '#/components/examples/ErrorDeleteActiveJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + post: + summary: Activate an OAuth 2.0 Client JSON Web Key + description: Activates an OAuth 2.0 Client JSON Web Key by `keyId` + operationId: activateOAuth2ClientJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + activateOAuth2ClientJsonWebKeyResponse: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + post: + summary: Deactivate an OAuth 2.0 
Client JSON Web Key + description: Deactivates an OAuth 2.0 Client JSON Web Key by `keyId`. + operationId: deactivateOAuth2ClientJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonWebKey' + examples: + deactivateOAuth2ClientJsonWebKeyResponse: + $ref: '#/components/examples/deactivateOAuth2ClientJsonWebKeyResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: + $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod' + ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: + $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1475,13 +2453,16 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all Key Credentials - description: Lists all key credentials for an application + description: Lists all key credentials for an app operationId: listApplicationKeys responses: '200': @@ -1492,6 +2473,9 @@ paths: type: array items: $ref: '#/components/schemas/JsonWebKey' + examples: + ListAllKeyCredentialsExample: + $ref: '#/components/examples/ListAllKeyCredentialsExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1503,19 +2487,27 @@ paths: - oauth2: - okta.apps.read tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/generate: parameters: - $ref: '#/components/parameters/pathAppId' post: summary: Generate a Key Credential - description: Generates a new X.509 certificate for an application key credential + description: |- + Generates a new X.509 certificate for an app key credential + > **Note:** To update an Application with the newly generated key credential, use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) request with the new [credentials.signing.kid](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing/kid&t=request) value in the request body. You can provide just the [Signing Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing&t=request) instead of the entire [Application Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials&t=request). operationId: generateApplicationKey parameters: - name: validityYears + description: Expiry years of the Application Key Credential in: query + required: true schema: type: integer + example: 5 responses: '201': description: Created 
@@ -1523,6 +2515,18 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorKeyCredentialInvalidValidity: + $ref: '#/components/examples/ErrorKeyCredentialInvalidValidity' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1534,14 +2538,17 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/{keyId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathKeyId' get: summary: Retrieve a Key Credential - description: Retrieves a specific application key credential by kid + description: Retrieves a specific Application Key Credential by `kid` operationId: getApplicationKey responses: '200': @@ -1550,6 +2557,9 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1561,14 +2571,21 @@ paths: - oauth2: - okta.apps.read tags: - - ApplicationCredentials + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/{keyId}/clone: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathKeyId' post: summary: Clone a Key Credential - description: Clones a X.509 certificate for an application key credential from a source application to target application. + description: |- + Clones an X.509 certificate for an Application Key Credential from a source app to a target app. + + For step-by-step instructions to clone a credential, see [Share application key credentials for IdPs across apps](https://developer.okta.com/docs/guides/sharing-cert/main/). + > **Note:** Sharing certificates isn't a recommended security practice. operationId: cloneApplicationKey parameters: - name: targetAid @@ -1577,6 +2594,7 @@ paths: required: true schema: type: string + example: 0ouuytCAJSSDELFTUIDS responses: '201': description: Created 
@@ -1584,6 +2602,262 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorKeyCredentialCloneDuplicateKey: + $ref: '#/components/examples/ErrorKeyCredentialCloneDuplicateKey' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: List all OAuth 2.0 Client Secrets + description: Lists all client secrets for an OAuth 2.0 client app + operationId: listOAuth2ClientSecrets + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + OAuthClientSecretListResponseExample: + $ref: '#/components/examples/oAuthClientSecretListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an OAuth 2.0 Client Secret + description: |- + Creates an OAuth 2.0 Client Secret object with a new active client secret. You can create up to two Secret objects. 
An error is returned if you attempt to create more than two Secret objects. + > **Note:** This API lets you bring your own secret. If [token_endpoint_auth_method](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/credentials/oauthClient/token_endpoint_auth_method&t=request) of the app is `client_secret_jwt`, then the minimum length of `client_secret` is 32 characters. If no secret is specified in the request, Okta adds a new system-generated secret. + operationId: createOAuth2ClientSecret + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecretRequestBody' + examples: + createOAuth2ClientSecretSystemGeneratedRequestBody: + $ref: '#/components/examples/createOAuth2ClientSecretSystemGeneratedRequestBody' + createOAuth2ClientSecretCustomRequestBody: + $ref: '#/components/examples/createOAuth2ClientSecretCustomRequestBody' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + newOAuth2ClientSecretResponse: + $ref: '#/components/examples/oAuth2ClientSecretResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorClientSecretTooLong: + $ref: '#/components/examples/ErrorClientSecretTooLong' + ErrorClientSecretTooShort: + $ref: '#/components/examples/ErrorClientSecretTooShort' + ErrorClientSecretTooShortJWT: + $ref: '#/components/examples/ErrorClientSecretTooShortWithClientSecretJWT' + ErrorClientSecretPrivateKeyJWT: + $ref: '#/components/examples/ErrorClientSecretWithPrivateKeyJWT' + ErrorClientSecretNonAscii: + $ref: '#/components/examples/ErrorClientSecretNonAscii' + ErrorMaxNumberOfSecrets: + $ref: '#/components/examples/ErrorMaxNumberOfSecrets' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + get: + summary: Retrieve an OAuth 2.0 Client Secret + description: Retrieves an OAuth 2.0 Client Secret by `secretId` + operationId: getOAuth2ClientSecret + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + OAuthClientSecretResponseExample: + $ref: '#/components/examples/oAuth2ClientSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an OAuth 2.0 Client Secret + description: Deletes an OAuth 2.0 Client Secret by `secretId`. You can only delete an inactive Secret. 
+ operationId: deleteOAuth2ClientSecret + responses: + '204': + description: No Content + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveClientSecret: + $ref: '#/components/examples/ErrorDeleteActiveSecret' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + post: + summary: Activate an OAuth 2.0 Client Secret + description: Activates an OAuth 2.0 Client Secret by `secretId` + operationId: activateOAuth2ClientSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + activateOAuth2ClientSecretResponse: + $ref: '#/components/examples/activateOAuth2ClientSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + post: + summary: 
Deactivate an OAuth 2.0 Client Secret + description: Deactivates an OAuth 2.0 Client Secret by `secretId`. You can't deactivate a secret if it's the only secret of the client. + operationId: deactivateOAuth2ClientSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + deactivateOAuth2ClientSecretResponse: + $ref: '#/components/examples/deactivateOAuth2ClientSecretResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateTheOnlyClientSecret: + $ref: '#/components/examples/ErrorDeactivateTheOnlyClientSecret' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1595,16 +2869,18 @@ paths: - oauth2: - okta.apps.manage tags: - - ApplicationCredentials + - ApplicationSSOCredentialOAuth2ClientAuth + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/features: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all Features description: | - Lists all features for an application - > **Note:** The only application feature currently supported is `USER_PROVISIONING`. - > This request returns an error if provisioning isn't enabled for the application. + Lists all features for an app + > **Note:** This request returns an error if provisioning isn't enabled for the app. > To set up provisioning, see [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). operationId: listFeaturesForApplication responses: 
@@ -1640,13 +2916,16 @@ paths: - okta.apps.read tags: - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/features/{featureName}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathFeatureName' get: summary: Retrieve a Feature - description: Retrieves a Feature object for an application + description: Retrieves a Feature object for an app operationId: getFeatureForApplication responses: '200': @@ -1670,20 +2949,27 @@ paths: - okta.apps.read tags: - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Update a Feature description: | - Updates a Feature object for an application + Updates a Feature object for an app > **Note:** This endpoint supports partial updates. operationId: updateFeatureForApplication requestBody: content: application/json: schema: - $ref: '#/components/schemas/CapabilitiesObject' + oneOf: + - $ref: '#/components/schemas/CapabilitiesObject' + - $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject' examples: UpdateAppFeatureEx: $ref: '#/components/examples/UpdateAppFeatureRequestEx' + UpdateInboundProvisioningFeatureEx: + $ref: '#/components/examples/UpdateInboundProvisioningFeatureRequestEx' required: true responses: '200': @@ -1695,6 +2981,8 @@ paths: examples: UpdateAppFeatureEx: $ref: '#/components/examples/UpdateAppFeatureResponseEx' + UpdateInboundProvisioningFeatureEx: + $ref: '#/components/examples/UpdateInboundProvisioningFeatureResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -1709,6 +2997,9 @@ paths: - okta.apps.manage tags: - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/grants: parameters: - $ref: '#/components/parameters/pathAppId' 
@@ -1717,7 +3008,7 @@ paths: description: Lists all scope consent Grants for the app operationId: listScopeConsentGrants parameters: - - $ref: '#/components/parameters/queryExpand' + - $ref: '#/components/parameters/queryAppGrantsExpand' responses: '200': description: Success @@ -1727,6 +3018,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + ListAppGrantsExample: + $ref: '#/components/examples/ListAppGrantsEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1739,6 +3033,9 @@ paths: - okta.appGrants.read tags: - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Grant consent to scope description: Grants consent for the app to request an OAuth 2.0 Okta scope @@ -1749,6 +3046,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsPostEx' required: true responses: '201': @@ -1757,6 +3057,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -1771,6 +3074,9 @@ paths: - okta.appGrants.manage tags: - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/grants/{grantId}: parameters: - $ref: '#/components/parameters/pathAppId' @@ -1780,7 +3086,7 @@ paths: description: Retrieves a single scope consent Grant object for the app operationId: getScopeConsentGrant parameters: - - $ref: '#/components/parameters/queryExpand' + - $ref: '#/components/parameters/queryAppGrantsExpand' responses: '200': description: Success 
@@ -1788,6 +3094,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1800,6 +3109,9 @@ paths: - okta.appGrants.read tags: - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke an app Grant description: Revokes permission for the app to grant the given scope 
@@ -1820,34 +3132,33 @@ paths: - okta.appGrants.manage tags: - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/groups: parameters: - $ref: '#/components/parameters/pathAppId' get: - summary: List all Assigned Groups - description: Lists all group assignments for an application + summary: List all Application Groups + description: Lists all app group assignments operationId: listApplicationGroupAssignments parameters: - name: q in: query + description: |- + Specifies a filter for a list of assigned groups returned based on their names. The value of `q` is matched against the group `name`. + This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the [Group name](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=profile/name&t=response). schema: type: string + example: test - name: after in: query - description: Specifies the pagination cursor for the next page of assignments - schema: - type: string - - name: limit - in: query - description: Specifies the number of results for a page - schema: - type: integer - format: int32 - default: -1 - - name: expand - in: query + description: Specifies the pagination cursor for the `next` page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string + example: 16275000448691 + - $ref: '#/components/parameters/queryGroupAssignmentLimit' + - $ref: '#/components/parameters/queryGroupAssignmentWithMetadataExpand' responses: '200': description: Success @@ -1857,6 +3168,9 @@ paths: type: array items: $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + listGroupAssignmentsResponseExample: + $ref: '#/components/examples/GroupAssignmentExListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1869,29 +3183,19 @@ paths: - okta.apps.read tags: - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathGroupId' get: - summary: Retrieve an Assigned Group - description: Retrieves an application group assignment + summary: Retrieve an Application Group + description: Retrieves an app group assignment operationId: getApplicationGroupAssignment parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/queryGroupAssignmentWithGroupExpand' responses: '200': description: Success @@ -1899,6 +3203,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + getGroupAssignmentResponseExample: + $ref: '#/components/examples/EmbeddedGroupAssignmentSampleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1911,27 +3218,66 @@ paths: - okta.apps.read tags: - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Assign a Group - description: Assigns a group to an application + summary: Assign an Application Group + description: |- + Assigns a [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) to an app, which in turn assigns the app to each [User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/) that belongs to the group. + The resulting Application User [scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers!c=200&path=scope&t=response) is `GROUP` since the assignment was from the group membership. operationId: assignGroupToApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string x-codegen-request-body-name: applicationGroupAssignment requestBody: content: application/json: schema: $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + putGroupAssignmentRequestExample: + $ref: '#/components/examples/GroupAssignmentPutRequestExample' + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + putGroupAssignmentResponseExample: + $ref: '#/components/examples/GroupAssignmentPutResponseExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + patch: + 
summary: Update an Application Group + description: Updates a group assignment to an app + operationId: updateGroupAssignmentToApplication + requestBody: + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/JsonPatchOperation' + examples: + groupAssignmentPatchRequetExample: + $ref: '#/components/examples/GroupAssignmentPatchRequestExample' required: false responses: '200': @@ -1940,6 +3286,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + patchGroupAssignmentResponseExample: + $ref: '#/components/examples/GroupAssignmentPatchResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -1954,21 +3303,13 @@ paths: - okta.apps.manage tags: - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a Group - description: Unassigns a group from an application + summary: Unassign an Application Group + description: Unassigns a Group from an app operationId: unassignApplicationFromGroup - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -1985,6 +3326,9 @@ paths: - okta.apps.manage tags: - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAppId' @@ -2008,6 +3352,9 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAppId' @@ -2031,6 +3378,9 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/logo: parameters: - $ref: '#/components/parameters/pathAppId' 
@@ -2078,18 +3428,21 @@ paths: - okta.apps.manage tags: - ApplicationLogos + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/policies/{policyId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathPolicyId' put: - summary: Assign an application to a Policy + summary: Assign an Authentication Policy description: |- - Assigns an application to an [authentication policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`. - If the application was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`. + Assigns an app to an [authentication policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`. + If the app was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`. > **Note:** When you [merge duplicate authentication policies](https://help.okta.com/okta_help.htm?type=oie&id=ext-merge-auth-policies), - the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email. + the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email with merged results. operationId: assignApplicationPolicy responses: '204': 
@@ -2106,37 +3459,111 @@ paths: - okta.apps.manage tags: - ApplicationPolicies - /api/v1/apps/{appId}/tokens: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/apps/{appId}/sso/saml/metadata: parameters: - $ref: '#/components/parameters/pathAppId' get: - summary: List all OAuth 2.0 Tokens - description: Lists all tokens for the application - operationId: listOAuth2TokensForApplication + summary: Preview the application SAML metadata + description: Previews the SSO SAML metadata for an application + operationId: previewSAMLmetadataForApplication parameters: - - name: expand - in: query - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit + - name: kid in: query + required: true schema: type: integer - format: int32 - default: 20 + example: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo responses: '200': - description: Success + description: OK + content: + text/xml: + schema: + type: string + description: SAML metadata in XML + examples: + previewSAML: + summary: SAML metadata example + value: | + <?xml version="1.0" encoding="UTF-8"?> + <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="exk39sivhuytV2D8H0h7"> + <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <md:KeyDescriptor use="signing"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAVGNO4qeMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU + MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJ + ARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODUwMDhaFw0xNzEyMTAxODUxMDdaMIGUMQswCQYD + VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG + A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEc + 
MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBALAakG48bgcTWHdwmVLHig0mkiRejxIVm3wbzrNSJcBruTq2zCYZ1rGfVxTYON8kJqvkXPmv + kzWKhpEkvhubL+mx29XpXY0AsNIfgcm5xIV56yhXSvlMdqzGo3ciRwoACaF+ClNLxmXK9UTZD89B + bVVGCG5AEvja0eCQ0GYsO5i9aSI5aTroab8Aew31PuWl/RGQWmjVy8+7P4wwkKKJNKCpxMYDlhfa + WRp0zwUSbUCO0qEyeAYdZx6CLES4FGrDi/7D6G+ewWC+kbz1tL1XpF2Dcg3+IOlHrV6VWzz3rG39 + v9zFIncjvoQJFDGWhpqGqcmXvgH0Ze3SVcVF01T+bK0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA + AHmnSZ4imjNrIf9wxfQIcqHXEBoJ+oJtd59cw1Ur/YQY9pKXxoglqCQ54ZmlIf4GghlcZhslLO+m + NdkQVwSmWMh6KLxVM18/xAkq8zyKbMbvQnTjFB7x45bgokwbjhivWqrB5LYHHCVN7k/8mKlS4eCK + Ci6RGEmErjojr4QN2xV0qAqP6CcGANgpepsQJCzlWucMFKAh0x9Kl8fmiQodfyLXyrebYsVnLrMf + jxE1b6dg4jKvv975tf5wreQSYZ7m//g3/+NnuDKkN/03HqhV7hTNi1fyctXk8I5Nwgyr+pT5LT2k + YoEdncuy+GQGzE9yLOhC4HNfHQXpqp2tMPdRlw==</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> + <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> + <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://{yourOktaDomain}/app/sample-app/exk39sivhuytV2D8H0h7/sso/saml"/> + <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://{yourOktaDomain}/app/sample-app/exk39sivhuytV2D8H0h7/sso/saml"/> + </md:IDPSSODescriptor> + </md:EntityDescriptor> + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSO + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/tokens: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: List all Application Refresh Tokens + description: | + Lists all 
refresh tokens for an app + + > **Note:** The results are [paginated](/#pagination) according to the `limit` parameter. + > If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). + operationId: listOAuth2TokensForApplication + parameters: + - $ref: '#/components/parameters/queryAppGrantsExpand' + - $ref: '#/components/parameters/queryAppAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success content: application/json: schema: type: array items: - $ref: '#/components/schemas/OAuth2Token' + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + getOAuth2TokenForApplicationListExample: + $ref: '#/components/examples/OAuth2RefreshTokenResponseListEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2149,9 +3576,12 @@ paths: - okta.apps.read tags: - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Revoke all OAuth 2.0 Tokens - description: Revokes all tokens for the specified application + summary: Revoke all Application Tokens + description: Revokes all OAuth 2.0 refresh tokens for the specified app. Any access tokens issued with these refresh tokens are also revoked, but access tokens issued without a refresh token aren't affected. operationId: revokeOAuth2TokensForApplication responses: '204': 
@@ -2169,26 +3599,29 @@ paths: - okta.apps.manage tags: - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/tokens/{tokenId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathTokenId' get: - summary: Retrieve an OAuth 2.0 Token - description: Retrieves a token for the specified application + summary: Retrieve an Application Token + description: Retrieves a refresh token for the specified app operationId: getOAuth2TokenForApplication parameters: - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAppGrantsExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Token' + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + getOAuth2TokenForApplicationExample: + $ref: '#/components/examples/OAuth2RefreshTokenResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2201,9 +3634,12 @@ paths: - okta.apps.read tags: - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Revoke an OAuth 2.0 Token - description: Revokes the specified token for the specified application + summary: Revoke an Application Token + description: Revokes the specified token for the specified app operationId: revokeOAuth2TokenForApplication responses: '204': 
@@ -2221,42 +3657,21 @@ paths: - okta.apps.manage tags: - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/users: parameters: - $ref: '#/components/parameters/pathAppId' get: - summary: List all assigned Users + summary: List all Application Users description: Lists all assigned users for an app operationId: listApplicationUsers parameters: - - name: q - in: query - schema: - type: string - - name: query_scope - in: query - schema: - type: string - - name: after - in: query - description: specifies the pagination cursor for the next page of assignments - schema: - type: string - - name: limit - in: query - description: specifies the number of results for a page - schema: - type: integer - format: int32 - default: -1 - - name: filter - in: query - schema: - type: string - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAppAfter' + - $ref: '#/components/parameters/queryAppLimit' + - $ref: '#/components/parameters/queryAppUserQ' + - $ref: '#/components/parameters/queryAppUserExpand' responses: '200': description: Success @@ -2266,6 +3681,9 @@ paths: type: array items: $ref: '#/components/schemas/AppUser' + examples: + ListAppUsersExample: + $ref: '#/components/examples/AppUserListEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2278,24 +3696,36 @@ paths: - okta.apps.read tags: - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Assign a User + summary: Assign an Application User description: |- - Assigns a user to an app with credentials and an app-specific [profile](/openapi/okta-management/management/tag/Application/#tag/Application/operation/assignUserToApplication!c=200&path=profile&t=response). - Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request. + Assigns a user to an app for: - > **Notes:** - > * You need to specify the `id` and omit the `credentials` parameter in the request body only for - `signOnMode` or authentication schemes (`credentials.scheme`) that don't require credentials. - > * You can only specify profile properties that aren't defined by profile mappings when Universal Directory is enabled. - > * If your SSO app requires a profile but doesn't have provisioning enabled, you need to add a profile to the request body. + * SSO only<br> + Assignments to SSO apps typically don't include a user profile. + However, if your SSO app requires a profile but doesn't have provisioning enabled, you can add profile attributes in the request body. + + * SSO and provisioning<br> + Assignments to SSO and provisioning apps typically include credentials and an app-specific profile. + Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request body. + > **Notes:** + > * When Universal Directory is enabled, you can only specify profile properties that aren't defined in profile mappings. + > * Omit mapped properties during assignment to minimize assignment errors. 
operationId: assignUserToApplication x-codegen-request-body-name: appUser requestBody: content: application/json: schema: - $ref: '#/components/schemas/AppUser' + $ref: '#/components/schemas/AppUserAssignRequest' + examples: + AppUserSSOEx: + $ref: '#/components/examples/AppUserAssignSSORequest' + AppUserProvEx: + $ref: '#/components/examples/AppUserAssignProvRequest' required: true responses: '200': @@ -2304,10 +3734,15 @@ paths: application/json: schema: $ref: '#/components/schemas/AppUser' + examples: + AppUserSSOEx: + $ref: '#/components/examples/AppUserSSOResponse' + AppUserProvEx: + $ref: '#/components/examples/AppUserProvResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/responses/ErrorAppUserForbidden403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': @@ -2318,19 +3753,19 @@ paths: - okta.apps.manage tags: - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/users/{userId}: parameters: - $ref: '#/components/parameters/pathAppId' - - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathAppUserId' get: - summary: Retrieve an assigned User - description: Retrieves a specific user assignment for app by `id` + summary: Retrieve an Application User + description: Retrieves a specific user assignment for a specific app operationId: getApplicationUser parameters: - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAppUserExpand' responses: '200': description: Success @@ -2338,6 +3773,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AppUser' + examples: + GetAppUserExample: + $ref: '#/components/examples/AppUserProvExpandResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2350,16 +3788,24 @@ paths: - okta.apps.read tags: - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update an App Profile for an assigned User - description: Updates a user's profile for an application + summary: Update an Application User + description: Updates the profile or credentials of a user assigned to an app operationId: updateApplicationUser x-codegen-request-body-name: appUser requestBody: content: application/json: schema: - $ref: '#/components/schemas/AppUser' + $ref: '#/components/schemas/AppUserUpdateRequest' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/AppUserUpdateCredRequest' + AppUserUpdateProfileEx: + $ref: '#/components/examples/AppUserUpdateProfileRequest' required: true responses: '200': @@ -2368,10 +3814,15 @@ paths: application/json: schema: $ref: '#/components/schemas/AppUser' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/AppUserCredUpdateResponse' + AppUserUpdateProfileEx: + $ref: '#/components/examples/AppUserProfUpdateResponse' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/responses/ErrorAppUserUpdateBadRequest400' '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/responses/ErrorAppUserForbidden403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': 
@@ -2382,13 +3833,23 @@ paths: - okta.apps.manage tags: - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign an App User - description: Unassigns a user from an application + summary: Unassign an Application User + description: |- + Unassigns a user from an app + + For directories like Active Directory and LDAP, they act as the owner of the user's credential with Okta delegating authentication (DelAuth) to that directory. + If this request is successful for a user when DelAuth is enabled, then the user is in a state with no password. You can then reset the user's password. + + > **Important:** This is a destructive operation. You can't recover the user's app profile. If the app is enabled for provisioning and configured to deactivate users, the user is also deactivated in the target app. operationId: unassignUserFromApplication parameters: - name: sendEmail in: query + description: Sends a deactivation email to the administrator if `true` schema: type: boolean default: false 
@@ -2409,6 +3870,48 @@ paths: - okta.apps.manage tags: - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appName}/{appId}/oauth2/callback: + parameters: + - $ref: '#/components/parameters/pathOAuthProvisioningAppName' + - $ref: '#/components/parameters/pathAppId' + post: + summary: Verify the Provisioning Connection + description: | + Verifies the OAuth 2.0-based connection as part of the OAuth 2.0 consent flow. The validation of the consent flow is the last step of the provisioning setup for an OAuth 2.0-based connection. + Currently, this operation only supports `office365`,`google`, `zoomus`, and `slack` apps. + operationId: verifyProvisioningConnectionForApplication + parameters: + - name: code + in: query + schema: + type: string + description: Unique string associated with each authentication request + - name: state + in: query + schema: + type: string + description: A temporary code string that the client exchanges for an access token + responses: + '204': + description: No content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/authenticators: get: summary: List all Authenticators @@ -2421,7 +3924,7 @@ paths: application/json: schema: items: - $ref: '#/components/schemas/Authenticator' + $ref: '#/components/schemas/AuthenticatorBase' type: array examples: OrgAuthenticatorsEx: @@ -2436,6 +3939,11 @@ paths: - okta.authenticators.read tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create an Authenticator description: Creates an authenticator 
@@ -2446,7 +3954,7 @@ paths: description: Whether to execute the activation lifecycle operation when Okta creates the authenticator schema: type: boolean - default: false + default: true x-codegen-request-body-name: authenticator requestBody: $ref: '#/components/requestBodies/AuthenticatorRequestBody' @@ -2465,6 +3973,11 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' @@ -2487,6 +4000,11 @@ paths: - okta.authenticators.read tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: summary: Replace an Authenticator description: Replaces the properties for an Authenticator identified by `authenticatorId` @@ -2511,6 +4029,11 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' @@ -2533,6 +4056,11 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' @@ -2542,7 +4070,7 @@ paths: operationId: deactivateAuthenticator responses: '200': - $ref: '#/components/responses/AuthenticatorResponse' + $ref: '#/components/responses/AuthenticatorResponseInactiveWebAuthn' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2555,12 +4083,24 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' get: summary: List all Methods of an Authenticator - description: Lists all Methods of an Authenticator identified by `authenticatorId` + description: |- + Lists all Methods of an Authenticator identified by `authenticatorId` + > **Note:** <x-lifecycle class="ea"></x-lifecycle> + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. operationId: listAuthenticatorMethods responses: '200': @@ -2571,6 +4111,11 @@ paths: type: array items: $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + Phone: + $ref: '#/components/examples/AuthenticatorMethodPhone' + WebAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebauth' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2583,13 +4128,25 @@ paths: - okta.authenticators.read tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods/{methodType}: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' - $ref: '#/components/parameters/pathMethodType' get: - summary: Retrieve a Method - description: Retrieves a Method identified by `methodType` of an Authenticator identified by `authenticatorId` + summary: Retrieve an Authenticator Method + description: |- + Retrieves a Method identified by `methodType` of an Authenticator identified by `authenticatorId` + > **Note:** <x-lifecycle class="ea"></x-lifecycle> + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. operationId: getAuthenticatorMethod responses: '200': @@ -2598,6 +4155,13 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' + webAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebauth' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2610,9 +4174,21 @@ paths: - okta.authenticators.read tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: - summary: Replace a Method - description: Replaces a Method of `methodType` for an Authenticator identified by `authenticatorId` + summary: Replace an Authenticator Method + description: |- + Replaces a Method of `methodType` for an Authenticator identified by `authenticatorId` + > **Note:** <x-lifecycle class="ea"></x-lifecycle> + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. operationId: replaceAuthenticatorMethod requestBody: content: @@ -2626,6 +4202,13 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' + webAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebauth' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -2640,13 +4223,25 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' - $ref: '#/components/parameters/pathMethodType' post: summary: Activate an Authenticator Method - description: Activates a Method for an Authenticator identified by `authenticatorId` and `methodType` + description: |- + Activates a Method for an Authenticator identified by `authenticatorId` and `methodType` + > **Note:** <x-lifecycle class="ea"></x-lifecycle> + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. operationId: activateAuthenticatorMethod responses: '200': @@ -2655,6 +4250,11 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + webAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebauth' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2667,13 +4267,25 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' - $ref: '#/components/parameters/pathMethodType' post: summary: Deactivate an Authenticator Method - description: Deactivates a Method for an Authenticator identified by `authenticatorId` and `methodType` + description: |- + Deactivates a Method for an Authenticator identified by `authenticatorId` and `methodType` + > **Note:** <x-lifecycle class="ea"></x-lifecycle> + > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + > This feature has several limitations when enrolling a security key: + > - Enrollment is currently unsupported on Firefox. + > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + > - If prompted during enrollment, users must allow Okta to see the make and model of the security key. operationId: deactivateAuthenticatorMethod responses: '200': @@ -2682,6 +4294,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2694,24 +4309,33 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authorizationServers: get: summary: List all Authorization Servers - description: Lists all authorization servers + description: Lists all custom authorization servers in the org operationId: listAuthorizationServers parameters: - name: q in: query + description: Searches the `name` and `audiences` of authorization servers for matching values + example: customasone schema: type: string - name: limit in: query + description: 'Specifies the number of authorization server results on a page. Maximum value: 200' schema: type: integer format: int32 default: 200 - name: after in: query + description: Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship. schema: type: string responses: @@ -2723,6 +4347,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAuthServers: + $ref: '#/components/examples/ListAuthServersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -2733,6 +4360,11 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: summary: Create an Authorization Server description: Creates an authorization server @@ -2743,6 +4375,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerBody' required: true responses: '201': @@ -2751,6 +4386,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
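Review bot: `x-okta-lifecycle` in `@@ -2733,6 +4360,11 @@` declares `lifecycle: GA` together with `isGenerallyAvailable: false`, and the same pair is copied into every AuthorizationServer operation in the rest of the patch; the two fields contradict each other, whereas the Authenticator operations above consistently pair `LIMITED_GA` with `false`. Either set `isGenerallyAvailable: true` for the GA operations or document, where the extension is defined, what the boolean means independently of `lifecycle`, so that tooling which gates on the boolean does not hide GA endpoints. Separately, `limit` states "Maximum value: 200" only in prose; adding `maximum: 200` and `minimum: 1` to the integer schema lets request validators and generated clients enforce it.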
@@ -2763,6 +4401,11 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -2777,6 +4420,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + RetrieveAuthServer: + $ref: '#/components/examples/RetrieveAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2789,6 +4435,11 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: summary: Replace an Authorization Server description: Replaces an authorization server @@ -2799,6 +4450,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerBody' required: true responses: '200': @@ -2807,6 +4461,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -2821,6 +4478,11 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Delete an Authorization Server description: Deletes an authorization server 
@@ -2841,22 +4503,28 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/associatedServers: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: - summary: List all Associated Authorization Servers - description: Lists all associated authorization servers by trusted type for the given `authServerId` + summary: List all associated Authorization Servers + description: Lists all associated Authorization Servers by trusted type for the given `authServerId` operationId: listAssociatedServersByTrustedType parameters: - name: trusted in: query - description: Searches trusted authorization servers when true, or searches untrusted authorization servers when false + description: Searches trusted authorization servers when `true` or searches untrusted authorization servers when `false` schema: type: boolean - name: q in: query - description: Searches the name or audience of the associated authorization servers + description: Searches for the name or audience of the associated authorization servers + example: customasone schema: type: string - name: limit @@ -2880,6 +4548,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAssocAuthServer: + $ref: '#/components/examples/ListAssocAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2891,10 +4562,15 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: - summary: Create the Associated Authorization Servers - description: Creates the trusted relationships between the given authorization server and other authorization servers + summary: Create an associated Authorization Server + description: Creates trusted relationships between the given authorization server and other authorization servers operationId: createAssociatedServers x-codegen-request-body-name: associatedServerMediated requestBody: @@ -2902,6 +4578,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AssociatedServerMediated' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerBody' required: true responses: '200': @@ -2912,6 +4591,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -2925,14 +4607,19 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/associatedServers/{associatedServerId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathAssociatedServerId' delete: - summary: Delete an Associated Authorization Server - description: Deletes an associated authorization server + summary: Delete an associated Authorization Server + description: Deletes an associated Authorization Server operationId: deleteAssociatedServer responses: '204': 
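Review bot: the summary in `@@ -2891,10 +4562,15 @@` becomes "Create an associated Authorization Server" (singular) while the description still says "Creates trusted relationships between the given authorization server and other authorization servers" and the 200 response is an array of `AuthorizationServer`; the `AssociatedServerMediated` body evidently carries a list, so the summary should stay plural, e.g. "Create associated Authorization Servers". The operations here also move from the `AuthorizationServer` tag to a new `AuthorizationServerAssoc` tag, and the following hunks introduce `AuthorizationServerClaims`, `AuthorizationServerClients`, `AuthorizationServerKeys`, `AuthorizationServerPolicies` and `AuthorizationServerRules`; each of these needs an entry with `x-displayName` in the top-level `tags` list or renderers fall back to the raw name, and SDK generators that map tags to API classes will emit new class names, which is a breaking change for consumers of the generated clients and belongs in the changelog.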
@@ -2949,13 +4636,18 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/claims: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: - summary: List all Custom Token Claims - description: Lists all custom token claims + summary: List all custom token Claims + description: Lists all custom token Claims defined for a specified custom authorization server operationId: listOAuth2Claims responses: '200': @@ -2966,6 +4658,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2Claim' + examples: + ListCustomTokenClaims: + $ref: '#/components/examples/ListCustomTokenClaimsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2977,10 +4672,15 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: - summary: Create a Custom Token Claim - description: Creates a custom token claim + summary: Create a custom token Claim + description: Creates a custom token Claim for a custom authorization server operationId: createOAuth2Claim x-codegen-request-body-name: oAuth2Claim requestBody: @@ -2988,6 +4688,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimBody' required: true responses: '201': @@ -2996,6 +4699,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -3009,14 +4715,19 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/claims/{claimId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathClaimId' get: - summary: Retrieve a Custom Token Claim - description: Retrieves a custom token claim + summary: Retrieve a custom token Claim + description: Retrieves a custom token Claim by the specified `claimId` operationId: getOAuth2Claim responses: '200': @@ -3025,6 +4736,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + RetrieveCustomTokenClaim: + $ref: '#/components/examples/RetrieveCustomTokenClaimResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3036,10 +4750,15 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: - summary: Replace a Custom Token Claim - description: Replaces a custom token claim + summary: Replace a custom token Claim + description: Replaces a custom token Claim specified by the `claimId` operationId: replaceOAuth2Claim x-codegen-request-body-name: oAuth2Claim requestBody: @@ -3047,6 +4766,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimBody' required: true responses: '200': @@ -3055,6 +4777,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -3068,10 +4793,15 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: - summary: Delete a Custom Token Claim - description: Deletes a custom token claim + summary: Delete a custom token Claim + description: Deletes a custom token Claim specified by the `claimId` operationId: deleteOAuth2Claim responses: '204': @@ -3088,13 +4818,18 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/clients: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: - summary: List all Clients - description: Lists all clients + summary: List all Client resources for an authorization server + description: Lists all Client resources for which the specified authorization server has tokens operationId: listOAuth2ClientsForAuthorizationServer responses: '200': @@ -3105,6 +4840,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2Client' + examples: + ListClients: + $ref: '#/components/examples/ListClientsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -3116,26 +4854,34 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathClientId' get: - summary: List all Refresh Tokens for a Client - description: Lists all refresh tokens for a client + summary: List all refresh tokens for a Client + description: Lists all refresh tokens issued by an authorization server for a specific Client operationId: listRefreshTokensForAuthorizationServerAndClient parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string - name: after in: query + description: Specifies the pagination cursor for the next page of tokens schema: type: string - name: limit in: query + description: The maximum number of tokens to return (maximum 200) schema: type: integer format: int32 @@ -3149,6 +4895,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + ListRefreshTokenClients: + $ref: '#/components/examples/ListRefreshTokensClientsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3160,10 +4909,15 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: - summary: Revoke all Refresh Tokens for a Client - description: Revokes all refresh tokens for a client + summary: Revoke all refresh tokens for a Client + description: Revokes all refresh tokens for a Client operationId: revokeRefreshTokensForAuthorizationServerAndClient responses: '204': 
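Review bot: in `@@ -3116,26 +4854,34 @@` the `expand` parameter is constrained only in prose ("Valid value: `scope`"), and `limit` says "maximum 200" without a `maximum` on the schema or a `default`, while the sibling `listAuthorizationServers` operation sets `default: 200`. This file is the noEnums variant, so an `enum` is deliberately absent here, but make sure the companion spec that does carry enums has `enum: [scope]` for `expand`, and add `maximum: 200` (and the actual default) to the `limit` schema so the constraint is machine-checkable rather than descriptive.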
@@ -3180,19 +4934,25 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathTokenId' get: - summary: Retrieve a Refresh Token for a Client - description: Retrieves a refresh token for a client + summary: Retrieve a refresh token for a Client + description: Retrieves a refresh token for a Client operationId: getRefreshTokenForAuthorizationServerAndClient parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string responses: @@ -3202,6 +4962,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + RetrieveRefreshTokenClient: + $ref: '#/components/examples/RetrieveRefreshTokenClientResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3213,10 +4976,15 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: - summary: Revoke a Refresh Token for a Client - description: Revokes a refresh token for a client + summary: Revoke a refresh token for a Client + description: Revokes a refresh token for a Client operationId: revokeRefreshTokenForAuthorizationServerAndClient responses: '204': 
@@ -3233,13 +5001,18 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/credentials/keys: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all Credential Keys - description: Lists all credential keys + description: Lists all of the current, future, and expired Keys used by the Custom Authorization Server operationId: listAuthorizationServerKeys responses: '200': @@ -3249,7 +5022,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + ListAuthorizationServerKeys: + $ref: '#/components/examples/ListAuthorizationServerKeys' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
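Review bot: switching the item schema from `JsonWebKey` to `AuthorizationServerJsonWebKey` in `@@ -3249,7 +5022,10 @@` renames the return type of `listAuthorizationServerKeys` in every generated SDK, so this is a breaking change that should be called out in the changelog. The new description promises "current, future, and expired Keys", so the new schema needs a field that distinguishes those states (the `ACTIVE`/`NEXT`/`EXPIRED` terms used by the rotate operation later in the patch) in addition to the JWK members clients already read for signature verification; confirm the component defines it and that the three `ListAuthorizationServerKeys`-style examples show all three states.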
@@ -3261,13 +5037,65 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathCredentialKeyId' + get: + summary: Retrieve an Authorization Server Key + description: Retrieves an Authorization Server Key specified by the `keyId` + operationId: getAuthorizationServerKey + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + ActiveAuthorizationServerKey: + $ref: '#/components/examples/ActiveAuthorizationServerKey' + NextAuthorizationServerKey: + $ref: '#/components/examples/NextAuthorizationServerKey' + ExpiredAuthorizationServerKey: + $ref: '#/components/examples/ExpiredAuthorizationServerKey' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate: parameters: - $ref: '#/components/parameters/pathAuthServerId' post: summary: Rotate all Credential Keys - description: Rotates all credential keys + description: |- + Rotates the current Keys for a Custom Authorization Server. If you rotate Keys, + the `ACTIVE` Key becomes the `EXPIRED` Key, the `NEXT` Key becomes the `ACTIVE` Key, + and the Custom Authorization Server immediately begins using the new active + Key to sign tokens. 
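Review bot: `getAuthorizationServerKey` is new and references `#/components/parameters/pathCredentialKeyId`, which appears nowhere else in this patch; confirm the parameter is defined in `components/parameters` with `name: keyId` matching the `{keyId}` path template, or the spec fails `$ref` resolution. The rotate description in the last hunk says the `ACTIVE` key becomes `EXPIRED` and tells integrators to invalidate caches and refetch; it should also state whether an `EXPIRED` key is still published for verification, because a resource server that drops it immediately will reject every access token signed before a manual rotation until those tokens expire. That is the operational question anyone rotating keys during incident response will ask, and the spec is the natural place to answer it.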
+ + > **Note:** Okta rotates your Keys automatically in `AUTO` mode. You can rotate Keys + yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache + and fetch the Keys again using the Keys endpoint. operationId: rotateAuthorizationServerKeys x-codegen-request-body-name: use requestBody: @@ -3284,9 +5112,19 @@ paths: schema: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + RotateAuthorizationServerKeys: + $ref: '#/components/examples/ListAuthorizationServerKeys' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidRotateUse: + $ref: '#/components/examples/InvalidRotateUse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3298,7 +5136,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3322,6 +5165,11 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3345,6 +5193,11 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies: parameters: - $ref: '#/components/parameters/pathAuthServerId' 
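Review bot: in `@@ -3284,9 +5112,19 @@` the `400` response is replaced by an inline `description: Bad Request` block with `schema: Error` solely to attach the `InvalidRotateUse` example, while every other operation in the file keeps `$ref: '#/components/responses/ErrorApiValidationFailed400'`. That leaves this one operation with a different 400 description text and a second place to maintain the error schema; prefer a reusable response component (for example a variant of `ErrorApiValidationFailed400` that carries the example) so the rotate endpoint stays consistent with the rest of the AuthorizationServer operations.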
@@ -3361,6 +5214,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + ListAuthorizationServerPolicies: + $ref: '#/components/examples/ListAuthorizationServerPolicies' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3372,7 +5228,12 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: summary: Create a Policy description: Creates a policy @@ -3383,6 +5244,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + CreateAuthorizationServerPolicyRule: + $ref: '#/components/examples/CreateAuthorizationServerPolicyRequest' required: true responses: '201': @@ -3391,6 +5255,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -3404,7 +5271,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3420,6 +5292,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
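Review bot: in `@@ -3383,6 +5244,9 @@` the request example on the create Policy operation is keyed `CreateAuthorizationServerPolicyRule` but references `#/components/examples/CreateAuthorizationServerPolicyRequest`; the endpoint creates a Policy, not a Rule, so the key should be `CreateAuthorizationServerPolicy` (the same key/ref mismatch recurs on the replace Policy operation in the next hunk, `@@ -3442,6 +5322,9 @@`, as `UpdateAuthorizationServerPolicyRule`). Example keys are rendered as tab labels in Redoc-style docs, so a reader would see "PolicyRule" on a Policy endpoint.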
@@ -3431,7 +5306,12 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: summary: Replace a Policy description: Replaces a policy @@ -3442,6 +5322,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + UpdateAuthorizationServerPolicyRule: + $ref: '#/components/examples/UpdateAuthorizationServerPolicyRequest' required: true responses: '200': @@ -3450,6 +5333,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -3463,7 +5349,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Delete a Policy description: Deletes a policy @@ -3483,7 +5374,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3507,7 +5403,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthServerId' 
@@ -3531,7 +5432,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3549,6 +5455,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + ListAuthorizationServerPolicyRules: + $ref: '#/components/examples/ListAuthorizationServerPolicyRules' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3560,7 +5469,12 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: summary: Create a Policy Rule description: Creates a policy rule for the specified Custom Authorization Server and Policy @@ -3570,7 +5484,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' + examples: + CreateAuthorizationServerPolicyRule: + $ref: '#/components/examples/CreateAuthorizationServerPolicyRuleRequest' required: true responses: '201': @@ -3579,6 +5496,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -3592,7 +5512,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3609,6 +5534,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3620,7 +5548,12 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: summary: Replace a Policy Rule description: Replaces the configuration of the Policy Rule defined in the specified Custom Authorization Server and Policy @@ -3630,7 +5563,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' + examples: + UpdateAuthorizationServerPolicyRule: + $ref: '#/components/examples/UpdateAuthorizationServerPolicyRuleRequest' required: true responses: '200': @@ -3639,6 +5575,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -3652,7 +5591,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Delete a Policy Rule description: Deletes a Policy Rule defined in the specified Custom Authorization Server and Policy @@ -3672,7 +5616,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3697,7 +5646,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3722,7 +5676,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/scopes: parameters: - $ref: '#/components/parameters/pathAuthServerId' 
@@ -3733,22 +5692,29 @@ paths: parameters: - name: q in: query + description: Searches the `name` of Custom Token Scopes for matching values schema: type: string - name: filter in: query + description: Filter expression for Custom Token Scopes schema: type: string - - name: cursor + - name: after in: query + description: |- + Specifies the pagination cursor for the next page of scopes. + Treat the after cursor as an opaque value and obtain it through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query + description: |- + Specifies the number of objects to return per page. + If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: integer - format: int32 - default: -1 + maximum: 200 responses: '200': description: Success @@ -3758,6 +5724,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleScopes: + $ref: '#/components/examples/ExampleOAuth2Scopes' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3769,7 +5738,12 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: summary: Create a Custom Token Scope description: Creates a custom token scope @@ -3780,6 +5754,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + CreateOAuth2ScopeRequest: + $ref: '#/components/examples/CreateOAuth2ScopeRequest' required: true responses: '201': 
@@ -3788,6 +5765,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleOAuth2Scope: + $ref: '#/components/examples/ExampleOAuth2Scope' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -3801,7 +5781,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' @@ -3817,6 +5802,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleOAuth2Scope: + $ref: '#/components/examples/ExampleOAuth2Scope' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3828,7 +5816,12 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: summary: Replace a Custom Token Scope description: Replaces a custom token scope @@ -3839,6 +5832,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + UpdateOAuth2Scope: + $ref: '#/components/examples/UpdateOAuth2ScopeRequest' required: true responses: '200': @@ -3847,6 +5843,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' + examples: + UpdatedOAuth2Scope: + $ref: '#/components/examples/UpdatedOAuth2ScopeResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -3860,7 +5859,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Delete a Custom Token Scope description: Deletes a custom token scope 
@@ -3880,7 +5884,12 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/behaviors: get: summary: List all Behavior Detection Rules @@ -3905,6 +5914,9 @@ paths: - okta.behaviors.read tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Behavior Detection Rule description: Creates a new behavior detection rule @@ -3948,6 +5960,9 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}: parameters: - $ref: '#/components/parameters/pathBehaviorId' @@ -3981,6 +5996,9 @@ paths: - okta.behaviors.read tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Behavior Detection Rule description: Replaces a Behavior Detection Rule by `behaviorId` @@ -4033,6 +6051,9 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Behavior Detection Rule description: Deletes a Behavior Detection Rule by `behaviorId` @@ -4059,6 +6080,9 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathBehaviorId' @@ -4088,6 +6112,9 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathBehaviorId' 
@@ -4117,19 +6144,22 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands: - parameters: - - $ref: '#/components/parameters/queryExpandBrand' - - $ref: '#/components/parameters/queryAfter' - - $ref: '#/components/parameters/queryLimit' - - $ref: '#/components/parameters/queryFilter' get: summary: List all Brands description: Lists all the brands in your org operationId: listBrands + parameters: + - $ref: '#/components/parameters/queryExpandBrand' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryFilter' responses: '200': - description: OK + description: Successfully returned the list of brands content: application/json: schema: @@ -4148,7 +6178,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Brand description: Creates a new brand in your org @@ -4163,7 +6196,7 @@ paths: $ref: '#/components/examples/CreateBrandRequest' responses: '201': - description: Created + description: Successfully created the brand content: application/json: schema: @@ -4175,6 +6208,15 @@ paths: $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '409': + description: Could not create the new brand because same name already exist. + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Cannot create brand with the same name: + $ref: '#/components/examples/ErrorCreateBrandExists' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: 
@@ -4182,18 +6224,22 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}: parameters: - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/queryExpandBrand' get: summary: Retrieve a Brand description: Retrieves a brand by `brandId` operationId: getBrand + parameters: + - $ref: '#/components/parameters/queryExpandBrand' responses: '200': - description: OK + description: Successfully retrieved the brand content: application/json: schema: @@ -4212,10 +6258,19 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Brand - description: Replaces a brand by `brandId` + description: |+ + Replaces a brand by `brandId` + + Passing an invalid `brandId` returns a `404 Not Found` status code with the error code `E0000007`. + + Not providing `agreeToCustomPrivacyPolicy` with `customPrivacyPolicyUrl` returns a `400 Bad Request` status code with the error code `E0000001`. + operationId: replaceBrand x-codegen-request-body-name: brand requestBody: @@ -4229,7 +6284,7 @@ paths: required: true responses: '200': - description: OK + description: Successfully replaced the brand content: application/json: schema: @@ -4250,7 +6305,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a brand description: Deletes a brand by `brandId` @@ -4280,7 +6338,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/domains: parameters: - $ref: '#/components/parameters/pathBrandId' 
@@ -4290,7 +6351,7 @@ paths: operationId: listBrandDomains responses: '200': - description: OK + description: Successfully returned the list of domains for the brand content: application/json: schema: @@ -4306,7 +6367,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4333,7 +6397,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/customized: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4364,7 +6431,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Customized Error Page description: Replaces the customized error page. The customized error page appears in your live environment. @@ -4400,7 +6470,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Customized Error Page description: Deletes the customized error page. As a result, the default error page appears in your live environment. @@ -4420,7 +6493,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/default: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4446,7 +6522,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/preview: parameters: - $ref: '#/components/parameters/pathBrandId' 
@@ -4477,7 +6556,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Preview Error Page description: Replaces the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. @@ -4513,7 +6595,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Preview Error Page description: Deletes the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. @@ -4533,7 +6618,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4560,7 +6648,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/customized: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4591,7 +6682,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Customized Sign-in Page description: Replaces the customized sign-in page. The customized sign-in page appears in your live environment. 
@@ -4627,7 +6721,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Customized Sign-in Page description: Deletes the customized sign-in page. As a result, the default sign-in page appears in your live environment. @@ -4647,7 +6744,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/default: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4673,7 +6773,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/preview: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4704,7 +6807,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Preview Sign-in Page description: Replaces the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. @@ -4740,7 +6846,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Preview Sign-in Page description: Deletes the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. @@ -4760,7 +6869,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/widget-versions: parameters: - $ref: '#/components/parameters/pathBrandId' 
@@ -4789,7 +6901,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-out/customized: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4815,7 +6930,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Sign-out Page Settings description: Replaces the sign-out page settings @@ -4846,13 +6964,16 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - CustomPages + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: List all Email Templates - description: Lists all email templates + description: Lists all supported email templates operationId: listEmailTemplates parameters: - $ref: '#/components/parameters/queryAfter' @@ -4866,7 +6987,7 @@ paths: schema: type: array items: - $ref: '#/components/schemas/EmailTemplate' + $ref: '#/components/schemas/EmailTemplateResponse' examples: List email templates response: $ref: '#/components/examples/ListEmailTemplateResponse' @@ -4886,7 +7007,10 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4903,7 +7027,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/EmailTemplate' + $ref: '#/components/schemas/EmailTemplateResponse' examples: Get email template response: $ref: '#/components/examples/GetEmailTemplateResponse' 
@@ -4918,14 +7042,20 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: List all Email Customizations - description: Lists all customizations of an email template + description: | + Lists all customizations of an email template + + <x-lifecycle class="ea"></x-lifecycle> If Custom languages for Okta Email Templates is enabled, all existing customizations are retrieved, including customizations for additional languages. If disabled, only customizations for Okta-supported languages are returned. operationId: listEmailCustomizations parameters: - $ref: '#/components/parameters/queryAfter' @@ -4953,10 +7083,16 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Email Customization - description: Creates a new email customization + description: | + Creates a new Email Customization + + <x-lifecycle class="ea"></x-lifecycle> If Custom languages for Okta Email Templates is enabled, you can create a customization for any BCP47 language in addition to the Okta-supported languages. operationId: createEmailCustomization x-codegen-request-body-name: instance requestBody: 
@@ -5001,10 +7137,16 @@ paths: - oauth2: - okta.templates.manage tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete all Email Customizations - description: Deletes all customizations for an email template + description: | + Deletes all customizations for an email template + + <x-lifecycle class="ea"></x-lifecycle> If Custom languages for Okta Email Templates is enabled, all customizations are deleted, including customizations for additional languages. If disabled, only customizations in Okta-supported languages are deleted. operationId: deleteAllCustomizations responses: '204': @@ -5021,7 +7163,10 @@ paths: - oauth2: - okta.templates.manage tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5029,7 +7174,10 @@ paths: - $ref: '#/components/parameters/pathCustomizationId' get: summary: Retrieve an Email Customization - description: Retrieves an email customization by its unique identifier + description: | + Retrieves an email customization by its unique identifier + + <x-lifecycle class="ea"></x-lifecycle> If Custom languages for Okta Email Templates is disabled, requests to retrieve an additional language customization by ID result in a `404 Not Found` error response. operationId: getEmailCustomization responses: '200': 
@@ -5052,10 +7200,16 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Email Customization - description: Replaces an existing email customization using the property values provided + description: | + Replaces an email customization using property values + + <x-lifecycle class="ea"></x-lifecycle> If Custom languages for Okta Email Templates is disabled, requests to update a customization for an additional language return a `404 Not Found` error response. operationId: replaceEmailCustomization x-codegen-request-body-name: instance requestBody: @@ -5103,10 +7257,16 @@ paths: - oauth2: - okta.templates.manage tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Email Customization - description: Deletes an email customization by its unique identifier + description: | + Deletes an Email Customization by its unique identifier + + <x-lifecycle class="ea"></x-lifecycle> If Custom languages for Okta Email Templates is disabled, deletion of an existing additional language customization by ID doesn't register. operationId: deleteEmailCustomization responses: '204': @@ -5132,7 +7292,10 @@ paths: - oauth2: - okta.templates.manage tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}/preview: parameters: - $ref: '#/components/parameters/pathBrandId' 
@@ -5140,7 +7303,10 @@ paths: - $ref: '#/components/parameters/pathCustomizationId' get: summary: Retrieve a Preview of an Email Customization - description: Retrieves a preview of an email customization. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context. + description: | + Retrieves a Preview of an Email Customization. All variable references are populated from the current user's context. For example, `${user.profile.firstName}`. + + <x-lifecycle class="ea"></x-lifecycle> If Custom languages for Okta Email Templates is disabled, requests for the preview of an additional language customization by ID return a `404 Not Found` error response. operationId: getCustomizationPreview responses: '200': @@ -5163,14 +7329,22 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/default-content: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: Retrieve an Email Template Default Content - description: Retrieves an email template's default content + description: | + Retrieves an email template's default content + + <x-lifecycle class="ea"></x-lifecycle> Defaults to the current user's language given the following: + - Custom languages for Okta Email Templates is enabled + - An additional language is specified for the `language` parameter operationId: getEmailDefaultContent parameters: - $ref: '#/components/parameters/queryLanguage' 
@@ -5195,14 +7369,22 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/default-content/preview: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: - summary: Retrieve a Preview of the Email Template Default Content - description: Retrieves a preview of an email template's default content. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context. + summary: Retrieve a Preview of the Email Template default content + description: | + Retrieves a preview of an Email Template's default content. All variable references are populated using the current user's context. For example, `${user.profile.firstName}`. + + <x-lifecycle class="ea"></x-lifecycle> Defaults to the current user's language given the following: + - Custom languages for Okta Email Templates is enabled + - An additional language is specified for the `language` parameter operationId: getEmailDefaultPreview parameters: - $ref: '#/components/parameters/queryLanguage' @@ -5227,7 +7409,10 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/settings: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5242,7 +7427,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/EmailSettings' + $ref: '#/components/schemas/EmailSettingsResponse' examples: Get email template settings response: $ref: '#/components/examples/EmailSettingsResponse' 
@@ -5257,7 +7442,10 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Email Template Settings description: Replaces an email template's settings @@ -5268,8 +7456,15 @@ paths: schema: $ref: '#/components/schemas/EmailSettings' responses: - '204': + '200': description: Successfully updated the email template's settings. + content: + application/json: + schema: + $ref: '#/components/schemas/EmailSettings' + examples: + Update email template settings: + $ref: '#/components/examples/EmailSettingsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -5292,7 +7487,10 @@ paths: - oauth2: - okta.templates.manage tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/test: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5302,6 +7500,7 @@ paths: description: |- Sends a test email to the current user’s primary and secondary email addresses. The email content is selected based on the following priority: 1. The email customization for the language specified in the `language` query parameter. + <x-lifecycle class="ea"></x-lifecycle> If Custom languages for Okta Email Templates is enabled and the `language` parameter is an additional language, the test email uses the customization corresponding to the language. 2. The email template's default customization. 3. The email template’s default content, translated to the current user's language. operationId: sendTestEmail 
@@ -5322,23 +7521,32 @@ paths: - oauth2: - okta.templates.read tags: - - Customization + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: List all Themes - description: Lists all the themes in your brand + description: |- + Lists all the themes in your brand. + + > **Important:** Currently each org supports only one Theme, therefore this contains a single object only. operationId: listBrandThemes responses: '200': - description: OK + description: Successfully returned the list of themes content: application/json: schema: type: array items: $ref: '#/components/schemas/ThemeResponse' + examples: + Get themes response: + $ref: '#/components/examples/ListThemesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -5350,7 +7558,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5361,11 +7572,14 @@ paths: operationId: getBrandTheme responses: '200': - description: OK + description: Successfully retrieved the theme content: application/json: schema: $ref: '#/components/schemas/ThemeResponse' + examples: + Get theme response: + $ref: '#/components/examples/GetThemeResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -5377,7 +7591,10 @@ paths: - oauth2: - okta.brands.read tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Theme description: Replaces a theme for a brand 
@@ -5387,15 +7604,21 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Theme' + $ref: '#/components/schemas/UpdateThemeRequest' + examples: + Update theme request: + $ref: '#/components/examples/UpdateThemeRequest' required: true responses: '200': - description: OK + description: Successfully replaced the theme content: application/json: schema: $ref: '#/components/schemas/ThemeResponse' + examples: + Update theme response: + $ref: '#/components/examples/UpdateThemeResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -5409,7 +7632,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/background-image: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5433,7 +7659,7 @@ paths: description: background image file responses: '201': - description: Created + description: Content Created content: application/json: schema: @@ -5451,7 +7677,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Background Image description: Deletes a Theme background image @@ -5471,7 +7700,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/favicon: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5485,7 +7717,7 @@ paths: multipart/form-data: schema: type: object - description: The file must be in PNG, or ico format and less than ?? in size and 128 x 128 dimensions + description: The file must be in PNG or ICO format and have a 1:1 ratio with a maximum dimension of 512 x 512 properties: file: type: string 
@@ -5513,7 +7745,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Favicon description: Deletes a Theme favicon. The theme will use the default Okta favicon. @@ -5533,7 +7768,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/logo: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5575,7 +7813,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Logo description: Deletes a Theme logo. The theme will use the default Okta logo. @@ -5595,7 +7836,10 @@ paths: - oauth2: - okta.brands.manage tags: - - Customization + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/captchas: get: summary: List all CAPTCHA Instances @@ -5620,6 +7864,11 @@ paths: - okta.captchas.read tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create a CAPTCHA instance description: Creates a new CAPTCHA instance. Currently, an org can only configure a single CAPTCHA instance. @@ -5669,6 +7918,11 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/captchas/{captchaId}: parameters: - $ref: '#/components/parameters/pathCaptchaId' @@ -5700,6 +7954,11 @@ paths: - okta.captchas.read tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Update a CAPTCHA Instance description: Partially updates the properties of a specified CAPTCHA instance 
@@ -5742,6 +8001,11 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: summary: Replace a CAPTCHA Instance description: Replaces the properties for a specified CAPTCHA instance @@ -5784,6 +8048,11 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete a CAPTCHA Instance description: |- @@ -5815,9 +8084,14 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/device-assurances: get: - summary: List all Device Assurance Policies + summary: List all device assurance policies description: Lists all device assurance policies operationId: listDeviceAssurancePolicies responses: @@ -5839,9 +8113,14 @@ paths: - okta.deviceAssurance.read tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: - summary: Create a Device Assurance Policy - description: Creates a new Device Assurance Policy + summary: Create a device assurance policy + description: Creates a new device assurance policy operationId: createDeviceAssurancePolicy x-codegen-request-body-name: deviceAssurance requestBody: 
@@ -5864,6 +8143,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' required: true responses: '200': 
@@ -5887,6 +8178,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -5899,12 +8202,17 @@ paths: - okta.deviceAssurance.manage tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/device-assurances/{deviceAssuranceId}: parameters: - $ref: '#/components/parameters/pathDeviceAssuranceId' get: - summary: Retrieve a Device Assurance Policy - description: Retrieves a Device Assurance Policy by `deviceAssuranceId` + summary: Retrieve a device assurance policy + description: Retrieves a device assurance policy by `deviceAssuranceId` operationId: getDeviceAssurancePolicy responses: '200': 
@@ -5928,6 +8236,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -5940,9 +8260,14 @@ paths: - okta.deviceAssurance.read tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: - summary: Replace a Device Assurance Policy - description: Replaces a Device Assurance Policy by `deviceAssuranceId` + summary: Replace a device assurance policy + description: Replaces a device assurance policy by `deviceAssuranceId` operationId: replaceDeviceAssurancePolicy x-codegen-request-body-name: deviceAssurance requestBody: 
@@ -5965,6 +8290,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' required: true responses: '200': 
@@ -5988,6 +8325,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -6002,9 +8351,14 @@ paths: - okta.deviceAssurance.manage tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: - summary: Delete a Device Assurance Policy - description: Deletes a Device Assurance Policy by `deviceAssuranceId`. If the Device Assurance Policy is currently being used in the org Authentication Policies, the delete will not be allowed. + summary: Delete a device assurance policy + description: Deletes a device assurance policy by `deviceAssuranceId`. If the device assurance policy is currently being used in the org Authentication Policies, the delete will not be allowed. operationId: deleteDeviceAssurancePolicy responses: '204': 
@@ -6031,6 +8385,14 @@ paths: - okta.deviceAssurance.manage tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/device-checks/{deviceCheckId}: + parameters: + - $ref: '#/components/parameters/pathDeviceCheckId' /api/v1/devices: get: summary: List all Devices @@ -6042,7 +8404,12 @@ paths: This operation requires [URL encoding](https://www.w3.org/TR/html4/interact/forms.html#h-17.13.4.1). For example, `search=profile.displayName eq "Bob"` is encoded as `search=profile.displayName%20eq%20%22Bob%22`. operationId: listDevices parameters: - - $ref: '#/components/parameters/queryAfter' + - name: after + in: query + schema: + type: string + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information. + example: 200u3des4afA47rYJu1d7 - name: limit in: query schema: @@ -6050,12 +8417,14 @@ paths: minimum: 1 maximum: 200 default: 200 + example: 20 description: A limit on the number of objects to return (recommend `20`) - name: search in: query description: A SCIM filter expression that filters the results. Searches include all Device `profile` properties and the Device `id`, `status`, and `lastUpdated` properties. schema: type: string + example: lastUpdated gt "2019-06-01T09:00:00.000Z" examples: Devices that have a `status` of `ACTIVE`: value: status eq "ACTIVE" 
@@ -6071,11 +8440,23 @@ paths: value: profile.sid sw "S-1" - name: expand in: query + description: Includes associated user details and management status for the device in the `_embedded` attribute schema: type: string - # enum: - # - user # TODO: REVISIT WITH API TEAM - description: Lists associated users for the device in `_embedded` element + example: userSummary + enum: + - user + - userSummary + x-enumDescriptions: + user: Lists full details for associated users + userSummary: Lists summaries for associated users + examples: + UserFullDetails: + summary: Get a detailed list of associated users + value: user + UserSummaries: + summary: Get the list of associated user summaries + value: userSummary responses: '200': description: OK @@ -6084,8 +8465,11 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Device' + $ref: '#/components/schemas/DeviceList' examples: + APIDevicesResponseUserSummaryExample: + type: array + $ref: '#/components/examples/APIDevicesListAllUserSummaryResponse' APIDevicesResponseExample: type: array $ref: '#/components/examples/APIDevicesListAllResponse' @@ -6099,6 +8483,11 @@ paths: - okta.devices.read tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}: parameters: - $ref: '#/components/parameters/pathDeviceId' 
@@ -6128,10 +8517,15 @@ paths: - okta.devices.read tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete a Device description: |- - Deletes (permanently) a device by `deviceId` if it has a status of `DEACTIVATED`. You can transition the device to `DEACTIVATED` status using the [Deactivate a Device](#tag/Device/operation/deactivateDevice) endpoint. + Deletes (permanently) a device by `deviceId` if it has a status of `DEACTIVATED`. You can transition the device to `DEACTIVATED` status using the [Deactivate a Device](/openapi/okta-management/management/tag/Device/#tag/Device/operation/deactivateDevice) endpoint. This request is destructive and deletes all of the profile data related to the device. Once deleted, device data can't be recovered. However, reenrollment creates a new device record. > **Note:** Attempts to delete a device that isn't in a `DEACTIVATED` state raise an error. operationId: deleteDevice @@ -6158,6 +8552,11 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathDeviceId' @@ -6182,6 +8581,11 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathDeviceId' @@ -6210,6 +8614,11 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/suspend: parameters: - $ref: '#/components/parameters/pathDeviceId' 
@@ -6236,6 +8645,11 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/unsuspend: parameters: - $ref: '#/components/parameters/pathDeviceId' @@ -6260,6 +8674,11 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/users: parameters: - $ref: '#/components/parameters/pathDeviceId' @@ -6292,6 +8711,53 @@ paths: - okta.devices.read tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/directories/{appInstanceId}/groups/modify: + parameters: + - $ref: '#/components/parameters/appInstanceId' + post: + summary: Update an AD Group membership + description: Updates an AD Group membership directly in AD + operationId: updateADGroupMembership + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AgentAction' + required: true + responses: + '200': + description: OK + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '502': + $ref: '#/components/responses/Error502NoConnectedAgents' + '504': + $ref: '#/components/responses/Error504AgentTimeOut' + security: + - oauth2: + - okta.directories.groups.manage + tags: + - DirectoriesIntegration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/domains: get: summary: List all Custom Domains 
@@ -6314,36 +8780,42 @@ paths: - okta.domains.read tags: - CustomDomain - # post: - # summary: Create a Custom Domain - # description: Creates your custom domain - # operationId: createCustomDomain - # x-codegen-request-body-name: domain - # requestBody: - # content: - # application/json: - # schema: - # $ref: '#/components/schemas/DomainRequest' - # required: true - # responses: - # '200': - # description: Success - # content: - # application/json: - # schema: - # $ref: '#/components/schemas/DomainResponse' - # '400': - # $ref: '#/components/responses/ErrorApiValidationFailed400' - # '403': - # $ref: '#/components/responses/ErrorAccessDenied403' - # '429': - # $ref: '#/components/responses/ErrorTooManyRequests429' - # security: - # - apiToken: [] - # - oauth2: - # - okta.domains.manage - # tags: - # - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Custom Domain + description: Creates your custom domain + operationId: createCustomDomain + x-codegen-request-body-name: domain + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DomainRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DomainResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.manage + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/domains/{domainId}: parameters: - $ref: '#/components/parameters/pathDomainId' @@ -6370,6 +8842,9 @@ paths: - okta.domains.read tags: - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Custom Domain's Brand description: Replaces a custom domain's brand 
@@ -6401,6 +8876,9 @@ paths: - okta.domains.manage tags: - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Custom Domain description: Deletes a custom domain by `domainId` @@ -6421,12 +8899,20 @@ paths: - okta.domains.manage tags: - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/domains/{domainId}/certificate: parameters: - $ref: '#/components/parameters/pathDomainId' put: summary: Upsert the Custom Domain's Certificate - description: Upserts (creates or renews) the `MANUAL` certificate for the custom domain. If the `certificateSourceType` in the domain is `OKTA_MANAGED`, it becomes `MANUAL` and Okta no longer manages and renews certificates for this domain since a user-managed certificate has been provided. + description: |- + Upserts (creates or renews) the `MANUAL` certificate for the custom domain + + > **Notes:** + > * If the existing `certificateSourceType` is `OKTA_MANAGED`, this operation changes the source type to `MANUAL`. Okta no longer manages and renews certificates for this domain after you provide a user-managed certificate. + > * Okta supports TLS certificates and private keys that are PEM-encoded and 2048, 3072, or 4096 bits. See the [Custom domain guide](https://developer.okta.com/docs/guides/custom-url-domain/main/) for more details. operationId: upsertCertificate x-codegen-request-body-name: certificate requestBody: @@ -6453,6 +8939,9 @@ paths: - okta.domains.manage tags: - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/domains/{domainId}/verify: parameters: - $ref: '#/components/parameters/pathDomainId' 
@@ -6479,6 +8968,12 @@ paths: - okta.domains.manage tags: - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/dr/status/{domain}: + parameters: + - $ref: '#/components/parameters/domain' /api/v1/email-domains: parameters: - $ref: '#/components/parameters/queryExpandEmailDomain' @@ -6508,6 +9003,9 @@ paths: - okta.emailDomains.read tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Email Domain description: Creates an Email Domain in your org @@ -6555,6 +9053,9 @@ paths: - okta.emailDomains.manage tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/email-domains/{emailDomainId}: parameters: - $ref: '#/components/parameters/pathEmailDomainId' @@ -6585,6 +9086,9 @@ paths: - okta.emailDomains.read tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Email Domain description: Replaces associated username and sender display name by `emailDomainId` @@ -6623,6 +9127,9 @@ paths: - okta.emailDomains.manage tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Email Domain description: Deletes an Email Domain by `emailDomainId` @@ -6652,6 +9159,9 @@ paths: - okta.emailDomains.manage tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/email-domains/{emailDomainId}/verify: parameters: - $ref: '#/components/parameters/pathEmailDomainId' @@ -6692,10 +9202,13 @@ paths: - okta.emailDomains.manage tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/email-servers: get: summary: List all enrolled SMTP servers - description: Lists all the enrolled custom email SMTP servers + description: Lists all the enrolled custom SMTP server configurations operationId: listEmailServers responses: '200': 
@@ -6714,9 +9227,14 @@ paths: - okta.emailServers.read tags: - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create a custom SMTP server - description: Creates a custom email SMTP server configuration for your organization + description: Creates a custom email SMTP server configuration for your org operationId: createEmailServer requestBody: content: @@ -6742,12 +9260,17 @@ paths: - okta.emailServers.manage tags: - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/email-servers/{emailServerId}: parameters: - $ref: '#/components/parameters/pathEmailServerId' get: summary: Retrieve an SMTP Server configuration - description: Retrieves a configuration of your organization's custom SMTP server with the given ID + description: Retrieves the specified custom SMTP server configuration operationId: getEmailServer responses: '200': @@ -6768,9 +9291,14 @@ paths: - okta.emailServers.read tags: - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine patch: summary: Update an SMTP Server configuration - description: Updates one or more fields of your organization's custom SMTP Server configuration + description: Updates the specified custom SMTP server configuration operationId: updateEmailServer requestBody: content: @@ -6798,9 +9326,14 @@ paths: - okta.emailServers.manage tags: - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete an SMTP Server configuration - description: Deletes your organization's custom SMTP server with the given ID + description: Deletes the specified custom SMTP server configuration operationId: deleteEmailServer responses: '204': 
@@ -6817,12 +9350,17 @@ paths: - okta.emailServers.manage tags: - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/email-servers/{emailServerId}/test: parameters: - $ref: '#/components/parameters/pathEmailServerId' post: summary: Test an SMTP Server configuration - description: Tests your organization's custom SMTP Server with the given ID + description: Tests the specified custom SMTP Server configuration operationId: testEmailServer requestBody: content: @@ -6846,6 +9384,11 @@ paths: - okta.emailServers.manage tags: - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/eventHooks: get: summary: List all Event Hooks @@ -6860,6 +9403,9 @@ paths: type: array items: $ref: '#/components/schemas/EventHook' + examples: + RetrieveAllEventHooks: + $ref: '#/components/examples/RetrieveAllEventHooks' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -6870,9 +9416,23 @@ paths: - okta.eventHooks.read tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Event Hook - description: Creates an event hook + description: |- + Creates a new event hook for your organization in `ACTIVE` status. You pass an event hook object in the JSON payload + of your request. That object represents the set of required information about the event hook you're registering, including: + * The URI of your external service + * The [events](https://developer.okta.com/docs/reference/api/event-types/) in Okta you want to subscribe to + * An optional event hook filter that can reduce the number of event hook calls. This is a self-service Early Access (EA) feature. + See [Create an event hook filter](https://developer.okta.com/docs/concepts/event-hooks/#create-an-event-hook-filter). + + Additionally, you can specify a secret API key for Okta to pass to your external service endpoint for security verification. Note that the API key you set here is unrelated to the Okta API token + you must supply when making calls to Okta APIs. Optionally, you can specify extra headers that Okta passes to your external + service with each call. + Your external service must use a valid HTTPS endpoint. operationId: createEventHook x-codegen-request-body-name: eventHook requestBody: @@ -6880,6 +9440,11 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + CreateAnEventHook: + $ref: '#/components/examples/CreateAnEventHook' + CreateAnEventHookWithFilter: + $ref: '#/components/examples/CreateAnEventHookWithFilter' required: true responses: '200': 
@@ -6888,6 +9453,11 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + CreateAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + CreateAnEventHookWithFilter: + $ref: '#/components/examples/RetrieveAnEventHookWithFilter' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -6900,6 +9470,9 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}: parameters: - $ref: '#/components/parameters/pathEventHookId' @@ -6914,6 +9487,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + RetrieveAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -6926,9 +9502,16 @@ paths: - okta.eventHooks.read tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Event Hook - description: Replaces an event hook + description: |- + Replaces an event hook. Okta validates the new properties before replacing the existing values. + Some event hook properties are immutable and can't be updated. Refer to the parameter description in the request body schema. + + >**Note:** Updating the `channel` property requires you to verify the hook again. operationId: replaceEventHook x-codegen-request-body-name: eventHook requestBody: @@ -6936,6 +9519,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + ReplaceAnEventHook: + $ref: '#/components/examples/ReplaceAnEventHookWithFilter' required: true responses: '200': @@ -6944,6 +9530,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + ReplaceAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHookWithFilter' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -6958,9 +9547,14 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Event Hook - description: Deletes an event hook + description: |- + Deletes the event hook that matches the provided `id`. After deletion, the event hook is unrecoverable. + As a safety precaution, you can only delete event hooks with a status of `INACTIVE`. operationId: deleteEventHook responses: '204': @@ -6978,12 +9572,15 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathEventHookId' post: summary: Activate an Event Hook - description: Activates an event hook + description: Activates the event hook that matches the provided `id` operationId: activateEventHook responses: '200': @@ -6992,6 +9589,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + ActivateAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7004,12 +9604,15 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathEventHookId' post: summary: Deactivate an Event Hook - description: Deactivates an event hook + description: Deactivates the event hook that matches the provided `id` operationId: deactivateEventHook responses: '200': @@ -7018,6 +9621,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + DeactivateAnEventHook: + $ref: '#/components/examples/RetrieveADeactivatedEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7030,12 +9636,21 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}/lifecycle/verify: parameters: - $ref: '#/components/parameters/pathEventHookId' post: summary: Verify an Event Hook - description: Verifies an event hook + description: |- + Verifies that the event hook matches the provided `eventHookId`. To verify ownership, your endpoint must send information back to Okta in JSON format. See [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/#one-time-verification-request). + + Only `ACTIVE` and `VERIFIED` event hooks can receive events from Okta. + + If a response is not received within 3 seconds, the outbound request times out. One retry is attempted after a timeout or error response. + If a successful response still isn't received, this operation returns a 400 error with more information about the failure. operationId: verifyEventHook responses: '200': @@ -7044,6 +9659,11 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + VerifyAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7056,10 +9676,13 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features: get: summary: List all Features - description: Lists all features + description: Lists all self-service features for your org operationId: listFeatures responses: '200': @@ -7070,6 +9693,10 @@ paths: type: array items: $ref: '#/components/schemas/Feature' + examples: + FeaturesList: + summary: List all self-service features for your org + $ref: '#/components/examples/ListFeaturesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -7080,12 +9707,15 @@ paths: - okta.features.read tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features/{featureId}: parameters: - $ref: '#/components/parameters/pathFeatureId' get: summary: Retrieve a Feature - description: Retrieves a feature + description: Retrieves a feature by ID operationId: getFeature responses: '200': @@ -7094,6 +9724,10 @@ paths: application/json: schema: $ref: '#/components/schemas/Feature' + examples: + FeaturesRetrieve: + summary: Retrieve a Feature by ID + $ref: '#/components/examples/RetrieveFeaturesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7106,12 +9740,18 @@ paths: - okta.features.read tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features/{featureId}/dependencies: parameters: - $ref: '#/components/parameters/pathFeatureId' get: - summary: List all Dependencies - description: Lists all dependencies + summary: List all dependencies + description: |- + Lists all feature dependencies for a specified feature. + + A feature's dependencies are the features that it requires to be enabled in order for itself to be enabled. operationId: listFeatureDependencies responses: '200': @@ -7122,6 +9762,10 @@ paths: type: array items: $ref: '#/components/schemas/Feature' + examples: + FeaturesDependenciesList: + summary: List all Dependencies + $ref: '#/components/examples/ListFeatureDependenciesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
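Review bot: `FeaturesRetrieve` and `FeaturesDependenciesList` again put `summary` beside `$ref`, which OpenAPI 3.0.3 ignores; the same fix as for `FeaturesList` applies. `FeaturesDependenciesList` also keeps the old wording "List all Dependencies" while the operation summary in this hunk was changed to "List all dependencies"; align the two.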
@@ -7134,12 +9778,18 @@ paths: - okta.features.read tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features/{featureId}/dependents: parameters: - $ref: '#/components/parameters/pathFeatureId' get: - summary: List all Dependents - description: Lists all dependents + summary: List all dependents + description: |- + Lists all feature dependents for the specified feature. + + A feature's dependents are the features that need to be disabled in order for the feature itself to be disabled. operationId: listFeatureDependents responses: '200': @@ -7150,6 +9800,10 @@ paths: type: array items: $ref: '#/components/schemas/Feature' + examples: + FeaturesDependentsList: + summary: List all feature dependents for the specified feature + $ref: '#/components/examples/ListFeatureDependentsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7162,17 +9816,32 @@ paths: - okta.features.read tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features/{featureId}/{lifecycle}: parameters: - $ref: '#/components/parameters/pathFeatureId' - $ref: '#/components/parameters/pathLifecycle' post: - summary: Update a Feature Lifecycle - description: Updates a feature lifecycle + summary: Update a Feature lifecycle + description: |- + Updates a feature's lifecycle status. Use this endpoint to enable or disable a feature for your org. + + Use the `mode=force` parameter to override dependency restrictions for a particular feature. Normally, you can't enable a feature if it has one or more dependencies that aren't enabled. + + When you use the `mode=force` parameter while enabling a feature, Okta first tries to enable any disabled features that this feature may have as dependencies. If you don't pass the `mode=force` parameter and the feature has dependencies that need to be enabled before the feature is enabled, a 400 error is returned. + + When you use the `mode=force` parameter while disabling a feature, Okta first tries to disable any enabled features that this feature may have as dependents. If you don't pass the `mode=force` parameter and the feature has dependents that need to be disabled before the feature is disabled, a 400 error is returned. + + The following chart shows the different state transitions for a feature. + + ![State transitions of a feature](../../../../../images/features/update-ssfeat-flowchart.png '#width=500px;') operationId: updateFeatureLifecycle parameters: - name: mode in: query + description: Indicates if you want to force enable or disable a feature. Supported value is `force`. schema: type: string responses: 
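Review bot: The `mode` parameter's new description says the supported value is `force`, but its schema stays a bare `type: string`; since this is the noEnums variant, add `example: force` so generated docs and clients show the accepted value. The image reference `../../../../../images/features/update-ssfeat-flowchart.png` is a repository-relative path inside an API description and will only render where the docs build resolves it; use a URL or describe the transitions in text. Because `mode=force` enables dependencies or disables dependents on the caller's behalf, the description could point callers at listFeatureDependencies and listFeatureDependents (defined in the preceding hunks) so they can see what a forced change will touch before sending it.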
@@ -7182,6 +9851,10 @@ paths: application/json: schema: $ref: '#/components/schemas/Feature' + examples: + FeaturesUpdate: + summary: Update the feature lifecycle status + $ref: '#/components/examples/UpdateFeatureLifecycleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7194,55 +9867,197 @@ paths: - okta.features.manage tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/first-party-app-settings/{appName}: + parameters: + - $ref: '#/components/parameters/pathFirstPartyAppName' + get: + summary: Retrieve the Okta Application Settings + description: Retrieves the settings for an Okta app (also known as an Okta first-party app) + operationId: getFirstPartyAppSettings + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - OktaApplicationSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Okta Application Settings + description: Replaces the settings for an Okta app (also known as an Okta first-party app) + operationId: replaceFirstPartyAppSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - 
OktaApplicationSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups: get: summary: List all Groups - description: Lists all groups with pagination support. A subset of groups can be returned that match a supported filter expression or query. + description: |- + Lists all Groups with pagination support. + + The number of Groups returned depends on the specified [`limit`](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!in=query&path=limit&t=request), if you have a search, filter, and/or query parameter set, and if that parameter is not null. We recommend using a limit less than or equal to 200. + + A subset of Groups can be returned that match a supported filter expression, query, or search criteria. + + > **Note:** Results from the filter or query parameter are driven from an eventually consistent datasource. The synchronization lag is typically less than one second. + See [Filtering](https://developer.okta.com/docs/api/#filter) for more information on expressions. operationId: listGroups parameters: - name: q in: query - description: Searches the name property of groups for matching value + description: |- + Finds a Group that matches the `name` property + > **Note:** Paging and searching are currently mutually exclusive. You can't page a query. The default limit for a query is 300 results. Query is intended for an auto-complete picker use case where users refine their search string to constrain the results. schema: type: string + example: West&limit=10 - name: filter in: query - description: Filter expression for groups + description: |- + [Filter expression](https://developer.okta.com/docs/reference/core-okta-api/#filter) for Groups + > **Note:** All filters must be [URL encoded](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. 
schema: type: string + examples: + filterById: + value: id eq "00g1emaKYZTWRYYRRTSK" + summary: Filter group with a specific ID + filterByType: + value: type eq "OKTA_GROUP" + summary: Filter groups that are of the type `OKTA_GROUP` + filterByTypeAndProfileLastUpdatedAfterDate: + value: type eq "OKTA_GROUP" and lastUpdated gt "2016-11-11T00:00:00.000Z" + summary: Filter groups that are of the type `OKTA_GROUP` with Profile updated after 11/11/2015 + filterByTypeAndProfileOrMembershipUpdatedBeforeDate: + value: type eq "OKTA_GROUP" and (lastUpdated lt "2015-11-11T00:00:00.000Z" or lastMembershipUpdated lt "2015-11-11T00:00:00.000Z") + summary: Filter groups that are of the type `OKTA_GROUP` with Profile or memberships updated before 11/11/2015 - name: after in: query - description: Specifies the pagination cursor for the next page of groups + description: Specifies the pagination cursor for the next page of Groups. The `after` cursor should be treated as an opaque value and obtained through the next link relation. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query - description: Specifies the number of group results in a page + description: |- + Specifies the number of Group results in a page. + + Don't write code that depends on the default or maximum value, as it might change. If you receive an `HTTP 500` status code, you likely exceeded the request timeout. Retry your request with a smaller `limit` and [page the results](https://developer.okta.com/docs/api/#pagination). + + The Okta default Everyone group isn't returned for users with a Group Admin role. + + >**Note:** We strongly encourage using a limit that's less than or equal to 200. Any number greater than 200 affects performance and accuracy. schema: type: integer format: int32 - default: 10000 + maximum: 10000 - name: expand in: query - description: If specified, it causes additional metadata to be included in the response. 
+ description: If specified, additional metadata is included in the response. Possible values are `stats` and `app`. schema: type: string - name: search in: query - description: Searches for groups with a supported filtering expression for all attributes except for _embedded, _links, and objectClass + description: |- + Searches for groups with a supported [filtering](https://developer.okta.com/docs/reference/core-okta-api/#filter) expression for all attributes except for `_embedded`, `_links`, and `objectClass`. + + Search currently performs a `startsWith` match but it should be considered an implementation detail and might change without notice in the future. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). + + Using search requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding), for example, `search=type eq "OKTA_GROUP"` is encoded as `search=type+eq+%22OKTA_GROUP%22`. + + This operation searches many properties: + * Any group profile property, including imported app group profile properties. + * The top-level properties `id`, `created`, `lastMembershipUpdated`, `lastUpdated`, and `type`. + * The [source](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links/source&t=response) of groups with type of `APP_GROUP`, accessed as `source.id`. + You can also use `sortBy` and `sortOrder` parameters. 
schema: type: string + examples: + searchByType: + value: type eq "APP_GROUP" + summary: Search for Groups that have a type of `APP_GROUP` + searchByLastMembershipUpdatedAfterDate: + value: lastMembershipUpdated gt "2014-01-01T00:00:00.000Z" + summary: Search for Groups whose memberships were last updated after a specific timestamp + searchById: + value: id eq "00gak46y5hydV6NdM0g4" + summary: Search for Groups with the specified ID (`00gak46y5hydV6NdM0g4`) + searchByProfileName: + value: profile.name eq "West Coast Users" + summary: Search for Groups that have a `name` of `West Coast Users` + searchBySamAccountName: + value: profile.samAccountName sw "West Coast" + summary: Search for Groups whose `samAccountName` starts with `West Coast` + searchBySourceId: + value: source.id eq "0oa2v0el0gP90aqjJ0g7" + summary: Search for Groups that have the source app with a specified `source.id` (`0oa2v0el0gP90aqjJ0g7`) + searchByIdTypeAndCreationDate: + value: type eq "APP_GROUP" and (created lt "2014-01-01T00:00:00.000Z" and source.id eq "0oa2v0el0gP90aqjJ0g7") + summary: List groups of type `APP_GROUP` that were created before 01/01/2014 and whose source app has the ID 0oa2v0el0gP90aqjJ0g7 - name: sortBy in: query - description: Specifies field to sort by and can be any single property (for search queries only). + description: Specifies field to sort by **(for search queries only)**. `sortBy` can be any single property, for example `sortBy=profile.name`. schema: type: string example: lastUpdated - name: sortOrder in: query - description: |- - Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` is not present. - Groups with the same value for the `sortBy` parameter are ordered by `id`. + description: 'Specifies sort order: `asc` or `desc` (for search queries only). This parameter is ignored if if `sortBy` is not present. 
Groups with the same value for the `sortBy` property will be ordered by `id`' schema: type: string default: asc @@ -7255,6 +10070,9 @@ paths: type: array items: $ref: '#/components/schemas/Group' + examples: + ListGroupExample: + $ref: '#/components/examples/list-groups-examples' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -7265,16 +10083,24 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Group - description: Creates a new group with `OKTA_GROUP` type - operationId: createGroup + summary: Add a Group + description: |- + Adds a new Group with the `OKTA_GROUP` type to your org + > **Note:** App import operations are responsible for syncing Groups with `APP_GROUP` type such as Active Directory Groups. See + [About groups](https://help.okta.com/okta_help.htm?id=Directory_Groups). + operationId: addGroup x-codegen-request-body-name: group requestBody: content: application/json: schema: - $ref: '#/components/schemas/Group' + properties: + profile: + $ref: '#/components/schemas/OktaUserGroupProfile' required: true responses: '200': @@ -7283,6 +10109,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -7295,10 +10124,13 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/rules: get: - summary: List all Group Rules - description: Lists all group rules + summary: List all Group rules + description: Lists all Group rules for your org operationId: listGroupRules parameters: - name: limit @@ -7308,6 +10140,8 @@ paths: type: integer format: int32 default: 50 + minimum: 1 + maximum: 200 - name: after in: query description: Specifies the pagination cursor for the next page of rules 
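Review bot: `example: West&limit=10` on the `q` parameter embeds a second query parameter in a single parameter's example value; it should be `example: West`, with `limit` documented on its own parameter. Further points in the groups hunk: the `filterByTypeAndProfileLastUpdatedAfterDate` summary says "updated after 11/11/2015" while its value uses `2016-11-11T00:00:00.000Z`; the `sortOrder` description contains "ignored if if `sortBy`"; the new `post` requestBody uses bare `properties:` without `type: object`; and renaming `operationId: createGroup` to `addGroup` changes generated SDK method names, so it should be recorded as a breaking change.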
@@ -7315,12 +10149,12 @@ paths: type: string - name: search in: query - description: Specifies the keyword to search fules for + description: Specifies the keyword to search rules for schema: type: string - name: expand in: query - description: If specified as `groupIdToGroupNameMap`, then show group names + description: If specified as `groupIdToGroupNameMap`, then displays group names schema: type: string x-okta-added-version: 1.3.0 @@ -7333,6 +10167,9 @@ paths: type: array items: $ref: '#/components/schemas/GroupRule' + examples: + ListGroupRulesExample: + $ref: '#/components/examples/list-group-rules-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -7342,17 +10179,25 @@ paths: - oauth2: - okta.groups.read tags: - - Group + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Group Rule - description: Creates a group rule to dynamically add users to the specified group if they match the condition + summary: Create a Group rule + description: |- + Creates a Group rule to dynamically add Users to the specified Group if they match the condition + > **Note:** Group rules are created with the status set to `'INACTIVE'`. operationId: createGroupRule x-codegen-request-body-name: groupRule requestBody: content: application/json: schema: - $ref: '#/components/schemas/GroupRule' + $ref: '#/components/schemas/CreateGroupRuleRequest' + examples: + GroupRuleExample: + $ref: '#/components/examples/create-group-rule-request-example' required: true responses: '200': @@ -7361,6 +10206,9 @@ paths: application/json: schema: $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
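Review bot: In the createGroupRule note, `'INACTIVE'` wraps the value in both backticks and single quotes; elsewhere in this file status values are written as `INACTIVE`. Moving these operations from the `Group` tag to `GroupRule` also changes the rendered docs anchors of the `/tag/Group/...` form used in other descriptions in this file, so any existing links to the rules operations need updating.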
@@ -7372,17 +10220,21 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/rules/{groupRuleId}: parameters: - $ref: '#/components/parameters/pathGroupRuleId' get: - summary: Retrieve a Group Rule - description: Retrieves a specific group rule by `groupRuleId` + summary: Retrieve a Group rule + description: Retrieves a specific Group rule by ID from your org operationId: getGroupRule parameters: - name: expand in: query + description: If specified as `groupIdToGroupNameMap`, then show Group names schema: type: string responses: @@ -7392,6 +10244,9 @@ paths: application/json: schema: $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7403,10 +10258,17 @@ paths: - oauth2: - okta.groups.read tags: - - Group + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a Group Rule - description: Replaces a group rule. Only `INACTIVE` rules can be updated. + summary: Replace a Group rule + description: |- + Replaces a Group rule + > **Notes:** You only can update rules with a Group whose status is set to `'INACTIVE'`. + > + > You currently can't update the `action` section. operationId: replaceGroupRule x-codegen-request-body-name: groupRule requestBody: @@ -7414,6 +10276,9 @@ paths: application/json: schema: $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' required: true responses: '200': 
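Review bot: The replaceGroupRule note "You only can update rules with a Group whose status is set to `'INACTIVE'`" changes the meaning of the removed line "Only `INACTIVE` rules can be updated": the status constraint is on the rule, not on the Group. Suggest "> **Note:** You can only update rules whose status is `INACTIVE`." The new `expand` description on getGroupRule ("then show Group names") and the list endpoint's ("then displays group names") should also use the same wording.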
@@ -7435,17 +10300,21 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a group Rule + summary: Delete a Group Rule description: Deletes a specific group rule by `groupRuleId` operationId: deleteGroupRule parameters: - name: removeUsers in: query - description: Indicates whether to keep or remove users from groups assigned by this rule. + description: If set to `true`, removes Users from Groups assigned by this rule schema: type: boolean + default: false responses: '202': description: Accepted @@ -7461,13 +10330,16 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/rules/{groupRuleId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathGroupRuleId' post: summary: Activate a Group Rule - description: Activates a specific group rule by `groupRuleId` + description: Activates a specific Group rule by ID from your org operationId: activateGroupRule responses: '204': @@ -7484,13 +10356,16 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/rules/{groupRuleId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathGroupRuleId' post: summary: Deactivate a Group Rule - description: Deactivates a specific group rule by `groupRuleId` + description: Deactivates a specific Group rule by ID from your org operationId: deactivateGroupRule responses: '204': 
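Review bot: The `removeUsers` description now reads "If set to `true`, removes Users from Groups assigned by this rule" with `default: false`, but the default outcome (users stay in the Groups the rule added them to) is no longer stated, and for a delete that is the detail an operator most needs; spell out both cases. Summary capitalization is inconsistent within this hunk: "Delete a Group Rule" and "Activate a Group Rule" versus "Retrieve a Group rule" and "Replace a Group rule" in the preceding hunks.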
@@ -7507,13 +10382,16 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathGroupId' get: summary: Retrieve a Group - description: Retrieves a group by `groupId` + description: Retrieves a specific Group by `id` from your org operationId: getGroup responses: '200': @@ -7522,6 +10400,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7534,16 +10415,25 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Group - description: Replaces the profile for a group with `OKTA_GROUP` type + description: |- + Replaces the profile for a Group of `OKTA_GROUP` type from your org + > **Note :** You only can modify profiles for groups of the `OKTA_GROUP` type. + > + > App imports are responsible for updating profiles for groups of the `APP_GROUP` type, such as Active Directory groups. operationId: replaceGroup x-codegen-request-body-name: group requestBody: content: application/json: schema: - $ref: '#/components/schemas/Group' + properties: + profile: + $ref: '#/components/schemas/OktaUserGroupProfile' required: true responses: '200': @@ -7552,6 +10442,9 @@ paths: application/json: schema: $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
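Review bot: replaceGroup: "**Note :**" has a stray space before the colon, and "Replaces the profile for a Group of `OKTA_GROUP` type from your org" reads as if the Group were removed; "in your org" matches the getGroup wording. The inline requestBody schema `properties: profile:` lacks `type: object` (same shape as the addGroup body), which some generators treat as an untyped schema; add `type: object` or reference a named request schema, as createGroupRule now does with CreateGroupRuleRequest.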
@@ -7566,9 +10459,14 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Group - description: Deletes a group with `OKTA_GROUP` type + description: |- + Deletes a Group of the `OKTA_GROUP` or `APP_GROUP` type from your org + > **Note:** You can't remove Groups of type `APP_GROUP` if they are used in a group push mapping. operationId: deleteGroup responses: '204': @@ -7586,12 +10484,15 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/apps: parameters: - $ref: '#/components/parameters/pathGroupId' get: summary: List all Assigned Applications - description: Lists all applications that are assigned to a group + description: Lists all apps that are assigned to a Group. See [Application Groups API](/openapi/okta-management/management/tag/ApplicationGroups/). operationId: listAssignedApplicationsForGroup parameters: - name: after @@ -7615,6 +10516,9 @@ paths: type: array items: $ref: '#/components/schemas/Application' + examples: + ListAppsExample: + $ref: '#/components/examples/list-apps-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7627,6 +10531,9 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/owners: parameters: - $ref: '#/components/parameters/pathGroupId' @@ -7635,7 +10542,7 @@ paths: description: Lists all owners for a specific group operationId: listGroupOwners parameters: - - name: filter + - name: search in: query description: SCIM Filter expression for group owners. Allows to filter owners by type. schema: 
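Review bot: Renaming the listGroupOwners query parameter from `filter` to `search` (last hunk) is a breaking change for callers, and the description still says "SCIM Filter expression for group owners", so either the rename or the description is wrong; if the rename is intended, keep the old name as deprecated rather than dropping it. deleteGroup now covers `APP_GROUP` and says such groups can't be removed while used in a group push mapping, but the visible responses block starts at `'204'`; document the status returned in that case.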
@@ -7677,17 +10584,16 @@ paths: - oauth2: - okta.groups.read tags: - - Group + - GroupOwner + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Assign a Group Owner description: Assigns a group owner operationId: assignGroupOwner parameters: - - name: groupId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/pathGroupId' requestBody: content: application/json: @@ -7720,7 +10626,10 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupOwner + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/owners/{ownerId}: parameters: - $ref: '#/components/parameters/pathGroupId' @@ -7744,19 +10653,19 @@ paths: - oauth2: - okta.groups.manage tags: - - Group + - GroupOwner + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/roles: parameters: - $ref: '#/components/parameters/pathGroupId' get: - summary: List all Assigned Roles of Group - description: Lists all assigned roles of group identified by `groupId` + summary: List all Group Role Assignments + description: Lists all assigned roles of a Group by `groupId` operationId: listGroupAssignedRoles parameters: - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/pathQueryRoleExpand' responses: '200': description: Success @@ -7765,7 +10674,16 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponseGroup' + Custom Roles: + $ref: '#/components/examples/CustomRolesListResponseGroup' + IAM-Based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponseGroup' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
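Review bot: assignGroupOwner replaces its inline `groupId` parameter with `$ref: '#/components/parameters/pathGroupId'`, but `/api/v1/groups/{groupId}/owners` already declares that same ref at the path level, so the operation-level copy is redundant and can be dropped. The listGroupAssignedRoles response switches to `oneOf` StandardRole/CustomRole with no `discriminator`; add one (or document the distinguishing property) so generated clients can tell the variants apart instead of guessing from shape.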
@@ -7777,23 +10695,36 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Assign a Role to a Group - description: Assigns a role to a group + description: |- + Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a Group. + + You can also assign a custom role to a Group, but the preferred method to assign a custom role to a Group is to create a binding between the Custom Role, the Resource Set, and the Group. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. operationId: assignRoleToGroup parameters: - name: disableNotifications in: query - description: Setting this to `true` grants the group third-party admin status + description: Grants the Group third-party admin status when set to `true` schema: type: boolean + default: false x-codegen-request-body-name: assignRoleRequest requestBody: content: application/json: schema: - $ref: '#/components/schemas/AssignRoleRequest' + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' required: true responses: '200': 
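Review bot: The `disableNotifications` description "Grants the Group third-party admin status when set to `true`" does not explain how a parameter named after notifications relates to admin status; state the link explicitly so callers understand the effect of the flag before granting a role. The request body `oneOf` StandardRoleAssignmentSchema/CustomRoleAssignmentSchema likewise has no `discriminator` even though the note says the payloads differ; name the property that distinguishes them.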
@@ -7801,7 +10732,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup' + Custom Roles: + $ref: '#/components/examples/CreateCustomRoleResponseGroup' + IAM-based Standard Roles: + $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' '201': description: Success content: {} @@ -7818,14 +10758,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment - /api/v1/groups/{groupId}/roles/{roleId}: + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: Retrieve a Role assigned to Group - description: Retrieves a role identified by `roleId` assigned to group identified by `groupId` + summary: Retrieve a Group Role Assignment + description: Retrieves a Role assigned to a Group (identified by the `groupId`). The `roleAssignmentId` is the unique identifier for either a standard role Group Assignment object or a custom role Resource Set Binding object. operationId: getGroupAssignedRole responses: '200': @@ -7833,7 +10776,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup' + Custom Roles: + $ref: '#/components/examples/CreateCustomRoleResponseGroup' + IAM-based Standard Roles: + $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
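Review bot: Renaming the path template parameter `{roleId}` to `{roleAssignmentId}` (and its `$ref` to pathRoleAssignmentId) leaves the URL unchanged but alters generated client signatures while `operationId: getGroupAssignedRole` stays the same; record it as a breaking change. The tag `RoleAssignmentBGroup` (and `RoleBTargetBGroup` in the following hunks) is not self-describing; if the letter is an ordering key for the rendered docs, give the tag an `x-displayName` so readers see a meaningful name.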
@@ -7845,10 +10797,13 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a Role from a Group - description: Unassigns a role identified by `roleId` assigned to group identified by `groupId` + summary: Unassign a Group Role + description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a Group (identified by the `groupId`) operationId: unassignRoleFromGroup responses: '204': @@ -7865,14 +10820,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps: + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Application Targets for an Application Administrator Role - description: Lists all App targets for an `APP_ADMIN` Role assigned to a Group. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID. + summary: List all Group Role Application Targets + description: Lists all app targets for an `APP_ADMIN` Role Assignment to a Group. The response includes a list of OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app doesn't. operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup parameters: - name: after 
@@ -7905,15 +10863,18 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' put: - summary: Assign an Application Target to Administrator Role - description: Assigns an application target to administrator role + summary: Assign an Group Role Application Target + description: Assigns an OIN app target to an `APP_ADMIN` Role Assignment to a Group. When you assign the first OIN app target, you reduce the scope of the Role Assignment. The Role no longer applies to all app targets but applies only to the specified target. An OIN app target that's assigned to the Role overrides any existing instance targets of the OIN app. For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app with `facebook` for `appName` makes that user the administrator for all Facebook instances. operationId: assignAppTargetToAdminRoleForGroup responses: '200': 
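Review bot: Typo in the new summary: "Assign an Group Role Application Target" should read "Assign a Group Role Application Target". The scope-expansion behaviour in the description (an OIN app target "overrides any existing instance targets", so adding `facebook` makes the admin responsible for all Facebook instances) is the least-privilege caveat reviewers of role changes most need to see; put it in a `> **Note:**` callout as used elsewhere in this file rather than mid-paragraph.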
@@ -7930,10 +10891,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign an Application Target from Application Administrator Role - description: Unassigns an application target from application administrator role + summary: Unassign a Group Role Application Target + description: | + Unassigns an OIN app target from an `APP_ADMIN` Role Assignment to a Group + + > **Note:** You can't remove the last app target from a Role Assignment, since this causes an exception. + > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. See [Unassign a Group Role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). operationId: unassignAppTargetToAdminRoleForGroup responses: '204': 
@@ -7950,16 +10918,21 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}/{appId}: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathAppId' put: - summary: Assign an Application Instance Target to Application Administrator Role - description: Assigns App Instance Target to App Administrator Role given to a Group + summary: Assign an Group Role Application Instance Target + description: |- + Assigns an app instance target to an `APP_ADMIN` Role Assignment to a Group. When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment. The Role no longer applies to all app targets, but applies only to the specified target. + > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. operationId: assignAppInstanceTargetToAppAdminRoleForGroup responses: '204': 
@@ -7976,10 +10949,15 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign an Application Instance Target from an Application Administrator Role - description: Unassigns an application instance target from application administrator role + summary: Unassign an Group Role Application Instance Target + description: |- + Unassigns an app instance target from an `APP_ADMIN` Role Assignment to a Group + > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception. > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. See [Unassign a Group Role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). operationId: unassignAppInstanceTargetToAppAdminRoleForGroup responses: '204': @@ -7996,14 +10974,19 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget - /api/v1/groups/{groupId}/roles/{roleId}/targets/groups: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Group Targets for a Group Role - description: Lists all group targets for a group role + summary: List all Group Role Group Targets + description: | + Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. + If the Role isn't scoped to specific Group targets, an empty array `[]` is returned. operationId: listGroupTargetsForGroupRole parameters: - name: after 
@@ -8036,15 +11019,20 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget - /api/v1/groups/{groupId}/roles/{roleId}/targets/groups/{targetGroupId}: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups/{targetGroupId}: parameters: - $ref: '#/components/parameters/pathGroupId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathTargetGroupId' put: - summary: Assign a Group Target to a Group Role - description: Assigns a group target to a group role + summary: Assign a Group Role Group Target + description: | + Assigns a Group target to a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. + When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets but applies only to the specified target. operationId: assignGroupTargetToGroupAdminRole responses: '204': @@ -8061,10 +11049,13 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a Group Target from a Group Role - description: Unassigns a group target from a group role + summary: Unassign a Group Role Group Target + description: Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group. operationId: unassignGroupTargetFromGroupAdminRole responses: '204': 
@@ -8081,20 +11072,22 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/users: parameters: - $ref: '#/components/parameters/pathGroupId' get: summary: List all Member Users - description: Lists all users that are a member of a group + description: |- + Lists all users that are a member of a Group. + + The default user limit is set to a very high number due to historical reasons that are no longer valid for most orgs. This will change in a future version of this API. The recommended page limit is now `limit=200`. operationId: listGroupUsers parameters: - - name: after - in: query - description: Specifies the pagination cursor for the next page of users - schema: - type: string + - $ref: '#/components/parameters/queryAfter' - name: limit in: query description: Specifies the number of user results in a page @@ -8111,6 +11104,9 @@ paths: type: array items: $ref: '#/components/schemas/User' + examples: + ListMemberUserResponse: + $ref: '#/components/examples/ListUsersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -8123,13 +11119,18 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/users/{userId}: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathUserId' put: - summary: Assign a User - description: Assigns a user to a group with 'OKTA_GROUP' type + summary: Assign a User to a Group + description: |- + Assigns a User to a Group with the `OKTA_GROUP` type + > **Note:** You only can modify memberships for Groups of the `OKTA_GROUP` type. App imports are responsible for managing group memberships for Groups of the `APP_GROUP` type, such as Active Directory groups. operationId: assignUserToGroup responses: '204': 
@@ -8147,9 +11148,16 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a User - description: Unassigns a user from a group with 'OKTA_GROUP' type + summary: Unassign a User from a Group + description: |- + Unassigns a User from a Group with the `OKTA_GROUP` type + > **Note:** You only can modify memberships for groups of the `OKTA_GROUP` type. + > + > App imports are responsible for managing group memberships for groups of the `APP_GROUP` type, such as Active Directory groups. operationId: unassignUserFromGroup responses: '204': @@ -8167,6 +11175,9 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/hook-keys: get: summary: List all keys @@ -8194,14 +11205,24 @@ paths: - okta.inlineHooks.read tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a key - description: | + description: |- Creates a key for use with other parts of the application, such as inline hooks - Use the key name to access this key for inline hook operations. + > **Note:** Use the key name to access this key for inline hook operations. The total number of keys that you can create in an Okta org is limited to 50. + + The response is a [Key object](https://developer.okta.com/docs/reference/api/hook-keys/#key-object) that represents the + key that you create. The `id` property in the response serves as the unique ID for the key, which you can specify when + invoking other CRUD operations. The `keyId` provided in the response is the alias of the public key that you can use to get + details of the public key data in a separate call. + + > **Note:** The keyId is the alias of the public key that you can use to retrieve the public key. operationId: createHookKey x-codegen-request-body-name: keyRequest requestBody: 
@@ -8216,7 +11237,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/HookKey' + $ref: '#/components/schemas/DetailedHookKeyInstance' examples: ResponseExample: $ref: '#/components/examples/CreateHookKeyResponse' @@ -8232,12 +11253,18 @@ paths: - okta.inlineHooks.manage tags: - HookKey - /api/v1/hook-keys/public/{publicKeyId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/hook-keys/public/{keyId}: parameters: - $ref: '#/components/parameters/pathPublicKeyId' get: summary: Retrieve a public key - description: Retrieves a public key by `keyId` + description: |- + Retrieves a public key by `keyId` + + >**Note:** keyId is the alias of the public key. operationId: getPublicKey responses: '200': @@ -8245,7 +11272,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/_embedded' examples: ResponseExample: $ref: '#/components/examples/RetrievePublicKeyResponse' @@ -8261,13 +11288,25 @@ paths: - okta.inlineHooks.read tags: - HookKey - /api/v1/hook-keys/{hookKeyId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/hook-keys/{id}: parameters: - $ref: '#/components/parameters/pathHookKeyId' get: - summary: Retrieve a key - description: Retrieves a key by `hookKeyId` + summary: Retrieve a key by ID + description: |- + Retrieves the public portion of the Key object using the `id` parameter + + >**Note:** The `?expand=publickey` query parameter optionally returns the full object including the details of the public key in the response body's `_embedded` property. operationId: getHookKey + parameters: + - name: id + description: A valid key ID + in: path + schema: + type: string responses: '200': description: Success 
@@ -8275,9 +11314,9 @@ paths: application/json: schema: $ref: '#/components/schemas/HookKey' - examples: - ResponseExample: - $ref: '#/components/examples/RetrieveKeyResponse' + examples: + ResponseExample: + $ref: '#/components/examples/RetrieveKeyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -8290,14 +11329,17 @@ paths: - okta.inlineHooks.read tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a key - description: | - Replaces a key by `hookKeyId` + description: |- + Replaces a key by `id` This request replaces existing properties after passing validation. - Note: The only parameter that you can update is the name of the key, which must be unique at all times. + > **Note:** The only parameter that you can update is the name of the key, which must be unique at all times. operationId: replaceHookKey x-codegen-request-body-name: keyRequest requestBody: @@ -8312,10 +11354,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/HookKey' - examples: - ResponseExample: - $ref: '#/components/examples/ReplaceKeyResponse' + $ref: '#/components/schemas/DetailedHookKeyInstance' + examples: + ResponseExample: + $ref: '#/components/examples/ReplaceKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -8330,10 +11372,13 @@ paths: - okta.inlineHooks.manage tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a key description: | - Deletes a key by `hookKeyId`. After being deleted, the key is unrecoverable. + Deletes a key by `id`. After being deleted, the key is unrecoverable. As a safety precaution, only keys that aren't being used are eligible for deletion. operationId: deleteHookKey 
@@ -8353,6 +11398,9 @@ paths: - okta.inlineHooks.manage tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/assignees/users: get: summary: List all Users with Role Assignments @@ -8360,9 +11408,11 @@ paths: operationId: listUsersWithRoleAssignments parameters: - name: after + description: Specifies the pagination cursor for the next page of targets in: query schema: type: string + required: false - name: limit in: query description: Specifies the number of results returned. Defaults to `100`. @@ -8370,6 +11420,7 @@ paths: type: integer format: int32 default: 100 + required: false responses: '200': description: Success 
@@ -8393,7 +11444,321 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/governance/bundles: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + get: + summary: List all Governance Bundles for the Admin Console + description: Lists all Governance Bundles for the Admin Console in your org + operationId: listGovernanceBundles + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundlesResponse' + examples: + GovernanceBundlesResponse: + $ref: '#/components/examples/GovernanceBundlesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + post: + summary: Create a Governance Bundle for the Admin Console in RAMP + description: Creates a Governance Bundle for the Admin Console in RAMP + operationId: createGovernanceBundle + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundleCreateRequest' + examples: + GovernanceBundleCreateRequestStandardRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestStandardRole' + GovernanceBundleCreateRequestScopedStandardRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestScopedStandardRole' + GovernanceBundleCreateRequestCustomRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestCustomRole' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + createGovernanceBundleResponse: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: 
'#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + get: + summary: Retrieve a Governance Bundle from RAMP + description: Retrieves a Governance Bundle from RAMP + operationId: getGovernanceBundle + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + GovernanceBundle: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + put: + summary: Replace a Governance Bundle in RAMP + description: Replaces a Governance Bundle in RAMP + operationId: replaceGovernanceBundle + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundleUpdateRequest' + examples: + GovernanceBundleUpdateRequestStandardRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestStandardRole' + GovernanceBundleUpdateRequestScopedStandardRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestScopedStandardRole' + GovernanceBundleUpdateRequestCustomRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestCustomRole' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + GovernanceBundle: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: 
'#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + delete: + summary: Delete a Governance Bundle from RAMP + description: Deletes a Governance Bundle from RAMP + operationId: deleteGovernanceBundle + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}/entitlements: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + get: + summary: List all Entitlements for a Governance Bundle + description: Lists all Entitlements specific to a Governance Bundle + operationId: listBundleEntitlements + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/BundleEntitlementsResponse' + examples: + BundleEntitlementsResponse: + $ref: '#/components/examples/BundleEntitlementsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}/entitlements/{entitlementId}/values: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + - $ref: '#/components/parameters/pathEntitlementId' + get: + summary: List all Entitlement Values for a Bundle Entitlement + description: Lists all 
Entitlement Values specific to a Bundle Entitlement + operationId: listBundleEntitlementValues + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EntitlementValuesResponse' + examples: + EntitlementValuesResponse: + $ref: '#/components/examples/EntitlementValuesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + /api/v1/iam/governance/optIn: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + get: + summary: Retrieve the opt-in status from RAMP + description: Retrieves the opt-in status of the Admin Console from RAMP + operationId: getOptInStatus + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptInStatusResponse: + $ref: '#/components/examples/OptInStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + post: + summary: Opt in the Admin Console to RAMP + description: Opts in the Admin Console to RAMP + operationId: optIn + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptInStatusResponse: + $ref: '#/components/examples/OptInStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + /api/v1/iam/governance/optOut: + post: + summary: Opt out the 
Admin Console from RAMP + description: Opts out the Admin Console from RAMP + operationId: optOut + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptOutStatusResponse: + $ref: '#/components/examples/OptOutStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/iam/resource-sets: get: summary: List all Resource Sets @@ -8420,10 +11785,16 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Resource Set - description: Creates a new Resource Set + description: |- + Creates a new Resource Set. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources). + + > **Note:** The maximum number of `resources` allowed in a Resource Set object is 1000. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn). operationId: createResourceSet x-codegen-request-body-name: instance requestBody: 
@@ -8463,13 +11834,16 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet - /api/v1/iam/resource-sets/{resourceSetId}: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: summary: Retrieve a Resource Set - description: Retrieves a Resource Set by `resourceSetId` + description: Retrieves a Resource Set by `resourceSetIdOrLabel` operationId: getResourceSet responses: '200': @@ -8492,10 +11866,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Resource Set - description: Replaces a Resource Set by `resourceSetId` + description: Replaces the label and description of a Resource Set operationId: replaceResourceSet x-codegen-request-body-name: instance requestBody: @@ -8505,7 +11882,7 @@ paths: $ref: '#/components/schemas/ResourceSet' examples: Example Request: - $ref: '#/components/examples/ResourceSetRequest' + $ref: '#/components/examples/ReplaceResourceSetRequest' required: true responses: '200': @@ -8530,10 +11907,13 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Resource Set - description: Deletes a role by `resourceSetId` + description: Deletes a Resource Set by `resourceSetIdOrLabel` operationId: deleteResourceSet responses: '204': 
@@ -8557,13 +11937,16 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet - /api/v1/iam/resource-sets/{resourceSetId}/bindings: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: - summary: List all Bindings - description: Lists all Resource Set bindings with pagination support + summary: List all Role Resource Set Bindings + description: Lists all Bindings for a Resource Set with pagination support operationId: listBindings parameters: - $ref: '#/components/parameters/queryAfter' @@ -8588,10 +11971,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Resource Set Binding - description: Creates a new Resource Set binding + summary: Create a Role Resource Set Binding + description: Creates a Binding for the Resource Set, Custom Role, and members (Users or Groups) operationId: createResourceSetBinding x-codegen-request-body-name: instance requestBody: 
@@ -8633,14 +12019,17 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet - /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}: + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' get: - summary: Retrieve a Binding - description: Retrieves a Resource Set binding by `resourceSetId` and `roleIdOrLabel` + summary: Retrieve a Role Resource Set Binding + description: Retrieves the Binding of a Role (identified by `roleIdOrLabel`) in a Resource Set (identified by `resourceSetIdOrLabel`) operationId: getBinding responses: '200': @@ -8663,10 +12052,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Binding - description: Deletes a Resource Set binding by `resourceSetId` and `roleIdOrLabel` + summary: Delete a Role Resource Set Binding + description: Deletes a Binding of a Role (identified by `roleIdOrLabel`) and a Resource Set (identified by `resourceSetIdOrLabel`) operationId: deleteBinding responses: '204': 
@@ -8690,14 +12082,17 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet - /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}/members: + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' get: - summary: List all Members of a binding - description: Lists all members of a Resource Set binding with pagination support + summary: List all Role Resource Set Binding Members + description: Lists all members of a Role Resource Set Binding with pagination support operationId: listMembersOfBinding parameters: - $ref: '#/components/parameters/queryAfter' @@ -8722,10 +12117,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true patch: - summary: Add more Members to a binding - description: Adds more members to a Resource Set binding + summary: Add more Role Resource Set Binding Members + description: Adds more members to a Role Resource Set Binding operationId: addMembersToBinding x-codegen-request-body-name: instance requestBody: 
@@ -8767,15 +12165,18 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet - /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}/members/{memberId}: + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members/{memberId}: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' - $ref: '#/components/parameters/pathMemberId' get: - summary: Retrieve a Member of a binding - description: Retrieves a member identified by `memberId` for a binding + summary: Retrieve a Role Resource Set Binding Member + description: Retrieves a Member (identified by `memberId`) that belongs to a Role Resource Set Binding operationId: getMemberOfBinding responses: '200': @@ -8798,10 +12199,13 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a Member from a binding - description: Unassigns a member identified by `memberId` from a binding + summary: Unassign a Role Resource Set Bindiing Member + description: Unassigns a Member (identified by `memberId`) from a Role Resource Set Binding operationId: unassignMemberFromBinding x-codegen-request-body-name: instance responses: 
@@ -8826,13 +12230,16 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet - /api/v1/iam/resource-sets/{resourceSetId}/resources: + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: - summary: List all Resources of a Resource Set - description: Lists all resources that make up the Resource Set + summary: List all Resource Set Resources + description: Lists all Resources for the Resource Set operationId: listResourceSetResources responses: '200': @@ -8855,11 +12262,14 @@ paths: - oauth2: - okta.roles.read tags: - - ResourceSet + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true patch: - summary: Add more Resource to a Resource Set - description: Adds more resources to a Resource Set - operationId: addResourceSetResource + summary: Add more Resources to a Resource Set + description: Adds more Resources to a Resource Set + operationId: addResourceSetResources x-codegen-request-body-name: instance requestBody: content: 
@@ -8900,14 +12310,17 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet - /api/v1/iam/resource-sets/{resourceSetId}/resources/{resourceId}: + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}: parameters: - - $ref: '#/components/parameters/pathResourceSetId' + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathResourceId' delete: - summary: Delete a Resource from a Resource Set - description: Deletes a resource identified by `resourceId` from a Resource Set + summary: Delete a Resource Set Resource + description: Deletes a Resource (identified by `resourceId`) from a Resource Set operationId: deleteResourceSetResource responses: '204': @@ -8931,11 +12344,14 @@ paths: - oauth2: - okta.roles.manage tags: - - ResourceSet + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/roles: get: - summary: List all Roles - description: Lists all roles with pagination support + summary: List all Custom Roles + description: Lists all Custom Roles with pagination support operationId: listRoles parameters: - $ref: '#/components/parameters/queryAfter' @@ -8958,10 +12374,13 @@ paths: - oauth2: - okta.roles.read tags: - - Role + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Role - description: Creates a new role + summary: Create a Custom Role + description: Creates a Custom Role operationId: createRole x-codegen-request-body-name: instance requestBody: @@ -9001,7 +12420,10 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' 
@@ -9030,10 +12452,13 @@ paths: - oauth2: - okta.roles.read tags: - - Role + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a Role - description: Replaces a role by `roleIdOrLabel` + summary: Replace a Custom Role + description: Replaces the label and description for a Custom Role by `roleIdOrLabel` operationId: replaceRole x-codegen-request-body-name: instance requestBody: @@ -9043,7 +12468,7 @@ paths: $ref: '#/components/schemas/UpdateIamRoleRequest' examples: Example Request: - $ref: '#/components/examples/RoleRequest' + $ref: '#/components/examples/ReplaceRoleRequest' required: true responses: '200': @@ -9068,10 +12493,13 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Role - description: Deletes a role by `roleIdOrLabel` + summary: Delete a Custom Role + description: Deletes a Custom Role by `roleIdOrLabel` operationId: deleteRole responses: '204': @@ -9095,13 +12523,16 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}/permissions: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' get: - summary: List all Permissions - description: Lists all permissions of the role by `roleIdOrLabel` + summary: List all Custom Role Permissions + description: Lists all permissions for a Custom Role by `roleIdOrLabel` operationId: listRolePermissions responses: '200': 
@@ -9124,14 +12555,17 @@ paths: - oauth2: - okta.roles.read tags: - - Role + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' - $ref: '#/components/parameters/pathPermissionType' get: - summary: Retrieve a Permission - description: Retrieves a permission by `permissionType` + summary: Retrieve a Custom Role Permission + description: Retrieves a permission (identified by `permissionType`) for a Custom Role operationId: getRolePermission responses: '200': @@ -9141,8 +12575,10 @@ paths: schema: $ref: '#/components/schemas/Permission' examples: - Example Response: + Example Response without conditions: $ref: '#/components/examples/PermissionResponse' + Example Response with conditions: + $ref: '#/components/examples/PermissionResponseWithConditions' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9154,23 +12590,28 @@ paths: - oauth2: - okta.roles.read tags: - - Role + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Permission - description: Creates a permission specified by `permissionType` to the role + summary: Create a Custom Role Permission + description: Creates a permission (specified by `permissionType`) for a Custom Role operationId: createRolePermission x-codegen-request-body-name: instance requestBody: x-okta-lifecycle: - features: - - CUSTOM_ADMIN_ROLES_CONDITIONS + lifecycle: GA + isGenerallyAvailable: true content: application/json: schema: $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' examples: - Example Request: - $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExample' + Example Request with include: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude' + Example Request with exclude: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude' required: false responses: '204': @@ -9188,13 +12629,16 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: x-okta-lifecycle: - features: - - CUSTOM_ADMIN_ROLES_CONDITIONS - summary: Replace a Permission - description: Replaces a permission specified by `permissionType` in the role + lifecycle: GA + isGenerallyAvailable: true + summary: Replace a Custom Role Permission + description: Replaces a permission (specified by `permissionType`) for a Custom Role operationId: replaceRolePermission x-codegen-request-body-name: instance requestBody: 
@@ -9203,8 +12647,10 @@ paths: schema: $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' examples: - Example Request: - $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExample' + Example Request with include: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude' + Example Request with exclude: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude' required: false responses: '200': @@ -9229,10 +12675,10 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustomPermission delete: - summary: Delete a Permission - description: Deletes a permission from a role by `permissionType` + summary: Delete a Custom Role Permission + description: Deletes a permission (identified by `permissionType`) from a Custom Role operationId: deleteRolePermission responses: '204': @@ -9256,13 +12702,16 @@ paths: - oauth2: - okta.roles.manage tags: - - Role + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/identity-sources/{identitySourceId}/sessions: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' get: summary: List all Identity Source Sessions - description: Lists all identity source sessions for the given identity source instance + description: Lists all Identity Source Sessions for the given Identity Source instance operationId: listIdentitySourceSessions responses: '200': @@ -9288,9 +12737,13 @@ paths: - okta.identitySources.read tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] post: summary: Create an Identity Source Session - description: Creates an identity source session for the given identity source instance + description: Creates an Identity Source Session for the given Identity Source instance operationId: createIdentitySourceSession responses: '200': 
@@ -9298,12 +12751,10 @@ paths: content: application/json: schema: - type: object - items: - $ref: '#/components/schemas/IdentitySourceSession' + $ref: '#/components/schemas/IdentitySourceSession' examples: - sessionsList: - $ref: '#/components/examples/ListSessionsResponse' + session: + $ref: '#/components/examples/GetSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9316,13 +12767,17 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' get: summary: Retrieve an Identity Source Session - description: Retrieves an identity source session for a given identity source id and session id + description: Retrieves an Identity Source Session for a given Identity Source ID and session ID operationId: getIdentitySourceSession responses: '200': @@ -9332,8 +12787,8 @@ paths: schema: $ref: '#/components/schemas/IdentitySourceSession' examples: - Session: - $ref: '#/components/examples/ListSessionsResponse' + session: + $ref: '#/components/examples/GetSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9346,9 +12801,13 @@ paths: - okta.identitySources.read tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] delete: summary: Delete an Identity Source Session - description: Deletes an identity source session for a given `identitySourceId` and `sessionId` + description: Deletes an Identity Source Session for a given `identitySourceId` and `sessionId` operationId: deleteIdentitySourceSession responses: '204': 
@@ -9365,19 +12824,26 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-delete: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the data to be deleted in Okta - description: Uploads entities that need to be deleted in Okta from the identity source for the given session + description: Uploads external IDs of entities that need to be deleted in Okta from the Identity Source for the given session operationId: uploadIdentitySourceDataForDelete requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkDeleteRequestBody' + examples: + bulkDeletePayload: + $ref: '#/components/examples/bulkDeletePayload' responses: '202': description: Accepted @@ -9395,19 +12861,26 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-upsert: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the data to be upserted in Okta - description: Uploads entities that need to be upserted in Okta from the identity source for the given session + description: Uploads entities that need to be inserted or updated in Okta from the Identity Source for the given session operationId: uploadIdentitySourceDataForUpsert requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkUpsertRequestBody' + examples: + bulkUpsertPayload: + $ref: '#/components/examples/bulkUpsertPayload' responses: '202': description: Accepted 
@@ -9425,13 +12898,17 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/start-import: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Start the import from the Identity Source - description: Starts the import from the identity source described by the uploaded bulk operations + description: Starts the import from the Identity Source described by the uploaded bulk operations operationId: startImportFromIdentitySource responses: '200': @@ -9439,11 +12916,9 @@ paths: content: application/json: schema: - type: object - items: - $ref: '#/components/schemas/IdentitySourceSession' + $ref: '#/components/schemas/IdentitySourceSession' examples: - sessionsList: + triggeredSession: $ref: '#/components/examples/TriggerSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' @@ -9457,6 +12932,10 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/idps: get: summary: List all Identity Providers 
@@ -9465,26 +12944,17 @@ paths: parameters: - name: q in: query - description: Searches the name property of IdPs for matching value - schema: - type: string - - name: after - in: query - description: Specifies the pagination cursor for the next page of IdPs + description: Searches the `name` property of IdPs for matching value schema: type: string - - name: limit - in: query - description: Specifies the number of IdP results in a page - schema: - type: integer - format: int32 - default: 20 + example: Example SAML + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' - name: type in: query - description: Filters IdPs by type + description: Filters IdPs by `type` schema: - type: string + $ref: '#/components/schemas/IdentityProviderType' responses: '200': description: Success @@ -9494,6 +12964,9 @@ paths: type: array items: $ref: '#/components/schemas/IdentityProvider' + examples: + MultipleIdPsResponse: + $ref: '#/components/examples/MultipleIdPsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -9504,16 +12977,60 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Identity Provider - description: Creates a new identity provider integration + description: |- + Creates a new Identity Provider integration. + + #### SAML 2.0 Identity Provider + + You must first add the IdP's signature certificate to the IdP key store before you can add a SAML 2.0 IdP with a `kid` credential reference. + + Don't use `fromURI` to automatically redirect a user to a particular app after successfully authenticating with a third-party IdP. Instead, use SAML deep links. Using `fromURI` isn't tested or supported. For more information about using deep links when signing users in using an SP-initiated flow, see [Understanding SP-Initiated Login flow](https://developer.okta.com/docs/concepts/saml/#understanding-sp-initiated-login-flow). + + Use SAML deep links to automatically redirect the user to an app after successfully authenticating with a third-party IdP. To use deep links, assemble these three parts into a URL: + + * SP ACS URL<br> + For example: `https://${yourOktaDomain}/sso/saml2/:idpId` + * The app to which the user is automatically redirected after successfully authenticating with the IdP <br> + For example: `/app/:app-location/:appId/sso/saml` + * Optionally, if the app is an outbound SAML app, you can specify the `relayState` passed to it.<br> + For example: `?RelayState=:anyUrlEncodedValue` + + The deep link for the above three parts is:<br> + `https://${yourOktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue` + + #### Smart Card X509 Identity Provider + + You must first add the IdP's server certificate to the IdP key store before you can add a Smart Card `X509` IdP with a `kid` credential reference. 
+ You need to upload the whole trust chain as a single key using the [Key Store API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderKeys/#tag/IdentityProviderKeys/operation/createIdentityProviderKey). + Depending on the information stored in the smart card, select the proper [template](https://developer.okta.com/docs/reference/okta-expression-language/#idp-user-profile) `idpuser.subjectAltNameEmail` or `idpuser.subjectAltNameUpn`. operationId: createIdentityProvider x-codegen-request-body-name: identityProvider requestBody: + description: IdP settings content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + CreateGenericOidcIdPRequest: + $ref: '#/components/examples/CreateGenericOidcIdPRequest' + CreateSamlIdPRequest: + $ref: '#/components/examples/CreateSamlIdPRequest' + CreateAppleIdPRequest: + $ref: '#/components/examples/CreateAppleIdPRequest' + CreateFacebookIdPRequest: + $ref: '#/components/examples/CreateFacebookIdPRequest' + CreateGoogleIdPRequest: + $ref: '#/components/examples/CreateGoogleIdPRequest' + CreateMicrosoftIdPRequest: + $ref: '#/components/examples/CreateMicrosoftIdPRequest' + CreateSmartCardIdPRequest: + $ref: '#/components/examples/CreateSmartCardIdPRequest' required: true responses: '200': 
@@ -9522,6 +13039,21 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + CreateGenericOidcIdpResponse: + $ref: '#/components/examples/GenericOidcIdpResponse' + CreateSamlIdPResponse: + $ref: '#/components/examples/SamlIdPResponse' + CreateAppleIdPResponse: + $ref: '#/components/examples/AppleIdPResponse' + CreateFacebookIdPResponse: + $ref: '#/components/examples/FacebookIdPResponse' + CreateGoogleIdPResponse: + $ref: '#/components/examples/GoogleIdPResponse' + CreateMicrosoftIdPResponse: + $ref: '#/components/examples/MicrosoftIdPResponse' + CreateSmartCardIdPResponse: + $ref: '#/components/examples/SmartCardIdPResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -9534,24 +13066,17 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/credentials/keys: get: - summary: List all Credential Keys - description: Lists all IdP key credentials + summary: List all IdP Key Credentials + description: Lists all IdP Key Credentials operationId: listIdentityProviderKeys parameters: - - name: after - in: query - description: Specifies the pagination cursor for the next page of keys - schema: - type: string - - name: limit - in: query - description: Specifies the number of key results in a page - schema: - type: integer - format: int32 - default: 20 + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success @@ -9560,7 +13085,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + ListIdPKeyCredentialsResponse: + $ref: '#/components/examples/MultipleIdPKeyCredentialsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -9570,17 +13098,22 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create an X.509 Certificate Public Key - description: Creates a new X.509 certificate credential to the IdP key store. + summary: Create an IdP Key Credential + description: |- + Creates a new X.509 certificate credential in the IdP key store + > **Note:** RSA-based certificates are supported for all IdP types. Okta currently supports EC-based certificates only for the `X509` IdP type. For EC-based certificates we support only P-256, P-384, and P-521 curves. operationId: createIdentityProviderKey x-codegen-request-body-name: jsonWebKey requestBody: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPCertificateCredential' required: true responses: '200': @@ -9588,7 +13121,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -9600,12 +13136,15 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider - /api/v1/idps/credentials/keys/{idpKeyId}: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/credentials/keys/{kid}: parameters: - - $ref: '#/components/parameters/pathIdpKeyId' + - $ref: '#/components/parameters/pathKid' get: - summary: Retrieve an Credential Key + summary: Retrieve an IdP Key Credential description: Retrieves a specific IdP Key Credential by `kid` operationId: getIdentityProviderKey responses: 
@@ -9614,7 +13153,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9626,10 +13168,54 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an IdP Key Credential + description: Replaces an IdP Key Credential by `kid` + operationId: replaceIdentityProviderKey + requestBody: + description: Updated IdP Key Credential + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialRequest: + $ref: '#/components/examples/IdPKeyCredentialRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Signing Credential Key - description: Deletes a specific IdP Key Credential by `kid` if it is not currently being used by an Active or Inactive IdP + summary: Delete an IdP Key Credential + description: Deletes a specific IdP Key Credential by `kid` if it isn't currently being used by an active or inactive IdP operationId: deleteIdentityProviderKey responses: '204': 
@@ -9646,7 +13232,10 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}: parameters: - $ref: '#/components/parameters/pathIdpId' @@ -9661,6 +13250,11 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + GenericOidcIdpResponse: + $ref: '#/components/examples/GenericOidcIdpResponse' + SamlIdPResponse: + $ref: '#/components/examples/SamlIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9673,16 +13267,23 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Identity Provider description: Replaces an identity provider integration by `idpId` operationId: replaceIdentityProvider x-codegen-request-body-name: identityProvider requestBody: + description: Updated configuration for the IdP content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + ReplaceIdPRequest: + $ref: '#/components/examples/ReplaceIdPRequestResponse' required: true responses: '200': @@ -9691,6 +13292,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + ReplaceIdPResponse: + $ref: '#/components/examples/ReplaceIdPRequestResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -9705,9 +13309,15 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Identity Provider - description: Deletes an identity provider integration by `idpId` + description: |- + Deletes an identity provider integration by `idpId` + * All existing IdP users are unlinked with the highest order profile source taking precedence for each IdP user. + * Unlinked users keep their existing authentication provider such as `FEDERATION` or `SOCIAL`. operationId: deleteIdentityProvider responses: '204': @@ -9725,6 +13335,9 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/csrs: parameters: - $ref: '#/components/parameters/pathIdpId' @@ -9740,7 +13353,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Csr' + $ref: '#/components/schemas/IdPCsr' + examples: + MultipleIdPCsrsResponse: + $ref: '#/components/examples/MultipleIdPCsrsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9752,10 +13368,15 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Generate a Certificate Signing Request - description: Generates a new key pair and returns a Certificate Signing Request for it + description: |- + Generates a new key pair and returns a Certificate Signing Request (CSR) for it + > **Note:** The private key isn't listed in the [Signing Key Credentials for IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderSigningKeys/#tag/IdentityProviderSigningKeys/operation/listIdentityProviderSigningKeys) until it's published. operationId: generateCsrForIdentityProvider x-codegen-request-body-name: metadata requestBody: 
@@ -9770,7 +13391,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Csr' + $ref: '#/components/schemas/IdPCsr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/CsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/IdPCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/CsrPkcs10Response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -9784,14 +13414,17 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}: parameters: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathIdpCsrId' get: summary: Retrieve a Certificate Signing Request - description: Retrieves a specific Certificate Signing Request model by id + description: Retrieves a specific Certificate Signing Request by `id` operationId: getCsrForIdentityProvider responses: '200': @@ -9799,7 +13432,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Csr' + $ref: '#/components/schemas/IdPCsr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/CsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/IdPCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/CsrPkcs10Response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9811,10 +13453,13 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a Certificate Signing Request - description: Revokes a certificate signing request and deletes the key pair from the IdP + description: Revokes a CSR and deletes the key pair from the IdP operationId: revokeCsrForIdentityProvider responses: '204': 
@@ -9831,32 +13476,49 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}/lifecycle/publish: parameters: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathIdpCsrId' post: summary: Publish a Certificate Signing Request - description: Publishes a certificate signing request with a signed X.509 certificate and adds it into the signing key credentials for the IdP + description: |- + Publishes the CSR with a signed X.509 certificate and adds it into the signing Key Credentials for the IdP + > **Notes:** + > * Publishing a certificate completes the lifecycle of the CSR, and it's no longer accessible. + > * If the validity period of the certificate is less than 90 days, a 400 error response is returned. operationId: publishCsrForIdentityProvider requestBody: required: true content: - application/x-x509-ca-cert: + application/pkix-cert: schema: type: string format: binary - x-okta-operationId: publishBinaryCerCertForIdentityProvider - application/pkix-cert: + description: |- + X.509 certificate in `DER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. + example: 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 + x-okta-operationId: publishBinaryDerCertForIdentityProvider + application/x-x509-ca-cert: schema: type: string format: binary - x-okta-operationId: publishBinaryDerCertForIdentityProvider + description: |- + X.509 certificate in `CER` format. + The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. 
+ example: '@certificate.cer' + x-okta-operationId: publishBinaryCerCertForIdentityProvider application/x-pem-file: schema: type: string format: binary + description: X.509 certificate in `PEM` format + example: '@certificate.pem' x-okta-operationId: publishBinaryPemCertForIdentityProvider responses: '201': @@ -9864,7 +13526,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -9878,13 +13540,16 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys: parameters: - $ref: '#/components/parameters/pathIdpId' get: - summary: List all Signing Credential Keys - description: Lists all signing key credentials for an IdP + summary: List all signing Key Credentials for IdP + description: Lists all signing Key Credentials for an IdP operationId: listIdentityProviderSigningKeys responses: '200': @@ -9894,7 +13559,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + MultipleIdPSigningKeyCredentialsResponse: + $ref: '#/components/examples/MultipleIdPSigningKeyCredentialsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9906,13 +13574,18 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys/generate: parameters: - $ref: '#/components/parameters/pathIdpId' post: - summary: Generate a new Signing Credential Key - description: Generates a new X.509 certificate for an IdP signing key credential to be used for signing assertions sent to the IdP + summary: Generate a new signing Key Credential for IdP + description: |- + Generates a new X.509 certificate for an IdP signing Key Credential to be used for signing assertions sent to the IdP. IdP signing keys are read-only. + > **Note:** To update an IdP with the newly generated Key Credential, [update your IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider) using the returned key's `kid` in the [signing credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/credentials/signing/kid&t=request). operationId: generateIdentityProviderSigningKey parameters: - name: validityYears @@ -9922,13 +13595,18 @@ paths: schema: type: integer format: int32 + minimum: 2 + maximum: 10 responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9940,13 +13618,16 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/{idpKeyId}: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/keys/{kid}: parameters: - $ref: '#/components/parameters/pathIdpId' - - $ref: '#/components/parameters/pathIdpKeyId' + - $ref: '#/components/parameters/pathKid' get: - summary: Retrieve a Signing Credential Key + summary: Retrieve a signing Key Credential for IdP description: Retrieves a specific IdP Key Credential by `kid` operationId: getIdentityProviderSigningKey responses: @@ -9955,7 +13636,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -9967,19 +13651,27 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/{idpKeyId}/clone: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/keys/{kid}/clone: parameters: - $ref: '#/components/parameters/pathIdpId' - - $ref: '#/components/parameters/pathIdpKeyId' + - $ref: '#/components/parameters/pathKid' post: - summary: Clone a Signing Credential Key - description: Clones a X.509 certificate for an IdP signing key credential from a source IdP to target IdP + summary: Clone a signing Key Credential for IdP + description: |- + Clones an X.509 certificate for an IdP signing Key Credential from a source IdP to target IdP + > **Caution:** Sharing certificates isn't a recommended security practice. + + > **Note:** If the key is already present in the list of Key Credentials for the target IdP, you receive a 400 error response. operationId: cloneIdentityProviderKey parameters: - name: targetIdpId in: query required: true + description: '`id` of the target IdP' schema: type: string responses: @@ -9988,7 +13680,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -10000,7 +13695,10 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathIdpId' 
@@ -10015,6 +13713,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + ActivateIdPResponse: + $ref: '#/components/examples/ActivateIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -10027,6 +13728,9 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathIdpId' @@ -10041,6 +13745,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProvider' + examples: + DeactivateIdPResponse: + $ref: '#/components/examples/DeactivateIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -10053,36 +13760,26 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/users: parameters: - $ref: '#/components/parameters/pathIdpId' get: - summary: List all Users - description: Lists all users linked to the identity provider + summary: List all Users for IdP + description: Lists all the Users linked to an Identity Provider operationId: listIdentityProviderApplicationUsers parameters: - - name: q - in: query - description: Searches the name property of IdPs for matching value - schema: - type: string - - name: after - in: query - description: Specifies the pagination cursor for the next page of IdPs - schema: - type: string - - name: limit - in: query - description: Specifies the number of IdP results in a page - schema: - type: integer - format: int32 - default: 20 + - $ref: '#/components/parameters/queryFilter' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' - name: expand in: query description: Expand user data schema: type: string + example: user responses: '200': description: Success 
@@ -10092,6 +13789,9 @@ paths: type: array items: $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + ListIdPUsersResponse: + $ref: '#/components/examples/ListIdPUsersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -10103,14 +13803,17 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/users/{userId}: parameters: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathUserId' get: - summary: Retrieve a User - description: Retrieves a linked IdP user by ID + summary: Retrieve a User for IdP + description: Retrieves a linked IdP User by ID operationId: getIdentityProviderApplicationUser responses: '200': @@ -10119,6 +13822,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + IdPAppUserResponse: + $ref: '#/components/examples/IdPAppUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -10130,10 +13836,17 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Link a User to a Social IdP - description: Links an Okta user to an existing Social Identity Provider. This does not support the SAML2 Identity Provider Type + summary: Link a User to IdP + description: |- + Links an Okta User to an existing SAML or social Identity Provider. + + The SAML Identity Provider must have `honorPersistentNameId` set to `true` to use this API. + The [Name Identifier Format](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/settings&t=request) of the incoming assertion must be `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`. operationId: linkUserToIdentityProvider x-codegen-request-body-name: userIdentityProviderLinkRequest requestBody: @@ -10149,6 +13862,9 @@ paths: application/json: schema: $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + LinkIdPAppUserResponse: + $ref: '#/components/examples/LinkIdPAppUserResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -10162,10 +13878,13 @@ paths: - oauth2: - okta.users.manage tags: - - IdentityProvider + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unlink a User from IdP - description: Unlinks the link between the Okta user and the IdP user + description: Unlinks the Okta User and the IdP User. The next time the User federates into Okta through this IdP, they have to re-link their account according to the account link policy. operationId: unlinkUserFromIdentityProvider responses: '204': 
@@ -10182,14 +13901,20 @@ paths: - oauth2: - okta.idps.manage tags: - - IdentityProvider + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/users/{userId}/credentials/tokens: parameters: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathUserId' get: - summary: List all Tokens from a OIDC Identity Provider - description: Lists the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth + summary: List all Tokens from OIDC IdP + description: |- + Lists the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth. + + Okta doesn't import all the User information from a social provider. If the app needs information that isn't imported, it can get the User token from this endpoint. Then the app can make an API call to the social provider with the token to request the additional information. operationId: listSocialAuthTokens responses: '200': @@ -10200,6 +13925,9 @@ paths: type: array items: $ref: '#/components/schemas/SocialAuthToken' + examples: + SocialAuthTokensResponse: + $ref: '#/components/examples/SocialAuthTokensResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -10211,17 +13939,28 @@ paths: - oauth2: - okta.idps.read tags: - - IdentityProvider + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks: get: - summary: List all Inline Hooks - description: Lists all inline hooks + summary: List all inline hooks + description: |- + Lists all inline hooks or all inline hooks of a specific type. + + When listing a specific inline hook, you need to specify its type. The following types are currently supported: + | Type Value | Name | + |------------------------------------|----------------------------------------------------------------| + | `com.okta.import.transform` | [User import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createUserImportInlineHook) | + | `com.okta.oauth2.tokens.transform` | [Token inline hook]((/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTokenInlineHook) | + | `com.okta.saml.tokens.transform` | [SAML assertion inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createSAMLAssertionInlineHook) | + | `com.okta.telephony.provider` | [Telephony inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook) | + | `com.okta.user.credential.password.import` | [Password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook)| + | `com.okta.user.pre-registration` | [Registration inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook) | operationId: listInlineHooks parameters: - - name: type - in: query - schema: - type: string + - $ref: '#/components/parameters/inlineHookType' responses: '200': description: Success 
@@ -10231,6 +13970,9 @@ paths: type: array items: $ref: '#/components/schemas/InlineHook' + examples: + InlineHooktMgmtListAllexample: + $ref: '#/components/examples/InlineHooktMgmtListAllexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -10241,16 +13983,50 @@ paths: - okta.inlineHooks.read tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create an Inline Hook - description: Creates an inline hook + summary: Create an inline hook + description: |- + Creates an inline hook + + This endpoint creates an inline hook for your org in an `ACTIVE` status. You need to pass an inline hooks object in the JSON payload of your request. + That object represents the set of required information about the inline hook that you're registering, including: + + * The URI of your external service endpoint + * The type of inline hook you're registering + * The type of authentication you're registering + + There are two authentication options that you can configure for your inline hook: HTTP headers and OAuth 2.0 tokens. + + HTTP headers let you specify a secret API key that you want Okta to pass to your external service endpoint (so that your external service can check for its presence as a security measure). + + >**Note:** The API key that you set here is unrelated to the Okta API token you must supply when making calls to Okta APIs. + + You can also optionally specify extra headers that you want Okta to pass to your external service with each call. + + To configure HTTP header authentication, see parameters for the `config` object. + + OAuth 2.0 tokens provide enhanced security between Okta and your external service. You can configure these tokens for the following types—client secret and private key. + + >**Note:** Your external service's endpoint needs to be a valid HTTPS endpoint. The URI you specify should always begin with `https://`. + + The total number of inline hooks that you can create in an Okta org is limited to 50, which is a combined total for any combination of inline hook types. 
operationId: createInlineHook - x-codegen-request-body-name: inlineHook + x-codegen-request-body-name: inlineHookCreate requestBody: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/InlineHookCreate' + examples: + CreateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtCreateHTTPRequest' + CreateInlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretRequest' + CreateInlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyRequest' required: true responses: '200': @@ -10258,7 +14034,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/InlineHookCreateResponse' + examples: + CreateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtCreateHTTPResponse' + CreateInlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretResponse' + CreateInlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -10271,6 +14054,9 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}: parameters: - $ref: '#/components/parameters/pathInlineHookId' @@ -10285,6 +14071,13 @@ paths: application/json: schema: $ref: '#/components/schemas/InlineHook' + examples: + InlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtHTTPexample' + InlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample' + InlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtOauthPKJexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -10297,16 +14090,66 @@ paths: - okta.inlineHooks.read tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an Inline Hook + description: Updates an inline hook by `inlineHookId` + operationId: updateInlineHook + x-codegen-request-body-name: inlineHook + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHookReplace' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHook' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace an Inline Hook - description: Replaces an inline hook by `inlineHookId` + summary: Replace an inline hook + description: |- + Replaces an inline hook by `inlineHookId`. The submitted inline hook properties replace the existing properties after passing validation. + + >**Note:** Some properties are immutable and can't be updated. operationId: replaceInlineHook x-codegen-request-body-name: inlineHook requestBody: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/InlineHookReplace' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest' required: true responses: '200': 
@@ -10315,6 +14158,9 @@ paths: application/json: schema: $ref: '#/components/schemas/InlineHook' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -10329,9 +14175,12 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete an Inline Hook - description: Deletes an inline hook by `inlineHookId`. Once deleted, the Inline Hook is unrecoverable. As a safety precaution, only Inline Hooks with a status of INACTIVE are eligible for deletion. + summary: Delete an inline hook + description: Deletes an inline hook by `inlineHookId`. After it's deleted, the inline hook is unrecoverable. As a safety precaution, only inline hooks with a status of `INACTIVE` are eligible for deletion. operationId: deleteInlineHook responses: '204': 
@@ -10349,19 +14198,49 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/execute: parameters: - $ref: '#/components/parameters/pathInlineHookId' post: - summary: Execute an Inline Hook - description: Executes the inline hook by `inlineHookId` using the request body as the input. This will send the provided data through the Channel and return a response if it matches the correct data contract. This execution endpoint should only be used for testing purposes. + summary: Execute an inline hook + description: |- + Executes the inline hook that matches the provided `inlineHookId` by using the request body as the input. This inline hook sends the provided + data through the `channel` object and returns a response if it matches the correct data contract. Otherwise it returns an error. You need to + construct a JSON payload that matches the payloads that Okta would send to your external service for this inline hook type. + + A timeout of three seconds is enforced on all outbound requests, with one retry in the event of a timeout or an error response from the remote system. + If a successful response isn't received after the request, a 400 error is returned with more information about what failed. + + >**Note:** This execution endpoint isn't tied to any other functionality in Okta, and you should only use it for testing purposes. 
operationId: executeInlineHook x-codegen-request-body-name: payloadData requestBody: content: application/json: schema: - $ref: '#/components/schemas/InlineHookPayload' + oneOf: + - $ref: '#/components/schemas/PasswordImportRequestExecute' + - $ref: '#/components/schemas/TelephonyRequestExecute' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - $ref: '#/components/schemas/TokenRequest' + - $ref: '#/components/schemas/SAMLPayloadExecute' + - $ref: '#/components/schemas/UserImportRequestExecute' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportPayloadExample' + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonyPayloadExample' + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentRequest' + TokenPayLoadExample: + $ref: '#/components/examples/TokenPayLoadExample' + SAMLPayloadExample: + $ref: '#/components/examples/SAMLPayLoadExample' + UserImportPayloadExample: + $ref: '#/components/examples/UserImportPayloadExample' required: true responses: '200': 
@@ -10369,7 +14248,26 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/InlineHookResponse' + oneOf: + - $ref: '#/components/schemas/PasswordImportResponse' + - $ref: '#/components/schemas/TelephonyResponse' + - $ref: '#/components/schemas/RegistrationInlineHookResponse' + - $ref: '#/components/schemas/TokenHookResponse' + - $ref: '#/components/schemas/SAMLHookResponse' + - $ref: '#/components/schemas/UserImportResponse' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportVerifiedResponse' + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonySuccessResponse' + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentResponse' + TokenPayLoadExample: + $ref: '#/components/examples/TokenHookResponse' + SAMLPayloadExample: + $ref: '#/components/examples/SAMLHookResponseExample' + UserImportPayloadExample: + $ref: '#/components/examples/UserImportChangeAppUserProfileExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -10384,6 +14282,9 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathInlineHookId' @@ -10398,6 +14299,9 @@ paths: application/json: schema: $ref: '#/components/schemas/InlineHook' + examples: + ActivateAnInlineHook: + $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -10410,6 +14314,9 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathInlineHookId' 
@@ -10424,6 +14331,9 @@ paths: application/json: schema: $ref: '#/components/schemas/InlineHook' + examples: + DeactivateAnInlineHook: + $ref: '#/components/examples/InlineHookMgmtHTTPexampleDeactivate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -10436,6 +14346,9 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/logStreams: get: summary: List all Log Streams @@ -10472,6 +14385,10 @@ paths: - okta.logStreams.read tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] post: summary: Create a Log Stream description: Creates a new Log Stream object @@ -10515,6 +14432,10 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/logStreams/{logStreamId}: parameters: - $ref: '#/components/parameters/pathLogStreamId' @@ -10544,6 +14465,10 @@ paths: - okta.logStreams.read tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] put: summary: Replace a Log Stream description: |- @@ -10591,6 +14516,10 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] delete: summary: Delete a Log Stream description: Deletes a Log Stream object from your org by ID @@ -10618,6 +14547,10 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/logStreams/{logStreamId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathLogStreamId' @@ -10647,6 +14580,10 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/logStreams/{logStreamId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathLogStreamId' 
@@ -10676,44 +14613,64 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/logs: get: summary: List all System Log Events - description: Lists all system log events. The Okta System Log API provides read access to your organization’s system log. This API provides more functionality than the Events API + description: Lists all System Log Events operationId: listLogEvents parameters: - name: since + description: Filters the lower time bound of the log events `published` property for bounded queries or persistence time for polling queries in: query schema: type: string - format: date-time + format: ISO 8601 compliant timestamp + default: 7 days prior to until - name: until + description: Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries. + in: query + schema: + type: string + format: ISO 8601 compliant timestamp + default: current time + - name: after + description: Retrieves the next page of results. Okta returns a link in the HTTP Header (`rel=next`) that includes the after query parameter in: query schema: type: string - format: date-time + format: Opaque token - name: filter + description: Filter expression that filters the results. All operators except [ ] are supported. See [Filter](https://developer.okta.com/docs/api/#filter). in: query schema: type: string + format: SCIM Filter expression - name: q + description: Filters log events results by one or more case insensitive keywords. in: query schema: type: string + format: URL encoded string. 
Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding) - name: limit + description: Sets the number of results that are returned in the response in: query schema: type: integer + format: Integer between 0 and 1000 default: 100 - name: sortOrder + description: The order of the returned events that are sorted by the `published` property in: query schema: type: string + enum: + - ASCENDING + - DESCENDING default: ASCENDING - - name: after - in: query - schema: - type: string responses: '200': description: Success @@ -10723,6 +14680,11 @@ paths: type: array items: $ref: '#/components/schemas/LogEvent' + examples: + ListLogs: + $ref: '#/components/examples/ListLogs' + LogTargetChangeDetails: + $ref: '#/components/examples/LogTargetChangeDetails' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -10733,6 +14695,10 @@ paths: - okta.logs.read tags: - SystemLog + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/mappings: get: summary: List all Profile Mappings @@ -10789,6 +14755,10 @@ paths: - okta.profileMappings.read tags: - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/mappings/{mappingId}: parameters: - $ref: '#/components/parameters/pathMappingId' @@ -10819,6 +14789,10 @@ paths: - okta.profileMappings.read tags: - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] post: summary: Update a Profile Mapping description: Updates an existing profile mapping by adding, updating, or removing one or many property mappings 
@@ -10868,66 +14842,27 @@ paths: - okta.profileMappings.manage tags: - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/meta/layouts/apps/{appName}: parameters: - $ref: '#/components/parameters/pathAppName' - get: - summary: Retrieve the links for UI schemas for an Application - description: Retrieves the links for UI schemas for an Application given `appName` - operationId: getAppUISchemaLinks - responses: - '200': - description: successful operation - content: - application/json: - schema: - $ref: '#/components/schemas/ApplicationLayouts' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.schemas.read - tags: - - Schema /api/v1/meta/layouts/apps/{appName}/sections/{section}/{operation}: parameters: - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathSection' - $ref: '#/components/parameters/pathOperation' - get: - summary: Retrieve the UI schema for a section - description: Retrieves the UI schema for an Application given `appName`, `section` and `operation` - operationId: getAppUISchema - responses: - '200': - description: successful operation - content: - application/json: - schema: - $ref: '#/components/schemas/ApplicationLayout' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.schemas.read - tags: - - Schema /api/v1/meta/schemas/apps/{appId}/default: parameters: - $ref: '#/components/parameters/pathAppId' get: - summary: Retrieve the default Application User Schema for an Application - description: Retrieves the Schema for an App User + summary: Retrieve the default App User Schema for an App + 
description: |- + Retrieves the default Schema for an App User. + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same App User Schema. Therefore, unlike the User Schema operations, the App User Schema operations all specify `default` and don't accept a Schema ID. operationId: getApplicationUserSchema responses: '200': @@ -10948,9 +14883,15 @@ paths: - okta.schemas.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update the default Application User Schema for an Application - description: Partially updates on the User Profile properties of the Application User Schema + summary: Update the App User Profile Schema for an App + description: |- + Updates the App User Schema. This updates, adds, or removes one or more custom profile properties or the nullability of a base property in the App User Schema for an app. Changing a base property's nullability (for example, the value of its `required` field) is allowed only if it is nullable in the default predefined Schema for the App. + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same App User Schema. Therefore, unlike the User Schema operations, the App User Schema operations all specify `default` and don't accept a Schema ID. operationId: updateApplicationUserProfile x-codegen-request-body-name: body requestBody: 
@@ -10986,10 +14927,16 @@ paths: - okta.schemas.manage tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/schemas/group/default: get: summary: Retrieve the default Group Schema - description: Retrieves the group schema + description: |- + Retrieves the Group Schema + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same Group Schema. Unlike User Schema operations, Group Schema operations all specify `default` and don't accept a Schema ID. operationId: getGroupSchema parameters: [] responses: @@ -11012,9 +14959,17 @@ paths: - okta.schemas.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update the default Group Schema - description: Updates the default group schema. This updates, adds, or removes one or more custom Group Profile properties in the schema. + summary: Update the Group Profile Schema + description: |- + Updates the Group Profile schema. This updates, adds, or removes one or more custom profile properties in a Group Schema. Currently Okta does not support changing base Group Profile properties. + + The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same Group Schema. Unlike User Schema operations, Group Schema operations all specify `default` and don't accept a Schema ID. + + **Note:** Since POST is interpreted as a partial update, you must set properties explicitly to null to remove them from the Schema. operationId: updateGroupSchema requestBody: content: 
@@ -11046,10 +15001,13 @@ paths: - okta.schemas.manage tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/schemas/logStream: get: summary: List the Log Stream Schemas - description: Lists the schema for all log stream types visible for this org + description: Lists the Schema for all Log Stream types visible for this org operationId: listLogStreamSchemas responses: '200': @@ -11073,12 +15031,16 @@ paths: - okta.logStreams.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/meta/schemas/logStream/{logStreamType}: parameters: - $ref: '#/components/parameters/pathLogStreamType' get: summary: Retrieve the Log Stream Schema for the schema type - description: Retrieves the schema for a Log Stream type. The `logStreamType` element in the URL specifies the Log Stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal retrieve the Splunk Cloud type schema. + description: Retrieves the Schema for a Log Stream type. The `logStreamType` element in the URL specifies the Log Stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal retrieve the Splunk Cloud type schema. operationId: getLogStreamSchema responses: '200': @@ -11104,10 +15066,14 @@ paths: - okta.logStreams.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/meta/schemas/user/linkedObjects: get: summary: List all Linked Object Definitions - description: Lists all linked object definitions + description: Lists all Linked Object definitions operationId: listLinkedObjectDefinitions responses: '200': 
@@ -11118,6 +15084,9 @@ paths: type: array items: $ref: '#/components/schemas/LinkedObject' + examples: + ListLinkedObjectsEx: + $ref: '#/components/examples/ListLinkedObjects' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -11128,9 +15097,12 @@ paths: - okta.linkedObjects.read tags: - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Linked Object Definition - description: Creates a linked object definition + description: Creates a Linked Object definition operationId: createLinkedObjectDefinition x-codegen-request-body-name: linkedObject requestBody: @@ -11138,6 +15110,9 @@ paths: application/json: schema: $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectRequestEx: + $ref: '#/components/examples/CreateLinkedObjectRequest' required: true responses: '201': @@ -11146,10 +15121,22 @@ paths: application/json: schema: $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectResponseEx: + $ref: '#/components/examples/CreateLinkedObjectResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '409': + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorInvalidLinkedObjectDefEx: + $ref: '#/components/examples/ErrorInvalidLinkedObjectDef' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: @@ -11158,12 +15145,15 @@ paths: - okta.linkedObjects.manage tags: - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}: parameters: - $ref: '#/components/parameters/pathLinkedObjectName' get: summary: Retrieve a Linked Object Definition - description: Retrieves a linked object definition + description: Retrieves a Linked Object definition operationId: getLinkedObjectDefinition responses: '200': 
@@ -11172,6 +15162,9 @@ paths: application/json: schema: $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectResponseEx: + $ref: '#/components/examples/CreateLinkedObjectResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11184,9 +15177,12 @@ paths: - okta.linkedObjects.read tags: - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Linked Object Definition - description: Deletes a linked object definition + description: Deletes the Linked Object definition specified by either the `primary` or `associated` name. The entire definition is removed, regardless of which name that you specify. operationId: deleteLinkedObjectDefinition responses: '204': @@ -11204,12 +15200,15 @@ paths: - okta.linkedObjects.manage tags: - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/schemas/user/{schemaId}: parameters: - $ref: '#/components/parameters/pathSchemaId' get: summary: Retrieve a User Schema - description: Retrieves the schema for a Schema Id + description: Retrieves the Schema for a User Type operationId: getUserSchema responses: '200': 
@@ -11233,9 +15232,15 @@ paths: - okta.schemas.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update a User Schema - description: Partially updates on the User Profile properties of the user schema + description: |- + Updates a User Schema. This updates, adds, or removes one or more profile properties in a User Schema. + + Unlike custom User Profile properties, limited changes are allowed to base User Profile properties (permissions, nullability of the `firstName` and `lastName` properties, or pattern for `login`). A property cannot be removed from the default Schema if it is being referenced as a [matchAttribute](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/) in SAML2 IdPs. Currently, all validation of SAML assertions is only performed against the default user type. operationId: updateUserProfile x-codegen-request-body-name: userSchema requestBody: @@ -11271,6 +15276,9 @@ paths: - okta.schemas.manage tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/types/user: get: summary: List all User Types @@ -11298,6 +15306,9 @@ paths: - okta.userTypes.read tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a User Type description: |- @@ -11336,6 +15347,9 @@ paths: - okta.userTypes.manage tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/types/user/{typeId}: parameters: - $ref: '#/components/parameters/pathTypeId' 
@@ -11365,10 +15379,13 @@ paths: - okta.userTypes.read tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update a User Type description: |- - Updates an existing User Type. + Updates an existing User Type. This operation is a partial update. > **Note**: You can only update the `displayName` and `description` elements. The `name` of an existing User Type can't be changed. operationId: updateUserType x-codegen-request-body-name: userType @@ -11405,10 +15422,13 @@ paths: - okta.userTypes.manage tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a User Type description: |- - Replaces an existing User Type. + Replaces an existing User Type. This operation is a full update. > **Note**: The `name` of an existing User Type can't be changed, but must be part of the request body. You can only replace the `displayName` and `description` elements. operationId: replaceUserType x-codegen-request-body-name: userType @@ -11444,6 +15464,9 @@ paths: - okta.userTypes.manage tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a User Type description: |- @@ -11466,6 +15489,9 @@ paths: - okta.userTypes.manage tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/uischemas: get: summary: List all UI Schemas @@ -11494,6 +15520,11 @@ paths: - okta.uischemas.read tags: - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create a UI Schema description: Creates an input for an enrollment form @@ -11530,6 +15561,11 @@ paths: - okta.uischemas.manage tags: - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/meta/uischemas/{id}: parameters: - $ref: '#/components/parameters/UISchemaId' 
@@ -11560,6 +15596,11 @@ paths: - okta.uischemas.read tags: - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: summary: Replace a UI Schema description: Replaces a UI Schema by `id` @@ -11598,6 +15639,11 @@ paths: - okta.uischemas.manage tags: - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete a UI Schema description: Deletes a UI Schema by `id` @@ -11620,10 +15666,15 @@ paths: - okta.uischemas.manage tags: - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/org: get: - summary: Retrieve the Org Settings - description: Retrieves the org settings + summary: Retrieve the Org General Settings + description: Retrieves the Org General Settings operationId: getOrgSettings parameters: [] responses: @@ -11633,6 +15684,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -11642,16 +15696,22 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update the Org Settings - description: Partially updates the org settings depending on provided fields + summary: Update the Org General Settings + description: Updates partial Org General Settings operationId: updateOrgSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/UpdateOrgSettingEx' responses: '200': description: Success 
@@ -11659,6 +15719,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11670,10 +15733,13 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace the Org Settings - description: Replaces the settings of your organization + summary: Replace the Org General Settings + description: Replaces the Org General Settings for your Okta org operationId: replaceOrgSettings x-codegen-request-body-name: orgSetting requestBody: @@ -11681,6 +15747,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/UpdateOrgSettingEx' required: true responses: '200': @@ -11689,6 +15758,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11700,12 +15772,15 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/captcha: get: summary: Retrieve the Org-wide CAPTCHA Settings description: |- - Retrieves the CAPTCHA settings object for your organization. + Retrieves the CAPTCHA settings object for your organization > **Note**: If the current organization hasn't configured CAPTCHA Settings, the request returns an empty object. operationId: getOrgCaptchaSettings responses: 
@@ -11730,10 +15805,15 @@ paths: - okta.captchas.read tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: summary: Replace the Org-wide CAPTCHA Settings description: |- - Replaces the CAPTCHA settings object for your organization. + Replaces the CAPTCHA settings object for your organization > **Note**: You can disable CAPTCHA for your organization by setting `captchaId` and `enabledPages` to `null`. operationId: replacesOrgCaptchaSettings requestBody: @@ -11779,6 +15859,11 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete the Org-wide CAPTCHA Settings description: Deletes the CAPTCHA settings object for your organization @@ -11798,11 +15883,16 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/org/contacts: get: - summary: Retrieve the Org Contact Types - description: Retrieves Contact Types of your organization - operationId: getOrgContactTypes + summary: List all Org Contact Types + description: Lists all Org Contact Types for your Okta org + operationId: listOrgContactTypes parameters: [] responses: '200': @@ -11813,6 +15903,9 @@ paths: items: $ref: '#/components/schemas/OrgContactTypeObj' type: array + examples: + orgContactTypeEx: + $ref: '#/components/examples/orgContactTypeResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -11822,13 +15915,16 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/contacts/{contactType}: parameters: - $ref: '#/components/parameters/pathContactType' get: - summary: Retrieve the User of the Contact Type - description: Retrieves the URL of the User associated with the specified Contact Type + summary: Retrieve the Contact Type User + description: Retrieves the ID and the User resource associated with the specified Contact Type operationId: getOrgContactUser responses: '200': @@ -11837,6 +15933,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + $ref: '#/components/examples/orgContactUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -11848,9 +15947,12 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace the User of the Contact Type + summary: Replace the Contact Type User description: Replaces the User associated with the specified Contact Type operationId: replaceOrgContactUser x-codegen-request-body-name: orgContactUser @@ -11859,6 +15961,11 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + summary: Contact User + value: + userId: 00ux3u0ujW1r5AfZC1d7 required: true responses: '200': @@ -11867,6 +15974,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + $ref: '#/components/examples/orgContactUserResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -11880,11 +15990,20 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/email/bounces/remove-list: post: - summary: Remove Emails from Email Provider Bounce List - description: Removes a list of email addresses to be removed from the set of email addresses that are bounced + summary: Remove Bounced Emails + description: | + Removes emails from an email service bounce list. + + The emails submitted in this operation are removed from the bounce list by an asynchronous job. + Any email address that passes validation is accepted for the removal process, even if there are other email addresses in the request that failed validation. + + > **Note:** If there are validation errors for all email addresses, a `200 OK` HTTP status is still returned. operationId: bulkRemoveEmailAddressBounces requestBody: content: @@ -11893,6 +16012,7 @@ paths: $ref: '#/components/schemas/BouncesRemoveListObj' examples: example-1: + summary: Request example value: emailAddresses: - name@company.com @@ -11900,13 +16020,14 @@ paths: - name@okta@com responses: '200': - description: Deletes the provided list of emails from the set of email addresses that are bounced so that the provider resumes sending emails to those addresses. + description: OK content: application/json: schema: $ref: '#/components/schemas/BouncesRemoveListResult' examples: example-1: + summary: Response example value: errors: - emailAddress: unknown.email@okta.com 
@@ -11924,22 +16045,207 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - EmailCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/factors/yubikey_token/tokens: + parameters: + - name: after + in: query + description: Specifies the pagination cursor for the next page of tokens + schema: + type: string + - name: expand + in: query + description: Embeds the [User](/openapi/okta-management/management/tag/User/) resource if the YubiKey Token is assigned to a user and `expand` is set to `user` + schema: + type: string + - name: filter + in: query + description: The expression used to filter tokens + schema: + type: string + enum: + - profile.email + - profile.serial + - activated + - user.id + - created + - status + - lastVerified + - name: forDownload + in: query + description: Returns tokens in a CSV to download instead of in the response. When you use this query parameter, the `limit` default changes to 1000. + schema: + type: boolean + default: false + - name: limit + in: query + description: Specifies the number of results per page + schema: + type: integer + default: 20 + maximum: 200 + - name: sortBy + in: query + description: The value of how the tokens are sorted + schema: + type: string + enum: + - profile.email + - profile.serial + - activated + - user.id + - created + - status + - lastVerified + - name: sortOrder + in: query + description: Specifies the sort order, either `ASC` or `DESC` + schema: + type: string + enum: + - ASC + - DESC + get: + summary: List all YubiKey OTP Tokens + description: Lists all YubiKey OTP Tokens + operationId: listYubikeyOtpTokens + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + ListYubikeyOptTokensResponse: + $ref: '#/components/examples/ListYubikeyOptTokensResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Upload a YubiKey OTP Seed + description: Uploads a seed for a user to enroll a YubiKey OTP + operationId: uploadYubikeyOtpTokenSeed + requestBody: + content: + application/json: + schema: + type: object + properties: + serialNumber: + type: string + description: The unique identifier assigned to each YubiKey device + publicId: + type: string + description: The Yubikey's public ID + privateId: + type: string + description: The Yubikey's private ID + aesKey: + type: string + description: The cryptographic key used in the AES algorithm to encrypt and decrypt YubiKey OTP + examples: + uploadYubikeyOtpSeedRequest: + $ref: '#/components/examples/UploadYubikeyTokenSeedRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + yubikeyToken: + $ref: '#/components/examples/UploadYubikeyTokenSeedResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/factors/yubikey_token/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/yubikeyTokenId' + get: + summary: Retrieve a YubiKey OTP Token + description: Retrieves the specified YubiKey OTP Token by `id` + operationId: getYubikeyOtpTokenById + parameters: + - name: tokenId + in: path + required: true + description: The YubikeyOTP token ID 
+ schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + Token: + $ref: '#/components/examples/GetYubikeyOptTokenResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/logo: post: summary: Upload the Org Logo - description: Uploads and replaces the logo for your organization. The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. + description: Uploads and replaces the logo for your organization operationId: uploadOrgLogo requestBody: content: multipart/form-data: schema: - description: The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. type: object properties: file: type: string format: binary + description: The file must be in PNG, JPG, or GIF format and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling. required: - file description: logo file 
@@ -11957,11 +16263,78 @@ paths: - oauth2: - okta.apps.manage tags: - - OrgSetting + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/orgSettings/thirdPartyAdminSetting: + get: + summary: Retrieve the Org Third-Party Admin Setting + description: Retrieves the Third-Party Admin Setting. See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation. + operationId: getThirdPartyAdminSetting + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the Org Third-Party Admin Setting + description: | + Updates the Third-Party Admin Setting. + This setting allows third-party admins to perform administrative actions in the Admin Console, but they can't do any of the following: + * Receive Okta admin email notifications + * Contact Okta support + * Sign in to the Okta Help Center + + See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation. 
+ operationId: updateThirdPartyAdminSetting + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/preferences: get: summary: Retrieve the Org Preferences - description: Retrieves preferences of your organization + description: Retrieves preferences of your Okta org operationId: getOrgPreferences parameters: [] responses: @@ -11971,6 +16344,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgPreferences' + examples: + retrieveOrgPrefEx: + $ref: '#/components/examples/orgShowFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -11980,12 +16356,15 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/preferences/hideEndUserFooter: post: - summary: Update the Preference to Hide the Okta Dashboard Footer - description: Updates the preference hide the Okta UI footer for all end users of your organization - operationId: updateOrgHideOktaUIFooter + summary: Set the Hide Dashboard Footer Preference + description: Sets the preference to hide the Okta UI footer for all end users of your org + operationId: setOrgHideOktaUIFooter parameters: [] responses: '200': 
@@ -11994,6 +16373,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgPreferences' + examples: + hideOrgPrefEx: + $ref: '#/components/examples/orgHideFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -12003,12 +16385,15 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/preferences/showEndUserFooter: post: - summary: Update the Preference to Show the Okta Dashboard Footer - description: Updates the preference to show the Okta UI footer for all end users of your organization - operationId: updateOrgShowOktaUIFooter + summary: Set the Show Dashboard Footer Preference + description: Sets the preference to show the Okta UI footer for all end users of your org + operationId: setOrgShowOktaUIFooter parameters: [] responses: '200': 
@@ -12017,6 +16402,151 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgPreferences' + examples: + showOrgPrefEx: + $ref: '#/components/examples/orgShowFooterPrefResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/aerial: + get: + summary: Retrieve Okta Aerial consent for your Org + description: Retrieves the Okta Aerial consent grant details for your Org. Returns a 404 Not Found error if no consent has been granted. + operationId: getAerialConsent + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentDetails' + examples: + example-read-grant-response: + $ref: '#/components/examples/AerialConsentDetails' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-no-already-present-response: + $ref: '#/components/examples/AerialGrantAlreadyPresentErrorResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Consent hasn't been given and there are no grants to any Aerial Accounts + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-no-grant-found-response: + $ref: '#/components/examples/AerialGrantNotFoundResponse' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/org/privacy/aerial/grant: + post: + summary: Grant Okta Aerial access to your Org + description: Grants an Okta Aerial account access to your Org. 
If the org is a child org, consent is taken from the parent org. Grant calls directly to the child are not allowed. + operationId: grantAerialConsent + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsent' + examples: + example-grant-call: + description: Request body to grant an Okta Aerial account access to your Org + value: + accountId: 0200bs0617vvhv2v675mch1cukp + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentDetails' + examples: + example-grant-success-response: + $ref: '#/components/examples/AerialConsentDetails' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-invalid-account-id: + $ref: '#/components/examples/AerialConsentInvalidAccountIdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/org/privacy/aerial/revoke: + post: + summary: Revoke Okta Aerial access to your Org + description: Revokes access of an Okta Aerial account to your Org. The revoke operation will fail if the org has already been added to an Aerial account. 
+ operationId: revokeAerialConsent + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsent' + examples: + example-revoke-request: + description: Request body for revoking an Okta Aerial account + value: + accountId: 0200bs0617vvhv2v675mch1cukp + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentRevoked' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-org-is-linked: + $ref: '#/components/examples/AerialConsentOrgAlreadyLinkedResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -12026,11 +16556,15 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] /api/v1/org/privacy/oktaCommunication: get: summary: Retrieve the Okta Communication Settings - description: Retrieves Okta Communication Settings of your organization + description: Retrieves Okta Communication Settings of your org operationId: getOktaCommunicationSettings parameters: [] responses: @@ -12040,6 +16574,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + retrieveOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptOutResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -12049,11 +16586,14 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optIn: post: - summary: Opt in all Users to Okta Communication emails - description: Opts in all users of this org to Okta Communication emails + summary: Opt in to Okta User Communication Emails + description: Opts in all users of this org to Okta communication emails operationId: optInUsersToOktaCommunicationEmails parameters: [] responses: @@ -12063,6 +16603,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + optInOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptInResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -12072,11 +16615,14 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optOut: post: - summary: Opt out all Users from Okta Communication emails - description: Opts out all users of this org from Okta Communication emails + summary: Opt out of Okta User Communication Emails + description: Opts out all users of this org from Okta communication emails operationId: optOutUsersFromOktaCommunicationEmails parameters: [] responses: @@ -12086,6 +16632,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' + examples: + optOutOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptOutResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -12095,11 +16644,14 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport: get: summary: Retrieve the Okta Support Settings - description: Retrieves Okta Support Settings of your organization + description: Retrieves Okta Support Settings for your org operationId: getOrgOktaSupportSettings parameters: [] responses: @@ -12109,6 +16661,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + RetrieveOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -12118,7 +16673,10 @@ paths: - oauth2: - okta.orgs.read tags: - - OrgSetting + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/extend: post: summary: Extend Okta Support Access @@ -12132,6 +16690,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + ExtendOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -12141,10 +16702,13 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/grant: post: - summary: Grant Okta Support Access to your Org + summary: Grant Okta Support Access description: Grants Okta Support temporary access your org as an administrator for eight hours operationId: grantOktaSupport parameters: [] @@ -12155,6 +16719,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + GrantOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -12164,11 +16731,14 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/revoke: post: summary: Revoke Okta Support Access - description: Revokes Okta Support access to your organization + description: Revokes Okta Support access to your org operationId: revokeOktaSupport parameters: [] responses: 
@@ -12178,6 +16748,64 @@ paths: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + examples: + RevokeOktaSupportEx: + $ref: '#/components/examples/orgSupportSettingsRevokeResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/settings/clientPrivilegesSetting: + get: + summary: Retrieve the Default Public Client App Role Setting + description: Retrieves the org setting to assign the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) to new public client apps + operationId: getClientPrivilegesSetting + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Assign the Default Public Client App Role Setting + description: Assigns the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) as the default role for new public client apps + operationId: assignClientPrivilegesSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
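Review bot: the new `put` on `/api/v1/org/settings/clientPrivilegesSetting` has a `requestBody` without `required: true` and declares no `400` response, unlike the other mutating operations in this file (for example `createPolicySimulation` marks its body `required: true`). The description `Assigns the Super Admin role as the default role for new public client apps` also reads as an unconditional grant, while the `get` describes the same resource as `the org setting to assign the Super Admin role`; since the body is a `ClientPrivilegesSetting` object, word the `put` as replacing that setting (for instance `Replaces the org setting that assigns the Super Admin role to new public client apps`) so a reader does not assume calling it always enables the privilege.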
@@ -12187,8 +16815,58 @@ paths: - oauth2: - okta.orgs.manage tags: - - OrgSetting -# Policy Begin + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/orgs: + post: + summary: Create an org + description: |- + Creates an org (child org) that has the same features as the current requesting org (parent org). + A child org inherits any new features added to the parent org, but new features added to the child org aren't propagated back to the parent org. + > **Notes:** + > * Some features associated with products, such as Atspoke, Workflows, and Okta Identity Governance, aren't propagated to the child org. + > * Wait at least 30 seconds after a 201-Created response before you make API requests to the new child org. + > * For rate limits, see [Org creation rate limits](https://developer.okta.com/docs/reference/rl-additional-limits/#org-creation-rate-limits). + operationId: createChildOrg + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ChildOrg' + examples: + CreateChildOrg: + $ref: '#/components/examples/CreateChildOrgRequestEx' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/ChildOrg' + examples: + CreateChildOrg: + $ref: '#/components/examples/CreateChildOrgResponseEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + '500': + $ref: '#/components/responses/ErrorInternalServer500' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgCreator + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies: get: summary: List all Policies 
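Review bot: `createChildOrg` documents `401` (`ErrorInvalidToken401`) and `500` (`ErrorInternalServer500`) responses that none of the neighbouring operations in this region declare, even though they share the same `apiToken`/`oauth2` security. Either document those responses uniformly or drop them here so the spec does not imply that only this endpoint can return them. The `>` note lines inside the `|-` description block will also render as a single blockquote with three bullets, so please confirm that is the intended output for this description.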
@@ -12200,24 +16878,67 @@ paths: required: true schema: type: string + enum: + - OKTA_SIGN_ON + - PASSWORD + - MFA_ENROLL + - IDP_DISCOVERY + - ACCESS_POLICY + - PROFILE_ENROLLMENT + - POST_AUTH_SESSION + - ENTITY_RISK + description: Specifies the type of policy to return. The following policy types are available only with the Okta Identity Engine - `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`. - name: status in: query schema: type: string + description: Refines the query by the `status` of the policy - `ACTIVE` or `INACTIVE` + - name: q + in: query + schema: + type: string + description: Refines the query by policy name prefix (startWith method) passed in as `q=string` - name: expand in: query schema: type: string default: '' + - name: sortBy + in: query + schema: + type: string + description: Refines the query by sorting on the policy `name` in ascending order + - name: limit + in: query + schema: + type: string + description: Defines the number of policies returned, see [Pagination](https://developer.okta.com/docs/api/#pagination) + - name: resourceId + in: query + schema: + type: string + description: Reference to the associated authorization server + - name: after + in: query + schema: + type: string + description: End page cursor for pagination, see [Pagination](https://developer.okta.com/docs/api/#pagination) responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Policy' + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
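Review bot: the `200` response schema for `listPolicies` is changed from an array of `Policy` to a single `$ref: '#/components/schemas/Policy'`, but the operation is still `List all Policies` and the added examples are list responses; this breaks generated clients, which will now expect one object where the server returns an array. Restore the `type: array` / `items:` wrapper. Separately, the new `limit` query parameter is typed `type: string`; every other limit parameter in this file is an integer, and `resourceId`'s description `Reference to the associated authorization server` should say which policy `type` it applies to.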
@@ -12228,12 +16949,16 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Policy - description: Creates a policy + description: Creates a policy. There are many types of policies that you can create. See [Policies](https://developer.okta.com/docs/concepts/policies/) for an overview of the types of policies available and then links to more indepth information. operationId: createPolicy parameters: - name: activate + description: This query parameter is only valid for Classic Engine orgs. in: query schema: type: boolean @@ -12252,6 +16977,15 @@ paths: application/json: schema: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
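Review bot: the new `createPolicy` description has a spelling error, `indepth` should be `in-depth`, and `and then links to more indepth information` reads better as `with links to more in-depth information`. The added `activate` parameter note `This query parameter is only valid for Classic Engine orgs` should also say what happens on an Identity Engine org (ignored or rejected), since the default of `true` is still applied by generated clients.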
@@ -12264,6 +16998,57 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/simulate: + parameters: + - $ref: '#/components/parameters/simulateParameter' + post: + summary: Create a Policy Simulation + description: |- + Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration. + The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow. + operationId: createPolicySimulation + x-codegen-request-body-name: simulatePolicy + requestBody: + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SimulatePolicyBody' + examples: + SimulatePolicy: + $ref: '#/components/examples/SimulatePolicyBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SimulatePolicyResponse' + examples: + SimulatePolicy: + $ref: '#/components/examples/SimulatePolicyResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/policies/{policyId}: parameters: - $ref: '#/components/parameters/pathPolicyId' 
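Review bot: relocating `/api/v1/policies/simulate` ahead of `/api/v1/policies/{policyId}` and changing its success response from `204` to `200` is the right fix, since a `204` must not carry a body and the old block attached a `SimulatePolicyResponse` schema to it; please call that status-code change out in the commit message as it is visible to clients. Using the read-only scope `okta.policies.read` on a `post` is fine here because the simulation does not mutate policy, but the description should say so explicitly so nobody widens it to `okta.policies.manage` later.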
@@ -12284,6 +17069,15 @@ paths: application/json: schema: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12296,6 +17090,9 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Policy description: Replaces the properties of a Policy identified by `policyId` @@ -12314,6 +17111,15 @@ paths: application/json: schema: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -12328,6 +17134,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Policy description: Deletes a policy @@ -12347,6 +17156,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/app: parameters: - $ref: '#/components/parameters/pathPolicyId' @@ -12379,6 +17191,9 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/clone: parameters: - $ref: '#/components/parameters/pathPolicyId' 
@@ -12393,6 +17208,15 @@ paths: application/json: schema: $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: '#/components/examples/mfa-enroll-policy-response' + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -12407,6 +17231,11 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/policies/{policyId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathPolicyId' @@ -12430,6 +17259,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathPolicyId' @@ -12453,6 +17285,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/mappings: parameters: - $ref: '#/components/parameters/pathPolicyId' @@ -12469,6 +17304,9 @@ paths: type: array items: $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-list-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12481,6 +17319,9 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Map a resource to a Policy description: Maps a resource to a Policy identified by `policyId` 
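Review bot: `/api/v1/policies/{policyId}/clone` is marked `LIMITED_GA` with `SKUs: - Okta Identity Engine` while every sibling policy operation in this change is `GA`; please confirm that downgrade is intentional rather than a copy of the `simulate` block's metadata, because generated docs will now badge clone as limited availability.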
@@ -12498,6 +17339,9 @@ paths: application/json: schema: $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -12512,6 +17356,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/mappings/{mappingId}: parameters: - $ref: '#/components/parameters/pathPolicyId' @@ -12527,6 +17374,9 @@ paths: application/json: schema: $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12539,6 +17389,9 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a policy resource Mapping description: Deletes the resource Mapping for a Policy identified by `policyId` and `mappingId` @@ -12559,9 +17412,13 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/rules: parameters: - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/limitParameter' get: summary: List all Policy Rules description: Lists all policy rules 
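Review bot: `$ref: '#/components/parameters/limitParameter'` is added at the path level of `/api/v1/policies/{policyId}/rules`, so it also applies to the `post` (create rule), where a `limit` query parameter has no meaning; move it under `get`. This hunk also introduces a second limit component (`limitParameter`) alongside the `queryLimit` component used by the realm-assignment operations below; pick one so the two do not drift in type or default.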
@@ -12575,6 +17432,17 @@ paths: type: array items: $ref: '#/components/schemas/PolicyRule' + examples: + okta-sign-on: + $ref: '#/components/examples/list-all-sign-on-policy-rule-response' + password: + $ref: '#/components/examples/list-all-password-policy-rule-response' + idp-discovery: + $ref: '#/components/examples/list-all-idp-discovery-policy-rule-response' + mfa-enroll: + $ref: '#/components/examples/list-all-mfa-enroll-policy-rule-response' + profile-enrollment: + $ref: '#/components/examples/list-all-profile-enrollment-policy-rule-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12587,10 +17455,23 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Policy Rule - description: Creates a policy rule + description: |- + Creates a policy rule + + > **Note:** You can't create additional rules for the `PROFILE_ENROLLMENT` or `POST_AUTH_SESSION` policies. operationId: createPolicyRule + parameters: + - name: activate + description: Set this parameter to `false` to create an `INACTIVE` rule. + in: query + schema: + type: boolean + default: true x-codegen-request-body-name: policyRule requestBody: content: 
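Review bot: the new `activate` parameter on `createPolicyRule` (`default: true`) carries no engine caveat, whereas the same parameter on `createPolicy` above is annotated `only valid for Classic Engine orgs`; if the restriction applies to rules as well, document it identically, and if not, say so, because the two adjacent descriptions currently disagree. The added note `You can't create additional rules for the PROFILE_ENROLLMENT or POST_AUTH_SESSION policies` should also state the error returned when a client tries.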
@@ -12604,17 +17485,28 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up' + EnableSsprOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP' Enable2FAPreciseAuth: - $ref: "#/components/examples/twofa-enabled-disallow-password-allow-phishing" + $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing' EnableSpecificRoutingRule: - $ref: "#/components/examples/idp-discovery-specific-routing-rule" + $ref: '#/components/examples/idp-discovery-specific-routing-rule' EnableDynamicRoutingRule: - $ref: "#/components/examples/idp-discovery-dynamic-routing-rule" - x-okta-feature-flag-amends: - IDX_SSPR_EXTENDED_PRIMARY_FACTORS: - examples: - EnableSsprWithConstraints: - $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints' + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' + CreateAuthPolicyRuleDevicePlatformCondition: + $ref: '#/components/examples/create-auth-policy-rule-condition' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' + RadiusRule: + $ref: '#/components/examples/radius-rule' + CloudRule: + $ref: '#/components/examples/cloud-rule' + DenyRule: + $ref: '#/components/examples/deny-rule' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints' required: true responses: '200': 
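Review bot: removing the `x-okta-feature-flag-amends` block for `IDX_SSPR_EXTENDED_PRIMARY_FACTORS` and listing `EnableSsprWithConstraints` unconditionally publishes a request shape that was previously gated behind a feature flag; please confirm the flag is fully rolled out before this ships, otherwise readers on orgs without it will copy a body the server rejects. The quote-style change from `"..."` to `'...'` on the `$ref` lines is fine but inflates the diff; consider keeping it in a separate formatting commit.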
@@ -12630,17 +17522,28 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up-response' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-response' + EnableSsprWithOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP-response' Enable2FAPreciseAuth: $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing-response' EnableSpecificRoutingRule: - $ref: "#/components/examples/idp-discovery-specific-routing-rule-response" + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' EnableDynamicRoutingRule: - $ref: "#/components/examples/idp-discovery-dynamic-routing-rule-response" - x-okta-feature-flag-amends: - IDX_SSPR_EXTENDED_PRIMARY_FACTORS: - examples: - EnableSsprWithConstraints: - $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + CreateAuthPolicyRuleDevicePlatformCondition: + $ref: '#/components/examples/create-auth-policy-rule-condition-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -12655,6 +17558,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/rules/{ruleId}: parameters: - $ref: '#/components/parameters/pathPolicyId' 
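Review bot: the response example key added here is `EnableSsprWithOAMP`, but the matching request example in the previous hunk is named `EnableSsprOAMP`; rendered docs pair request and response examples by key, so these two will not line up. Use one name for both.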
@@ -12677,11 +17583,24 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up-update' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-update' - x-okta-feature-flag-amends: - IDX_SSPR_EXTENDED_PRIMARY_FACTORS: - examples: - EnableSsprWithConstraints: - $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' + EnableSsprWithOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP-update' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12694,6 +17613,9 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Policy Rule description: Replaces the properties for a Policy Rule identified by `policyId` and `ruleId` 
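Review bot: the `get` response for `/api/v1/policies/{policyId}/rules/{ruleId}` now mixes `-response` examples (`idp-discovery-specific-routing-rule-response`, `sign-on-policy-rule-response`, ...) with `-update` examples (`sspr-enabled-OAMP-update`, `sspr-enabled-sso-step-up-with-constraints-update`), which by their naming are request bodies for the `put` and will lack server-populated fields such as `id` and `_links`. Point the SSPR entries at the corresponding `-response` examples, which already exist and are referenced in the create hunk above.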
@@ -12711,11 +17633,24 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up-update' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-update' - x-okta-feature-flag-amends: - IDX_SSPR_EXTENDED_PRIMARY_FACTORS: - examples: - EnableSsprWithConstraints: - $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' + UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: + $ref: '#/components/examples/update-auth-policy-rule-condition' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' + RadiusRule: + $ref: '#/components/examples/radius-rule' + CloudRule: + $ref: '#/components/examples/cloud-rule' + DenyRule: + $ref: '#/components/examples/deny-rule' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' required: true responses: '200': 
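Review bot: the `put` request examples for a policy rule do not include an OAMP entry, although `sspr-enabled-OAMP-update` exists and is referenced from the `get` response in the previous hunk; add `EnableSsprWithOAMP: $ref: '#/components/examples/sspr-enabled-OAMP-update'` here so the create, retrieve and replace operations expose the same set of SSPR variants.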
@@ -12731,11 +17666,24 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up-response' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-response' - x-okta-feature-flag-amends: - IDX_SSPR_EXTENDED_PRIMARY_FACTORS: - examples: - EnableSsprWithConstraints: - $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' + UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: + $ref: '#/components/examples/update-auth-policy-rule-condition-response' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -12750,6 +17698,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Policy Rule description: Deletes a Policy Rule identified by `policyId` and `ruleId` @@ -12770,6 +17721,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathPolicyId' 
@@ -12793,6 +17747,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathPolicyId' @@ -12816,49 +17773,9 @@ paths: - okta.policies.manage tags: - Policy - /api/v1/policies/simulate: - parameters: - - $ref: '#/components/parameters/simulateParameter' - post: - summary: Create a Policy Simulation - description: |- - Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration. - The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow. - operationId: createPolicySimulation - x-codegen-request-body-name: simulatePolicy - requestBody: - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/SimulatePolicyBody' - examples: - SimulatePolicy: - $ref: '#/components/examples/SimulatePolicyBody' - required: true - responses: - '204': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/SimulatePolicyResponse' - examples: - SimulatePolicy: - $ref: '#/components/examples/SimulatePolicyResponse' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.policies.read - tags: - - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/principal-rate-limits: get: summary: List all Principal Rate Limits 
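Review bot: the `/api/v1/policies/simulate` block deleted here is the one re-added above `/api/v1/policies/{policyId}` with `'200'` in place of `'204'` and `x-okta-lifecycle` metadata; please check that no other file or generated SDK still references the `204` behaviour of `createPolicySimulation`, since the operationId is unchanged and the status code is the only functional difference.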
@@ -12901,6 +17818,9 @@ paths: - okta.principalRateLimits.read tags: - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Principal Rate Limit description: Creates a new Principal Rate Limit entity. In the current release, we only allow one Principal Rate Limit entity per org and principal. @@ -12941,6 +17861,9 @@ paths: - okta.principalRateLimits.manage tags: - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/principal-rate-limits/{principalRateLimitId}: parameters: - $ref: '#/components/parameters/pathPrincipalRateLimitId' @@ -12970,6 +17893,9 @@ paths: - okta.principalRateLimits.read tags: - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Principal Rate Limit description: Replaces a principal rate limit entity by `principalRateLimitId` @@ -13010,6 +17936,9 @@ paths: - okta.principalRateLimits.manage tags: - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/push-providers: get: summary: List all Push Providers @@ -13026,6 +17955,39 @@ paths: description: OK content: application/json: + example: + value: + - id: ppchvbeucdTgqeiGxR0g4 + providerType: APNS + name: Example Push Provider 1 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + keyId: ABC123DEFG + teamId: DEF123GHIJ + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + - id: ppctekcmngGaqeiBxB0g4 + providerType: FCM + name: Example Push Provider 2 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.json + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT schema: type: array items: 
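Review bot: the push-provider list example is malformed in three ways. First, `lastUpdatedDate: '2022-01-00T00:00:00.000Z'` is not a valid timestamp (day `00`). Second, a media-type `example:` in OpenAPI 3.0 holds the literal value, so nesting it under `value:` (which is the shape for entries in an `examples` map) renders as an object with a `value` key rather than the array. Third, the `self.href` values contain the path template `{pushProviderId}` instead of the `id` shown on the same item (`ppchvbeucdTgqeiGxR0g4`, `ppctekcmngGaqeiBxB0g4`). Fix the date, move the sample into an `examples:` map or drop the `value:` wrapper, and use the real ids in the links.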
@@ -13040,9 +18002,14 @@ paths: - okta.pushProviders.read tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create a Push Provider - description: Creates a new push provider + description: Creates a new push provider. Each Push Provider must have a unique `name`. operationId: createPushProvider x-codegen-request-body-name: pushProvider requestBody: @@ -13080,6 +18047,11 @@ paths: - okta.pushProviders.manage tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/push-providers/{pushProviderId}: parameters: - $ref: '#/components/parameters/pathPushProviderId' @@ -13111,6 +18083,11 @@ paths: - okta.pushProviders.read tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: summary: Replace a Push Provider description: Replaces a push provider by `pushProviderId` @@ -13153,6 +18130,11 @@ paths: - okta.pushProviders.manage tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete a Push Provider description: Deletes a push provider by `pushProviderId`. If the push provider is currently being used in the org by a custom authenticator, the delete will not be allowed. @@ -13182,6 +18164,11 @@ paths: - okta.pushProviders.manage tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/rate-limit-settings/admin-notifications: get: summary: Retrieve the Rate Limit Admin Notification Settings 
@@ -13209,6 +18196,9 @@ paths: - okta.rateLimits.read tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Rate Limit Admin Notification Settings description: Replaces the Rate Limit Admin Notification Settings and returns the configured properties @@ -13249,6 +18239,9 @@ paths: - okta.rateLimits.manage tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/rate-limit-settings/per-client: get: summary: Retrieve the Per-Client Rate Limit Settings @@ -13278,6 +18271,9 @@ paths: - okta.rateLimits.read tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Per-Client Rate Limit Settings description: Replaces the Per-Client Rate Limit Settings and returns the configured properties @@ -13322,6 +18318,9 @@ paths: - okta.rateLimits.manage tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/rate-limit-settings/warning-threshold: get: summary: Retrieve the Rate Limit Warning Threshold Percentage @@ -13347,6 +18346,9 @@ paths: - okta.rateLimits.read tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Rate Limit Warning Threshold Percentage description: Replaces the Rate Limit Warning Threshold Percentage and returns the configured property 
@@ -13382,37 +18384,17 @@ paths: - okta.rateLimits.manage tags: - RateLimitSettings - /api/v1/realms: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/realm-assignments: get: - summary: List all Realms - description: Lists all Realms - operationId: listRealms + summary: List all Realm Assignments + description: Lists all Realm Assignments + operationId: listRealmAssignments parameters: - - name: limit - in: query - description: Specifies the number of results returned. Defaults to 10 if `search` is provided. - schema: - type: integer - format: int32 - default: 200 + - $ref: '#/components/parameters/queryLimit' - $ref: '#/components/parameters/queryAfter' - - name: search - in: query - description: Searches for Realms with a supported filtering expression for most properties - schema: - type: string - - name: sortBy - in: query - description: Specifies field to sort by and can be any single property (for search queries only). - schema: - type: string - example: profile.name - - name: sortOrder - in: query - description: Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` isn't present. - schema: - type: string - default: asc responses: '200': description: OK @@ -13421,10 +18403,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Realm' + $ref: '#/components/schemas/RealmAssignment' examples: - Realm Lists: - $ref: '#/components/examples/ListRealmsResponse' + AssignmentLists: + $ref: '#/components/examples/ListRealmAssignmentsResponse' '403': description: Forbidden content: 
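Review bot: this hunk does not rename the Realm endpoints, it deletes them: `listRealms`, `createRealm` and (below) `getRealm` on `/api/v1/realms` are replaced by the Realm Assignment operations, and the `search`, `sortBy` and `sortOrder` parameters disappear with them. Unless the `/api/v1/realms` paths are re-added elsewhere in this change, that is a breaking change for generated SDKs and should be called out in the commit message; if the intent is to keep both resources, re-add the Realm paths and insert the Realm Assignment paths after them.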
@@ -13436,27 +18418,154 @@ paths: security: - apiToken: [] - oauth2: - - okta.realms.read + - okta.realmAssignments.read tags: - - Realm + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] post: - summary: Create a Realm - description: Creates a new Realm - operationId: createRealm + summary: Create a Realm Assignment + description: Creates a new Realm Assignment + operationId: createRealmAssignment x-codegen-request-body-name: body requestBody: content: application/json: schema: - $ref: '#/components/schemas/Realm' + $ref: '#/components/schemas/CreateRealmAssignmentRequest' required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/RealmAssignment' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realm-assignments/operations: + get: + summary: List all Realm Assignment operations + description: Lists all Realm Assignment operations. 
The upper limit is 200 and operations are sorted in descending order from most recent to oldest by id + operationId: listRealmAssignmentOperations + parameters: + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryAfter' responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/Realm' + type: array + items: + $ref: '#/components/schemas/OperationResponse' + examples: + Executions: + value: + - id: rre4mje4ez6B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + realmId: 00g1b7rvh0xPLKXFf0g5 + realmName: Realm Name + assignmentOperation: + configuration: + id: 0pr1b7rxZj2ibQzfP0g5 + name: Realm Assignment 1 + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + numUserMoved: 50 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 + method: GET + - id: rre4mje4ez7B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + assignmentOperation: + configuration: + id: ALL + name: All Assignments + numUserMoved: 50 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7 + method: GET + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.read + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Execute a Realm Assignment + description: Executes a Realm Assignment + operationId: 
executeRealmAssignment + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OperationRequest' + examples: + ExecuteSpecificAssignment: + value: + assignmentId: 0pr1b7rxZj2ibQzfP0g5 + ExecuteAllAssignments: + value: + assignmentId: ALL + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OperationResponse' + examples: + Execution: + $ref: '#/components/examples/OperationResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -13466,28 +18575,32 @@ paths: security: - apiToken: [] - oauth2: - - okta.realms.manage + - okta.realmAssignments.manage tags: - - Realm - /api/v1/realms/{realmId}: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realm-assignments/{assignmentId}: parameters: - - $ref: '#/components/parameters/pathRealmId' + - $ref: '#/components/parameters/assignmentId' get: - summary: Retrieve a Realm - description: Retrieves a Realm - operationId: getRealm + summary: Retrieve a Realm Assignment + description: Retrieves a Realm Assignment + operationId: getRealmAssignment responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/Realm' + $ref: '#/components/schemas/RealmAssignment' examples: - DefaultRealm: - $ref: '#/components/examples/DefaultRealmResponse' - NonDefaultRealm: - $ref: '#/components/examples/RealmResponse' + RealmAssignment: + $ref: '#/components/examples/GetRealmAssignmentResponse' + CatchAllRealmAssignment: + $ref: '#/components/examples/DefaultRealmAssignment' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -13499,19 +18612,23 @@ paths: security: - apiToken: [] - oauth2: - - okta.realms.read + - okta.realmAssignments.read tags: - - Realm - post: - summary: Update a Realm - description: Updates a Realm - operationId: updateRealm + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + put: + summary: Replace a Realm Assignment + description: Replaces a Realm Assignment + operationId: replaceRealmAssignment x-codegen-request-body-name: body requestBody: content: application/json: schema: - $ref: '#/components/schemas/Realm' + $ref: '#/components/schemas/UpdateRealmAssignmentRequest' required: true responses: '200': @@ -13519,7 +18636,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Realm' + $ref: '#/components/schemas/RealmAssignment' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -13531,13 +18648,281 @@ paths: security: - apiToken: [] - oauth2: - - okta.realms.manage + - okta.realmAssignments.manage tags: - - Realm + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] delete: - summary: Delete a Realm - description: Deletes a Realm permanently. This operation can only be performed after disassociating other entities like Users and Identity Providers from a Realm. - operationId: deleteRealm + summary: Delete a Realm Assignment + description: Deletes a Realm Assignment + operationId: deleteRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realm-assignments/{assignmentId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/assignmentId' + post: + summary: Activate a Realm Assignment + description: Activates a Realm Assignment + operationId: activateRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + 
/api/v1/realm-assignments/{assignmentId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/assignmentId' + post: + summary: Deactivate a Realm Assignment + description: Deactivates a Realm Assignment + operationId: deactivateRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realms: + get: + summary: List all Realms + description: Lists all Realms + operationId: listRealms + parameters: + - name: limit + in: query + description: Specifies the number of results returned. Defaults to 10 if `search` is provided. + schema: + type: integer + format: int32 + default: 200 + - $ref: '#/components/parameters/queryAfter' + - name: search + in: query + description: Searches for Realms with a supported filtering expression for most properties + schema: + type: string + - name: sortBy + in: query + description: Specifies field to sort by and can be any single property (for search queries only). + schema: + type: string + example: profile.name + - name: sortOrder + in: query + description: Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` isn't present. 
+ schema: + type: string + default: asc + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Realm' + examples: + Realm Lists: + $ref: '#/components/examples/ListRealmsResponse' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.read + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Create a Realm + description: Creates a new Realm + operationId: createRealm + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateRealmRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.manage + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/realms/{realmId}: + parameters: + - $ref: '#/components/parameters/pathRealmId' + get: + summary: Retrieve a Realm + description: Retrieves a Realm + operationId: getRealm + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + examples: + DefaultRealm: + $ref: '#/components/examples/DefaultRealmResponse' + NonDefaultRealm: + $ref: '#/components/examples/RealmResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.read + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + put: + summary: Replace the realm profile + description: Replaces the realm profile + operationId: replaceRealm + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateRealmRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.manage + tags: + - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + delete: + summary: Delete a Realm + description: Deletes a Realm permanently. This operation can only be performed after disassociating other entities like Users and Identity Providers from a Realm. + operationId: deleteRealm responses: '204': description: No Content @@ -13568,6 +18953,13 @@ paths: - okta.realms.manage tags: - Realm + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/resource-selectors/{resourceSelectorId}: + parameters: + - $ref: '#/components/parameters/pathResourceSelectorId' /api/v1/risk/events/ip: post: summary: Send multiple Risk Events @@ -13610,6 +19002,10 @@ paths: - okta.riskEvents.manage tags: - RiskEvent + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] /api/v1/risk/providers: get: summary: List all Risk Providers 
@@ -13637,6 +19033,10 @@ paths: - okta.riskProviders.read tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] post: summary: Create a Risk Provider description: Creates a Risk Provider object. A maximum of three Risk Provider objects can be created. @@ -13680,6 +19080,10 @@ paths: - okta.riskProviders.manage tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] /api/v1/risk/providers/{riskProviderId}: parameters: - $ref: '#/components/parameters/pathRiskProviderId' @@ -13709,6 +19113,10 @@ paths: - okta.riskProviders.read tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] put: summary: Replace a Risk Provider description: Replaces the properties for a given Risk Provider object ID @@ -13747,6 +19155,10 @@ paths: - okta.riskProviders.manage tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] delete: summary: Delete a Risk Provider description: Deletes a Risk Provider object by its ID @@ -13774,6 +19186,10 @@ paths: - okta.riskProviders.manage tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] /api/v1/roles/{roleRef}/subscriptions: parameters: - $ref: '#/components/parameters/pathRoleRef' @@ -13802,6 +19218,9 @@ paths: - okta.roles.read tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/roles/{roleRef}/subscriptions/{notificationType}: parameters: - $ref: '#/components/parameters/pathRoleRef' @@ -13829,6 +19248,9 @@ paths: - okta.roles.read tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/roles/{roleRef}/subscriptions/{notificationType}/subscribe: parameters: - $ref: '#/components/parameters/pathRoleRef' 
@@ -13852,6 +19274,9 @@ paths: - okta.roles.manage tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/roles/{roleRef}/subscriptions/{notificationType}/unsubscribe: parameters: - $ref: '#/components/parameters/pathRoleRef' 
@@ -13875,71 +19300,185 @@ paths: - okta.roles.manage tags: - Subscription - /api/v1/sessions: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/security-events-providers: + get: + summary: List all Security Events Providers + description: Lists all Security Events Provider instances + operationId: listSecurityEventsProviderInstances + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + list: + $ref: '#/components/examples/ListOfSecurityEventsProviderInstances' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.read + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: - summary: Create a Session with session token - description: Creates a new Session for a user with a valid session token. Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it, or want to hold the session ID to delete a session through the API instead of visiting the logout URL. 
- operationId: createSession - x-codegen-request-body-name: createSessionRequest + summary: Create a Security Events Provider + description: Creates a Security Events Provider instance + operationId: createSecurityEventsProviderInstance + x-codegen-request-body-name: instance requestBody: + required: true content: application/json: schema: - $ref: '#/components/schemas/CreateSessionRequest' - required: true + $ref: '#/components/schemas/SecurityEventsProviderRequest' + examples: + well-known-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderRequestWellKnownUrl' + issuer-and-JWKS-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl' responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/Session' + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + well-known-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' + issuer-and-JWKS-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl' '400': - description: Bad Request + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage tags: - - Session - /api/v1/sessions/{sessionId}: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/security-events-providers/{securityEventProviderId}: parameters: - - $ref: '#/components/parameters/pathSessionId' + - $ref: '#/components/parameters/pathSecurityEventProviderId' get: - summary: Retrieve a Session - description: Retrieves information about the Session specified by the given session ID - operationId: getSession + summary: 
Retrieve the Security Events Provider + description: Retrieves the Security Events Provider instance specified by `id` + operationId: getSecurityEventsProviderInstance responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/Session' + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + get: + $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.read + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a Security Events Provider + description: Replaces a Security Events Provider instance specified by `id` + operationId: replaceSecurityEventsProviderInstance + x-codegen-request-body-name: instance + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderRequest' + examples: + well-known-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderRequestWellKnownUrl' + issuer-and-JWKS-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + well-known-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' + issuer-and-JWKS-URL-provided: + $ref: '#/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl' '400': - description: Bad Request + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: 
'#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - - okta.sessions.read + - okta.securityEventsProviders.manage tags: - - Session + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: - summary: Revoke a Session - description: Revokes the specified Session - operationId: revokeSession + summary: Delete a Security Events Provider + description: Deletes a Security Events Provider instance specified by `id` + operationId: deleteSecurityEventsProviderInstance responses: '204': description: No Content content: {} + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -13949,74 +19488,104 @@ paths: security: - apiToken: [] - oauth2: - - okta.sessions.manage + - okta.securityEventsProviders.manage tags: - - Session - /api/v1/sessions/{sessionId}/lifecycle/refresh: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/activate: parameters: - - $ref: '#/components/parameters/pathSessionId' + - $ref: '#/components/parameters/pathSecurityEventProviderId' post: - summary: Refresh a Session - description: Refreshes an existing Session using the `id` for that Session. A successful response contains the refreshed Session with an updated `expiresAt` timestamp. - operationId: refreshSession + summary: Activate a Security Events Provider + description: |- + Activates a Security Events Provider instance by setting its status to `ACTIVE`. + This operation resumes the flow of events from the Security Events Provider to Okta. + operationId: activateSecurityEventsProviderInstance responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/Session' + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + activatedInstance: + $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - description: Not Found + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - - okta.sessions.manage + - okta.securityEventsProviders.manage tags: - - Session - /api/v1/templates/sms: - get: - summary: List all SMS Templates - description: Lists all custom SMS templates. A subset of templates can be returned that match a template type. 
- operationId: listSmsTemplates - parameters: - - name: templateType - in: query - schema: - $ref: '#/components/schemas/SmsTemplateType' + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathSecurityEventProviderId' + post: + summary: Deactivate a Security Events Provider + description: |- + Deactivates a Security Events Provider instance by setting its status to `INACTIVE`. + This operation stops the flow of events from the Security Events Provider to Okta. + operationId: deactivateSecurityEventsProviderInstance responses: '200': - description: Success + description: OK content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + deactivatedInstance: + $ref: '#/components/examples/DeactivatedSecurityEventsProviderResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - - okta.templates.read + - okta.securityEventsProviders.manage tags: - - Template + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/sessions: post: - summary: Create an SMS Template - description: Creates a new custom SMS template - operationId: createSmsTemplate - x-codegen-request-body-name: smsTemplate + summary: Create a Session with session token + description: Creates a new Session for a user with a valid session token. 
Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it, or want to hold the session ID to delete a session through the API instead of visiting the logout URL. + operationId: createSession + x-codegen-request-body-name: createSessionRequest requestBody: content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/CreateSessionRequest' + examples: + SessionsCreate: + $ref: '#/components/examples/CreateSessionBody' required: true responses: '200': 
@@ -14024,113 +19593,160 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/Session' + examples: + SessionsCreate: + summary: Create a new Session with a valid session token + $ref: '#/components/examples/CreateSessionResponse' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - - oauth2: - - okta.templates.manage tags: - - Template - /api/v1/templates/sms/{templateId}: - parameters: - - $ref: '#/components/parameters/pathTemplateId' + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/me: get: - summary: Retrieve an SMS Template - description: Retrieves a specific template by `id` - operationId: getSmsTemplate + summary: Retrieve the current Session + description: |- + Retrieves Session information for the current user. Use this method in a browser-based application to determine if the user is signed in. + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. 
+ operationId: getCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/schemas/Session' + examples: + CurrentSessionsRetrieve: + summary: Retrieve current Session information + $ref: '#/components/examples/RetrieveCurrentSessionResponse' + '404': + description: Not Found + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Close the current Session + description: |- + Closes the Session for the user who is currently signed in. Use this method in a browser-based application to sign out a user. + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. 
+ operationId: closeCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '204': + description: No Content + content: {} '404': $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.templates.read + security: [] tags: - - Template + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/me/lifecycle/refresh: post: - summary: Update an SMS Template - description: Updates an SMS template - operationId: updateSmsTemplate - x-codegen-request-body-name: smsTemplate - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - required: true + summary: Refresh the current Session + description: |- + Refreshes the Session for the current user + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. 
+ operationId: refreshCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' + $ref: '#/components/schemas/Session' + examples: + CurrentSessionsRefresh: + summary: Refersh current Session + $ref: '#/components/examples/RefreshCurrentSessionResponse' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.templates.manage + description: Not Found + security: [] tags: - - Template - put: - summary: Replace an SMS Template - description: Replaces the SMS template - operationId: replaceSmsTemplate - x-codegen-request-body-name: smsTemplate - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - required: true + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/{sessionId}: + parameters: + - $ref: '#/components/parameters/pathSessionId' + get: + summary: Retrieve a Session + description: Retrieves information about the Session specified by the given session ID + operationId: getSession responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/SmsTemplate' + $ref: '#/components/schemas/Session' + examples: + SessionsRetrieve: + summary: Retrieve Session information for a single session ID + $ref: '#/components/examples/RetrieveSessionResponse' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + description: Bad Request '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: 
'#/components/responses/ErrorResourceNotFound404' + description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - - okta.templates.manage + - okta.sessions.read tags: - - Template + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete an SMS Template - description: Deletes an SMS template - operationId: deleteSmsTemplate + summary: Revoke a Session + description: Revokes the specified Session + operationId: revokeSession responses: '204': description: No Content 
@@ -14144,13 +19760,478 @@ paths: security: - apiToken: [] - oauth2: - - okta.templates.manage + - okta.sessions.manage tags: - - Template - /api/v1/threats/configuration: - get: - summary: Retrieve the ThreatInsight Configuration - description: Retrieves the ThreatInsight configuration for the org + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/{sessionId}/lifecycle/refresh: + parameters: + - $ref: '#/components/parameters/pathSessionId' + post: + summary: Refresh a Session + description: Refreshes an existing Session using the `id` for that Session. A successful response contains the refreshed Session with an updated `expiresAt` timestamp. + operationId: refreshSession + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + SessionsRefresh: + summary: Refresh an existing Session using the session ID + $ref: '#/components/examples/RefreshSessionResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.sessions.manage + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/ssf/stream: + get: + summary: Retrieve the SSF Stream configuration(s) + description: |- + Retrieves either a list of all known SSF Stream configurations or the individual configuration if specified by ID. + + As Stream configurations are tied to a Client ID, only the Stream associated with the Client ID of the request OAuth 2.0 access token can be viewed. 
+ operationId: getSsfStreams + parameters: + - in: query + name: stream_id + schema: + type: string + example: esc1k235GIIztAuGK0g5 + description: The ID of the specified SSF Stream configuration + responses: + '200': + description: OK + content: + application/json: + schema: + oneOf: + - type: array + title: List of Stream Configurations + items: + $ref: '#/components/schemas/StreamConfiguration' + - $ref: '#/components/schemas/StreamConfiguration' + examples: + listResponse: + $ref: '#/components/examples/listStreamConfigurationExample' + individualStreamResponse: + $ref: '#/components/examples/streamConfigurationExample' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.read + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create an SSF Stream + description: |- + Creates an SSF Stream for an event receiver to start receiving security events in the form of Security Event Tokens (SETs) from Okta. + + An SSF Stream is associated with the Client ID of the OAuth 2.0 access token used to create the stream. The Client ID is provided by Okta for an [OAuth 2.0 app integration](https://help.okta.com/okta_help.htm?id=ext_Apps_App_Integration_Wizard-oidc). One SSF Stream is allowed for each Client ID, hence, one SSF Stream is allowed for each app integration in Okta. + + A maximum of 10 SSF Stream configurations can be created for one org. 
+ operationId: createSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfigurationCreateRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace an SSF Stream + description: |- + Replaces all properties for an existing SSF Stream configuration. + + If the `stream_id` isn't provided in the request body, the associated stream with the Client ID (through the request OAuth 2.0 access token) is replaced. + operationId: replaceSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + patch: + summary: Update an SSF Stream + description: |- + Updates properties for an existing SSF Stream configuration. 
+ + If the `stream_id` isn't provided in the request body, the associated stream with the Client ID (through the request OAuth 2.0 access token) is updated. + operationId: updateSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete an SSF Stream + description: |- + Deletes the specified SSF Stream. + + If the `stream_id` is not provided in the query string, the associated stream with the Client ID (through the request OAuth 2.0 access token) is deleted. Otherwise, the SSF Stream with the `stream_id` is deleted, if found. 
+ operationId: deleteSsfStream + parameters: + - in: query + name: stream_id + schema: + type: string + example: esc1k235GIIztAuGK0g5 + description: The ID of the specified SSF Stream configuration + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/templates/sms: + get: + summary: List all SMS Templates + description: Lists all custom SMS templates. A subset of templates can be returned that match a template type. + operationId: listSmsTemplates + parameters: + - name: templateType + in: query + schema: + $ref: '#/components/schemas/SmsTemplateType' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SmsTemplate' + examples: + SMS Template List response: + $ref: '#/components/examples/SMSTemplateListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.read + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an SMS Template + description: Creates a new custom SMS template + operationId: createSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Create an SMS Template request: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest' + required: true + 
responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Create an SMS Template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/templates/sms/{templateId}: + parameters: + - $ref: '#/components/parameters/pathTemplateId' + get: + summary: Retrieve an SMS Template + description: Retrieves a specific template by `id` + operationId: getSmsTemplate + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Get an SMS template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.read + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an SMS Template + description: | + Updates only some of the SMS Template properties: + * All properties within the custom SMS Template that have values are updated. + * Any translation that doesn't exist is added. + * Any translation with a null or empty value is removed. + * Any translation with non-empty/null value is updated. 
+ operationId: updateSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Update an SMS Template request: + $ref: '#/components/examples/UpdateSMSTemplateRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Update an SMS Template response: + $ref: '#/components/examples/UpdateSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an SMS Template + description: | + Replaces the SMS Template + > **Notes:** You can't update the default SMS Template. 
+ operationId: replaceSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Replace an SMS Template request: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Replace an SMS Template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an SMS Template + description: Deletes an SMS template + operationId: deleteSmsTemplate + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/threats/configuration: + get: + summary: Retrieve the ThreatInsight Configuration + description: Retrieves the ThreatInsight configuration for the org operationId: getCurrentConfiguration responses: '200': @@ -14172,6 +20253,9 @@ paths: - okta.threatInsights.read tags: - ThreatInsight + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update the ThreatInsight Configuration description: Updates the ThreatInsight configuration for the org 
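Review bot: the SSF Stream operations never say which error is returned when the limits stated in `createSsfStream` are hit (one stream per Client ID, a maximum of 10 per org); only `'400'`, `'401'`, `'403'` and `'429'` are listed, so a caller cannot tell a validation failure from a limit conflict. Add the status the service actually returns (a `409` with its own response component if that is the behaviour, otherwise state the limit case under `'400'`). Likewise `getSsfStreams` says only the stream tied to the token's Client ID can be viewed but still accepts an arbitrary `stream_id`; state whether a `stream_id` owned by another client yields `'404'` or `'403'`, since both are listed. Smaller points in the same hunk: `createSmsTemplate` returns `'200'` on create while `createSsfStream` returns `'201'`; the `templateType` query parameter of `listSmsTemplates` has no `description`; in `updateSmsTemplate` the bullet `Any translation with non-empty/null value is updated` should read `non-empty, non-null`; and `> **Notes:**` on `replaceSmsTemplate` introduces a single note.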
@@ -14208,6 +20292,9 @@ paths: - okta.threatInsights.manage tags: - ThreatInsight + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/trustedOrigins: get: summary: List all Trusted Origins @@ -14215,23 +20302,32 @@ paths: operationId: listTrustedOrigins parameters: - name: q + description: A search string that will prefix match against the `name` and `origin` in: query schema: type: string - name: filter + description: | + [Filter](/#filter) Trusted Origins with a supported expression for a subset of properties. You can filter on the following properties: `name`, `origin`, `status`, and `type` (type of scopes). in: query schema: type: string + examples: + By name: + value: name eq "Example Trusted Origin" - name: after + description: The after cursor provided by a prior request. in: query schema: type: string - name: limit + description: Specifies the number of results. in: query schema: type: integer format: int32 - default: -1 + default: 20 + maximum: 200 responses: '200': description: Success @@ -14241,6 +20337,9 @@ paths: type: array items: $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginsResponse: + $ref: '#/components/examples/TrustedOriginsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -14251,6 +20350,9 @@ paths: - okta.trustedOrigins.read tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Trusted Origin description: Creates a trusted origin 
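Review bot: changing `limit` on `listTrustedOrigins` from `default: -1` to `default: 20` with `maximum: 200` is a behavioural change, not a documentation fix: callers that omitted `limit` to receive every Trusted Origin will now silently get a first page of 20 and must follow the `after` cursor. Call this out in the release notes, and make the `after` description say where the cursor is provided rather than only `provided by a prior request`. Also, `[Filter](/#filter)` in the `filter` description is a root-relative link while the rest of this file uses absolute developer.okta.com URLs.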
@@ -14260,7 +20362,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/TrustedOrigin' + $ref: '#/components/schemas/TrustedOriginWrite' + examples: + TrustedOriginBody: + $ref: '#/components/examples/TrustedOriginBody' + TrustedOriginBodyWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginBodyWithIframeEmbedding' + TrustedOriginBodyWithIframeEmbeddingSignIn: + $ref: '#/components/examples/TrustedOriginBodyWithIframeEmbeddingSignIn' required: true responses: '200': @@ -14269,6 +20378,13 @@ paths: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' + TrustedOriginResponseWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbedding' + TrustedOriginResponseWithIframeEmbeddingSignIn: + $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -14281,6 +20397,9 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}: parameters: - $ref: '#/components/parameters/pathTrustedOriginId' @@ -14295,6 +20414,13 @@ paths: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' + TrustedOriginResponseWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbedding' + TrustedOriginResponseWithIframeEmbeddingSignIn: + $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -14307,6 +20433,9 @@ paths: - okta.trustedOrigins.read tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Trusted Origin description: Replaces a trusted origin @@ -14317,6 +20446,11 @@ paths: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginPutBody: + $ref: '#/components/examples/TrustedOriginPutBody' + TrustedOriginPutBodyWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginPutBodyWithIframeEmbedding' required: true responses: '200': @@ -14325,6 +20459,11 @@ paths: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginPutResponse: + $ref: '#/components/examples/TrustedOriginPutResponse' + TrustedOriginPutResponseWithIFrameEmbedding: + $ref: '#/components/examples/TrustedOriginPutResponseWithIframeEmbedding' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -14339,6 +20478,9 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Trusted Origin description: Deletes a trusted origin @@ -14359,12 +20501,15 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathTrustedOriginId' post: summary: Activate a Trusted Origin - description: Activates a trusted origin + description: Activates a Trusted Origin. Sets the `status` to `ACTIVE`. operationId: activateTrustedOrigin responses: '200': @@ -14373,6 +20518,9 @@ paths: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
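Review bot: the `put` on `/api/v1/trustedOrigins/{trustedOriginId}` still takes `$ref: '#/components/schemas/TrustedOrigin'` as its request body while the `post` in the preceding hunks was switched to `TrustedOriginWrite`; if `TrustedOriginWrite` exists to exclude server-managed fields, the replace operation should use it too, otherwise the two write paths advertise different accepted inputs. Also, the example key `TrustedOriginPutResponseWithIFrameEmbedding` spells `IFrame` where every sibling key and the component it references use `Iframe`.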
@@ -14385,12 +20533,15 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathTrustedOriginId' post: summary: Deactivate a Trusted Origin - description: Deactivates a trusted origin + description: Deactivates a Trusted Origin. Sets the `status` to `INACTIVE`. operationId: deactivateTrustedOrigin responses: '200': @@ -14399,6 +20550,9 @@ paths: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginInactiveResponse: + $ref: '#/components/examples/TrustedOriginInactiveResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -14411,15 +20565,27 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users: get: - summary: List all Users - description: Lists all users that do not have a status of 'DEPROVISIONED' (by default), up to the maximum (200 for most orgs), with pagination. A subset of users can be returned that match a supported filter expression or search criteria. + summary: List all users + description: |- + Lists users in your org, with pagination in most cases. + + A subset of users can be returned that match a supported filter expression or search criteria. operationId: listUsers parameters: + - $ref: '#/components/parameters/OktaResponse' - name: q in: query - description: Finds a user that matches firstName, lastName, and email properties + description: |- + Finds users who match the specified query. This doesn't support pagination. + + This might not deliver optimal performance for large orgs, and is deprecated for such use cases. To ensure optimal performance, use a [`search` parameter](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!in=query&path=search&t=request) instead. + + Use the `q` parameter for a simple lookup of users by name, for example when creating a people picker. The value of `q` is matched against `firstName`, `lastName`, or `email`. This performs a `startsWith` match, but this is an implementation detail and can change without notice. You don't need to specify `firstName`, `lastName`, or `email`. schema: type: string - $ref: '#/components/parameters/queryAfter' 
@@ -14432,21 +20598,72 @@ paths: default: 200 - name: filter in: query - description: Filters users with a supported expression for a subset of properties + description: |- + Filters users with a supported expression for a subset of properties. + + This requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Filtering is case-sensitive for attribute names and query values, while attribute operators are case-insensitive. + + Filtering supports the following limited number of properties: `status`, `lastUpdated`, `id`, `profile.login`, `profile.email`, `profile.firstName`, and `profile.lastName`. + + Additionally, filtering supports only the equal `eq` operator from the standard Okta API filtering semantics, except in the case of the `lastUpdated` property. This property can also use the inequality operators (`gt`, `ge`, `lt`, and `le`). For logical operators, only the logical operators `and` and `or` are supported. The `not` operator isn't supported. See [Filtering](https://developer.okta.com/docs/api/#filter) and [Operators](https://developer.okta.com/docs/api/#operators). 
schema: type: string + examples: + filterByStatus: + value: status eq "LOCKED_OUT" + summary: Filter users with status of `LOCKED_OUT` + filterByLogin: + value: profile.login eq "login@example.com" + summary: Filter users with a specified `login` + filterByDateRange: + value: filter=lastUpdated gt "2013-06-01T00:00:00.000Z" and lastUpdated lt "2014-01-01T00:00:00.000Z" + summary: Filter users updated after 06/01/2013 but before 01/01/2014 + filterByTypeAndProfileLastUpdatedAfterDate: + value: lastUpdated gt "2013-06-01T00:00:00.000Z" and (status eq "LOCKED_OUT" or status eq "RECOVERY") + summary: Filter users updated after 06/01/2013 but with a status of `LOCKED_OUT` or `RECOVERY` - name: search in: query - description: Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. + description: |- + Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Use an ID lookup for records that you update to ensure your results contain the latest data. + + Property names in the search parameter are case sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac.brock` finds `Isaac.Brock`, but doesn't find a property whose value is `isáàc.bröck`. This operation requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `search=profile.department eq "Engineering"` is encoded as `search=profile.department%20eq%20%22Engineering%22`. + + > **Note:** If you use the special character `"` within a quoted string, it must also be escaped `\` and encoded. 
For example, `search=profile.lastName eq "bob"smith"` is encoded as `search=profile.lastName%20eq%20%22bob%5C%22smith%22`. + + This operation searches many properties: + * Any user profile property, including custom-defined properties + * The top-level properties `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated` + * The [user type](https://developer.okta.com/docs/reference/api/user-types/) accessed as `type.id` + + You can also use `sortBy` and `sortOrder` parameters. The `ne` (not equal) operator isn't supported, but you can obtain the same result by using `lt ... or ... gt`. For example, to see all users except those that have a status of `STAGED`, use `(status lt "STAGED" or status gt "STAGED")`. + + You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the [SCIM Protocol Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter). 
schema: type: string + examples: + searchByStatus: + value: status eq "STAGED" + summary: Search for users that have a status of `STAGED` + searchByLastUpdatedAfterDate: + value: lastUpdated gt "2014-01-01T00:00:00.000Z" + summary: Search for users that have last updated after a specific timestamp + searchById: + value: id eq "00u1ero7vZFVEIYLWPBN" + summary: Search for groups with the specified ID (`00gak46y5hydV6NdM0g4`) + searchByProfileDepartmentCreatedAndStatus: + value: profile.department eq "Engineering" and (created lt "2014-01-01T00:00:00.000Z" or status eq "ACTIVE") + summary: Search for users in the department of `Engineering` who were created before `01/01/2014` or have a status of `ACTIVE` + searchArrayAttributes: + value: profile.arrayAttr eq "arrayAttrVal1" + summary: Searches for properties that are arrays. Custom user attribute `arrayAttr` that contains values ["arrayAttrVal1", "arrayAttrVal2"...] - name: sortBy in: query + description: Specifies field to sort by (for search queries only). This can be any single property, for example `sortBy=profile.lastName`. Users with the same value for the `sortBy` property will be ordered by `id`. schema: type: string - name: sortOrder in: query - description: Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. + description: Specifies sort order asc or desc (for search queries only). Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. `sortOrder` is ignored if `sortBy` is not present. schema: type: string responses: @@ -14460,12 +20677,7 @@ paths: $ref: '#/components/schemas/User' examples: UserList: - $ref: '#/components/examples/ListUsersResponse' - x-okta-feature-flag-amends: - UD_REALMS: - examples: - UserList: - $ref: '#/components/examples/ListRealmAwareUsersResponse' + $ref: '#/components/examples/ListRealmAwareUsersResponse' '403': description: Forbidden content: 
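Review bot: three of the new example values in the `listUsers` parameters hunk are wrong as written. `filterByDateRange` has `value: filter=lastUpdated gt ...`, so the `filter=` prefix would be sent as part of the value; drop it to match the other examples. `searchById` queries `id eq "00u1ero7vZFVEIYLWPBN"` but its summary says `Search for groups with the specified ID (00gak46y5hydV6NdM0g4)`, a group ID copied from elsewhere. In the `search` description the unencoded form `search=profile.lastName eq "bob"smith"` lacks the backslash the preceding sentence says is required, although the encoded form does contain `%5C`; write it as `"bob\"smith"`. Finally, `filterByTypeAndProfileLastUpdatedAfterDate` filters on `status`, not on type or profile, so the key misdescribes the example.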
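Review bot: removing the `x-okta-feature-flag-amends: UD_REALMS` block and pointing `UserList` straight at `ListRealmAwareUsersResponse` makes the realm-aware payload the documented default response for every org; if realm properties only appear when that feature is enabled, the example now shows fields some readers will never receive. Either keep the amend or state the feature dependency in the example.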
@@ -14480,20 +20692,37 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a User + summary: Create a user description: |- - Creates a new user in your Okta organization with or without credentials<br> - > **Legal Disclaimer**<br> - After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, - you agreed not to use Okta's service/product to spam and/or send unsolicited messages. - Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all - liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. + Creates a new user in your Okta org with or without credentials.<br> + > **Legal Disclaimer** + > + > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, + > you agreed not to use Okta's service/product to spam and/or send unsolicited messages. + > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all + > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. + + All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships). + * The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation. + * The user's `status` is `ACTIVE` when the activation process is complete. + + The user is emailed a one-time activation token if activated without a password. 
+ + > **Note:** If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user. + + > **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password. + + For more information about the various scenarios of creating a user listed in the examples, see the [User creation scenarios](/openapi/okta-management/management/tag/User/#user-creation-scenarios) section. operationId: createUser parameters: - name: activate in: query - description: Executes activation lifecycle operation when creating the user + description: Executes an [activation lifecycle](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user schema: type: boolean default: true @@ -14505,7 +20734,7 @@ paths: default: false - name: nextLogin in: query - description: With activate=true, set nextLogin to "changePassword" to have the password be EXPIRED, so user must change it the next time they log in. + description: With `activate=true`, if `nextLogin=changePassword`, a user is created, activated, and the password is set to `EXPIRED`. The user must change it the next time they sign in. schema: $ref: '#/components/schemas/UserNextLogin' x-okta-added-version: 0.14.0 
@@ -14515,6 +20744,25 @@ paths: application/json: schema: $ref: '#/components/schemas/CreateUserRequest' + examples: + Create user without credentials: + $ref: '#/components/examples/create-user-without-credentials-request' + Create user with recovery question: + $ref: '#/components/examples/create-user-with-recovery-question-request' + Create user with password: + $ref: '#/components/examples/create-user-with-password-request' + Create user with imported hashed password: + $ref: '#/components/examples/create-user-with-imported-hashed-password-request' + Create user with password import inline hook: + $ref: '#/components/examples/create-user-with-password-import-inline-hook-request' + Create user with password and recovery question: + $ref: '#/components/examples/create-user-with-password-and-recovery-question-request' + Create user with authentication provider: + $ref: '#/components/examples/create-user-with-authentication-provider-request' + Create user in group: + $ref: '#/components/examples/create-user-in-group-request' + Create user with non-default user type: + $ref: '#/components/examples/create-user-with-non-default-user-type-request' required: true responses: '200': 
@@ -14523,6 +20771,25 @@ paths: application/json: schema: $ref: '#/components/schemas/User' + examples: + Create user without credentials: + $ref: '#/components/examples/create-user-without-credentials-response' + Create user with recovery question: + $ref: '#/components/examples/create-user-with-recovery-question-response' + Create user with password: + $ref: '#/components/examples/create-user-with-password-response' + Create user with imported hashed password: + $ref: '#/components/examples/create-user-with-imported-hashed-password-response' + Create user with password import inline hook: + $ref: '#/components/examples/create-user-with-password-import-inline-hook-response' + Create user with password and recovery question: + $ref: '#/components/examples/create-user-with-password-and-recovery-question-response' + Create user with authentication provider: + $ref: '#/components/examples/create-user-with-authentication-provider-response' + Create user in group: + $ref: '#/components/examples/create-user-in-group-response' + Create user with non-default user type: + $ref: '#/components/examples/create-user-with-non-default-user-type-response' '400': description: Bad Request content: 
@@ -14550,20 +20817,70 @@ paths: - okta.users.manage tags: - User - /api/v1/users/{userId}: + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/me/lifecycle/delete_sessions: + post: + summary: End a current User session + description: |- + Ends Okta sessions for the currently signed in User. By default, the current session remains active. Use this method in a browser-based app. + > **Note:** This operation requires a session cookie for the User. The API token isn't allowed for this operation. + operationId: endUserSessions + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeepCurrent' + responses: + '200': + description: OK + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: [] + tags: + - UserSessions + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{id}: parameters: - - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathId' get: - summary: Retrieve a User - description: Retrieves a user from your Okta organization + summary: Retrieve a user + description: |- + Retrieves a user from your Okta org. + + You can substitute `me` for the `id` to fetch the current user linked to an API token or session cookie. + * The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token is returned. + * When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header. 
+ + When fetching a user by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. If you don't know a user's ID, you can use the [List all users](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) endpoint to find it. + + > **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). operationId: getUser + parameters: + - $ref: '#/components/parameters/OktaResponse' + - $ref: '#/components/parameters/queryUserExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/UserGetSingleton' + examples: + GetUserExample: + $ref: '#/components/examples/user-example' '403': description: Forbidden content: 
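Review bot: The `security` block of the new `/api/v1/users/me/lifecycle/delete_sessions` operation contradicts its own description. The description says the operation requires a session cookie and that "The API token isn't allowed", yet `security` lists `- apiToken: []` and `- oauth2: []`, so generated clients and rendered docs will advertise API-token access the server rejects, and an empty `oauth2` scope list tells a reader nothing about what is enforced. Remove the `apiToken` entry and either give `oauth2` its real scope or drop it as well. Two smaller points in the same hunk: the `getUser` description should read "Details of the admin user who granted the API token are returned", and renaming the path parameter from `{userId}`/`pathUserId` to `{id}`/`pathId` only on this path while sibling paths keep `{userId}` is an inconsistency that also changes generated SDK signatures; if intentional, note it in the changelog.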
@@ -14584,21 +20901,46 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update a User - description: Updates a user partially determined by the request parameters + summary: Update a user + description: |- + Updates a user's profile or credentials with partial update semantics. + + > **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`. + + `profile` and `credentials` can be updated independently or together with a single request. + > **Note**: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object, + the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type. + + > **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked. + > + > A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification. + + If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the `Reset Password`, `Forgot Password`, and `Change Password` endpoints. 
operationId: updateUser parameters: - name: strict in: query schema: type: boolean + description: If true, validates against minimum age and history password policy x-codegen-request-body-name: user requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserRequest' + examples: + Update user Profile: + $ref: '#/components/examples/update-user-profile-request' + Update user password: + $ref: '#/components/examples/update-user-set-password-request' + Set recovery question and answer: + $ref: '#/components/examples/update-user-set-recovery-question-and-answer' required: true responses: '200': @@ -14607,6 +20949,9 @@ paths: application/json: schema: $ref: '#/components/schemas/User' + examples: + Update user Response: + $ref: '#/components/examples/user-example' '400': description: Bad Request content: @@ -14633,13 +20978,22 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a User - description: Replaces a user's profile and/or credentials using strict-update semantics + summary: Replace a user + description: |- + Replaces a user's profile, credentials, or both using strict-update semantics. + + All profile properties must be specified when updating a user's profile with a `PUT` method. Any property not specified in the request is deleted. + > **Important:** Don't use a `PUT` method for partial updates. operationId: replaceUser parameters: - name: strict in: query + description: If `true`, validates against minimum age and history password policy schema: type: boolean x-okta-added-version: 1.10.0 @@ -14648,7 +21002,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/UpdateUserRequest' + examples: + Replace user Request: + $ref: '#/components/examples/replace-user-request' required: true responses: '200': 
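Review bot: The `strict` query parameter is documented inconsistently between `updateUser` and `replaceUser` in this region: on the POST the new `description` sits after `schema` and writes "If true", on the PUT it sits before `schema` and writes "If `true`". Use one ordering and one wording for both. In the `replaceUser` hunk (`@@ -14648,7 +21002,10 @@`) the request body schema changes from `User` to `UpdateUserRequest`, which alters the generated request type; since the PUT description itself warns that every unspecified property is deleted, flag that type change explicitly so integrators review their PUT payloads rather than discovering profile data wiped in production.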
@@ -14657,6 +21014,9 @@ paths: application/json: schema: $ref: '#/components/schemas/User' + examples: + Replace user Response: + $ref: '#/components/examples/user-example' '400': description: Bad Request content: @@ -14683,17 +21043,36 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a User - description: Deletes a user permanently. This operation can only be performed on users that have a `DEPROVISIONED` status. **This action cannot be recovered!**. Calling this on an `ACTIVE` user will transition the user to `DEPROVISIONED`. + summary: Delete a user + description: |- + Deletes a user permanently. This operation can only be performed on users that have a `DEPROVISIONED` status. **This action can't be recovered!** + + This operation on a user that hasn't been deactivated causes that user to be deactivated. A second delete operation is required to delete the user. + + > **Note:** You can also perform user deletion asynchronously. To invoke asynchronous user deletion, pass an HTTP header `Prefer: respond-async` with the request. + + This header is also supported by user deactivation, which is performed if the delete endpoint is invoked on a user that hasn't been deactivated. operationId: deleteUser parameters: - name: sendEmail in: query + description: Sends a deactivation email to the admin if `true` schema: type: boolean default: false x-okta-added-version: 1.5.0 + - name: Prefer + in: header + required: false + schema: + type: string + enum: + - respond-async responses: '204': description: No Content 
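Review bot: The new `Prefer` header on `deleteUser` (enum `respond-async`) introduces an asynchronous mode, but the responses visible here still begin with only `'204': No Content`; if the asynchronous path answers with a different status, add that response, and if it does not, say so in the header's description (the parameter currently has no `description` at all). The description's most consequential statement, that calling DELETE on a user who hasn't been deactivated deactivates them instead, is buried in the middle paragraph; move it next to the first sentence so an integrator writing a cleanup job sees the side effect before the recovery warning.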
@@ -14724,22 +21103,39 @@ paths: - okta.users.manage tags: - User - /api/v1/users/{userId}/appLinks: + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{id}/lifecycle/reactivate: parameters: - - $ref: '#/components/parameters/pathUserId' - get: - summary: List all Assigned Application Links - description: Lists all appLinks for all direct or indirect (via group membership) assigned applications - operationId: listAppLinks + - $ref: '#/components/parameters/pathId' + post: + summary: Reactivate a User + description: |- + Reactivates a user. + + This operation can only be performed on Users with a `PROVISIONED` or `RECOVERY` [status](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response). + This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser). + + Users that don't have a password must complete the flow by completing [Reset Password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) and MFA enrollment steps to transition the user to `ACTIVE` status. + + If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. + operationId: reactivateUser + parameters: + - name: sendEmail + in: query + description: Sends an activation email to the user if `true` + schema: + type: boolean + default: false responses: '200': description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/AppLink' + $ref: '#/components/schemas/UserActivationToken' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
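Review bot: `reactivateUser` returns `UserActivationToken`, and the description says that with `sendEmail` `false` (the default here) the response contains an activation link whose token "can be used to create a custom activation link". That token lets its holder complete account setup, so the description should state that the returned value is a secret to be delivered to the user over a trusted channel and kept out of logs; a reader comparing this with `forgotPassword` will also notice the defaults differ (`false` here, `true` there), which is worth a sentence of justification.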
@@ -14749,30 +21145,29 @@ paths: security: - apiToken: [] - oauth2: - - okta.users.read + - okta.users.manage tags: - - User - /api/v1/users/{userId}/blocks: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userIdOrLogin}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: parameters: - - $ref: '#/components/parameters/pathUserId' - get: - summary: List all User Blocks - description: Lists information about how the user is blocked from accessing their account - operationId: listUserBlocks + - $ref: '#/components/parameters/pathUserIdOrLogin' + - $ref: '#/components/parameters/pathPrimaryRelationshipName' + - $ref: '#/components/parameters/pathPrimaryUserId' + put: + summary: Assign a Linked Object value for primary + description: |- + Assigns the first User as the `associated` and the second User as the `primary` for the specified relationship. + + If the first User is already associated with a different `primary` for this relationship, the previous link is removed. A Linked Object relationship can specify only one primary User for an associated User. + operationId: assignLinkedObjectValueForPrimary responses: - '200': + '204': description: Success - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/UserBlock' - examples: - BlocksUnknownDevices: - $ref: '#/components/examples/ListUserBlocksUnknownDevicesResponse' - BlocksAnyDevices: - $ref: '#/components/examples/ListUserBlocksAnyDevicesResponse' + content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
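Review bot: The `'204'` response of `assignLinkedObjectValueForPrimary` is described as "Success", whereas the other `204` responses in this patch (`deleteLinkedObjectForUser`, `deleteUser`) use "No Content". Use "No Content" here for consistency; the `content: {}` is fine.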
@@ -14780,17 +21175,160 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - oauth2: - - okta.users.read + - okta.users.manage tags: - - User - /api/v1/users/{userId}/clients: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}: + parameters: + - $ref: '#/components/parameters/pathUserIdOrLogin' + - $ref: '#/components/parameters/pathRelationshipName' + get: + summary: List the primary or all of the associated Linked Object values + description: |- + Lists either the `self` link for the primary User or all associated Users in the relationship specified by `relationshipName`. If the specified User isn't associated in any relationship, an empty array is returned. + + Use `me` instead of `id` to specify the current session User. + operationId: listLinkedObjectsForUser + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/ResponseLinks' + examples: + GetPrimaryLinkedObjectResponse: + $ref: '#/components/examples/GetPrimaryLinkedObjectResponse' + GetAssociatedLinkedObjectResponse: + $ref: '#/components/examples/GetAssociatedLinkedObjectsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a Linked Object value + description: |- + Deletes any existing relationship between the `associated` and `primary` user. For the `associated` User, this is specified by the ID. The `primary` name specifies the relationship. 
+ + The operation is successful if the relationship is deleted or if the specified User isn't in the `associated` relationship for any instance of the specified `primary` and thus, no relationship is found. + operationId: deleteLinkedObjectForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/appLinks: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all Assigned App Links + description: Lists all App Links for all direct or indirect (via group membership) assigned apps + operationId: listAppLinks + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AppLink' + examples: + List App Links: + $ref: '#/components/examples/ListAppLinks' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/blocks: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all user blocks + description: Lists information about how the user is blocked from accessing their account + operationId: listUserBlocks + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserBlock' + examples: + BlocksUnknownDevices: + $ref: 
'#/components/examples/ListUserBlocksUnknownDevicesResponse' + BlocksAnyDevices: + $ref: '#/components/examples/ListUserBlocksAnyDevicesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/clients: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all Clients - description: Lists all client resources for which the specified user has grants or tokens + description: Lists all Client resources for which the specified User has grants or tokens operationId: listUserClients responses: '200': @@ -14801,6 +21339,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2Client' + examples: + List User Clients: + $ref: '#/components/examples/ListUserClients' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
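Review bot: The `security` block that this hunk leaves on `assignLinkedObjectValueForPrimary` drops `- apiToken: []` (the removed line belonged to the old `listUserBlocks` block, and the PUT ends up with only `oauth2` / `okta.users.manage`), while the sibling `listLinkedObjectsForUser` and `deleteLinkedObjectForUser` operations both keep `apiToken`. If the PUT accepts API tokens, restore the entry; if it genuinely does not, state that difference in the description, because an integrator will otherwise assume the three linked-object operations share one auth model. Minor: the `listLinkedObjectsForUser` description says "Use `me` instead of `id`" but the path parameter is `{userIdOrLogin}`; name the parameter the reader actually substitutes.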
@@ -14812,29 +21353,38 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/grants: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathClientId' get: summary: List all Grants for a Client - description: Lists all grants for a specified user and client + description: Lists all Grants for a specified User and client operationId: listGrantsForUserAndClient parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string - name: after in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query + description: Specifies the number of tokens to return schema: type: integer format: int32 + minimum: 1 + maximum: 200 default: 20 responses: '200': @@ -14856,10 +21406,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke all Grants for a Client - description: Revokes all grants for the specified user and client + description: Revokes all Grants for the specified User and client operationId: revokeGrantsForUserAndClient responses: '204': 
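Review bot: Copy-paste error in the `limit` parameter of `listGrantsForUserAndClient`: the new description says "Specifies the number of tokens to return", but this endpoint lists grants; change it to "grants". The added `minimum: 1` / `maximum: 200` bounds are a good addition and should be mirrored wherever the parameter is documented.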
@@ -14876,29 +21430,39 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/tokens: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathClientId' get: summary: List all Refresh Tokens for a Client - description: Lists all refresh tokens issued for the specified User and Client + description: Lists all refresh Tokens issued for the specified User and client operationId: listRefreshTokensForUserAndClient parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string + example: scope - name: after in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query + description: Specifies the number of tokens to return schema: type: integer format: int32 + minimum: 1 + maximum: 200 default: 20 responses: '200': @@ -14920,10 +21484,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke all Refresh Tokens for a Client - description: Revokes all refresh tokens issued for the specified User and Client + description: Revokes all refresh Tokens issued for the specified User and client operationId: revokeTokensForUserAndClient responses: '204': @@ -14940,7 +21508,11 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}: parameters: - $ref: '#/components/parameters/pathUserId' 
@@ -14948,22 +21520,15 @@ paths: - $ref: '#/components/parameters/pathTokenId' get: summary: Retrieve a Refresh Token for a Client - description: Retrieves a refresh token issued for the specified User and Client + description: Retrieves a refresh Token issued for the specified User and client operationId: getRefreshTokenForUserAndClient parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string - - name: limit - in: query - schema: - type: integer - default: 20 - - name: after - in: query - schema: - type: string + example: scope responses: '200': description: Success @@ -14982,10 +21547,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a Token for a Client - description: Revokes the specified refresh token + description: Revokes the specified refresh Token operationId: revokeTokenForUserAndClient responses: '204': 
@@ -15002,19 +21571,32 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/credentials/change_password: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Change Password - description: Changes a user's password by validating the user's current password. This operation can only be performed on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid password credential + summary: Update Password + description: |- + Updates a User's password by validating the User's current Password. + + This operation provides an option to delete all the sessions of the specified User. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared. + + You can only perform this operation on Users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [Password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). + + The User transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status. operationId: changePassword parameters: - name: strict in: query + description: If true, validates against password minimum age policy schema: type: boolean + default: false x-okta-added-version: 1.10.0 x-codegen-request-body-name: changePasswordRequest requestBody: @@ -15022,6 +21604,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ChangePasswordRequest' + examples: + Change Password Request: + $ref: '#/components/examples/ChangePwdRequest' required: true responses: '200': 
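Review bot: The `strict` description on `changePassword` ("If true, validates against password minimum age policy") differs from the wording used for the same parameter on `updateUser` and `replaceUser` ("validates against minimum age and history password policy"). If password history is enforced here too, align the text; if it is deliberately not enforced on a self-service change, say so explicitly, since that is exactly the detail a policy reviewer will look for. Also backtick `true` as the other hunks do.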
@@ -15030,6 +21615,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Change Password Response: + $ref: '#/components/examples/ChangePwdResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -15043,13 +21631,19 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/credentials/change_recovery_question: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Change Recovery Question - description: Changes a user's recovery question & answer credential by validating the user's current password. This operation can only be performed on users in **STAGED**, **ACTIVE** or **RECOVERY** `status` that have a valid password credential + summary: Update Recovery Question + description: |- + Updates a User's Recovery Question and answer credential by validating the User's current Password. + You can only perform this operation on Users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [Password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). operationId: changeRecoveryQuestion x-codegen-request-body-name: userCredentials requestBody: @@ -15057,6 +21651,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Update Recovery Question Request: + $ref: '#/components/examples/UpdateRecQuestionRequest' required: true responses: '200': @@ -15065,6 +21662,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Update Recovery Question Response: + $ref: '#/components/examples/UpdateRecQuestionResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -15078,28 +21678,50 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/credentials/forgot_password: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Initiate Forgot Password - description: Initiates the forgot password flow. Generates a one-time token (OTT) that can be used to reset a user's password. + summary: Start forgot password flow + description: |- + Starts the forgot password flow. + + Generates a one-time token (OTT) that you can use to reset a User's Password. + + The User must validate their security question's answer when visiting the reset link. This operation can only be performed on Users with an ACTIVE status and + a valid [Recovery Question credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request). + + > **Note:** If you have migrated to Identity Engine, you can allow Users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr) + + If an email address is associated with multiple Users, keep in mind the following to ensure a successful password recovery lookup: + * Okta no longer includes deactivated Users in the lookup. + * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. + + If `sendEmail` is `false`, returns a link for the User to reset their Password. This operation doesn't affect the status of the User. 
operationId: forgotPassword parameters: - name: sendEmail in: query + description: Sends a forgot password email to the User if `true` required: false schema: type: boolean default: true responses: '200': - description: Reset url + description: Reset URL content: application/json: schema: $ref: '#/components/schemas/ForgotPasswordResponse' + examples: + Forgot Password Response: + $ref: '#/components/examples/ForgotPwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -15111,13 +21733,19 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/credentials/forgot_password_recovery_question: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Reset Password with Recovery Question - description: Resets the user's password to the specified password if the provided answer to the recovery question is correct + description: |- + Resets the User's password to the specified password if the provided answer to the recovery question is correct. + You must include the Recovery Question answer with the submission. operationId: forgotPasswordSetNewPassword parameters: - name: sendEmail @@ -15132,6 +21760,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Forgot Password Recovery Question Request: + $ref: '#/components/examples/ForgotPwdRecoveryQuestionRequest' required: true responses: '200': @@ -15140,6 +21771,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserCredentials' + examples: + Forgot Password Recovery Question Response: + $ref: '#/components/examples/ForgotPwdRecoveryQuestionResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
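Review bot: In the `forgotPassword` description, `ACTIVE` is the only status reference in this patch without backticks, and the Identity Engine note ends without a period after the link. More important, the sentence "If `sendEmail` is `false`, returns a link for the User to reset their Password" means `ForgotPasswordResponse` carries a password-reset URL to the API caller; add that this link is a credential-equivalent secret that must be handed to the user over a trusted channel and never logged, so integrators do not treat the response like an ordinary status object. The lookup-order bullets (sign-in ID, then primary email, then secondary email) are a useful addition for anyone reasoning about shared mailboxes.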
@@ -15153,13 +21787,17 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Factors - description: Lists all the enrolled factors for the specified user + summary: List all enrolled Factors + description: Lists all enrolled Factors for the specified user operationId: listFactors responses: '200': @@ -15170,6 +21808,9 @@ paths: type: array items: $ref: '#/components/schemas/UserFactor' + examples: + ListFactorsResponse: + $ref: '#/components/examples/ListFactorsResults' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15182,34 +21823,72 @@ paths: - okta.users.read tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Enroll a Factor - description: Enrolls a user with a supported factor + description: |- + Enrolls a supported Factor for the specified user + + > **Note:** All responses return the enrolled Factor with a status of either `PENDING_ACTIVATION`` or `ACTIVE`. + + #### Additional SMS/Call Factor information + * **Rate limits**: Okta may return a `429 Too Many Requests` status code if you attempt to resend an SMS or a voice call challenge (OTP) within the same time window. The current [rate limit](https://developer.okta.com/docs/reference/rate-limits/) is one SMS/CALL challenge per phone number every 30 seconds. + * **Existing phone numbers**: Okta may return a `400 Bad Request` status code if a user attempts to enroll with a different phone number when the user has an existing mobile phone or has an existing phone with voice call capability. A user can enroll only one mobile phone for `sms` and enroll only one voice call capable phone for `call` factor. + + #### Additional WebAuthn Factor information + **Enroll WebAuthn response parameters** + * For detailed information on the Webauthn standard, including an up-to-date list of supported browsers, see [webauthn.me](https://a0.to/webauthnme-okta-docs). + + * In the enroll API response, the `response._embedded.activation` object contains properties used to help the client to create a new WebAuthn credential for use with Okta. See the [WebAuthn spec for PublicKeyCredentialCreationOptions](https://www.w3.org/TR/webauthn/#dictionary-makecredentialoptions). + + #### Additional Custom TOTP Factor information + + **Enroll Custom TOTP Factor** + * The enrollment process involves passing both the `factorProfileId` and `sharedSecret` properties for a token. + + * A Factor Profile represents a particular configuration of the Custom TOTP factor. 
It includes certain properties that match the hardware token that end users possess, such as the HMAC algorithm, passcode length, and time interval. There can be multiple Custom TOTP factor profiles per org, but users can only enroll in one Custom TOTP factor. Admins can [create Custom TOTP factor profiles](https://help.okta.com/okta_help.htm?id=ext-mfa-totp) in the Admin Console. Then, copy the `factorProfileId` from the Admin Console into the API request. + + * <x-lifecycle class="oie"></x-lifecycle> + For Custom TOTP enrollment, Okta automaticaly enrolls a user with a `token:software:totp` factor and the `push` factor if the user isn't currently enrolled with these factors. operationId: enrollFactor parameters: - name: updatePhone + description: If `true`, indicates that you are replacing the currently registered phone number for the specified user. This parameter is ignored if the existing phone number is used by an activated Factor. in: query schema: type: boolean default: false - name: templateId in: query - description: id of SMS template (only for SMS factor) + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. If the provided ID doesn't exist, the default template is used instead. schema: type: string + example: cstk2flOtuCMDJK4b0g3 - name: tokenLifetimeSeconds + description: Defines how long the token remains valid in: query schema: type: integer format: int32 + minimum: 1 + maximum: 86400 default: 300 x-okta-added-version: 1.3.0 - name: activate + description: If `true`, the factor is immediately activated as part of the enrollment. An activation process isn't required. Currently auto-activation is supported by `sms`, `call`, `email` and `token:hotp` (Custom TOTP) Factor. in: query schema: type: boolean default: false x-okta-added-version: 1.3.0 + - name: Accept-Language + description: An ISO 639-1 two-letter language code that defines a localized message to send. 
This parameter is only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. + in: header + schema: + type: string + example: fr x-codegen-request-body-name: body requestBody: description: Factor @@ -15217,6 +21896,33 @@ paths: application/json: schema: $ref: '#/components/schemas/UserFactor' + examples: + question: + $ref: '#/components/examples/EnrollFactorQuestionRequest' + sms: + $ref: '#/components/examples/EnrollFactorSmsRequest' + call: + $ref: '#/components/examples/EnrollFactorCallRequest' + token:software:totp: + $ref: '#/components/examples/EnrollFactorOVTotpRequest' + push: + $ref: '#/components/examples/EnrollFactorOVPushRequest' + google: + $ref: '#/components/examples/EnrollFactorGoogleRequest' + rsa_securId: + $ref: '#/components/examples/EnrollFactorRsaSecurIdRequest' + symantec_vip: + $ref: '#/components/examples/EnrollFactorSymantecVipRequest' + yubikey: + $ref: '#/components/examples/EnrollFactorYubikeyRequest' + email: + $ref: '#/components/examples/EnrollFactorEmailRequest' + u2f: + $ref: '#/components/examples/EnrollFactorU2fRequest' + webAuthn: + $ref: '#/components/examples/EnrollFactorWebauthnRequest' + customTotp: + $ref: '#/components/examples/EnrollFactorCustomTotpRequest' required: true responses: '200': 
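Review bot: Two markup defects in the `enrollFactor` description: the status `PENDING_ACTIVATION` is followed by a doubled closing backtick, which breaks inline code rendering for the rest of that sentence, and "automaticaly" is misspelled. The raw `<x-lifecycle class="oie"></x-lifecycle>` element inside a markdown bullet renders only in Okta's own documentation tooling; other OpenAPI renderers will print it as literal text, so prefer a plain "Identity Engine only:" prefix or a vendor extension. The `tokenLifetimeSeconds` bounds (`minimum: 1`, `maximum: 86400`) and the note that `updatePhone` is ignored when the number backs an activated Factor are both welcome, since they pin down behaviour an attacker-facing endpoint should not leave implicit.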
@@ -15225,6 +21931,33 @@ paths: application/json: schema: $ref: '#/components/schemas/UserFactor' + examples: + question: + $ref: '#/components/examples/EnrollFactorQuestionResponse' + sms: + $ref: '#/components/examples/EnrollFactorSmsResponse' + call: + $ref: '#/components/examples/EnrollFactorCallResponse' + token:software:totp: + $ref: '#/components/examples/EnrollFactorOVTotpResponse' + push: + $ref: '#/components/examples/EnrollFactorOVPushResponse' + google: + $ref: '#/components/examples/EnrollFactorGoogleResponse' + rsa_securId: + $ref: '#/components/examples/EnrollFactorRsaSecurIdResponse' + symantec_vip: + $ref: '#/components/examples/EnrollFactorSymantecVipResponse' + yubikey: + $ref: '#/components/examples/EnrollFactorYubikeyResponse' + email: + $ref: '#/components/examples/EnrollFactorEmailResponse' + u2f: + $ref: '#/components/examples/EnrollFactorU2fResponse' + webAuthn: + $ref: '#/components/examples/EnrollFactorWebauthnResponse' + customTotp: + $ref: '#/components/examples/EnrollFactorCustomTotpResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -15239,12 +21972,15 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/catalog: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Supported Factors - description: Lists all the supported factors that can be enrolled for the specified user + summary: List all supported Factors + description: Lists all the supported Factors that can be enrolled for the specified user operationId: listSupportedFactors responses: '200': @@ -15254,7 +21990,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/UserFactorSupported' + examples: + SupportedFactorResponse: + $ref: '#/components/examples/SupportedFactorResults' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15267,22 +22006,33 @@ paths: - okta.users.read tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/questions: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Supported Security Questions - description: Lists all available security questions for a user's `question` factor + x-okta-no-scope-required: true + summary: List all supported Security Questions + description: Lists all available Security Questions for the specified user operationId: listSupportedSecurityQuestions responses: '200': description: Success content: application/json: + example: + - question: disliked_food + questionText: What is the food you least liked as a child? + - question: name_of_first_plush_toy + questionText: What is the name of your first stuffed animal? + - question: first_award + questionText: What did you earn your first medal or award for? schema: type: array items: - $ref: '#/components/schemas/SecurityQuestion' + $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -15293,21 +22043,21 @@ paths: - apiToken: [] tags: - UserFactor + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' get: summary: Retrieve a Factor - description: Retrieves a factor for the specified user + description: Retrieves an existing Factor for the specified user operationId: getFactor responses: '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/responses/GetFactorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15320,12 +22070,19 @@ paths: - okta.users.read tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unenroll a Factor - description: Unenrolls an existing factor for the specified user, allowing the user to enroll a new factor + description: |- + Unenrolls an existing Factor for the specified user. This allows the user to enroll a new Factor. + + > **Note**: If you unenroll the `push` or the `signed_nonce` Factors, Okta also unenrolls any other `totp`, `signed_nonce`, or Okta Verify `push` Factors associated with the user. operationId: unenrollFactor parameters: - name: removeRecoveryEnrollment + description: If `true`, removes the phone number as both a recovery method and a Factor. This parameter is only used for the `sms` and `call` Factors. in: query schema: type: boolean 
@@ -15346,20 +22103,41 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' post: summary: Activate a Factor - description: Activates a factor. The `sms` and `token:software:totp` factor types require activation to complete the enrollment process. + description: |- + Activates a Factor. Some Factors (`call`, `email`, `push`, `sms`, `token:software:totp`, `u2f`, and `webauthn`) require activation to complete the enrollment process. + + Okta enforces a rate limit of five activation attempts within five minutes. After a user exceeds the rate limit, Okta returns an error message. + + > **Note**: If the user exceeds their SMS, call, or email factor activate rate limit, then an OTP resend request (`/api/v1/users/${userId}}/factors/${factorId}/resend`) isn't allowed for the same Factor. operationId: activateFactor x-codegen-request-body-name: body requestBody: content: application/json: schema: - $ref: '#/components/schemas/ActivateFactorRequest' + $ref: '#/components/schemas/UserFactorActivateRequest' + examples: + token:software:totp: + $ref: '#/components/examples/FactorPasscodeRequest' + sms: + $ref: '#/components/examples/FactorPasscodeRequest' + call: + $ref: '#/components/examples/FactorPasscodeRequest' + email: + $ref: '#/components/examples/FactorPasscodeRequest' + u2f: + $ref: '#/components/examples/ActivateFactorU2fRequest' + webauthn: + $ref: '#/components/examples/ActivateFactorWebauthnRequest' required: false responses: '200': 
@@ -15367,7 +22145,22 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/UserFactorActivateResponse' + examples: + token:software:totp: + $ref: '#/components/examples/ActivateFactorTotpResponse' + sms: + $ref: '#/components/examples/ActivateFactorSmsResponse' + call: + $ref: '#/components/examples/ActivateFactorCallResponse' + push: + $ref: '#/components/examples/ActivateFactorPushResponse' + email: + $ref: '#/components/examples/ActivateFactorEmailResponse' + u2f: + $ref: '#/components/examples/ActivateFactorU2fResponse' + webauthn: + $ref: '#/components/examples/ActivateFactorWebauthnResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -15382,26 +22175,41 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/resend: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' post: - summary: Resend a factor enrollment - description: Resends a factor challenge (SMS/call/email OTP) as part of an enrollment flow. The current rate limit is one OTP challenge (call or SMS) per device every 30 seconds. Okta round-robins between SMS providers with every resend request to help ensure delivery of an SMS OTP across different carriers. + summary: Resend a Factor enrollment + description: |- + Resends an `sms`, `call`, or `email` factor challenge as part of an enrollment flow + + For `call` and `sms` factors, Okta enforces a rate limit of one OTP challenge per device every 30 seconds. You can configure your `sms` and `call` factors to use a third-party telephony provider. See the [Telephony inline hook reference](https://developer.okta.com/docs/reference/telephony-hook/). Okta round-robins between SMS providers with every resend request to help ensure delivery of an SMS and Call OTPs across different carriers. + + > **Note**: Resend operations aren't allowed after a factor exceeds the activation rate limit. See [Activate a Factor](./#tag/UserFactor/operation/activateFactor). operationId: resendEnrollFactor parameters: - name: templateId in: query - description: ID of SMS template (only for SMS factor) + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. 
schema: + example: cstk2flOtuCMDJK4b0g3 type: string requestBody: - description: Factor content: application/json: schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/ResendUserFactor' + examples: + sms: + value: + factorType: sms + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 required: true responses: '200': @@ -15409,7 +22217,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UserFactor' + $ref: '#/components/schemas/ResendUserFactor' + examples: + sms: + $ref: '#/components/examples/EnrollFactorSmsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -15424,14 +22235,17 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' - $ref: '#/components/parameters/pathTransactionId' get: - summary: Retrieve a Factor Transaction Status - description: Retrieves the factors verification transaction status + summary: Retrieve a Factor transaction status + description: Retrieves the status of a `push` Factor verification transaction operationId: getFactorTransactionStatus responses: '200': @@ -15439,7 +22253,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/VerifyUserFactorResponse' + $ref: '#/components/schemas/UserFactorPushTransaction' + examples: + WAITING: + $ref: '#/components/examples/UserFactorVerifyPushTransactionWaiting' + SUCCESS: + $ref: '#/components/examples/UserFactorVerifyPushTransactionApproved' + REJECTED: + $ref: '#/components/examples/UserFactorVerifyPushTransactionRejected' + TIMEOUT: + $ref: '#/components/examples/UserFactorVerifyPushTransactionTimeout' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15452,46 +22275,81 @@ paths: - okta.users.read tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/verify: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' post: - summary: Verify an MFA Factor - description: Verifies an OTP for a `token` or `token:hardware` factor + summary: Verify a Factor + description: |- + Verifies an OTP for a Factor. Some Factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) must first issue a challenge before you can verify the Factor. Do this by making a request without a body. After a challenge is issued, make another request to verify the Factor. + + **Note**: To verify a `push` factor, use the **poll** link returned when you issue the challenge. See [Retrieve a Factor Transaction Status](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/getFactorTransactionStatus). operationId: verifyFactor parameters: - name: templateId + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. in: query schema: type: string + example: cstk2flOtuCMDJK4b0g3 - name: tokenLifetimeSeconds + description: Defines how long the token remains valid in: query schema: type: integer format: int32 + minimum: 1 + maximum: 86400 default: 300 x-okta-added-version: 1.3.0 - name: X-Forwarded-For + description: Public IP address for the user agent in: header schema: type: string x-okta-added-version: 1.11.0 - name: User-Agent + description: Type of user agent detected when the request is made. Required to verify `push` Factors. in: header schema: type: string x-okta-added-version: 1.11.0 - name: Accept-Language + description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` Factors. 
If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. in: header schema: type: string + example: fr x-codegen-request-body-name: body requestBody: + description: Some Factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) must first issue a challenge before you can verify the Factor. Do this by making a request without a body. After a challenge is issued, make another request to verify the Factor. content: application/json: schema: - $ref: '#/components/schemas/VerifyFactorRequest' + $ref: '#/components/schemas/UserFactorVerifyRequest' + examples: + sms verify: + $ref: '#/components/examples/FactorPasscodeRequest' + call verify: + $ref: '#/components/examples/FactorPasscodeRequest' + email verify: + $ref: '#/components/examples/FactorPasscodeRequest' + u2f verify: + $ref: '#/components/examples/UserFactorVerifyU2fRequest' + webAuthn verify: + $ref: '#/components/examples/UserFactorVerifyWebauthnRequest' + security question verify: + $ref: '#/components/examples/UserFactorVerifySecurityQuestionRequest' + totp verify: + $ref: '#/components/examples/FactorPasscodeRequest' + token verify: + $ref: '#/components/examples/FactorPasscodeRequest' + yubikey verify: + $ref: '#/components/examples/FactorPasscodeRequest' required: false responses: '200': 
@@ -15499,7 +22357,38 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/VerifyUserFactorResponse' + $ref: '#/components/schemas/UserFactorVerifyResponse' + examples: + sms challenge: + $ref: '#/components/examples/UserFactorChallengeSmsResponse' + sms verify: + $ref: '#/components/examples/UserFactorVerifySuccessSmsResponse' + call challenge: + $ref: '#/components/examples/UserFactorChallengeCallResponse' + call verify: + $ref: '#/components/examples/UserFactorVerifyCallSuccessResponse' + push challenge: + $ref: '#/components/examples/UserFactorChallengePushResponse' + email challenge: + $ref: '#/components/examples/UserFactorChallengeEmailResponse' + email verify: + $ref: '#/components/examples/UserFactorVerifyEmailSuccessResponse' + u2f challenge: + $ref: '#/components/examples/UserFactorChallengeU2fResponse' + u2f verify: + $ref: '#/components/examples/UserFactorVerifyU2fResponse' + webAuthn challenge: + $ref: '#/components/examples/UserFactorChallengeWebauthnResponse' + webAuthn verify: + $ref: '#/components/examples/UserFactorVerifyWebauthnResponse' + security question verify: + $ref: '#/components/examples/UserFactorVerifySuccessSqResponse' + totp verify: + $ref: '#/components/examples/UserFactorVerifySuccessTotpResponse' + token verify: + $ref: '#/components/examples/UserFactorVerifySuccessTokenResponse' + yubikey verify: + $ref: '#/components/examples/UserFactorVerifySuccessYubikeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -15514,31 +22403,41 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/grants: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all User Grants - description: Lists all grants for the specified user + description: Lists all Grants for the specified user operationId: listUserGrants parameters: - name: scopeId in: query + description: The scope ID to filter on schema: type: string - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string + example: scope - name: after in: query + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query + description: Specifies the number of grants to return schema: type: integer format: int32 + minimum: 1 + maximum: 200 default: 20 responses: '200': @@ -15560,10 +22459,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke all User Grants - description: Revokes all grants for a specified user + description: Revokes all Grants for a specified User operationId: revokeUserGrants responses: '204': 
@@ -15580,20 +22483,26 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/grants/{grantId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathGrantId' get: summary: Retrieve a User Grant - description: Retrieves a grant for the specified user + description: Retrieves a Grant for the specified User operationId: getUserGrant parameters: - name: expand in: query + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string + example: scope responses: '200': description: Success @@ -15612,10 +22521,14 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a User Grant - description: Revokes one grant for a specified user + description: Revokes one Grant for a specified User operationId: revokeUserGrant responses: '204': @@ -15632,13 +22545,17 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/groups: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all Groups - description: Lists all groups of which the user is a member + description: Lists all Groups of which the User is a member operationId: listUserGroups responses: '200': @@ -15649,6 +22566,9 @@ paths: type: array items: $ref: '#/components/schemas/Group' + examples: + List User Groups: + $ref: '#/components/examples/ListUserGroups' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15660,13 +22580,17 @@ paths: - oauth2: - okta.users.read tags: - - User + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/idps: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Identity Providers - description: Lists the IdPs associated with the user + summary: List all Identity Providers for User + description: Lists the IdPs associated with the User operationId: listUserIdentityProviders responses: '200': @@ -15677,6 +22601,9 @@ paths: type: array items: $ref: '#/components/schemas/IdentityProvider' + examples: + MultipleIdPsResponse: + $ref: '#/components/examples/MultipleIdPsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15688,32 +22615,41 @@ paths: - oauth2: - okta.users.read tags: - - User + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Activate a User description: |- - Activates a user. This operation can only be performed on users with a `STAGED` or `DEPROVISIONED` status. - Activation of a user is an asynchronous operation. The user will have the `transitioningToStatus` - property with a value of `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation. - The user will have a status of `ACTIVE` when the activation process is complete. - > **Multibrand and User activation**<br> - If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand. - For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains). - <br><br> - > **Legal disclaimer**<br> - After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, - you agreed not to use Okta's service/product to spam and/or send unsolicited messages. - Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all - liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. + Activates a User. + + This operation can only be performed on Users with a `STAGED` or `DEPROVISIONED` status. Activation of a User is an asynchronous operation. + * The User will have the `transitioningToStatus` property with an `ACTIVE` value during activation to indicate that the user hasn't completed the asynchronous operation. 
+ * The User will have an `ACTIVE` status when the activation process completes. + + Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status. + + > **Note:** If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand. + > For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains). + + > **Note:** If you have Optional Password enabled, visiting the activation link is optional for users who aren't required to enroll a password. + > See [Create user with Optional Password enabled](https://developer.okta.com/docs/reference/api/users/#create-user-with-optional-password-enabled). + + > **Legal disclaimer** + > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, + > you agreed not to use Okta's service/product to spam and/or send unsolicited messages. + > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all + > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. operationId: activateUser parameters: - name: sendEmail in: query - description: Sends an activation email to the user if true - required: true + description: Sends an activation email to the user if `true` + required: false schema: type: boolean default: true 
@@ -15735,21 +22671,44 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Deactivate a User - description: 'Deactivates a user. This operation can only be performed on users that do not have a `DEPROVISIONED` status. While the asynchronous operation (triggered by HTTP header `Prefer: respond-async`) is proceeding the user''s `transitioningToStatus` property is `DEPROVISIONED`. The user''s status is `DEPROVISIONED` when the deactivation process is complete.' + description: |- + Deactivates a User. + + This operation can only be performed on Users that do not have a `DEPROVISIONED` status. + * The User's `transitioningToStatus` property is `DEPROVISIONED` during deactivation to indicate that the user hasn't completed the asynchronous operation. + * The User's status is `DEPROVISIONED` when the deactivation process is complete. + + > **Important:** Deactivating a User is a **destructive** operation. The User is deprovisioned from all assigned apps, which might destroy their data such as email or files. + **This action cannot be recovered!** + + You can also perform user deactivation asynchronously. To invoke asynchronous user deactivation, pass an HTTP header `Prefer: respond-async` with the request. operationId: deactivateUser parameters: - name: sendEmail in: query + description: Sends a deactivation email to the admin if `true` schema: type: boolean default: false x-okta-added-version: 1.5.0 + - name: Prefer + in: header + required: false + schema: + type: string + enum: + - respond-async + description: Request asynchronous processing responses: '200': description: OK 
@@ -15765,13 +22724,22 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/expire_password: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Expire Password - description: Expires a user's password and transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login + description: |- + Expires the password. This operation transitions the User status to `PASSWORD_EXPIRED` so that the User must change their password the next time that they sign in. + <br> + If you have integrated Okta with your on-premises Active Directory (AD), then setting a User's Password as expired in Okta also expires the Password in AD. + When the User tries to sign in to Okta, delegated authentication finds the password-expired status in AD, + and the User is presented with the password-expired page where they can change their Password. operationId: expirePassword responses: '200': @@ -15780,6 +22748,9 @@ paths: application/json: schema: $ref: '#/components/schemas/User' + examples: + Expire Password Response: + $ref: '#/components/examples/ExpirePwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15791,18 +22762,29 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/expire_password_with_temp_password: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Expire Password and Set Temporary Password - description: Expires a user's password and transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login, and also sets the user's password to a temporary password returned in the response - operationId: expirePasswordAndGetTemporaryPassword + summary: Expire Password with temporary password + description: |- + Expires the password and resets the User's Password to a temporary password. This operation transitions the User status to `PASSWORD_EXPIRED` so that the User must change their password the next time that they sign in. + User's Password is reset to a temporary password that is returned, and then the User's Password is expired. + If `revokeSessions` is included in the request with a value of `true`, the User's current outstanding sessions are revoked and require re-authentication. + <br> + If you have integrated Okta with your on-premises Active Directory (AD), then setting a User's Password as expired in Okta also expires the Password in AD. + When the User tries to sign in to Okta, delegated authentication finds the password-expired status in AD, + and the User is presented with the password-expired page where they can change their Password. + operationId: expirePasswordWithTempPassword parameters: - name: revokeSessions - description: When set to `true` (and the session is a user session), all user sessions are revoked except the current session. in: query + description: Revokes the User's existing sessions if `true` required: false schema: type: boolean 
@@ -15813,40 +22795,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/TempPassword' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.users.manage - tags: - - User - /api/v1/users/{userId}/lifecycle/reactivate: - parameters: - - $ref: '#/components/parameters/pathUserId' - post: - summary: Reactivate a User - description: Reactivates a user. This operation can only be performed on users with a `PROVISIONED` status. This operation restarts the activation workflow if for some reason the user activation was not completed when using the activationToken from [Activate User](#activate-user). - operationId: reactivateUser - parameters: - - name: sendEmail - in: query - description: Sends an activation email to the user if true - schema: - type: boolean - default: false - responses: - '200': - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/UserActivationToken' + $ref: '#/components/schemas/User' + examples: + Expire Password with Temp Password Response: + $ref: '#/components/examples/ExpirePwdWithTempPwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15858,13 +22810,17 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/reset_factors: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Reset all Factors - description: Resets all factors for the specified user. All MFA factor enrollments returned to the unenrolled state. The user's status remains ACTIVE. This link is present only if the user is currently enrolled in one or more MFA factors. + summary: Reset Factors + description: Resets all factors for the specified User. All MFA factor enrollments return to the unenrolled state. The User's status remains `ACTIVE`. This link is present only if the User is currently enrolled in one or more MFA factors. operationId: resetFactors responses: '200': 
@@ -15881,14 +22837,30 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/reset_password: parameters: - $ref: '#/components/parameters/pathUserId' post: - summary: Generate a Reset Password Token - description: Generates a one-time token (OTT) that can be used to reset a user's password. The OTT link can be automatically emailed to the user or returned to the API caller and distributed using a custom flow. - operationId: generateResetPasswordToken + summary: Reset password + description: |- + Resets password. Generates a one-time token (OTT) that you can use to reset a User's password. You can automatically email the OTT link to the User or return the OTT to the API caller and distribute using a custom flow. + + This operation transitions the User to the `RECOVERY` status. The User is then not able to sign in or initiate a forgot password flow until they complete the reset flow. + + This operation provides an option to delete all the User's sessions. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared. + > **Note:** You can also use this API to convert a User with the Okta Credential Provider to use a Federated Provider. After this conversion, the User can't directly sign in with a password. + > To convert a federated User back to an Okta User, use the default API call. + + If an email address is associated with multiple Users, keep in mind the following to ensure a successful password recovery lookup: + * Okta no longer includes deactivated Users in the lookup. + * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. + If `sendEmail` is `false`, returns a link for the User to reset their password. + operationId: resetPassword parameters: - name: sendEmail in: query 
@@ -15896,7 +22868,7 @@ paths: schema: type: boolean - name: revokeSessions - description: When set to `true` (and the session is a user session), all user sessions are revoked except the current session. + description: Revokes all User sessions, except for the current session, if set to `true` in: query required: false schema: @@ -15909,6 +22881,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ResetPasswordToken' + examples: + Reset Password without Sending Email Response: + $ref: '#/components/examples/ResetPwdWithoutSendingEmailResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -15920,18 +22895,27 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/suspend: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Suspend a User - description: Suspends a user. This operation can only be performed on users with an `ACTIVE` status. The user will have a status of `SUSPENDED` when the process is complete. + description: |- + Suspends a user. This operation can only be performed on Users with an `ACTIVE` status. The User has a `SUSPENDED` status when the process completes. + + Suspended users can't sign in to Okta. They can only be unsuspended or deactivated. Their group and app assignments are retained. operationId: suspendUser responses: '200': description: OK content: {} + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15943,13 +22927,19 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/unlock: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Unlock a User - description: Unlocks a user with a `LOCKED_OUT` status or unlocks a user with an `ACTIVE` status that is blocked from unknown devices. Unlocked users have an `ACTIVE` status and can sign in with their current password. + description: |- + Unlocks a User with a `LOCKED_OUT` status or unlocks a User with an `ACTIVE` status that is blocked from unknown devices. Unlocked Users have an `ACTIVE` status and can sign in with their current password. + > **Note:** This operation works with Okta-sourced users. It doesn't support directory-sourced accounts such as Active Directory. operationId: unlockUser responses: '200': @@ -15966,18 +22956,24 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/unsuspend: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Unsuspend a User - description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status. + description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status. operationId: unsuspendUser responses: '200': description: Success content: {} + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15989,59 +22985,30 @@ paths: - oauth2: - okta.users.manage tags: - - User - /api/v1/users/{userId}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: - parameters: - - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathPrimaryRelationshipName' - - $ref: '#/components/parameters/pathPrimaryUserId' - put: - summary: Create a Linked Object for two Users - description: Creates a Linked Object for two users - operationId: setLinkedObjectForUser - responses: - '204': - description: Success - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - oauth2: - - okta.users.manage - tags: - - User - /api/v1/users/{userId}/linkedObjects/{relationshipName}: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/risk: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRelationshipName' get: - summary: List all Linked Objects - description: Lists all linked objects for a user, relationshipName can be a primary or associated relationship name - operationId: listLinkedObjectsForUser - parameters: - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: -1 + summary: Retrieve the user's risk + description: Retrieves the User Risk object for a user ID + operationId: getUserRisk responses: '200': - description: Success + description: OK content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/ResponseLinks' + $ref: '#/components/schemas/UserRiskGetResponse' + examples: + UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + UserRiskNoneResponseExample: + $ref: '#/components/examples/UserRiskNoneResponse' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '404': @@ -16051,17 +23018,48 @@ paths: security: - apiToken: [] - oauth2: - - okta.users.read + - okta.userRisk.read tags: - - User - delete: - summary: Delete a Linked Object - description: Deletes linked objects for a user, relationshipName can be ONLY a primary relationship name - operationId: deleteLinkedObjectForUser + - UserRisk + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Upsert the user's risk + description: Upserts (creates or updates) the User Risk object for a user ID + operationId: upsertUserRisk + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskRequest' + examples: + RiskProviderRequestExample: + $ref: '#/components/examples/UserRiskRequest' + required: true responses: - '204': - description: No Content - content: {} + '200': + description: Updated the user's risk + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskPutResponse' + examples: + UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + '201': + description: Created the user's risk + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskPutResponse' + examples: + UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -16071,21 +23069,23 @@ paths: security: - apiToken: [] - oauth2: - - okta.users.manage + - okta.userRisk.manage tags: - - User + - UserRisk + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/users/{userId}/roles: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Roles assigned to a User - description: Lists all roles assigned to a user identified by `userId` + summary: List all user role assignments + description: Lists all roles assigned to a user (identified by `userId`) operationId: listAssignedRolesForUser parameters: - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/pathQueryRoleExpand' responses: '200': description: Success @@ -16094,7 +23094,16 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponse' + Custom Roles: + $ref: '#/components/examples/StandardAndCustomRolesListResponse' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -16106,10 +23115,20 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Assign a Role to a User - description: Assigns a role to a user identified by `userId` + summary: Assign a user role + description: |- + Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a user. + + You can also assign a custom role to a user, but the preferred method to assign a custom role to a user is to create a binding between the custom role, the resource set, and the user. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. operationId: assignRoleToUser parameters: - name: disableNotifications @@ -16117,12 +23136,16 @@ paths: in: query schema: type: boolean + default: false x-codegen-request-body-name: assignRoleRequest requestBody: content: application/json: schema: - $ref: '#/components/schemas/AssignRoleRequest' + type: object + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' required: true responses: '201': 
@@ -16130,7 +23153,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' + type: object + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRoleResponseUser' + Custom Roles: + $ref: '#/components/examples/CustomRoleResponseUser' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRoleResponseUser' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -16144,14 +23177,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment - /api/v1/users/{userId}/roles/{roleId}: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: Retrieve a Role assigned to a User - description: Retrieves a role identified by `roleId` assigned to a user identified by `userId` + summary: Retrieve a user role assignment + description: Retrieves a role assigned to a user (identified by `userId`). The `roleAssignmentId` parameter is the unique identifier for either a standard role assignment object or a custom role resource set binding object. operationId: getUserAssignedRole responses: '200': @@ -16159,7 +23195,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Role' + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRoleResponseUser' + Custom Roles: + $ref: '#/components/examples/CustomRoleResponseUser' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRoleResponseUser' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -16171,10 +23216,13 @@ paths: - oauth2: - okta.roles.read tags: - - RoleAssignment + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a Role from a User - description: Unassigns a role identified by `roleId` from a user identified by `userId` + summary: Unassign a user role + description: Unassigns a role assignment (identified by `roleAssignmentId`) from a user (identified by `userId`) operationId: unassignRoleFromUser responses: '204': 
@@ -16191,14 +23239,121 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleAssignment - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: Retrieve all User Role Governance Sources + description: Retrieves the governance sources of a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`) + operationId: getUserAssignedRoleGovernance + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleGovernance' + examples: + Example Response: + $ref: '#/components/examples/GetUseRoleGovernanceResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGrantId' + get: + summary: Retrieve a User Role Governance Source + description: Retrieves a Governance Source (identified by `grantId`) for a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`) + operationId: getRoleAssignmentGovernanceGrant + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleGovernanceSource' + examples: + Example Response: + $ref: 
'#/components/examples/GetRoleAssignmentGovernanceGrantResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}/resources: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGrantId' + get: + summary: Retrieve the User Role Governance Source Resources + description: Retrieves the resources of a Governance Source (identified by `grantId`) for a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`) + operationId: getRoleAssignmentGovernanceGrantResources + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleGovernanceResources' + examples: + Example Response: + $ref: '#/components/examples/GetRoleAssignmentGovernanceGrantResources' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Application Targets for Application Administrator Role - description: Lists all App targets for an `APP_ADMIN` Role assigned to a User. 
This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID. + summary: List all admin role application targets + description: Lists all app targets for an `APP_ADMIN` role assigned to a user. The response is a list that includes OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app payload doesn't. operationId: listApplicationTargetsForApplicationAdministratorRoleForUser parameters: - name: after @@ -16231,10 +23386,13 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Assign all Apps as Target to Role - description: Assigns all Apps as Target to Role + summary: Assign all apps as target to role + description: Assigns all apps as target to role operationId: assignAllAppsAsTargetToRoleForUser responses: '200': 
@@ -16251,15 +23409,21 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' put: - summary: Assign an Application Target to Administrator Role - description: Assigns an application target to administrator role + summary: Assign an admin role application target + description: | + Assigns an OIN app target for an `APP_ADMIN` role assignment to an admin user. When you assign the first app target, you reduce the scope of the role assignment. + The role no longer applies to all app targets, but applies only to the specified target. Assigning an OIN app target overrides any existing app instance targets of the OIN app. + For example, if a user was assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances. operationId: assignAppTargetToAdminRoleForUser responses: '204': 
@@ -16276,10 +23440,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign an Application Target from an Application Administrator Role - description: Unassigns an application target from application administrator role + summary: Unassign an admin role application target + description: | + Unassigns an OIN app target from an `APP_ADMIN` role assignment to an admin user. + + > **Note:** You can't remove the last OIN app target from a role assignment since this causes an exception. + > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment to the user and recreate a new one. operationId: unassignAppTargetFromAppAdminRoleForUser responses: '204': 
@@ -16296,16 +23467,24 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}/{appId}: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathAppId' put: - summary: Assign an Application Instance Target to an Application Administrator Role - description: Assigns anapplication instance target to appplication administrator role + summary: Assign an admin role application instance target + description: | + Assigns an app instance target to an `APP_ADMIN` role assignment to an admin user. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment. + The role no longer applies to all app targets, but applies only to the specified target. + + > **Note:** You can target a mixture of both OIN app and app instance targets, but can't assign permissions to manage all instances of an OIN app and then assign a subset of permission to the same OIN app. + > For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. operationId: assignAppInstanceTargetToAppAdminRoleForUser responses: '204': 
@@ -16322,10 +23501,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign an Application Instance Target from an Application Administrator Role - description: Unassigns an application instance target from an application administrator role + summary: Unassign an admin role application instance target + description: |- + Unassigns an app instance target from an `APP_ADMIN` role assignment to an admin user. + + > **Note:** You can't remove the last app instance target from a role assignment since this causes an exception. + > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment and recreate a new one. operationId: unassignAppInstanceTargetFromAdminRoleForUser responses: '204': @@ -16342,14 +23528,19 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget - /api/v1/users/{userId}/roles/{roleId}/targets/groups: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' get: - summary: List all Group Targets for Role - description: Lists all group targets for role + summary: List all admin role group targets + description: | + Lists all group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. + If the role isn't scoped to specific group targets, an empty array `[]` is returned. operationId: listGroupTargetsForRole parameters: - name: after 
@@ -16382,15 +23573,20 @@ paths: - oauth2: - okta.roles.read tags: - - RoleTarget - /api/v1/users/{userId}/roles/{roleId}/targets/groups/{groupId}: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathUserId' - - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathGroupId' put: - summary: Assign a Group Target to Role - description: Assigns a Group Target to Role + summary: Assign an admin role group target + description: | + Assigns a group target for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. + When you assign the first group target, you reduce the scope of the role assignment. The role no longer applies to all targets but applies only to the specified target. operationId: assignGroupTargetToUserRole responses: '204': @@ -16407,10 +23603,17 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a Group Target from Role - description: Unassigns a Group Target from Role + summary: Unassign an admin role group target + description: | + Unassigns a group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. + + > **Note:** You can't remove the last group target from a role assignment since this causes an exception. + > If you need a role assignment that applies to all groups, delete the role assignment to the user and recreate a new one. operationId: unassignGroupTargetFromUserAdminRole responses: '204': 
@@ -16427,13 +23630,18 @@ paths: - oauth2: - okta.roles.manage tags: - - RoleTarget + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/sessions: parameters: - $ref: '#/components/parameters/pathUserId' delete: - summary: Revoke all User Sessions - description: Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. + summary: Revoke all User sessions + description: |- + Revokes all active Identity Provider sessions of the User. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the User. + > **Note:** This operation doesn't clear the sessions created for web or native apps. operationId: revokeUserSessions parameters: - name: oauthTokens @@ -16457,13 +23665,17 @@ paths: - oauth2: - okta.users.manage tags: - - User + - UserSessions + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions: parameters: - $ref: '#/components/parameters/pathUserId' get: - summary: List all Subscriptions for a User - description: Lists all subscriptions available to a specified User. Returns an `AccessDeniedException` message if requests are made for another user. + summary: List all subscriptions for a user + description: Lists all subscriptions available to a specified user. Returns an `AccessDeniedException` message if requests are made for another user. operationId: listSubscriptionsUser parameters: - in: path 
@@ -16493,13 +23705,16 @@ paths: - okta.users.read tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathNotificationType' get: - summary: Retrieve a Subscription for a User - description: Retrieves a subscription by `notificationType` for a specified User. Returns an `AccessDeniedException` message if requests are made for another user. + summary: Retrieve a subscription for a user + description: Retrieves a subscription by `notificationType` for a specified user. Returns an `AccessDeniedException` message if requests are made for another user. operationId: getSubscriptionsNotificationTypeUser parameters: - in: path @@ -16528,12 +23743,15 @@ paths: - okta.users.read tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}/subscribe: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathNotificationType' post: - summary: Subscribe a User to a Specific Notification Type + summary: Subscribe a user to a specific notification type description: Subscribes the current user to a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. operationId: subscribeByNotificationTypeUser parameters: 
@@ -16559,12 +23777,15 @@ paths: - okta.users.manage tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}/unsubscribe: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathNotificationType' post: - summary: Unsubscribe a User from a Specific Notification Type + summary: Unsubscribe a user from a specific notification type description: Unsubscribes the current user from a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. operationId: unsubscribeByNotificationTypeUser parameters: @@ -16590,11 +23811,14 @@ paths: - okta.users.manage tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/zones: get: summary: List all Network Zones description: |- - Lists all network zones with pagination. A subset of zones can be returned that match a supported filter expression or query. + Lists all Network Zones with pagination. A subset of zones can be returned that match a supported filter expression or query. This operation requires URL encoding. For example, `filter=(id eq "nzoul0wf9jyb8xwZm0g3" or id eq "nzoul1MxmGN18NDQT0g3")` is encoded as `filter=%28id+eq+%22nzoul0wf9jyb8xwZm0g3%22+or+id+eq+%22nzoul1MxmGN18NDQT0g3%22%29`. 
@@ -16603,24 +23827,24 @@ paths: parameters: - name: after in: query - description: Specifies the pagination cursor for the next page of network zones - example: 200u7yq5goxNFTiMjW1d7 schema: type: string + description: Specifies the pagination cursor for the next page of Network Zones + example: BlockedIpZones - name: limit in: query - description: Specifies the number of results for a page - example: 5 schema: type: integer + description: Specifies the number of results for a page format: int32 + example: 5 default: -1 - name: filter in: query - description: Filters zones by usage or ID expression - example: filter=%28id+eq+%22nzowc1U5Jh5xuAK0o0g3%22%29 schema: type: string + description: Filters zones by usage or ID expression + example: id eq "nzowc1U5Jh5xuAK0o0g3" responses: '200': description: Success @@ -16645,12 +23869,16 @@ paths: - okta.networkZones.read tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Network Zone description: |- - Creates a new network zone. - * At least one of either the `gateways` attribute or `proxies` attribute must be defined when creating a Network Zone. - * At least one of the following attributes must be defined: `proxyType`, `locations`, or `asns`. + Creates a Network Zone + * For an IP Network Zone, you must define either `gateways` or `proxies`. + * For a Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `proxyType`. + * For an Enhanced Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `ipServiceCategories`. operationId: createNetworkZone x-codegen-request-body-name: zone requestBody: @@ -16663,6 +23891,8 @@ paths: $ref: '#/components/examples/CreateIPPolicyNetworkZone' CreateIPPolicyBlocklistNetworkZone: $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZone' + CreateEDNetworkZone: + $ref: '#/components/examples/CreateEDNZRequest' required: true responses: '200': 
@@ -16676,8 +23906,10 @@ paths: $ref: '#/components/examples/CreateIPPolicyNetworkZoneResponse' CreateIPPolicyBlocklistNetworkZone: $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZoneResponse' + CreateEDNetworkZone: + $ref: '#/components/examples/CreateEDNZResponse' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/responses/NzErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -16688,12 +23920,15 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/zones/{zoneId}: parameters: - $ref: '#/components/parameters/pathZoneId' get: summary: Retrieve a Network Zone - description: Retrieves a network zone by `zoneId` + description: Retrieves a Network Zone by `zoneId` operationId: getNetworkZone responses: '200': @@ -16707,10 +23942,12 @@ paths: $ref: '#/components/examples/RetrieveNetworkZoneIP' RetrieveNetworkZoneDynamic: $ref: '#/components/examples/RetrieveNetworkZoneDynamic' + RetrieveNetworkZoneEnhancedDynamic: + $ref: '#/components/examples/CreateEDNZResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: 
@@ -16719,11 +23956,14 @@ paths: - okta.networkZones.read tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Network Zone description: |- - Replaces a network zone by `zoneId`. The replaced network zone type must be the same as the existing type. - You may replace the usage (`POLICY`, `BLOCKLIST`) of a network zone by updating the `usage` attribute. + Replaces a Network Zone by `zoneId`. The replaced Network Zone type must be the same as the existing type. + You can replace the usage (`POLICY`, `BLOCKLIST`) of a Network Zone by updating the `usage` attribute. operationId: replaceNetworkZone x-codegen-request-body-name: zone requestBody: @@ -16746,11 +23986,11 @@ paths: ReplaceNetworkZone: $ref: '#/components/examples/ReplaceNetworkZoneResponse' '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' + $ref: '#/components/responses/NzErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: @@ -16759,9 +23999,16 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Network Zone - description: Deletes network zone by `zoneId` + description: |- + Deletes a Network Zone by `zoneId` + > **Notes:** + > * You can't delete a Network Zone that's used by a [Policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) or [Rule](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules). + > * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE `status`. <x-lifecycle class="oie"></x-lifecycle> operationId: deleteNetworkZone responses: '204': 
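Review bot: the new `deleteNetworkZone` description in hunk `@@ -16759,9 +23999,16 @@` names two conditions under which the delete is refused (zone used by a Policy or Rule; ACTIVE zone on an Identity Engine org), but the responses visible for this operation in the diff are only `204`, `403`, `404` and `429`; add the status code and error body returned in those two cases so a client can tell "zone still in use" apart from "forbidden" instead of treating every non-204 as a permissions problem. Also note that the raw `<x-lifecycle class="oie"></x-lifecycle>` tag inside the Markdown description only renders in Okta's own docs pipeline; any other OpenAPI renderer will show it literally.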
@@ -16770,7 +24017,7 @@ paths: '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: @@ -16779,12 +24026,15 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/zones/{zoneId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathZoneId' post: summary: Activate a Network Zone - description: Activates a network zone by `zoneId` + description: Activates a Network Zone by `zoneId` operationId: activateNetworkZone responses: '200': @@ -16799,7 +24049,7 @@ paths: '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: @@ -16808,12 +24058,15 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/zones/{zoneId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathZoneId' post: summary: Deactivate a Network Zone - description: Deactivates a network zone by `zoneId` + description: Deactivates a Network Zone by `zoneId` operationId: deactivateNetworkZone responses: '200': @@ -16828,7 +24081,7 @@ paths: '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': - $ref: '#/components/responses/ErrorResourceNotFound404' + $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: 
@@ -16837,6 +24090,80 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /attack-protection/api/v1/authenticator-settings: + get: + summary: Retrieve the Authenticator Settings + description: Retrieves the Authenticator Settings for an org + operationId: getAuthenticatorSettings + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Authenticator Settings + description: Replaces the Authenticator Settings for an org + operationId: replaceAuthenticatorSettings + x-codegen-request-body-name: authenticatorSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /attack-protection/api/v1/user-lockout-settings: get: summary: Retrieve the User Lockout Settings 
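Review bot: `getAuthenticatorSettings` in hunk `@@ -16837,6 +24090,80 @@` declares its `200` body as `type: array` of `AttackProtectionAuthenticatorSettings`, while `replaceAuthenticatorSettings` on the same path both accepts and returns a single `AttackProtectionAuthenticatorSettings` object; for a per-org singleton ("the Authenticator Settings for an org") the GET should return the same single object, or the PUT contract is the one that is wrong. As written, generated SDKs will emit mismatched types for the pair. Separately, the PUT's `403` is inlined with `schema: Error` plus an `Access Denied` example where the GET uses `$ref: '#/components/responses/ErrorAccessDenied403'`; use the shared response in both so the error contract lives in one place.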
@@ -16861,6 +24188,9 @@ paths: - okta.orgs.read tags: - AttackProtection + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the User Lockout Settings description: Replaces the User Lockout Settings for an org 
@@ -16898,6 +24228,147 @@ paths: - okta.orgs.manage tags: - AttackProtection + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /device-access/api/v1/desktop-mfa/enforce-number-matching-challenge-settings: + get: + summary: Retrieve the Desktop MFA Enforce Number Matching Challenge Org Setting + description: Retrieves the status of the Desktop MFA Enforce Number Matching Challenge push notifications feature. That is, whether or not the feature is enabled for your org. + operationId: getDesktopMFAEnforceNumberMatchingChallengeOrgSetting + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Desktop MFA Enforce Number Matching Challenge Org Setting + description: Replaces the status of the Desktop MFA Enforce Number Matching Challenge push notifications feature. That is, whether or not the feature is enabled for your org. 
+ operationId: replaceDesktopMFAEnforceNumberMatchingChallengeOrgSetting + x-codegen-request-body-name: DesktopMFAEnforceNumberMatchingChallengeOrgSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /device-access/api/v1/desktop-mfa/recovery-pin-settings: + get: + summary: Retrieve the Desktop MFA Recovery PIN Org setting + description: Retrieves the status of the Desktop MFA Recovery PIN feature. That is, whether or not the feature is enabled for your org. 
+ operationId: getDesktopMFARecoveryPinOrgSetting + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Desktop MFA Recovery PIN Org Setting + description: Replaces the Desktop MFA Recovery PIN feature for your org + operationId: replaceDesktopMFARecoveryPinOrgSetting + x-codegen-request-body-name: DesktopMFARecoveryPinOrgSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /integrations/api/v1/api-services: get: summary: List all API Service Integration instances @@ -16929,6 +24400,9 @@ paths: - okta.oauthIntegrations.read tags: - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an API Service Integration instance description: Creates and authorizes an API Service Integration instance 
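Review bot: `replaceDesktopMFARecoveryPinOrgSetting` in hunk `@@ -16898,6 +24228,147 @@` is described as "Replaces the Desktop MFA Recovery PIN feature for your org", which does not match its own GET ("Retrieves the status of the Desktop MFA Recovery PIN feature. That is, whether or not the feature is enabled"); reword to "Replaces the status of the Desktop MFA Recovery PIN feature ..." so the PUT is understood as toggling the enablement flag carried by `DesktopMFARecoveryPinOrgSetting`, not as replacing the feature. Both Desktop MFA PUT operations in this hunk also inline a `403` response with `schema: Error` while their GETs reference `ErrorAccessDenied403`; prefer the shared `$ref` here as well.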
@@ -16964,6 +24438,9 @@ paths: - apiToken: [] tags: - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}: parameters: - $ref: '#/components/parameters/pathApiServiceId' @@ -16995,6 +24472,9 @@ paths: - okta.oauthIntegrations.read tags: - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an API Service Integration instance description: Deletes an API Service Integration instance by `id`. This operation also revokes access to scopes that were previously granted to this API Service Integration instance. @@ -17016,6 +24496,9 @@ paths: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets: parameters: - $ref: '#/components/parameters/pathApiServiceId' @@ -17049,6 +24532,9 @@ paths: - okta.oauthIntegrations.read tags: - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an API Service Integration instance Secret description: Creates an API Service Integration instance Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects. @@ -17077,6 +24563,9 @@ paths: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}: parameters: - $ref: '#/components/parameters/pathApiServiceId' 
@@ -17102,6 +24591,9 @@ paths: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathApiServiceId' @@ -17134,6 +24626,9 @@ paths: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathApiServiceId' 
@@ -17166,4089 +24661,20534 @@ paths: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations -components: - examples: - APIDevicesListAllResponse: - summary: Response example - value: - - id: guo4a5u7YAHhjXrMK0g4 - status: CREATED - created: '2019-10-02T18:03:07.000Z' - lastUpdated: '2019-10-02T18:03:07.000Z' - profile: - displayName: Example Device name 1 - platform: WINDOWS - serialNumber: XXDDRFCFRGF3M8MD6D - sid: S-1-11-111 - registered: true - secureHardwarePresent: false - diskEncryptionType: ALL_INTERNAL_VOLUMES - resourceType: UDDevice - resourceDisplayName: - value: Example Device name 1 - sensitive: false - resourceAlternateId: null - resourceId: guo4a5u7YAHhjXrMK0g4 - _links: - activate: - href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate - hints: - allow: - - POST - self: - href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 - hints: - allow: - - GET - - PATCH - - PUT - users: - href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users - hints: - allow: - - GET - - id: guo4a5u7YAHhjXrMK0g5 - status: ACTIVE - created: '2023-06-21T23:24:02.000Z' - lastUpdated: '2023-06-21T23:24:02.000Z' - profile: - displayName: Example Device name 2 - platform: ANDROID - manufacturer: Google - model: Pixel 6 - osVersion: 13:2023-05-05 - registered: true - secureHardwarePresent: true - diskEncryptionType: USER - resourceType: UDDevice - resourceDisplayName: - value: Example Device name 2 - sensitive: false - resourceAlternateId: null - resourceId: guo4a5u7YAHhjXrMK0g5 - _links: - activate: - href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate - hints: - allow: - - POST - self: - href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 - hints: - allow: - - GET - - PATCH - - PUT - users: - href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users - hints: - allow: - - GET - APIDevicesListAllUsersResponse: - summary: Response example - value: 
- created: '2021-08-20T17:13:35.000Z' - managementStatus: NOT_MANAGED - screenLockType: BIOMETRIC - user: - id: 00u17vh0q8ov8IU881d7 - status: ACTIVE - created: '2021-08-20T16:08:25.000Z' - activated: null - statusChanged: '2021-08-20T16:39:41.000Z' - lastLogin: '2023-04-18T17:54:12.000Z' - lastUpdated: '2021-12-20T18:27:30.000Z' - passwordChanged: '2021-12-20T18:27:30.000Z' - type: - id: oty17vh0n2EHVnbYF1d7 - profile: - firstName: Bunk - lastName: Moreland - mobilePhone: null - secondEmail: null - login: bunk.moreland@example.com - email: bunk.moreland@example.com - credentials: - password: null - provider: - type: OKTA - name: OKTA - _links: - suspend: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend - method: POST - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7 - resetPassword: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password - method: POST - forgotPassword: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password - method: POST - expirePassword: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password - method: POST - changeRecoveryQuestion: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question - method: POST - self: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 - resetFactors: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors - method: POST - type: - href: https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7 - changePassword: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password - method: POST - deactivate: - href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate - method: POST - APIServiceIntegrationInstanceSecretListResponse: - summary: Secrets list response example - 
value: - - id: ocs2f4zrZbs8nUa7p0g4 - status: INACTIVE - client_secret: '***DhOW' - secret_hash: yk4SVx4sUWVJVbHt6M-UPA - created: '2023-02-21T20:08:24.000Z' - lastUpdated: '2023-02-21T20:08:24.000Z' - _links: - activate: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate - hints: - allow: - - POST - delete: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 - hints: - allow: - - DELETE - - id: ocs2f50kZB0cITmYU0g4 - status: ACTIVE - client_secret: '***MQGQ' - secret_hash: 0WOOvBSzV9clc4Nr7Rbaug - created: '2023-04-06T21:32:33.000Z' - lastUpdated: '2023-04-06T21:32:33.000Z' - _links: - deactivate: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate - hints: - allow: - - POST - APIServiceIntegrationListResponse: - summary: List response example - value: - - id: 0oa72lrepvp4WqEET1d9 - type: my_app_cie - name: My App Cloud Identity Engine - createdAt: '2023-02-21T20:08:24.000Z' - createdBy: 00uu3u0ujW1P6AfZC2d5 - configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide - grantedScopes: - - okta.logs.read - - okta.groups.read - - okta.users.read - _links: - self: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 - hints: - allow: - - GET - - DELETE - client: - href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 - hints: - allow: - - GET - logo: - name: small - href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo - APIServiceIntegrationResponse: - summary: Response example - value: - id: 0oa72lrepvp4WqEET1d9 - type: my_app_cie - name: My App Cloud Identity Engine - createdAt: '2023-02-21T20:08:24.000Z' - createdBy: 00uu3u0ujW1P6AfZC2d5 - configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide - grantedScopes: - - 
okta.logs.read - - okta.groups.read - - okta.users.read - _links: - self: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 - hints: - allow: - - GET - - DELETE - client: - href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 - hints: - allow: - - GET - logo: - name: small - href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo - ActivateNetworkZone: - summary: Activated Network Zone response - value: - type: IP - id: nzowc1U5Jh5xuAK0o0g3 - name: LegacyIpZone - status: ACTIVE - usage: POLICY - created: '2019-05-17T18:44:31.000Z' - lastUpdated: '2019-05-21T13:50:49.000Z' - system: true - gateways: - - type: CIDR - value: 1.2.3.4/24 - proxies: - - type: RANGE - value: 3.3.4.5-3.3.4.15 - _links: - self: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 - hints: - allow: - - GET - - PUT - - DELETE - deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate - hints: - allow: - - POST - AddMappingBody: - summary: Update an existing profile mapping by adding one or more properties - value: - properties: - additionalProperties: - fullName: - expression: user.firstName + user.lastName - pushStatus: PUSH - nickName: - expression: user.nickName - pushStatus: PUSH - AddMappingResponse: - summary: Update an existing profile mapping by adding one or more properties - value: - id: prm1k47ghydIQOTBW0g4 - source: - id: otysbePhQ3yqt4cVv0g3 - name: user - type: user - _links: - self: - href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 - target: - id: 0oa1qmn4LZQQEH0wZ0g4 - name: okta_org2org - type: appuser - _links: - self: - href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/submissions/{submissionId}: + parameters: + - $ref: 
'#/components/parameters/pathSubmissionId' + /integrations/api/v1/submissions/{submissionId}/submit: + parameters: + - $ref: '#/components/parameters/pathSubmissionId' + /integrations/api/v1/submissions/{submissionId}/testing: + parameters: + - $ref: '#/components/parameters/pathSubmissionId' + /oauth2/v1/clients/{clientId}/roles: + parameters: + - $ref: '#/components/parameters/pathClientId' + get: + summary: List all Client Role Assignments + description: Lists all roles assigned to a Client Application identified by `clientId` + operationId: listRolesForClient + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponseClient' + Custom Roles: + $ref: '#/components/examples/CustomRolesListResponseClient' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign a Client Role + description: |- + Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a Client Application. + + You can also assign a custom role to a Client Application, but the preferred method to assign a custom role to a client is to create a binding between the Custom Role, the Resource Set, and the Client Application. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). 
+ + > **Notes:** + > * The request payload is different for standard and custom role assignments. + > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. + operationId: assignRoleToClient + requestBody: + required: true + content: + application/json: schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default - properties: - fullName: - expression: user.firstName + user.lastName - pushStatus: PUSH - nickName: - expression: user.nickName - pushStatus: PUSH - _links: - self: - href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 - ApiTokenListMetadataResponse: - value: - - name: My API Token - userId: 00uabcdefg1234567890 - tokenWindow: P30D - id: 00Tabcdefg1234567890 - clientName: Okta API - expiresAt: 2021-12-11T20:38:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z - _links: - self: - href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 - hints: - allow: + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleAssignmentRequest' + Custom Role Assignment: + $ref: '#/components/examples/CustomRoleAssignmentRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleResponseClient' + Custom Role Assignment: + $ref: '#/components/examples/CustomRoleResponseClient' + IAM-based Role Assignment: + $ref: '#/components/examples/IAMStandardRolesListResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: Retrieve a Client Role + description: Retrieves a Role Assignment (identified by `roleAssignmentId`) for a Client Application (identified by `clientId`) + operationId: retrieveClientRole + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleResponseClient' + Custom Role Assignment: + $ref: '#/components/examples/CustomRoleResponseClient' + IAM-based Standard Role Assignment: + $ref: '#/components/examples/IAMStandardRoleResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Client Role + description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a Client Application (identified by `clientId`) + operationId: deleteRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - 
okta.roles.manage + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: List all Client Role Application Targets + description: Lists all OIN app targets for an `APP_ADMIN` Role that's assigned to a client Application (by `clientId`). + operationId: listAppTargetRoleToClient + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + put: + summary: Assign a Client Role Application Target + description: |- + Assigns an OIN app target for an `APP_ADMIN` Role Assignment to a client Application. When you assign an app target from the OIN catalog, you reduce the scope of the Role Assignment. + The Role applies to only app instances that are included in the specified OIN app target. + + An assigned OIN app target overrides any existing app instance targets. 
+ For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances. + operationId: assignAppTargetRoleToClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Client Role Application Target + description: |- + Unassigns an OIN app target for a Role Assignment to a client Application + + > **Note:** You can't remove the last OIN app target from a Role Assignment since operation causes an exception. + > If you need a Role assignment that applies to all apps, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). 
+ operationId: removeAppTargetRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' + put: + summary: Assign a Client Role Application Instance Target + description: |- + Assigns an app instance target to an `APP_ADMIN` Role Assignment to a client Application. When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment. + The Role no longer applies to all app targets, but applies only to the specified target. + + > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. + For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage only specific configurations of the Salesforce app. 
+ operationId: assignAppTargetInstanceRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Client Role Application Instance Target + description: |- + Unassigns an OIN app instance target from a Role Assignment to a client Application + + > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception. + > If you need a Role Assignment that applies to all the apps, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). + operationId: removeAppTargetInstanceRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + get: + summary: List all Client Role Group Targets + description: Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client. If the Role isn't scoped to specific Group targets, an empty array `[]` is returned. 
+ operationId: listGroupTargetRoleForClient + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups/{groupId}: + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGroupId' + put: + summary: Assign a Client Role Group Target + description: Assigns a Group target to a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client Application. When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets, but applies only to the specified target. + operationId: assignGroupTargetRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a Client Role Group Target + description: |- + Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client Application. 
+ + > **Note:** You can't remove the last Group target from a Role Assignment, as it causes an exception. If you need a Role Assignment that applies to all Groups, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). + operationId: removeGroupTargetRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /okta-personal-settings/api/v1/edit-feature: + put: + summary: Replace the Okta Personal admin settings + description: Replaces Okta Personal admin settings in a Workforce org + operationId: replaceOktaPersonalAdminSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OktaPersonalAdminFeatureSettings' + examples: + exampleSettings: + $ref: '#/components/examples/editFeatureExample' + required: true + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.manage + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /okta-personal-settings/api/v1/export-blocklists: + get: + summary: List all blocked email domains + description: Lists all blocked email domains which are excluded from app migration + operationId: 
listPersonalAppsExportBlockList + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PersonalAppsBlockList' + examples: + exampleSettings: + $ref: '#/components/examples/getBlockListExample' + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.read + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the blocked email domains + description: Replaces the list of blocked email domains which are excluded from app migration + operationId: replaceBlockedEmailDomains + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PersonalAppsBlockList' + examples: + exampleSettings: + $ref: '#/components/examples/getBlockListExample' + required: true + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.manage + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /privileged-access/api/v1/accounts/{id}: + parameters: + - $ref: '#/components/parameters/privilegedAccountId' + /privileged-access/api/v1/resources/{id}: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' + /privileged-access/api/v1/resources/{id}/claim: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' + 
/privileged-access/api/v1/resources/{id}/rotate-password: + parameters: + - $ref: '#/components/parameters/privilegedResourceId' + /security/api/v1/security-events: + post: + summary: Publish a Security Event Token + description: Publishes a Security Event Token (SET) sent by a Security Events Provider. After the token is verified, Okta ingests the event and performs any appropriate action. + operationId: publishSecurityEventTokens + x-codegen-request-body-name: Security Event Token + requestBody: + required: true + description: | + The request body is a signed [SET](https://datatracker.ietf.org/doc/html/rfc8417), which is a type of JSON Web Token (JWT). + + For SET JWT header and body descriptions, see [SET JWT header](/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtHeader) and [SET JWT body payload](/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtBody). + content: + application/secevent+jwt: + schema: + type: string + examples: + SET: + value: eyJraWQiOiJzYW1wbGVfa2lkIiwidHlwIjoic2ZXZlbnQra ... mrtmw + responses: + '202': + description: Accepted + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventTokenError' + security: [] + tags: + - SSFSecurityEventToken + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/activate: + post: + summary: Activate a Preregistered WebAuthn Factor + description: Activates a preregistered WebAuthn Factor. As part of this operation, Okta first decrypts and verifies the Factor PIN and enrollment data sent by the fulfillment provider. 
+ operationId: activatePreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Activation Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredResponsesProcessingFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/enroll: + post: + summary: Enroll a Preregistered WebAuthn Factor + description: Enrolls a preregistered WebAuthn Factor. This WebAuthn Factor has a longer challenge timeout period to accommodate the fulfillment request process. As part of this operation, Okta generates EC key-pairs used to encrypt the Factor PIN and enrollment data sent by the fulfillment provider. 
+ operationId: enrollPreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Initialization Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredRequestsGenerationFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/initiate-fulfillment-request: + post: + summary: Generate a Fulfillment Request + description: Generates a fulfillment request by sending a WebAuthn Preregistration event to start the flow. The Okta Workflows WebAuthn preregistration integration uses this to populate the fulfillment request. 
+ operationId: generateFulfillmentRequest + x-codegen-request-body-name: body + requestBody: + description: Fulfillment Request + content: + application/json: + schema: + $ref: '#/components/schemas/FulfillmentRequest' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/send-pin: + post: + summary: Send a PIN to user + description: Sends the decoded PIN for the specified WebAuthn Preregistration Enrollment. PINs are sent to the user's email. To resend the PIN, call this operation again. + operationId: sendPin + x-codegen-request-body-name: body + requestBody: + description: Send PIN Request + content: + application/json: + schema: + $ref: '#/components/schemas/PinRequest' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/users/{userId}/enrollments: + parameters: + - $ref: '#/components/parameters/pathUserId' + get: + summary: List all WebAuthn Preregistration Factors + description: Lists all WebAuthn Preregistration Factors for the specified user + operationId: listWebAuthnPreregistrationFactors + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: 
'#/components/schemas/WebAuthnPreregistrationFactor' + example: + - id: fwf23789dfs9asdf782 + factorType: webauthn + provider: FIDO + vendorName: FIDO + fulfillmentProvider: yubico + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: YubiKey 5C + presetPinAvailable: true + _links: + self: + href: https://example.okta.com/webauthn-registration/api/v1/users/00u15s1KDETTQMQYABRL/enrollments/fwf23789dfs9asdf782 + hints: + allow: + - DELETE + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/authenticatorEnrollmentId' + delete: + summary: Delete a WebAuthn Preregistration Factor + description: Deletes a specific WebAuthn Preregistration Factor for a user + operationId: deleteWebAuthnPreregistrationFactor + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine +x-webhooks: + CreateTelephonyInlineHook: + post: + summary: Create a Telephony Inline Hook + description: |- + Creates an Okta Telephony inline 
hook request. This is an automated request from Okta to your third-party service endpoint. + + The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, + which specify the Okta commands to execute. + + >**Note:** The size of your response payload must be less than 256 KB. + + See also: + * For a general introduction to Okta inline hooks, see [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) + * For information on the API for registering external service endpoints with Okta, see [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) + * For an example implementation of a telephony inline hook, see [Telephony inline hook ](https://developer.okta.com/docs/guides/telephony-inline-hook) + + ### About + + The Okta telephony inline hook allows you to integrate your own custom code into Okta flows that send SMS or voice call messages. You can integrate this hook with enrollment, authentication, and recovery flows that involve the phone authenticator. Okta uses your external provider to deliver the one-time passcode (OTP) to the Requester. The provider can respond with commands that indicate if the delivery was successful or not. + + You can have only one active telephony inline hook per org. + + When you create a telephony inline hook, you must include the `authScheme` parameter. See [Create inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook) and the [authScheme object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook!path=channel/0/config/authScheme&t=request) + + ### Time-out behavior + + If the provider response times out, Okta attempts to send the OTP using the Okta telephony providers. 
See [Troubleshoot](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook/#troubleshoot). + + >**Note:** The failover mechanism that uses the Okta telephony providers is heavily rate-limited. + + ### Troubleshoot + + This section explains several common causes of failure for telephony inline hooks. + + Note: Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the Troubleshooting section in the inline hooks topic for details on events captured by the Okta System Log. + + | Issue | Impact | Error Visibility | + |-------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|-------------------------------------------| + |External service fails to communicate or times out | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only | + |External service responds with any HTTP status code besides `200` | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only | + |External service returns an error object | Inline hook operation fails, OTP is sent to the Requester using an Okta telephony provider | Administrators, developers, and end users | + |Hook response is malformed or can't be mapped to the expected API response | Inline hook operation is skipped | Administrators only | + |Request header doesn't include an `authScheme` | Inline hook operation is skipped | Administrators only | + |Response uses an invalid status | Inline hook operation is skipped | Administrators only | + |Operation adds an active telephony inline hook when a hook exists | Inline hook operation is skipped | Administrators only | + operationId: createTelephonyInlineHook + requestBody: + required: true + 
content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TelephonyRequest' + examples: + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonyPayloadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/TelephonyResponse' + examples: + TelephonySuccessResponse: + $ref: '#/components/examples/TelephonySuccessResponse' + TelephonyFailureResponse: + $ref: '#/components/examples/TelephonyFailureResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + CreatePasswordImportInlineHook: + post: + summary: Create a Password Import Inline Hook + description: |- + Creates a password import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, + and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, + which specify the Okta commands to execute. + + >**Note:** The size of your response payload must be less than 256 KB. + + The password import inline hook allows you to migrate users from another data store where you want the users to retain their current passwords. + Use this hook with the [Create user with password import inline hook flow](/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook) that's described in the [Users API](/openapi/okta-management/management/tag/User/). + + The password import inline hook is triggered when the user tries to sign in to Okta for the first time. Okta sends your external service the password that the user supplied. 
Your external service then needs to send a response to Okta indicating whether the password supplied by the end user is valid. + + If your service returns a response that indicates that the password is valid, Okta sets the password for the user. The password import inline hook won't need to call your service again. + However, if the Okta service is in read-only mode, it might not be possible to set the password. Okta then needs to call your service again the next time the user attempts to sign in. + See [Password inline hook and Okta read-only mode](#password-inline-hook-and-okta-read-only-mode) and [Removing password from existing user store](#password-removal-from-an-existing-user-store). + + >**Notes:** + > * Password policies don't apply to the password import inline hook. That is, if your external service validates the password, the password is imported even if it doesn't meet the Okta password policy requirements. + > * You can create only one password import inline hook per org. + + See also: + + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + * [Password import inline hook](https://developer.okta.com/docs/guides/password-import-inline-hook/nodejs/main/) for an example implementation of this inline hook + + ### Enable a password import inline hook + + To enable a password import inline hook, you first need to register your external service endpoint with Okta and configure it as an inline hook of type `com.okta.user.credential.password.import`. 
+ You can enable the hook using the Admin Console, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) or through the [Inline Hooks management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/). + When creating a user with the Users API, you need to use the [Create User with password import inline hook](/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook) use case. + This involves specifying a `credentials.password.hook` property in the request body. + + When the user that you have added attempts to sign in to Okta for the first time, the hook is triggered and Okta calls your external service. The call sends the credentials that the end user provided. Your service can check + the credentials and respond with a command to indicate whether the credentials are valid or not. + + ### Password inline hook and Okta read-only mode + + If your external service responds to Okta indicating that the credentials are valid, Okta saves the password and can authenticate the user independently from then on. However, if your Okta org is in a special [read-only mode](https://support.okta.com/help/s/article/What-is-Oktas-Readonly-Mode) + at the time the user signs in, then saving the password might not be possible. The next time the end user attempts to sign in, the password import inline hook needs to be called again. + + ### Password removal from an existing user store + + Because of the possibility of your org being in a special service mode, you shouldn't attempt to permanently delete user passwords from your existing user store until you can verify the success of the password import . An Okta System Log Event, `user.import.password`, is available for this purpose. An event of this type is created every time a password import inline hook is fired, with its `Event.Outcome` property providing a status of `FAILURE` or `SUCCESS` for the password import operation. 
+ If the status is `SUCCESS`, Okta has successfully saved the end user's password, and it's safe to delete it from your previous user store. + + You can configure an [Event hook](https://developer.okta.com/docs/concepts/event-hooks/) to send this event type to you for use when triggering automated cleanup of end-user + passwords after successful migration. + operationId: createPasswordImportInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/PasswordImportRequest' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportPayloadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/PasswordImportResponse' + examples: + PasswordImportVerifiedResponse: + $ref: '#/components/examples/PasswordImportVerifiedResponse' + PasswordImportUnVerifiedResponse: + $ref: '#/components/examples/PasswordImportUnVerifiedResponse' + '204': + description: No content - Unverified user response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-registration-hook: + post: + summary: Create a Registration Inline Hook + description: |- + Creates a registration inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, + and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, + which specify the Okta commands to execute. 
+ + The Okta registration inline hook allows you to integrate your own custom code into Okta's [Profile Enrollment](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-profile-enrollment) flow. The hook is triggered after Okta receives the registration or profile update request. Your custom code can: + - Allow or deny the registration attempt, based on your own validation of the information the user has submitted + - Set or override the values that are populated in attributes of the user's Okta profile + > **Note:** Profile Enrollment and self-service registration (SSR) inline hooks only work with the [Okta Sign-In Widget](https://developer.okta.com/code/javascript/okta_sign-in_widget/) version 4.5 or later. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + * [Registration inline hook](https://developer.okta.com/docs/guides/registration-inline-hook) for an example implementation of this inline hook + operationId: create-registration-hook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + examples: + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentRequest' + ProgressiveProfileRequest: + $ref: '#/components/examples/ProgressiveProfileRequest' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/RegistrationResponse' + examples: + ProfileEnrollmentResponse: + $ref: '#/components/examples/ProfileEnrollmentResponse' + 
ProgressiveProfileResponse: + $ref: '#/components/examples/ProgressiveProfileResponse' + ProfileEnrollmentResponseDeny: + $ref: '#/components/examples/ProfileEnrollmentResponseDeny' + ProgressiveProfileResponseDeny: + $ref: '#/components/examples/ProgressiveProfileResponseDeny' + '204': + description: No content - Allow registration to proceed without any update. + tags: + - InlineHook + security: + - apiToken: [] + - oauth2: [] + x-okta-no-scope-required: true + CreateUserImportInlineHook: + post: + summary: Create a User Import Inline Hook + description: |- + Creates a user import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. + This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include + in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. + + The user import inline hook enables you to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in user name or other profile attributes, + modify values of profile attributes, and control whether the imported user is treated as a match for an existing user or not. The hook is invoked for each user being imported, + at the point immediately after any applicable profile attribute mappings have been applied, and any potential matches with existing users have been found, but before the Okta user profile is created. + + >**Note:** If the external service times out after receiving an Okta request, the Okta process flow continues and the user is created. 
+ + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console + + >**Note:** The procedure for associating a user import inline hook with an app using the Admin Console can't be used with AD or LDAP. + operationId: createUserImportInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/UserImportRequest' + examples: + UserImportPayloadExample: + $ref: '#/components/examples/UserImportPayloadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/UserImportResponse' + examples: + UserImportChangeAppUserProfileExample: + $ref: '#/components/examples/UserImportChangeAppUserProfileExample' + UserImportChangeUserProfileExample: + $ref: '#/components/examples/UserImportChangeUserProfileExample' + UserImportCreateANewUserExample: + $ref: '#/components/examples/UserImportCreateANewUserExample' + UserImportMatchExample: + $ref: '#/components/examples/UserImportMatchExample' + UserImportErrorExample: + $ref: '#/components/examples/UserImportErrorExample' + '204': + description: No content - Use the default action + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-saml-hook: + post: + summary: Create a SAML Assertion Inline Hook + description: |- + Creates a SAML Assertion inline hook request, one type of inline hook supported by Okta. 
This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. + + This type of inline hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that will consume it, Okta calls out to your external service. Your external service can respond with commands to add attributes to the assertion or to modify its existing attributes. + + You can use this functionality to add data to assertions, which might be data that is sensitive, calculated at runtime, or complexly-structured and not appropriate for storing in Okta user profiles. Data added this way is never logged or stored by Okta. As an example, SAML assertions generated for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta. + + This inline hook works only when using custom SAML apps, not apps from the OIN. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * For a use case example of how to implement a SAML assertion inline hook, see [SAML assertion inline hook](https://developer.okta.com/docs/guides/saml-inline-hook) + * For steps to enable this inline hook, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook). 
+ + ### Specify location within the assertion + + Specify the location within the assertion where you want to apply your operation using a slash-delimited path, which follows JSON Patch conventions. + + When you perform an `add` op to add a new attribute statement, begin with `/claims/` and follow that with the name of the new attribute that you're adding. + + When you modify an existing assertions statement, begin the path with `/subject/`, `/authentication/`, `/conditions/`, or `/claims/`, depending on which part of the assertion you want to modify. You then look deeper within the child elements using slash-delimited element names, for example, `/claims/array/attributeValues/1/value`. (The `/1/` in the path indicates the index of the array, using zero-based indexing.) + + ### URI claims + + Okta supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, encode the claim name within the command per the [JavaScript Object Notation (JSON) Pointer](https://tools.ietf.org/html/rfc6901) specification. Specifically, this replaces `~` with `~0` and `/` with `~1`. + + ### SessionNotOnOrAfter support + + In some scenarios, your service provider may require the `SessionNotOnOrAfter` attribute for the `<saml:AuthnStatement>` in the SAML assertion, which sets the provider session time correctly. Use `add` op with the path `/authentication/sessionLifetime` and a value for session lifetime in seconds to add this attribute. Okta calculates `SessionNotOnOrAfter` by adding the `/authentication/sessionLifetime` value to the `issueInstant` attribute and returns it in the SAML `data.assertion. 
+ operationId: createSAMLAssertionInlineHook + requestBody: + required: true + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/SAMLPayLoad' + examples: + SAMLPayloadExample: + $ref: '#/components/examples/SAMLPayLoadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/SAMLHookResponse' + examples: + SAMLHookResponseExample: + $ref: '#/components/examples/SAMLHookResponseExample' + SAMLHookResponseWithURIFormat: + $ref: '#/components/examples/SAMLHookResponseWithURIFormat' + '204': + description: No content - Use the default action + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook + create-token-hook: + post: + summary: Create a Token inline hook + description: |- + Creates a Token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. + + This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims. + + Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta. 
+ + In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid. + + This inline hook works only when using an [Okta custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/#create-an-authorization-server), not the built-in Okta org authorization server. + + See also: + * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks + * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta + * For an example implementation of this inline hook, see [Token inline hook](https://developer.okta.com/docs/guides/token-inline-hook) + + ### Timeout behavior + After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned. + + ### Enabling a token inline hook + To activate the inline hook, you first need to register your external service endpoint with Okta using the [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook). + You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps: + 1. Go to **Security** > **API** > **Authorization Servers.** + 2. Select a custom authorization server from the list. + 3. Select **Access Policies** and select a policy to use with the hook. In most cases, pick the Default Policy. + 4. One of the policy's rules needs to trigger the inline hook. Click the pencil icon for a rule to edit it. If you only have one rule, edit the Default Policy Rule. + 5. Click the **Use this Inline Hook** dropdown menu. Any inline hooks that you have registered are listed. Select the hook that you would like to use. + 6. Click **Update Rule**. 
+ + > **Note:** You can associate only one inline hook with each rule. + + ### Troubleshoot + This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails. + > **Note:** Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the [Troubleshooting](https://developer.okta.com/docs/concepts/inline-hooks/#troubleshooting) section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures. + - When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + - When the external service returns a response with any other HTTP status code besides `200`, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + - When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated. + + **Who can see this error?** Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client. + > **Note:** See the [error](https://developer.okta.com/docs/reference/token-hook/#error) section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token. 
+ + - When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook. + + **Who can see this error?** Administrators + + The following actions result in an error: + - Using an invalid command. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`. + - Using an invalid operation + - Attempting to remove a system-specific claim + - Attempting to update a claim that doesn't exist + - Attempting to update an element within an array that doesn't exist or specifying an invalid index + - Attempting to remove a claim that doesn't exist + operationId: createTokenInlineHook + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/TokenRequest' + examples: + TokenPayLoadExample: + $ref: '#/components/examples/TokenPayLoadExample' + responses: + '200': + description: Successful response + content: + application/json: + schema: + $ref: '#/components/schemas/TokenHookResponse' + examples: + TokenHookResponse: + $ref: '#/components/examples/TokenHookResponse' + TokenHookResponseWithURIFormat: + $ref: '#/components/examples/TokenHookResponseWithURIFormat' + TokenHookResponseAppendArray: + $ref: '#/components/examples/TokenHookResponseAppendArray' + TokenHookReplaceExisting: + $ref: '#/components/examples/TokenHookReplaceExisting' + TokenHookReplaceInPath: + $ref: '#/components/examples/TokenHookReplaceInPath' + TokenHookModifyLifetime: + $ref: '#/components/examples/TokenHookModifyLifetime' + TokenHookRemoveClaim: + $ref: '#/components/examples/TokenHookRemoveClaim' + TokenHookRemoveFromArray: + $ref: '#/components/examples/TokenHookRemoveFromArray' + TokenHookRemoveFromObject: + $ref: '#/components/examples/TokenHookRemoveFromObject' + TokenHookErrorExample: + $ref: '#/components/examples/TokenHookErrorExample' + '204': + 
description: No content - Unverified user response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + security: + - apiToken: [] + - oauth2: [] + tags: + - InlineHook +components: + examples: + APIDevicesListAllResponse: + summary: List all devices with embedded users + value: + - id: guo4a5u7YAHhjXrMK0g4 + status: CREATED + created: '2019-10-02T18:03:07.000Z' + lastUpdated: '2019-10-02T18:03:07.000Z' + profile: + displayName: Example Device name 1 + platform: WINDOWS + serialNumber: XXDDRFCFRGF3M8MD6D + sid: S-1-11-111 + registered: true + secureHardwarePresent: false + diskEncryptionType: ALL_INTERNAL_VOLUMES + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 1 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g4 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users + hints: + allow: + - GET + _embedded: + users: [] + - id: guo4a5u7YAHhjXrMK0g5 + status: ACTIVE + created: '2023-06-21T23:24:02.000Z' + lastUpdated: '2023-06-21T23:24:02.000Z' + profile: + displayName: Example Device name 2 + platform: ANDROID + manufacturer: Google + model: Pixel 6 + osVersion: 13:2023-05-05 + registered: true + secureHardwarePresent: true + diskEncryptionType: USER + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 2 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g5 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: 
https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users + hints: + allow: + - GET + _embedded: + users: + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + status: ACTIVE + created: '2020-08-12T06:46:50.000Z' + activated: '2020-08-12T06:46:50.000Z' + statusChanged: '2021-01-27T21:05:32.000Z' + lastLogin: '2021-10-14T09:04:48.000Z' + lastUpdated: '2021-01-27T21:05:32.000Z' + passwordChanged: '2020-08-12T06:46:50.000Z' + type: + id: oty7ut9Uu76oHVUZc0w4 + profile: + firstName: fname + lastName: lname + mobilePhone: null + secondEmail: null + login: email@email.com + email: email@email.com + credentials: + password: {} + recovery_question: + question: What is the food you least liked as a child? + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc7ut9Uu76oHVUZc0w4 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password + method: POST + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/oty7ut9Uu76oHVUZc0w4 + changePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate + APIDevicesListAllUserSummaryResponse: + summary: List all 
devices with embedded user summaries + value: + - id: guo4a5u7YAHhjXrMK0g4 + status: CREATED + created: '2019-10-02T18:03:07.000Z' + lastUpdated: '2019-10-02T18:03:07.000Z' + profile: + displayName: Example Device name 1 + platform: WINDOWS + serialNumber: XXDDRFCFRGF3M8MD6D + sid: S-1-11-111 + registered: true + secureHardwarePresent: false + diskEncryptionType: ALL_INTERNAL_VOLUMES + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 1 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g4 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users + hints: + allow: + - GET + _embedded: + users: [] + - id: guo4a5u7YAHhjXrMK0g5 + status: ACTIVE + created: '2023-06-21T23:24:02.000Z' + lastUpdated: '2023-06-21T23:24:02.000Z' + profile: + displayName: Example Device name 2 + platform: ANDROID + manufacturer: Google + model: Pixel 6 + osVersion: 13:2023-05-05 + registered: true + secureHardwarePresent: true + diskEncryptionType: USER + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 2 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g5 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users + hints: + allow: + - GET + _embedded: + users: + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + realmId: 00u17vh0q8ov8IU8T0g5 + 
profile: + firstName: fname + lastName: lname + login: email@email.com + email: email@email.com + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + APIDevicesListAllUsersResponse: + summary: Response example + value: + - created: '2021-08-20T17:13:35.000Z' + managementStatus: NOT_MANAGED + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + status: ACTIVE + created: '2021-08-20T16:08:25.000Z' + activated: null + statusChanged: '2021-08-20T16:39:41.000Z' + lastLogin: '2023-04-18T17:54:12.000Z' + lastUpdated: '2021-12-20T18:27:30.000Z' + passwordChanged: '2021-12-20T18:27:30.000Z' + type: + id: oty17vh0n2EHVnbYF1d7 + profile: + firstName: Bunk + lastName: Moreland + mobilePhone: null + secondEmail: null + login: bunk.moreland@example.com + email: bunk.moreland@example.com + credentials: + password: null + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password + method: POST + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + resetFactors: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors + method: POST + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7 + changePassword: + href: 
https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate + method: POST + APIPushProvidersListAllResponse: + value: + - id: ppchvbeucdTgqeiGxR0g4 + providerType: APNS + name: Example Push Provider 1 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + keyId: ABC123DEFG + teamId: DEF123GHIJ + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + - id: ppctekcmngGaqeiBxB0g4 + providerType: FCM + name: Example Push Provider 2 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.json + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + APIServiceIntegrationInstanceSecretListResponse: + summary: Secrets list response example + value: + - id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: '***MQGQ' + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - 
POST + APIServiceIntegrationListResponse: + summary: List response example + value: + - id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + APIServiceIntegrationResponse: + summary: Response example + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + ActivateFactorCallResponse: + summary: call + value: + id: clf1o51EADOTFXHHBXBP + factorType: call + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-06T16:56:31.000Z' + lastUpdated: '2014-08-06T16:56:31.000Z' + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP + hints: + 
allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorEmailResponse: + summary: email + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: ACTIVE + profile: + email: changed@clouditude.net + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + ActivateFactorPushResponse: + summary: push + value: + id: opf3hkfocI4JTLAju0g4 + factorType: push + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2015-03-16T18:01:28.000Z' + lastUpdated: '2015-08-27T14:25:17.000Z' + profile: + credentialId: dade.murphy@example.com + deviceType: SmartPhone_IPhone + name: Gibson + platform: IOS + version: '9.0' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorSmsResponse: + summary: sms + value: + id: sms1o51EADOTFXHHBXBP + factorType: sms + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-06T16:56:31.000Z' + lastUpdated: '2014-08-06T16:56:31.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP/verify + hints: + allow: + - POST + self: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorTotpResponse: + summary: token:software:totp + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-08-06T00:31:07.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorU2fRequest: + summary: u2f + value: + registrationData: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + ActivateFactorU2fResponse: + summary: u2f + value: + id: fuf2rovRxogXJ0nDy0g4 + factorType: u2f + provider: FIDO + vendorName: FIDO + status: ACTIVE 
+ created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: WVO-QyHEi0eWmTNqESqJynDtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + version: U2F_V2 + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorWebauthnRequest: + summary: webAuthn + value: + attestation: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== + clientData: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0= + ActivateFactorWebauthnResponse: + summary: webAuthn + value: + id: fwf2rovRxogXJ0nDy0g4 + factorType: webauthn + provider: FIDO + vendorName: FIDO + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + user: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateIdPResponse: + summary: Activate an Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-25T19:14:23.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + ActivateNetworkZone: + summary: Activated Network Zone + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - 
POST + ActiveAuthorizationServerKey: + summary: Active Authorization Server Key + value: + status: ACTIVE + alg: RS256 + e: AQAB + 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET + AddMappingBody: + summary: Update an existing profile mapping by adding one or more properties + value: + properties: + additionalProperties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.nickName + pushStatus: PUSH + AddMappingResponse: + summary: Update an existing profile mapping by adding one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.nickName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + AdminConsoleSettingsExample: + summary: Default Okta Admin Console Settings + 
value: + sessionMaxLifetimeMinutes: 720 + sessionIdleTimeoutMinutes: 15 + AerialConsentDetails: + description: Example response of consent details + value: + accountId: 0200bs0617vvhv2v675mch1cukp + grantDate: '2023-04-06T21:32:33.000Z' + grantedBy: 00uabcdefg1234567890 + AerialConsentInvalidAccountIdResponse: + description: Aerial account ID is invalid + value: + errorCode: E0000001 + errorSummary: 'API validation failed: account' + errorLink: E0000001 + errorId: oaewjePjfdBT7m71KkPz0Ipaw + errorCauses: + - errorSummary: Invalid aerial account ID. + AerialConsentOrgAlreadyLinkedResponse: + description: The revoke operation isn't possible when the org is already linked + value: + errorCode: E0000001 + errorSummary: 'API validation failed: account' + errorLink: E0000001 + errorId: oae_wheRkaxRT-EFAXwBmBKLg + errorCauses: + - errorSummary: The org is already linked to an Account. + AerialGrantAlreadyPresentErrorResponse: + description: Grant is already present + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: account' + errorLink: E0000001 + errorId: oaewjePjfdBT7m71KkPz0Ipaw + errorCauses: + - errorSummary: The org already has a consent grant added to Aerial. 
+ AerialGrantNotFoundResponse: + description: No grant found for org + value: + errorCode: E0000007 + errorSummary: 'Not found: Resource not found: grant (String)' + errorLink: E0000007 + errorId: sampleFYH_dTSSTdpPYIAdHJw + errorCauses: [] + AllAssignmentsOperationResponse: + value: + id: rre4mje4ez7B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + assignmentOperation: + configuration: + id: ALL + name: All Assignments + numUserMoved: 50 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7 + method: GET + ApiTokenListMetadataResponse: + value: + - name: My API Token + userId: 00uabcdefg1234567890 + tokenWindow: P30D + network: + connection: ANYWHERE + id: 00Tabcdefg1234567890 + clientName: Okta API + expiresAt: '2021-12-11T20:38:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + hints: + allow: + - GET + - name: Another API Token + userId: 00uabcdefg1234567890 + tokenWindow: PT5M + id: 00T1234567890abcdefg + clientName: Okta API + expiresAt: '2021-11-11T20:43:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + hints: + allow: + - GET + ApiTokenMetadataResponse: + value: + name: My API Token + userId: 00uXXXXXXXXXXXXXXXXX + tokenWindow: P30D + network: + connection: ANYWHERE + id: 00Tabcdefg1234567890 + clientName: Okta API + expiresAt: '2021-12-11T20:38:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: 
'2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX + hints: + allow: + - GET + AppCsrJsonResponse: + summary: CSR object in JSON format + value: + id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: 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 + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + AppCsrPkcs10Response: + summary: CSR in DER format + value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 + AppFeatureListResponseEx: + summary: List app Feature response + value: + - name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: DISABLED + update: + profile: + status: DISABLED + lifecycleDeactivate: + status: DISABLED + password: + status: DISABLED + seed: RANDOM + change: KEEP_EXISTING + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + AppFeatureResponseEx: + summary: App Feature response + value: + name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: DISABLED + update: + profile: + status: DISABLED + lifecycleDeactivate: + 
status: DISABLED + password: + status: DISABLED + seed: RANDOM + change: KEEP_EXISTING + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + AppGrantsEx: + summary: App Grants example + value: + id: oag91n9ruw3dsaXzP0h6 + status: ACTIVE + created: '2023-02-21T16:54:00.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-21T16:54:00.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.users.read + source: ADMIN + _embedded: + scope: + id: okta.users.read + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + AppGrantsPostEx: + summary: App Grants example + value: + issuer: '{yourOktaDomain}' + scopeId: okta.users.read + AppResponseBaseEx: + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + AppUserAssignProvRequest: + summary: SSO and provisioning 
Application User request example + value: + id: 00u15s1KDETTQMQYABRL + scope: USER + credentials: + username: saml.jackson@example.com + profile: + salesforceGroups: + - Employee + role: Developer + profile: Standard User + AppUserAssignSSORequest: + summary: SSO Application User request example + value: + id: 00ud4tVDDXYVKPXKVLCO + scope: USER + credentials: + username: rae.cloud@example.com + AppUserCredUpdateResponse: + summary: Application User credential update + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: '2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T05:15:30.000Z' + scope: USER + status: ACTIVE + statusChanged: '2024-01-27T03:52:45.000Z' + passwordChanged: '2024-01-27T05:15:30.000Z' + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + password: {} + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: null + locale: en_US + picture: null + name: Rae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud + email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + AppUserListEx: + summary: List Application User example + value: + - id: 00u1dnq5S0CfjlkpABCD + externalId: 00u5edt3PNbbjzvIABCD + created: '2024-01-31T18:25:01.000Z' + lastUpdated: '2024-01-31T18:25:03.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2024-01-31T18:25:03.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2024-01-31T18:25:03.000Z' + credentials: + userName: saml.test@example.com + profile: + secondEmail: null + lastName: Test + mobilePhone: null + displayName: Saml O Test + email: saml.test@example.com + salesforceGroups: [] + role: Tester + firstName: Saml + streetAddress: null + profile: 
Standard Platform User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL + user: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + _embedded: + user: + id: 00u1dnq5S0CfjlkpABCD + status: ACTIVE + created: '2024-01-09T15:36:04.000Z' + activated: '2024-01-09T15:36:05.000Z' + statusChanged: '2024-01-09T15:36:05.000Z' + lastLogin: null + lastUpdated: '2024-01-09T15:36:05.000Z' + passwordChanged: '2024-01-09T15:36:05.000Z' + type: + id: otyzhh29g7Python90g3 + profile: + firstName: Saml + lastName: Test + mobilePhone: null + secondEmail: null + login: saml.test@example.com + email: saml.test@example.com + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3 + changePassword: + href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate + method: POST + AppUserProfUpdateResponse: + summary: Application User profile update + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: '2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T05:05:32.000Z' + scope: USER + status: ACTIVE + statusChanged: 
'2024-01-27T03:52:45.000Z' + passwordChanged: null + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: Mae + locale: en_US + picture: null + name: Rae Mae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud + email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + AppUserProvExpandResponse: + summary: Application User expand example + value: + id: 00u1dnq5S0CfjlkpABCD + externalId: 00u5edt3PNbbjzvIABCD + created: '2024-01-31T18:25:01.000Z' + lastUpdated: '2024-01-31T18:25:03.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2024-01-31T18:25:03.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2024-01-31T18:25:03.000Z' + credentials: + userName: saml.test@example.com + profile: + secondEmail: null + lastName: Test + mobilePhone: null + displayName: Saml O Test + email: saml.test@example.com + salesforceGroups: [] + role: Tester + firstName: Saml + streetAddress: null + profile: Standard Platform User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL + user: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + _embedded: + user: + id: 00u1dnq5S0CfjlkpABCD + status: ACTIVE + created: '2024-01-09T15:36:04.000Z' + activated: '2024-01-09T15:36:05.000Z' + statusChanged: '2024-01-09T15:36:05.000Z' + lastLogin: null + lastUpdated: '2024-01-09T15:36:05.000Z' + passwordChanged: '2024-01-09T15:36:05.000Z' + type: + id: otyzhh29g7Python90g3 + profile: + firstName: Saml + lastName: Test + mobilePhone: null + secondEmail: null + login: saml.test@example.com + email: saml.test@example.com + credentials: + 
password: {} + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3 + changePassword: + href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate + method: POST + AppUserProvResponse: + summary: SSO and provisioning Application User response example + value: + id: 00u15s1KDETTQMQYABRL + externalId: 005o0000000ogQ9AAI + created: '2014-08-16T02:35:14.000Z' + lastUpdated: '2014-08-16T02:56:49.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2014-08-16T02:56:49.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2014-08-16T02:56:49.000Z' + credentials: + userName: saml.jackson@example.com + profile: + secondEmail: null + lastName: Jackson + mobilePhone: null + email: saml.jackson@example.com + salesforceGroups: + - Employee + role: Developer + firstName: Saml + profile: Standard User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + AppUserSSOResponse: + summary: SSO Application User response example + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: 
'2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T03:52:45.000Z' + scope: USER + status: ACTIVE + statusChanged: '2024-01-27T03:52:45.000Z' + passwordChanged: null + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: null + locale: en_US + picture: null + name: Rae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud + email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + AppUserSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + externalName: twitterUserName + description: User's username for twitter.com + type: string + required: false + minLength: 1 + maxLength: 20 + required: [] + AppUserSchemaResponse: + value: + id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default + $schema: http://json-schema.org/draft-04/schema# + name: Example App + title: Example App User + lastUpdated: '2017-07-18T23:18:43.000Z' + created: '2017-07-18T22:35:30.000Z' + definitions: + base: + id: '#base' + type: object + properties: + userName: + title: Username + type: string + required: true + scope: NONE + maxLength: 100 + required: + - userName + custom: + id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + externalName: twitterUserName + description: User's username for twitter.com + type: string + scope: NONE + minLength: 1 + maxLength: 20 + required: [] + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + AppUserUpdateCredRequest: + summary: Application User credentials 
update + value: + credentials: + userName: rae.cloud@example.com + password: + value: updatedP@55word + AppUserUpdateProfileRequest: + summary: Application User profile update + value: + profile: + name: Rae Mae Cloud + middle_name: Mae + AppleIdPResponse: + summary: Apple Identity Provider + value: + id: 0oa18hsHsG3boVejU0g4 + type: APPLE + issuerMode: ORG_URL + name: Apple Identity Provider + status: ACTIVE + created: '2020-06-05T20:57:51.000Z' + lastUpdated: '2020-06-05T20:57:51.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://appleid.apple.com/auth/authorize + binding: HTTP-REDIRECT + token: + url: https://appleid.apple.com/auth/token + binding: HTTP-POST + scopes: + - openid + - email + - name + credentials: + client: + client_id: your-client-id + signing: + teamId: test team ID + privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + kid: test key ID + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa18hsHsG3boVejU0g4&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri=${redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + AssignGroupOwnerRequest: + summary: Assign a group owner request example + value: + id: 00u1cmc03xjzePoWD0h8 + type: USER + AssignGroupOwnerResponse: + summary: Assign a group owner response example + value: + id: 00u1cmc03xjzePoWD0h8 + type: USER + resolved: true + originId: null + originType: OKTA_DIRECTORY + displayName: 
Oliver Putnam + lastUpdated: Wed Mar 29 18:34:31 UTC 2023 + AuthenticatorMethodInactiveVoice: + value: + type: voice + status: INACTIVE + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice + hints: + allow: + - GET + - PUT + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate + hints: + allow: + - POST + AuthenticatorMethodPhone: + value: + - type: sms + status: ACTIVE + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms + hints: + allow: + - GET + - PUT + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate + hints: + allow: + - POST + - type: voice + status: INACTIVE + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice + hints: + allow: + - GET + - PUT + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate + hints: + allow: + - POST + AuthenticatorMethodSms: + value: + type: sms + status: ACTIVE + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms + hints: + allow: + - GET + - PUT + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate + hints: + allow": + - POST + AuthenticatorMethodWebauth: + value: + type: webauthn + status: ACTIVE + settings: + userVerification: DISCOURAGED + attachment: ANY + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/webauthn + hints: + allow: + - GET + - PUT + AuthenticatorRequestDuo: + value: + key: duo + name: Duo Security + provider: + type: DUO + configuration: + userNameTemplate: + template: oktaId + integrationKey: testIntegrationKey + secretKey: testSecretKey + host: 
https://api-xxxxxxxx.duosecurity.com + AuthenticatorResponseDuo: + value: + type: app + id: aut9gnvcjUHIWb37J0g4 + key: duo + status: ACTIVE + name: Duo Security + created: '2022-07-15T21:14:02.000Z' + lastUpdated: '2022-07-15T21:14:02.000Z' + settings: {} + provider: + type: DUO + configuration: + host: https://api-xxxxxxxx.duosecurity.com + userNameTemplate: + template: oktaId + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4 + hints: + allow: + - GET + - PUT + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate + hints: + allow: + - POST + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods + hints: + allow: + - GET + AuthenticatorResponseEmail: + value: + type: email + id: aut1nbsPHh7jNjjyP0g4 + key: okta_email + status: ACTIVE + name: Email + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + settings: + allowedFor: any + tokenLifetimeInMinutes: 5 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponseInactiveWebAuthn: + value: + type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: INACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: 
https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponsePassword: + value: + type: password + id: aut1nbtrJKKA9m45a0g4 + key: okta_password + status: ACTIVE + name: Password + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + hints: + allow: + - GET + AuthenticatorResponsePhone: + value: + type: phone + id: aut1nbuyD8m1ckAYc0g4 + key: phone_number + status: INACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + settings: + allowedFor: none + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + hints: + allow: + - GET + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate + hints: + allow: + - POST + AuthenticatorResponseSecurityQuestion: + summary: Security Question + value: + type: security_question + id: aut1nbvIgEenhwE6c0g4 + key: security_question + status: ACTIVE + name: Security Question + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4 + hints: + allow: + - GET + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponseWebAuthn: + value: + type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: ACTIVE + 
name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorsResponse: + summary: Org Authenticators + value: + - type: email + id: aut1nbsPHh7jNjjyP0g4 + key: okta_email + status: ACTIVE + name: Email + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + settings: + allowedFor: any + tokenLifetimeInMinutes: 5 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + hints: + allow: + - POST + - type: password + id: aut1nbtrJKKA9m45a0g4 + key: okta_password + status: ACTIVE + name: Password + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + hints: + allow: + - GET + - type: phone + id: aut1nbuyD8m1ckAYc0g4 + key: phone_number + status: INACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + settings: + allowedFor: none + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 + hints: + allow: + - GET + - PUT + methods: + href: 
https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + hints: + allow: + - GET + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate + hints: + allow: + - POST + - type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: ACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthorizationServerPolicy: + summary: Authorization Server Policy + value: + type: OAUTH_AUTHORIZATION_POLICY + id: 00palyaappA22DPkj0h7 + status: ACTIVE + name: Vendor2 Policy + description: Vendor2 policy description + priority: 1 + system: false + conditions: + clients: + include: + - ALL_CLIENTS + created: '2017-05-26T19:43:53.000Z' + lastUpdated: '2017-06-07T15:28:17.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate + hints: + allow: + - POST + rules: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules + hints: + allow: + - GET + AuthorizationServerPolicyRule: + summary: Authorization Server Policy Rule + value: + type: RESOURCE_ACCESS + id: 0prbsjfyl01zfSZ9K0h7 + status: ACTIVE + name: Default Policy Rule + priority: 1 + created: '2017-08-25T16:57:02.000Z' + lastUpdated: '2017-08-30T14:51:05.000Z' + system: 
false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: + - EVERYONE + exclude: [] + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate + hints: + allow: + - POST + AutoLoginAppResponseEx: + summary: AUTO_LOGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + customswaapp_link: true + name: customswaapp + label: Custom SWA App + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + 
userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + signOn: + redirectUrl: http://swasecondaryredirecturl.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginEx: + summary: AUTO_LOGIN + value: + label: Custom SWA App + signOnMode: AUTO_LOGIN + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + settings: + signOn: + redirectUrl: http://swasecondaryredirecturl.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginPutEx: + summary: AUTO_LOGIN + value: + label: Custom SWA App updated + status: ACTIVE + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: ADMIN_SETS_CREDENTIALS + userNameTemplate: + template: ${source.email} + type: BUILT_IN + settings: + signOn: + redirectUrl: http://swasecondaryredirecturlupdated.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + AutoLoginPutResponseEx: + summary: AUTO_LOGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: 
http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + customswaapp_link: true + name: customswaapp + label: Custom SWA App updated + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: ADMIN_SETS_CREDENTIALS + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + signOn: + redirectUrl: http://swasecondaryredirecturlupdated.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + BaseSignOnModeEx: + value: + status: ACTIVE + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + features: [] + BasicAuthEx: + summary: BASIC_AUTH + value: + name: template_basic_auth + label: Sample Basic Auth App + signOnMode: BASIC_AUTH + settings: + app: + url: https://example.com/login.html + authURL: https://example.com/auth.html + BasicAuthPutEx: + summary: BASIC_AUTH + value: + label: Sample Basic Auth App updated + signOnMode: BASIC_AUTH + settings: + app: + url: https://example.com/loginUpdated.html + authURL: https://example.com/auth.html + BasicAuthPutResponseEx: + summary: BASIC_AUTH + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: 
http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_basic_auth + label: Sample Basic Auth App updated + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + url: https://example.com/loginUpdated.html + authURL: https://example.com/auth.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BasicAuthResponseEx: + summary: BASIC_AUTH + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: 
http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_basic_auth + label: Sample Basic Auth App + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + url: https://example.com/login.html + authURL: https://example.com/auth.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BehaviorRuleRequest: + value: + name: My Behavior Rule + type: VELOCITY + BehaviorRuleResponse: + value: + id: abcd1234 + name: My Behavior Rule + type: VELOCITY + settings: + velocityKph: 805 + status: ACTIVE + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _link: + self: + href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234 + hints: + allow: + - GET + - POST + - PUT + - DELETE + BookmarkAppResponseEx: + summary: BOOKMARK + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: bookmark + label: Sample Bookmark App + features: [] + signOnMode: BOOKMARK + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: {} + settings: + app: + requestIntegration: false + url: https://example.com/bookmark.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BookmarkEx: + summary: BOOKMARK + value: + name: bookmark + label: Sample Bookmark App + signOnMode: BOOKMARK + settings: + app: + url: https://example.com/bookmark.html + BookmarkPutEx: + summary: BOOKMARK + value: + name: bookmark + label: Sample Bookmark App updated + signOnMode: BOOKMARK + settings: + app: + requestIntegration: true + url: https://example.com/bookmark.html + BookmarkPutResponseEx: + summary: BOOKMARK + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: 
http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: bookmark + label: Sample Bookmark App updated + features: [] + signOnMode: BOOKMARK + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: {} + settings: + app: + requestIntegration: true + url: https://example.com/bookmark.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginEx: + summary: BROWSER_PLUGIN + value: + name: template_swa + label: Sample Plugin App + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + BrowserPluginPutEx: + summary: BROWSER_PLUGIN + value: + name: template_swa + label: Sample Plugin App updated + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example_updated.com/login.html + BrowserPluginPutResponseEx: + summary: BROWSER_PLUGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + 
href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa + label: Sample Plugin App updated + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + usernameField: txtbox-username + buttonField: btn-login + passwordField: txtbox-password + url: https://example_updated.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginResponseEx: + summary: BROWSER_PLUGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa + label: Sample Plugin App + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + usernameField: txtbox-username + buttonField: btn-login + passwordField: txtbox-password + url: https://example.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginSwa3FieldEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + name: template_swa3field + label: Sample Plugin App + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonSelector: '#btn-login' + passwordSelector: '#txtbox-password' + userNameSelector: '#txtbox-username' + targetURL: https://example.com/login.html + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + BrowserPluginSwa3FieldPutEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + name: template_swa3field + label: Sample Plugin App updated + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonSelector: '#btn-login' + passwordSelector: '#txtbox-password' + userNameSelector: '#txtbox-username' + targetURL: https://exampleupdated.com/login.html + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + BrowserPluginSwa3FieldPutResponseEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: 
http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa3field + label: Sample Plugin App updated + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + userNameSelector: '#txtbox-username' + passwordSelector: '#txtbox-password' + buttonSelector: '#btn-login' + targetURL: https://exampleupdated.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BrowserPluginSwa3FieldResponseEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: 
http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa3field + label: Sample Plugin App + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + userNameSelector: '#txtbox-username' + passwordSelector: '#txtbox-password' + buttonSelector: '#btn-login' + targetURL: https://example.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + BundleEntitlementsResponse: + summary: List of governance bundle entitlements + value: + entitlements: + - id: espfxqCAJWWGELFTYASJ + role: GROUP_MEMBERSHIP_ADMIN + name: Group Membership Admin + description: Perform all admin activities for groups in the org + _links: + values: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements/espfxqCAJWWGELFTYASJ/values + _links: + self: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + next: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12 + bundle: + href: 
http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + CAPTCHAInstanceRequestHCaptcha: + value: + name: myHCaptcha + secretKey: xxxxxxxxxxx + siteKey: xxxxxxxxxxx + type: HCAPTCHA + CAPTCHAInstanceRequestReCaptcha: + value: + name: myReCaptcha + secretKey: xxxxxxxxxxx + siteKey: yyyyyyyyyyyyyyy + type: RECAPTCHA_V2 + CAPTCHAInstanceResponseHCaptcha: + value: + id: abcd1234 + name: myHCaptcha + siteKey: xxxxxxxxxxx + type: HCAPTCHA + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234 + hints: + allow: + - GET + - POST + - PUT + - DELETE + CAPTCHAInstanceResponseReCaptcha: + value: + id: abcd4567 + name: myReCaptcha + siteKey: yyyyyyyyyyyyyyy + type: RECAPTCHA_V2 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + ChangePwdRequest: + value: + oldPassword: + value: tlpWENT2m + newPassword: + value: uTVM,TPw55 + revokeSessions: true + ChangePwdResponse: + value: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA + CreateAnEventHook: + summary: Create an event hook + value: + name: Event Hook Test + events: + type: EVENT_TYPE + items: + - group.user_membership.add + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + CreateAnEventHookWithFilter: + summary: Create an event hook with a filter + value: + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + CreateAppleIdPRequest: + summary: Create Apple Identity Provider + value: + type: APPLE + name: Apple Identity Provider + protocol: + type: OIDC + scopes: + - openid + - email + - name + credentials: + client: + client_id: your-client-id + signing: + privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + kid: test key ID + teamId: test team ID + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + matchType: USERNAME + CreateAssocAuthServerBody: + summary: Create a trusted relationship between authorization servers + value: + - trusted: '{authorizationServerId}' + CreateAssocAuthServerResponse: + summary: Create a trusted relationship between authorization servers + value: + - id: '{authorizationServerId}' + 
name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + CreateAuthServerBody: + summary: Create a custom authorization server + value: + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - api://default + CreateAuthServerResponse: + summary: Create a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - 
PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + CreateAuthorizationServerPolicyRequest: + summary: Create Authorization Server Policy + value: + type: OAUTH_AUTHORIZATION_POLICY + status: ACTIVE + name: Default Policy + description: Default policy description + priority: 1 + system: false + conditions: + clients": + include": + - ALL_CLIENTS + CreateAuthorizationServerPolicyRuleRequest: + summary: Create Authorization Server Policy Rule + value: + type: RESOURCE_ACCESS + name: Default Policy Rule + priority: 1 + conditions: + people: + groups: + include: + - EVERYONE + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + CreateBrandRequest: + value: + name: My Awesome Brand + CreateBrandResponse: + value: + id: bnd114iNkrcN6aR680g5 + removePoweredByOkta: false + customPrivacyPolicyUrl: null, + agreeToCustomPrivacyPolicy: false, + name: My Awesome Brand + locale: en + defaultApp: + appInstanceId: null + appLinkName: null + classicApplicationUri: null + isDefault: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: 
https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes + hints: + allow: + - GET + CreateChildOrgRequestEx: + summary: Create org request + value: + subdomain: my-child-org-1 + name: My Child Org 1 + website: http://www.examplecorp.com + edition: SKU + admin: + profile: + firstName: First + lastName: Last + email: FirstLast@example.com + login: FirstLast@example.com + mobilePhone: null + credentials: + password: + value: XXXX + CreateChildOrgResponseEx: + summary: Create org response + value: + id: 00o1n8sbwArJ7OQRw406 + subdomain: my-child-org-1 + name: My Child Org 1 + website: http://www.examplecorp.com + status: ACTIVE + edition: SKU + expiresAt: null + created: '2024-08-27T15:42:52.000Z' + lastUpdated: '2024-08-27T15:42:56.000Z' + licensing: + apps: [] + settings: + app: + errorRedirectUrl: null + interstitialUrl: null + interstitialMinWaitTime: 1200 + userAccount: + attributes: + secondaryEmail: true + secondaryImage: true + portal: + errorRedirectUrl: null + signOutUrl: null + logs: + level: INFO + token: XXXXXXXXXXXXX + tokenType: SSWS + _links: + administrator: + href: https://my-child-org-1.oktapreview.com/api/v1/users/00u1n8sheI1WBQlDV406 + uploadLogo: + href: https://my-child-org-1.oktapreview.com/api/v1/org/logo + organization: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1 + contacts: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/contacts + policy: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/policy + CreateCustomRoleResponseGroup: + value: + id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + resource-set: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + CreateCustomTokenClaimBody: + summary: Create a custom token Claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Support + status: ACTIVE + system: false + value: Support + valueType: GROUPS + CreateCustomTokenClaimResponse: + summary: Create a custom token Claim response + value: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + CreateEDNZRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Create an Enhanced Dynamic Network Zone + value: + type: DYNAMIC_V2 + name: testZone106 + status: ACTIVE + usage: BLOCKLIST + locations: + include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + CreateEDNZResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Enhanced Dynamic Network Zone + value: + type: DYNAMIC_V2 + id: nzok0oz2xYHOZtIch0g4 + name: testZone106 + status: ACTIVE + usage: BLOCKLIST + create: '2024-05-13T16:33:44.000Z' + lastUpdated: '2024-05-13T16:33:44.000Z' + system: false + locations: + include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + _links: + self: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4 + hints: + 
allow: + - GET + - PUT + - DELETE + deactivate: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate + hints: + allow: + - POST + CreateEmailDomainRequest: + value: + displayName: Admin + userName: admin + domain: example.com + brandId: bnd100iSrkcN6aR680g1 + validationSubdomain: mail + CreateFacebookIdPRequest: + summary: Create Facebook Identity Provider + value: + type: FACEBOOK + name: Facebook + protocol: + type: OAUTH2 + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateGenericOidcIdPRequest: + summary: Create Generic OpenID Connect Identity Provider + value: + type: OIDC + name: Example OpenID Connect IdP + protocol: + algorithms: + request: + signature: + algorithm: HS256 + scope: REQUEST + endpoints: + acs: + binding: HTTP-POST + type: INSTANCE + authorization: + binding: HTTP-REDIRECT + url: https://idp.example.com/authorize + token: + binding: HTTP-POST + url: https://idp.example.com/token + userInfo: + binding: HTTP-REDIRECT + url: https://idp.example.com/userinfo + jwks: + binding: HTTP-REDIRECT + url: https://idp.example.com/keys + scopes: + - openid + - profile + - email + type: OIDC + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + pkce_required: 'true' + issuer: + url: https://idp.example.com + policy: + accountLink: + action: AUTO + filter: null + provisioning: + action: AUTO + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + groups: + action: NONE + mapAMRClaims: false + maxClockSkew: 120000 + subject: + 
userNameTemplate: + template: idpuser.email + matchType: USERNAME + CreateGoogleIdPRequest: + summary: Create Google Identity Provider + value: + type: GOOGLE + name: Google + protocol: + type: OAUTH2 + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateHookKeyResponse: + summary: Create a key response example + value: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + _embedded: + kty: RSA + alg: RSA + kid: 7fbc27fd-e3df-4522-86bf-1930110256ad + use: 'null' + e: AQAB + 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + CreateIAMStandardRoleResponseGroup: + value: + id: irb1q92TFAHzySt3x0g4 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: 
https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 + CreateIPPolicyBlockListNetworkZone: + summary: Create an IP Blocklist Network Zone + value: + type: IP + name: newBlockListNetworkZone + status: ACTIVE + usage: BLOCKLIST + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: null + CreateIPPolicyBlockListNetworkZoneResponse: + summary: IP Blocklist Network Zone + value: + type: IP + id: nzo1qasnPb1kqEq0e0g4 + name: newBlockListNetworkzone + status: ACTIVE + usage: BLOCKLIST + created: '2021-08-09T20:22:09.000Z' + lastUpdated: '2021-08-09T20:22:09.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate + hints: + allow: + - POST + CreateIPPolicyNetworkZone: + summary: Create an IP Policy Network Zone + value: + type: IP + name: newNetworkZone + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: + - type: CIDR + value: 2.2.3.4/24 + - type: CIDR + value: 3.3.4.5/24 + CreateIPPolicyNetworkZoneResponse: + summary: IP Policy Network Zone + value: + type: IP + id: nzowb8T5Jh5xuAJ0o0g7 + name: newNetworkZone + status: ACTIVE + usage: POLICY + created: '2021-08-09T21:32:01.000Z' + lastUpdated: '2021-08-09T21:32:01.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24' + - type: CIDR + value: 2.3.4.5/24 + proxies: + - type: CIDR + value: 2.2.3.4/24 + - type: CIDR + value: 3.3.4.5/24 + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7/lifecycle/deactivate + hints: + allow: + - POST + CreateLinkedObjectRequest: + summary: Create manager-subordinate link request + value: + primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + CreateLinkedObjectResponse: + summary: Create manager-subordinate link property response + value: + primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + _links: + self: + href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager + CreateMicrosoftIdPRequest: + summary: Create Microsoft Identity Provider + value: + type: MICROSOFT + name: Microsoft + protocol: + type: OIDC + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateOAuth2ScopeRequest: + summary: Example scope + value: + name: car:drive + description: Drive car + consent: REQUIRED + displayName: Saml Jackson + CreateOrReplaceSMSTemplateRequest: + value: + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: 
votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + CreateOrReplaceSMSTemplateResponse: + value: + id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + CreateSamlIdPRequest: + summary: Create SAML 2.0 Identity Provider + value: + type: SAML2 + name: Example SAML IdP + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + format: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + filter: (\S+@example\.com) + matchType: USERNAME + CreateSessionBody: + summary: Create a new Session with a valid session token + value: + sessionToken: 00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow + CreateSessionResponse: + summary: Create a new Session with a valid session token + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: 
user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + CreateSmartCardIdPRequest: + summary: Create SmartCard Identity Provider + value: + type: X509 + status: ACTIVE + name: Smart Card IDP Name + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + credentials: + trust: + revocation: CRL + revocationCacheLifetime: 2880 + issuer: your-issuer + kid: your-kid + policy: + provisioning: + action: DISABLED + mapAMRClaims: false + maxClockSkew: 120000 + subject: + matchType: EMAIL + matchAttribute: '' + userNameTemplate: + template: idpuser.subjectAltNameEmail + CreateStandardRoleAssignmentResponseGroup: + value: + id: grasraHPx7i79ajaJ0g3 + label: Organization Administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-27T14:56:55.000Z' + lastUpdated: '2019-02-27T14:56:55.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + CreateUISchemaBody: + summary: UI Schema body request + value: + uiSchema: + type: Group + elements: + - type: Control + scope: '#/properties/firstName' + label: First Name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last Name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Primary email + options: + format: text + buttonLabel: Submit + label: Sign in + CreateUISchemaResponse: + summary: Returns full UI Schema body + value: + id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Primary email + options: + format: text + created: 
'2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + CreateUpdateEmailCustomizationRequest: + value: + language: fr + subject: Bienvenue dans ${org.name}! + body: <!DOCTYPE html><html><body><p>Bonjour ${user.profile.firstName}. <a href="${activationLink}">Activer le compte</a></p></body></html> + isDefault: false + CreateUpdateEmailCustomizationResponse: + value: + language: fr + subject: Bienvenue dans ${org.name}! + body: <!DOCTYPE html><html><body><p>Bonjour ${user.profile.firstName}. <a href="${activationLink}">Activer le compte</a></p></body></html> + isDefault: false + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + CreateUpdateIamRolePermissionRequestExampleWithExclude: + value: + conditions: + exclude: + okta:ResourceAttribute/User/Profile: + - zipCode + CreateUpdateIamRolePermissionRequestExampleWithInclude: + value: + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + CreateUserRequest: + summary: Create a user type request + value: + description: A new custom user type + displayName: New User Type + name: newUserType + CreateUserResponse: + summary: Create a user type response + value: + id: otyfnly5cQjJT9PnR0g4 + 
displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + CsrJsonResponse: + summary: CSR object in JSON format + value: + id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: 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 + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + CsrPkcs10Response: + summary: CSR in DER format + value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 + CustomRoleAssignmentRequest: + value: + type: CUSTOM + role: cr04cxy6yzSCtNciD0g7 + resource-set: iam4cxy6z7hhaZCSk0g7 + CustomRoleResponseClient: + value: + id: irb4ey26fpFI3vQ8y0g7 + label: view_minimal + type: CUSTOM + status: ACTIVE + created: '2023-05-01T15:16:47.000Z' + lastUpdated: '2023-05-01T15:16:47.000Z' + assignmentType: CLIENT + resource-set: iam4cxy6z7hhaZCSk0g7 + role: cr04cxy6yzSCtNciD0g7 + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 + permissions: + href: 
https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 + CustomRoleResponseUser: + value: + id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + CustomRolesListResponseClient: + value: + - id: irb4ey26fpFI3vQ8y0g7 + label: view_minimal + type: CUSTOM + status: ACTIVE + created: '2023-05-01T15:16:47.000Z' + lastUpdated: '2023-05-01T15:16:47.000Z' + assignmentType: CLIENT + resource-set: iam4cxy6z7hhaZCSk0g7 + role: cr04cxy6yzSCtNciD0g7 + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 + CustomRolesListResponseGroup: + value: + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: 
'2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + DeactivateIdPResponse: + summary: Deactivate an Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: INACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-25T19:16:53.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + DeactivateNetworkZone: + summary: Deactivated Network 
Zone + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: INACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + activate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/activate + hints: + allow: + - POST + DeactivatedSecurityEventsProviderResponse: + summary: Inactive Security Events Provider + value: + id: sse1qg25RpusjUP6m0g5 + name: Security Events Provider with well-known URL + type: okta + status: INACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 + hints: + allow: + - GET + - PUT + - DELETE + activate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/activate + hints: + allow: + - POST + DefaultEnhancedDynamicNetworkZone: + summary: Default Enhanced Dynamic Network Zone + value: + type: DYNAMIC_V2 + id: nzohcnxFrSgsiwyHp0g4 + name: DefaultEnhancedDynamicZone + status: ACTIVE + usage: BLOCKLIST + created: '2024-05-06T19:12:29.000Z' + lastUpdated: '2024-05-09T21:02:31.000Z' + system: true + locations: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclue: [] + asns: + include: [] + exclude: [] + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + DefaultIpBlocklistNetworkZone: + summary: Default IP Blocklist Network Zone + 
value: + type: IP + id: nzou3u0stMCmgOzXK1d6 + name: BlockedIpZone + status: ACTIVE + usage: BLOCKLIST + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + DefaultIpNetworkZone: + summary: Default IP Network Zone + value: + type: IP + id: nzou3u0ssJfZjYsWL1d6 + name: LegacyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate + hints: + allow: + - POST + DefaultRealmAssignment: + value: + id: rul2jy7jLUlnO5ng00g4 + status: ACTIVE + name: Catch-all + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + conditions: + profileSourceId: 0oa4enoRyjwSCy6hx0g4, + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf2g5 + priority: 499 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4 + method: GET + DefaultRealmResponse: + value: + id: guox9jQ16k9V8IQWL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + profile: + name: Default Realm + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3 + method: GET + DeviceAssuranceAndroidRequest: + summary: Android request + value: + name: Device assurance Android + osVersion: + minimum: 12 + diskEncryptionType: + include: + 
- USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceAndroidResponse: + summary: Android response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceAndroidWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement request + value: + name: Device assurance Android + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceAndroidWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: 
https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with third-party signal providers request + value: + name: Device assurance ChromeOS + platform: CHROMEOS + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance ChromeOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + platform: CHROMEOS + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + 
hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceIosRequest: + summary: iOS request + value: + name: Device assurance iOS + osVersion: + minimum: 12.4.5 + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceIosResponse: + summary: iOS response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceIosWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement request + value: + name: Device assurance iOS + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceIosWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSRequest: + summary: macOS request + value: + name: 
Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceMacOSResponse: + summary: macOS response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement request + value: + name: Device assurance macOS + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceMacOSWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - 
PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with third-party signal providers request + value: + name: Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain": testDomain + builtInDnsClientEnabled": true + chromeRemoteDesktopAppBlocked": true + safeBrowsingProtectionLevel": true + siteIsolationEnabled": true + passwordProtectionWarningTrigger": PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode": true + DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + 
safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_BROWSER_HW_KEY + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsRequest: + summary: Windows request + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsResponse: + summary: Windows response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 and Windows 10 dynamic version requirements request + value: + name: Device assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + 
DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 and Windows 10 dynamic version requirements response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with third-party signal providers request + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + secureBootEnabled: true + windowsMachineDomain: testMachineDomain + 
windowsUserDomain: testUserDomain + thirdPartyBlockingEnabled: true + crowdStrikeCustomerId: testCustomerId + crowdStrikeAgentId": testAgentId + keyTrustLevel: CHROME_BROWSER_HW_KEY + DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + secureBootEnabled: true + windowsMachineDomain: testMachineDomain + windowsUserDomain: testUserDomain + thirdPartyBlockingEnabled: true + crowdStrikeCustomerId: testCustomerId + crowdStrikeAgentId": testAgentId + keyTrustLevel: CHROME_BROWSER_HW_KEY + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version request + value: + name: Device assurance Windows + 
osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 minimum version and a Windows 10 dynamic version requirement request + value: + name: Device assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC 
+ secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 minimum version and Windows 10 dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceChecksMacOSRequest: + summary: macOS request + value: + name: Device Check macOS + description: Query macOS devices to check if firewall is enabled + variableName: macOSFirewall + platform: MACOS + query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + DeviceChecksMacOSResponse: + summary: macOS response + value: + id: dch3m8o4rWhwReDeM1c5 + name: Device Check macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + description: Query macOS devices to check if firewall is enabled + variableName: macOSFirewall + query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + platform: MACOS + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceChecksWindowsRequest: + summary: Windows request + 
value: + name: Device Check Windows + description: Query Windows devices to check if firewall is enabled + variableName: windowsFirewall + platform: WINDOWS + query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles; + DeviceChecksWindowsResponse: + summary: Windows response + value: + id: dch3m8o4rWhwReDeM1c5 + name: Device Check Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + description: Query Windows devices to check if firewall is enabled + variableName: windowsFirewall + query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles; + platform: WINDOWS + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceResponse: + value: + id: guo8jx5vVoxfvJeLb0w4 + status: ACTIVE + created: '2020-11-03T21:47:01.000Z' + lastUpdated: '2020-11-03T23:46:27.000Z' + profile: + displayName: DESKTOP-EHAD3IE + platform: WINDOWS + manufacturer: International Corp + model: VMware7,1 + osVersion: 10.0.18362 + serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce + udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE + sid: S-1-5-21-3992267483-1860856704-2413701314-500 + registered: true + secureHardwarePresent: false + diskEncryptionType: NONE + resourceId: guo8jx5vVoxfvJeLb0w4 + resourceDisplayName: + value: DESKTOP-EHAD3IE + sensitive: false + resourceType: UDDevice + resourceAlternateId: null + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users + hints: + allow: + - GET + deactivate: + href: 
https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate + hints: + allow: + - POST + EmailCustomizationResponse: + value: + language: en + isDefault: true + subject: Welcome to ${org.name}! + body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. Click <a href="${activationLink}">here</a> to activate your account.</body></html> + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + EmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: NOT_STARTED + displayName: Admin + userName: admin + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + EmailSettingsRequest: + value: + recipients: ALL_USERS + EmailSettingsResponse: + value: + recipients: ALL_USERS + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET 
+ - PUT + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + EmailTemplateDefaultContentResponse: + value: + subject: Welcome to ${org.name}! + body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. Click <a href="${activationLink}">here</a> to activate your account.</body></html> + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + hints: + allow: + - GET + EmbeddedGroupAssignmentSampleResponse: + summary: Application Group with an embedded Group + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + _embedded: + group: + id: 00g15acRUy0SYb9GT0g4 + created: '2024-06-02T13:02:12.000Z' + lastUpdated: '2024-06-02T13:02:12.000Z' + lastMembershipUpdated: '2024-06-02T13:03:13.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: Football Group + description: Group with professional footballers + _links: + logo: + - name: medium + href: 
http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-medium.30ce6d4085dff29412984e4c191bc874.png + type: image/png + - name: large + href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-large.c3cb8cda8ae0add1b4fe928f5844dbe3.png + type: image/png + users: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/users + apps: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/apps + EmbeddedMetadataGroupAssignmentSampleResponse: + summary: Application Group with embedded metadata + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + _embedded: + metadata: + credentials: {} + profile: + division: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + preferredLanguage: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + manager: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + securityQuestion: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + securityAnswer: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: 
http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + timezone: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + organization: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + initialStatus: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + managerId: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + userType: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + locale: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + department: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + EnrollFactorCallRequest: + summary: call + value: + factorType: call + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + honeExtension: '1234' + EnrollFactorCallResponse: + summary: call + value: + id: clf1nz9JHJGHWRKMTLHP + factorType: call + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-08-05T20:59:49.000Z' + lastUpdated: '2014-08-06T03:59:49.000Z' + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/lifecycle/activate + hints: + allow: + - POST + resend: + - name: call + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/resend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + 
allow: + - GET + EnrollFactorCustomTotpRequest: + summary: custom totp + value: + factorType: token:hotp + provider: CUSTOM + factorProfileId: fpr20l2mDyaUGWGCa0g4 + profile: + sharedSecret: 484f97be3213b117e3a20438e291540a + EnrollFactorCustomTotpResponse: + summary: custom totp + value: + id: chf20l33Ks8U2Zjba0g4 + factorType: token:hotp + provider: CUSTOM + vendorName: Entrust Datacard + status: ACTIVE + created: '2019-07-22T23:22:36.000Z' + lastUpdated: '2019-07-22T23:22:36.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4 + hints: + allow: + - GET + - DELETE + verify: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3 + hints: + allow: + - GET + EnrollFactorEmailRequest: + summary: email + value: + factorType: email + provider: OKTA + profile: + email: test@gmail.com + EnrollFactorEmailResponse: + summary: email + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/lifecycle/activate + hints: + allow: + - POST + resend: + - name: email + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/resend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + EnrollFactorGoogleRequest: + summary: google token:software:totp + value: + factorType: token:software:totp + provider: GOOGLE + EnrollFactorGoogleResponse: + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: GOOGLE + vendorName: GOOGLE + 
status: PENDING_ACTIVATION + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-07-16T16:13:56.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: JBTWGV22G4ZGKV3N + encoding: base32 + keyLength: 16 + _links: + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 + type: image/png + EnrollFactorOVPushRequest: + summary: token:software:totp push + value: + factorType: push + provider: OKTA + EnrollFactorOVPushResponse: + summary: token:software:totp + value: + id: opfbtzzrjgwauUsxO0g4 + factorType: push + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2015-11-13T07:34:22.000Z' + lastUpdated: '2015-11-13T07:34:22.000Z' + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/poll + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + expiresAt: '2015-11-13T07:44:22.000Z' + factorResult: WAITING + _links: + send: + - name: email + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/email + hints: + allow: + - POST + - name: sms + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/sms + hints: + allow: + - POST + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/qr/00Ji8qVBNJD4LmjYy1WZO2VbNqvvPdaCVua-1qjypa + type: image/png + EnrollFactorOVTotpRequest: + summary: token:software:totp + value: + factorType: token:software:totp + provider: OKTA + EnrollFactorOVTotpResponse: + summary: token:software:totp + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-07-16T16:13:56.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: JBTWGV22G4ZGKV3N + encoding: base32 + keyLength: 6 + _links: + qrcode: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 + type: image/png + EnrollFactorQuestionRequest: + summary: question + value: + question: + summary: question factor + value: + factorType: question + provider: OKTA + profile: + question: disliked_food + answer: mayonnaise + EnrollFactorQuestionResponse: + summary: question + value: + id: ufs1o01OTMGHLAJPVHDZ + factorType: question + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-05T22:58:49.000Z' + lastUpdated: '2014-08-05T22:58:49.000Z' + profile: + question: disliked_food + questionText: What is the food you least liked as a child? 
+ _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs1o01OTMGHLAJPVHDZ + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorRsaSecurIdRequest: + summary: RSA SecurID + value: + factorType: token + provider: RSA + profile: + credentialId: dade.murphy@example.com + verify: + passCode: '5275875498' + EnrollFactorRsaSecurIdResponse: + summary: RSA SecurID + value: + id: rsabtznMn6cp94ez20g4 + factorType: token + provider: RSA + vendorName: RSA + status: ACTIVE + created: '2015-11-13T07:05:53.000Z' + lastUpdated: '2015-11-13T07:05:53.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorSmsRequest: + summary: sms + value: + factorType: sms + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + EnrollFactorSmsResponse: + summary: sms + value: + id: mbl1nz9JHJGHWRKMTLHP + factorType: sms + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-08-05T20:59:49.000Z' + lastUpdated: '2014-08-06T03:59:49.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/lifecycle/activate + hints: + allow: + - POST + resend: + - name: sms + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/resend + hints: + allow: + - POST + self: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorSymantecVipRequest: + summary: Symantec VIP + value: + factorType: token + provider: SYMANTEC + profile: + credentialId: VSMT14393584 + verify: + passCode: '875498' + nextPassCode: '678195' + EnrollFactorSymantecVipResponse: + summary: Symantec VIP + value: + id: ufvbtzgkYaA7zTKdQ0g4 + factorType: token + provider: SYMANTEC + vendorName: SYMANTEC + status: ACTIVE + created: '2015-11-13T06:52:08.000Z' + lastUpdated: '2015-11-13T06:52:08.000Z' + profile: + credentialId: VSMT14393584 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorU2fRequest: + summary: u2f + value: + factorType: u2f + provider: FIDO + EnrollFactorU2fResponse: + summary: u2f + value: + id: fuf2rovRxogXJ0nDy0g4 + factorType: u2f + provider: FIDO + vendorName: FIDO + status: PENDING_ACTIVATION + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T20:43:19.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + version: U2F_V2 + nonce: 9DmGJDLvaU6KWxJbfrZ0 + timeoutSeconds: 20 + EnrollFactorWebauthnRequest: + summary: webAuthn + value: + factorType: 
webauthn + provider: FIDO + EnrollFactorWebauthnResponse: + summary: webAuthn + value: + id: fwf2rovRxogXJ0nDy0g4 + factorType: webauthn + provider: FIDO + vendorName: FIDO + status: PENDING_ACTIVATION + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T20:43:19.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + attestation: direct + authenticatorSelection: + userVerification: preferred + requireResidentKey: false + challenge: cdsZ1V10E0BGE4GcG3IK + excludeCredentials: [] + pubKeyCredParams: + - type: public-key + alg: -7 + - type: public-key + alg: -257 + rp: + name: Rain-Cloud59 + user: + displayName: First Last + name: first.last@gmail.com + id: 00u15s1KDETTQMQYABRL + EnrollFactorYubikeyRequest: + summary: yubikey + value: + factorType: token:hardware + provider: YUBICO + verify: + passCode: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji + EnrollFactorYubikeyResponse: + value: + id: ykfbty3BJeBgUi3750g4 + factorType: token:hardware + provider: YUBICO + vendorName: YUBICO + status: ACTIVE + created: '2015-11-13T05:27:49.000Z' + lastUpdated: '2015-11-13T05:27:49.000Z' + profile: + credentialId: '000004102994' + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4/verify + hints: + allow: + - POST + self: + href: hhttps://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EntitlementValuesResponse: + summary: List of bundle entitlement values + value: + 
entitlementValues: + - id: entfxqCAJWWGELFTYAAA + value: orn:okta:00o5rb5mt2H3d1TJd0h7:groups:00guaxWZ0AOa5NFAj0g3 + name: Restricted users group + _links: + group: http://your-subdomain.okta.com/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + _links: + self: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + bundle: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + entitlements: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorAgentTimeOut: + value: + errorCode: E0000237 + errorSummary: Timed out waiting for agent. + errorLink: E0000237 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAppFeatureAPIValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: feature' + errorLink: E0000001 + errorId: oaeZLxeiHUUQomPkM8xOqvu1A + errorCauses: + - errorSummary: Provisioning is not enabled for the app instance. + ErrorAppUserForbiddenAction: + summary: Forbidden action + description: If the `PUSH_NEW_USERS` or `PUSH_PROFILE_UPDATES` feature is enabled and the request specifies a value for a profile-mapped (Universal Directory) attribute that doesn't match the mapped value, then a 403 error is returned. + value: + errorCode: E0000075 + errorSummary: Cannot modify the firstName attribute because it has a field mapping and profile push is enabled. 
+ errorLink: E0000075 + errorId: sampleWXiR_K-WwaTKhlgBQ + errorCauses: [] + ErrorAppUserUpdateBadRequest: + summary: Bad request + description: If you attempt to assign a username or password to an app with an incompatible authentication scheme, then a 400 error is returned. + value: + errorCode: E0000041 + errorSummary: Credentials should not be set on this resource based on the scheme. + errorLink: E0000041 + errorId: oaeUM77NBynQQu4C_qT5ngjGQ + errorCauses: + errorSummary: User level credentials should not be provided for this scheme. + ErrorCAPTCHALimitOfOne: + value: + errorCode: E0000165 + errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org. + errorLink: E0000165 + errorId: oaejrB1fWL1S7mc-2KcG-SOtw + errorCauses: [] + ErrorCAPTCHAOrgWideSetting: + value: + errorCode: E0000149 + errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed. + errorLink: E0000149 + errorId: samplezsusshPdiTWiITwqBt8 + errorCauses: [] + ErrorCAPTCHAOrgWideSettingNull: + summary: captchaId is null, but enabledPages is defined + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: captchaId' + errorLink: E0000001 + errorId: oae-hk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: 'captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.' + ErrorClientJsonWebKeyDuplicateKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: All keys in the 'jwks' must have a unique `kid`. 
+ ErrorClientJsonWebKeyKidLengthTooShort: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: RSA key length in the 'jwks' is less than '2,048' bits for the given key. + ErrorClientJsonWebKeyNonUniqueKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Each key should have a unique kid when adding multiple keys. Use the Apps API to update the JWKS to add a kid for the existing key, or delete the existing key and re-add the key with a kid using the JWKS APIs. + ErrorClientJsonWebKeyTooManyKids: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't create a new key. You have reached the maximum number of keys allowed (50). To add another key, you must first delete an existing one. + ErrorClientSecretNonAscii: + summary: Client secret allows only ASCII error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''''client_secret'''' must only contain printable ASCII: [x20-x7E]+' + ErrorClientSecretTooLong: + summary: Client secret too long error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' can''t be more than ''100'' characters long.' 
+ ErrorClientSecretTooShort: + summary: Client secret too short error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' must be at least ''14'' characters long.' + ErrorClientSecretTooShortWithClientSecretJWT: + summary: Client secret is too short for JWT error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: 'client_secret: ''client_secret'' must be at least ''32'' characters long when ''token_endpoint_auth_method'' is ''client_secret_jwt''.' + ErrorClientSecretWithPrivateKeyJWT: + summary: Client secret can't be used for private key JWT error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: '''client_secret'' can''t be used when ''token_endpoint_auth_method'' is ''private_key_jwt''.' + ErrorCreateBrandExists: + value: + errorCode: E0000202 + errorSummary: Brand name already exists. + errorLink: E0000202 + errorId: oaeKABuesTdRvCXeCTpSpXAcQ + errorCauses: [] + ErrorCreateUserWithExpiredPasswordWithNullPassword: + value: + errorCode: E0000124 + errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified. + errorLink: E0000124 + errorId: oaeXxuZgXBySvqi1FvtkwoYCA + errorCauses: + - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified. + ErrorCreateUserWithExpiredPasswordWithoutActivation: + value: + errorCode: E0000125 + errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true. 
+ errorLink: E0000125 + errorId: oaeDd77L9R-TJaD7j_rXsQ31w + errorCauses: + - errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true. + ErrorCreateUserWithTooManyManyGroupsResponse: + value: + errorCode: E0000093 + errorSummary: Target count limit exceeded + errorLink: E0000093 + errorId: oaePVSLIYnIQsC0B-ptBIllVA + errorCauses: + - errorSummary: The number of group targets is too large + ErrorDeactivateTheOnlyClientSecret: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't deactivate the only active client secret. + ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Can't deactivate the only active JSON Web Key when the value for `token_endpoint_auth_method` is `private_key_jwt`. + ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The `jwks` must contain at least one key with an algorithm matching the `request_object_signature_algorithm`. + ErrorDeleteActiveJsonWebKey: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't delete an active JSON Web key. Deactivate the key before deleting it. + ErrorDeleteActiveSecret: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't delete an active client secret. 
Deactivate the secret before deleting it. + ErrorDeleteBrandAssociatedWithDomain: + value: + errorCode: E0000201 + errorSummary: A brand associated with a domain cannot be deleted + errorLink: E0000201 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorDeleteDefaultBrand: + value: + errorCode: E0000200 + errorSummary: A default brand cannot be deleted + errorLink: E0000200 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorDeviceAssuranceInUse: + summary: Can't delete device assurance policy in use by authentication policies + value: + errorSummary: Device assurance is in use and cannot be deleted. + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorDeviceCheckInUse: + summary: Can't delete device check in use by device assurance policies + value: + errorSummary: Device check is in use and can't be deleted. + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorEmailCustomizationCannotClearDefault: + value: + errorCode: E0000185 + errorSummary: The isDefault parameter of the default email template customization can't be set to false. + errorLink: E0000185 + errorId: oaejrB1fWL1S7mc-2KcG-SOtw + errorCauses: [] + ErrorEmailCustomizationCannotDeleteDefault: + value: + errorCode: E0000184 + errorSummary: A default email template customization can't be deleted. + errorLink: E0000184 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorEmailCustomizationDefaultAlreadyExists: + value: + errorCode: E0000182 + errorSummary: A default email template customization already exists. + errorLink: E0000182 + errorId: oaeXYwTiMvASsC3O4HCzjFaCA + errorCauses: [] + ErrorEmailCustomizationLanguageAlreadyExists: + value: + errorCode: E0000183 + errorSummary: An email template customization for that language already exists. + errorLink: E0000183 + errorId: oaeUcGELffqRay0u1OPdnPypw + errorCauses: [] + ErrorEmailDomainAlreadyExists: + value: + errorCode: E0000197 + errorSummary: Email domain already exists. 
+ errorLink: E0000197 + errorId: oaeEdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorEmailDomainInUse: + value: + errorCode: E0000216 + errorSummary: Email domain can't be deleted due to mail provider restrictions. + errorLink: E0000216 + errorId: oaeEdRqprFuTyKokyYPbURJkB + errorCauses: [] + ErrorEmailDomainInvalidStatus: + value: + errorCode: E0000217 + errorSummary: Invalid status. Can't validate email domain with current status. + errorLink: E0000217 + errorId: oaeEdRqprFuTyKokyYPbURJkD + errorCauses: [] + ErrorEmailDomainNotVerified: + value: + errorCode: E0000218 + errorSummary: Email domain couldn't be verified by mail provider. + errorLink: E0000218 + errorId: oaeEdRqprFuTyKokyYPbURJkC + errorCauses: [] + ErrorInternalServer: + summary: Internal Server Error + value: + errorCode: E0000009 + errorSummary: Internal Server Error + errorLink: E0000000 + errorId: sampleAlJ82XS2SDB_vaNIWgcA + errorCauses: [] + ErrorInvalidEmailTemplateRecipients: + value: + errorCode: E0000189 + errorSummary: This template does not support the recipients value. + errorLink: E0000189 + errorId: oae8L1-UkcNTeGi5xVQ28_lww + errorCauses: [] + ErrorInvalidLinkedObjectDef: + summary: Invalid linked objection definition + value: + errorCode: E0000127 + errorSummary: Invalid linked objection definition. Linked object identifier is already in use. + errorLink: E0000127 + errorId: oaeh5FICFF2RnqakoNofPadhw + errorCauses: + - errorSummary: Linked object identifier for primary is already in use. + reason: UNIQUE_CONSTRAINT + locationType: body + domain: linkedObjects + - errorSummary: Linked object identifier for associated is already in use. 
+ reason: UNIQUE_CONSTRAINT + locationType: body + domain: linkedObjects + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorKeyCredentialCloneDuplicateKey: + summary: Duplicate key credential error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: cloneKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Key already exists in the list of key credentials for the target app. + ErrorKeyCredentialInvalidValidity: + summary: Key credential invalid year error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: generateKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Validity years out of range. It should be 2 - 10 years. + ErrorMaxNumberOfSecrets: + summary: Maximum client secrets reached error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You've reached the maximum number of client secrets per client. + ErrorMissingRequiredParameter: + summary: Missing Required Parameter + value: + errorCode: E0000028 + errorSummary: The request is missing a required parameter. + errorLink: E0000028 + errorId: sampleiCF-l7mr9XqM1NQ + errorCauses: [] + ErrorNoConnectedAgents: + value: + errorCode: E0000236 + errorSummary: There are no connected agents. 
+ errorLink: E0000236 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorPinOrCredRequestsGenerationFailure: + summary: PIN or Cred Requests Generation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinRequest|credRequests' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: There was a problem generating the pinRequest|credRequests. + ErrorPinOrCredResponsesProcessingFailure: + summary: PIN or Cred Response Processing Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinResponse|credResponses' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8B + errorCauses: + errorSummary: There was a problem generating the pinResponse|credResponses. + ErrorPublishCSRCertDoesNotMatchCSR: + summary: Mismatch certificate and CSR error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: certificate' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The certificate doesn't match the CSR. + ErrorPublishCSRCertValidityLessThan90Days: + summary: Certificate valid for 90 days error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: certificate' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The certificate must be valid for more than 90 days. + ErrorPushProviderUsedByCustomAppAuthenticator: + value: + errorCode: E0000187 + errorSummary: Cannot delete push provider because it is being used by a custom app authenticator. + errorLink: E0000187 + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ExampleOAuth2Scope: + summary: Example scope + value: + id: scp5yu8kLOnDzo7lh0g4 + name: car:drive + description: Drive car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: NO_CLIENTS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + ExampleOAuth2Scopes: + summary: All scopes + value: + - id: scp5yu8kLOnDzo7lh0g4 + name: car:drive + description: Drive car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: NO_CLIENTS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + ExpirePwdResponse: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: PASSWORD_EXPIRED + created: '2013-06-24T16:39:18.000Z' + activated: '2013-06-24T16:39:19.000Z' + statusChanged: '2013-06-24T16:39:19.000Z' + lastLogin: '2013-06-24T17:39:19.000Z' + lastUpdated: '2013-06-27T16:35:28.000Z' + passwordChanged: '2013-06-24T16:39:19.000Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA + _links: + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_password + resetFactors: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_factors + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/expire_password + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/forgot_password + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_recovery_question + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/deactivate + changePassword: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_password + ExpirePwdWithTempPwdResponse: + value: + tempPassword: F46gy7X4 + ExpiredAuthorizationServerKey: + summary: Expired Authorization Server Key + value: + status: EXPIRED + alg: RS256 + e: AQAB + 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ + kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + hints: + allow: + - GET + FacebookIdPResponse: + summary: Facebook Identity Provider + value: + id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.facebook.com/dialog/oauth + binding: 
HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + FactorEmail: + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: ACTIVE + profile: + email: changed@clouditude.net + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + FactorPasscodeRequest: + value: + passCode: '123456' + FactorResponseSms: + value: + id: sms2gt8gzgEBPUWBIFHN + factorType: sms + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-06-27T20:27:26.000Z' + lastUpdated: '2014-06-27T20:27:26.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify + hints: + allow: + - POST + 
self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ForgotPwdRecoveryQuestionRequest: + value: + password: + value: uTVM,TPw55 + recovery_question: + answer: Annie Oakley + ForgotPwdRecoveryQuestionResponse: + value: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + ForgotPwdResponse: + value: + resetPasswordUrl: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO + GenericOidcIdpResponse: + summary: Generic OpenID Connect Identity Provider + value: + id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + algorithms: + request: + signature: + algorithm: HS256 + scope: REQUEST + scopes: + - openid + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + pkce_required: 'true' + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: 
https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + GetApplicationsByGroupResponseEx: + summary: Retrieve apps assigned to a group + value: + - id: 0oa7vicdkRNrz59R80w6 + name: workday + label: hrportal2 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:50.000Z' + created: '2021-05-17T23:10:49.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users + deactivate: + href: 
https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate + - id: 0oa7vicvor8YSr9Hc0w6 + name: workday + label: hrportal1 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:22.000Z' + created: '2021-05-17T23:10:22.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate + - id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + 
web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https:/example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + GetApplicationsByKeyResponseEx: + summary: Retrieve apps using a key + value: + - id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: 
RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-03-21T23:31:35.000Z' + lastUpdated: '2014-03-21T23:31:35.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-03-21T23:31:35.000Z' + passwordChanged: null + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD + user: + href: 
https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https://example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-06-10T15:16:01.000Z' + lastUpdated: '2014-06-10T15:17:38.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-06-10T15:16:01.000Z' + passwordChanged: '2014-06-10T15:17:38.000Z' + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + password: {} + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + GetApplicationsByNameResponseEx: + summary: Retrieve apps by name + value: + - id: 0oa7vicdkRNrz59R80w6 + name: workday + label: hrportal2 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:50.000Z' + created: '2021-05-17T23:10:49.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null 
+ visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate + - id: 0oa7vicvor8YSr9Hc0w6 + name: workday + label: hrportal1 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:22.000Z' + created: '2021-05-17T23:10:22.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: 
DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 + type: text/html + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate + GetApplicationsByUserResponseEx: + summary: Retrieve apps assigned to a user + value: + - id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + 
subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-03-21T23:31:35.000Z' + lastUpdated: '2014-03-21T23:31:35.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-03-21T23:31:35.000Z' + passwordChanged: null + syncState: DISABLED + lastSync: null + 
credentials: + userName: user@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https://example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-06-10T15:16:01.000Z' + lastUpdated: '2014-06-10T15:17:38.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-06-10T15:16:01.000Z' + passwordChanged: '2014-06-10T15:17:38.000Z' + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + password: {} + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + user: + href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + GetApplicationsResponseEx: + summary: Retrieve an app + value: + id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + 
lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + inlineHooks: + - id: cal3ughy17pylLxQB357 + _links: + self: + href: https://{yourOktaDomain}/api/v1/inlineHooks/cal3ughy17pylLxQB357 + hints: + allow: + - GET + - PUT + - DELETE + _links: + logo: + - name: medium + href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: 
testorgone_customsaml20app_1_link + href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + GetAssociatedLinkedObjectsResponse: + summary: Retrieve all associated Linked Object values response + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5zex6ztMbOZhF50h7 + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1tsf0nQKavLDUh0g5 + GetBrandResponse: + value: + id: bnd114iNkrcN6aR680g4 + agreeToCustomPrivacyPolicy: false + removePoweredByOkta: false + customPrivacyPolicyUrl: null + name: Okta Default + isDefault: true + locale: en + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + GetEmailTemplateResponse: + value: + name: UserActivation + _embedded: + customizationCount: 0 + settings: + recipients: ALL_USERS + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + 
template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + settings: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + customizations: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + hints: + allow: + - GET + - POST + - DELETE + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + GetPrimaryLinkedObjectResponse: + summary: Retrieve primary Linked Object value response + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + GetRealmAssignmentResponse: + value: + id: rul2jy7jLUlnO3ng00g4 + status: ACTIVE + name: Realm Assignment 1 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + priority: 0 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 + method: GET + GetRoleAssignmentGovernanceGrantResources: + value: + resources: + - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g114290ar1oCC5A0g5 + label: test-group-1 + - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5B0g5 + label: test-group-2 + _links: + next: + href: 
https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources?after=orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5A0g5 + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + GetRoleAssignmentGovernanceGrantResponse: + value: + type: ENTITLEMENT-BUNDLE + grantId: grai2556vZgWesWf10g4 + bundleId: enbhz2pAwtts9UBes0g4 + expirationDate: '2024-12-09 14:17:22.0' + _links: + resources: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4 + GetSessionResponse: + value: + id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' + GetThemeResponse: + value: + id: thdul904tTZ6kWVhP0g3 + logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + GetUseRoleGovernanceResponse: + value: + grants: + - type: CUSTOM + grantId: grai24zWTjnDazeOI0g4 + _links: + resources: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai24zWTjnDazeOI0g4/resources + - type: ENTITLEMENT-BUNDLE + grantId: grai2556vZgWesWf10g4 + bundleId: enbhz2pAwtts9UBes0g4 + expirationDate: 
'2024-12-09 14:17:22.0' + _links: + resources: + href: https://{yourOktaDomain}//api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5" + GetUserLinkedObjectResponse: + summary: Retrieve user linked object value + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + GetUserResponse: + summary: Retrieve a user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + GetYubikeyOptTokenResponse: + summary: Get Yubikey OPT Token response + value: + id: ykkxdtCA1fKVxyu6R0g3 + created: '2020-06-09T23:42:05.000Z' + activated: '2020-06-09T23:47:29.000Z' + lastVerified: '2020-06-09T23:47:29.000Z' + lastUpdated: '2020-06-09T23:47:29.000Z' + status: ACTIVE + profile: + serial: '000009508427' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 + hints: + allow: + - DELETE + GoogleIdPResponse: + summary: Google Identity Provider + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: 
'2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + GovernanceBundle: + summary: Governance Bundle + value: + id: 0bbfxqCAJWWGELFTYAAA + name: Group admin bundle + description: Group bundle for administrative access + status: ACTIVE + orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA + _links: + self: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + GovernanceBundleCreateRequestCustomRole: + summary: Create governance bundle with custom role + value: + name: Custom admin bundle + description: Custom bundle for administrative access + entitlements: + role: cr0WxyzJxGIr0ouum0g4 + resourceSets: + - iamoJDFKaJxGIr0oamd9g + GovernanceBundleCreateRequestScopedStandardRole: + summary: Create governance bundle with scoped standard role + value: + name: 
Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + targets: + - 00guaxWZ0AOa5NFAj0g3 + GovernanceBundleCreateRequestStandardRole: + summary: Create governance bundle with non-scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + GovernanceBundleUpdateRequestCustomRole: + summary: Update governance bundle with custom role + value: + name: Custom admin bundle + description: Custom bundle for administrative access + entitlements: + role: cr0WxyzJxGIr0ouum0g4 + resourceSets: + - iamoJDFKaJxGIr0oamd9g + GovernanceBundleUpdateRequestScopedStandardRole: + summary: Update governance bundle with scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + targets: + - 00guaxWZ0AOa5NFAj0g3 + GovernanceBundleUpdateRequestStandardRole: + summary: Update governance bundle with non-scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + GovernanceBundlesResponse: + summary: List of governance bundles + value: + bundles: + - id: 0bbfxqCAJWWGELFTYAAA + name: Group admin bundle + description: Group bundle for administrative access + status: ACTIVE + orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA + _links: + entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + _links: + self: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + next: + href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12 + GroupAssignmentExListResponse: + summary: Application Groups list with embedded metadata + value: + - id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: 
'2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + _embedded: + metadata: + credentials: {} + profile: + division: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + preferredLanguage: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + manager: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + securityQuestion: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + securityAnswer: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + timezone: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + organization: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + initialStatus: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + managerId: + source: + type: 
MAPPING + value: + - id: null + lastUpdated: null + userType: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + locale: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + department: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + GroupAssignmentExResponse: + summary: Application Group response + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + GroupAssignmentPatchRequestExample: + summary: Update app group request + value: + - op: replace + path: /profile/manager + value: Carlo Ancelotti + GroupAssignmentPatchResponseExample: + summary: Update Application Group response + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-03T13:42:20.000Z' + profile: + preferredLanguage: English + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + manager: Carlo Ancelotti + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: 
http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + GroupAssignmentPutRequestExample: + summary: Assign Application Group request + value: + id: 00g15acRUy0SYb9GT0g4 + profile: + preferredLanguage: English + manager: Arsene Wenger + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + GroupAssignmentPutResponseExample: + summary: Assign Application Group response + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-03T13:52:07.000Z' + profile: + preferredLanguage: English + manager: Arsene Wenger + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + GroupSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + groupContact: + title: Group administrative contact + description: Group administrative contact + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + GroupSchemaResponse: + value: + $schema: http://json-schema.org/draft-04/schema# + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default + method: GET + rel: self + created: '2021-01-30T00:18:24.000Z' + definitions: + 
base: + id: '#base' + properties: {} + required: + - name + type: object + custom: + id: '#custom' + properties: + groupContact: + description: Group administrative contact + master: + type: PROFILE_MASTER + mutability: READ_WRITE + permissions: + - action: READ_WRITE + principal: SELF + scope: NONE + title: Group administrative contact + type: string + required: [] + type: object + description: Okta group profile template + id: https://{yourOktaDomain}/meta/schemas/group/default + lastUpdated: '2021-02-25T23:05:31.000Z' + name: group + properties: + profile: + allOf: + - $ref: '#/definitions/custom' + - $ref: '#/definitions/base' + title: Okta group + type: object + IAMStandardRoleResponseClient: + value: + id: irb4jlodtdN4yJ88b0g7 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2023-07-06T21:52:48.000Z' + lastUpdated: '2023-07-06T21:52:48.000Z' + assignmentType: CLIENT + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/client/0oa5vymVNCe2cPEeZ0g4 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 + IAMStandardRoleResponseUser: + value: + id: irb1q92TFAHzySt3x0g4 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + resource-set: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb1q92TFAHzySt3x0g4 + IAMStandardRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions + IAMStandardRolesListResponseClient: + value: + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: CLIENT + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/clients/0oa4ee9vgbIuqTUvd0g7 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissionsZ + IAMStandardRolesListResponseGroup: + value: + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: Group + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions + IdPAppUserResponse: + summary: IdP User + value: + id: 00u5t60iloOHN9pBi0h7 + externalId: externalId + created: '2017-12-19T17:30:16.000Z' + lastUpdated: '2017-12-19T17:30:16.000Z' + profile: + profileUrl: null + firstName: null + lastName: null + honorificSuffix: null + displayName: null + honorificPrefix: null + middleName: null + email: null + _links: + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7 + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7/users/00u5t60iloOHN9pBi0h7 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + IdPKeyCredentialRequest: + summary: Identity Provider Key Credential + value: + e: '65537' + 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + x5c: + - 
MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdPKeyCredentialResponse: + summary: Identity Provider Key Credential + value: + kid: your-key-id + created: '2016-01-03T18:15:47.000Z' + lastUpdated: '2016-01-03T18:15:47.000Z' + e: '65537' + 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + kty: RSA + use: sig + x5c: + - 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdPSigningKeyCredentialResponse: + summary: 
Identity Provider Signing Key Credential + value: + created: '2015-12-10T18:56:23.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + kid: akm5hvbbevE341ovl0h7 + kty: RSA + use: sig + x5c: + - 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + InlineHookMgmtCreateHTTPRequest: + summary: Create an inline hook with HTTP authentication + value: + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + InlineHookMgmtCreateHTTPResponse: + summary: Inline hook with HTTP authentication response + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + InlineHookMgmtCreateOAuthClientSecretRequest: + summary: Create an inline hook with OAuth 2.0 Client Secret + value: + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + authType: client_secret_post + clientId: 0oaj43vkrq7wKxZSI5e6 + clientSecret: 
b-iATvTu7sIocvhWx95S9kF.....vfZhM6q6khSaojLBejF21cUn5bPm9abi + uri: https://example.com/tokenHook + headers: [] + method: POST + tokenUrl: https://example.okta.com/oauth2/default/v1/token + InlineHookMgmtCreateOAuthClientSecretResponse: + summary: Inline hook with OAuth 2.0 Client Secret response + value: + id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtCreateOAuthPrivateKeyRequest: + summary: Create an inline hook with OAuth 2.0 Private Key + value: + name: Token hook with OAuth 2.0 Private Key authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + authType: private_key_jwt + clientId: 0oaj43vkrq7wKxZSI5e6 + hookKeyId: HKYj4ft1a3fjmwZg05e6 + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + tokenUrl: https://example.okta.com/oauth2/default/v1/token + InlineHookMgmtCreateOAuthPrivateKeyResponse: + summary: Inline hook with OAuth 2.0 Private Key response + value: + id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + 
channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtHTTPexample: + summary: An inline hook with HTTP authentication + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + InlineHookMgmtHTTPexampleDeactivate: + value: + id: calb7gacafgwgE7hc5e4 + status: INACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: 
'2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + InlineHookMgmtOAuthCSPexample: + summary: An inline hook example with OAuth 2.0 Client Secret Post + value: + id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtOauthPKJexample: + summary: An inline hook example with OAuth 2.0 Private Key JWT + value: + id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' 
+ _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtPutHTTPRequest: + summary: Update an inline hook name + value: + name: New name token hook with HTTP authentication + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + InlineHookMgmtPutResponse: + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: New name token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + description: Inline hook response with a new name + InlineHookTelephony: + value: + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://your-external-webservice/sendOtp + headers: [] + method: POST + authScheme: + type: HEADER + key: x-telephony-key + created: '2024-03-28T17:30:25.000Z' + id: caldpyulr3nbET2du1d7 + lastUpdated: '2024-05-07T16:35:18.000Z' + name: testTelephonyHook + status: ACTIVE + type: com.okta.telephony.provider + version: null + _links: + self: 
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7 + execute: + href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/execute + hints: + allow": + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/lifecycle/deactivate + hints: + allow": + - POST + InlineHooktMgmtListAllexample: + summary: List all inline hooks response + value: + - id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + - id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + 
hints: + allow: + - POST + - id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InvalidRotateUse: + summary: Invalid Use + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: rotateKeys' + errorLink: E0000001 + errorId: oaeprak9qKHRlaWiclJ4oPJRQ + errorCauses: + - errorSummary: Invalid value specified for key 'use' parameter + KeyCredentialExample: + summary: Key Credential example + value: + created: '2015-12-10T18:56:23.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - 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 + e: AQAB + 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + kty: RSA + use: sig + x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + LinkIdPAppUserResponse: + summary: Linked IdP User + value: + id: 
00ub0oNGTSWTBKOLGLNR + externalId: '121749775026145' + created: '2017-03-30T02:19:51.000Z' + lastUpdated: '2017-03-30T02:19:51.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7/users/00ub0oNGTSWTBKOLGLNR + hints: + allow: + - GET + - DELETE + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7 + user: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + ListAllKeyCredentialsExample: + summary: List all Key Credentials example + value: + - created: '2015-12-10T18:56:23.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - 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 + e: AQAB + 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + kty: RSA + use: sig + x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + - created: '2015-12-10T18:55:35.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2045-01-23T02:15:23.000Z' + x5c: + - 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 + e: AQAB + 'n': htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw + kid: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo + kty: RSA + use: sig + x5t#S256": 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ + ListAllKeysResponse: + summary: List All Keys response example + value: + - id: HKY1i2htmXF5UNQhL0g4 + keyId: 
bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb + name: My new key + created: '2022-08-22T16:34:33.000Z' + lastUpdated: '2022-08-22T16:34:33.000Z' + isUsed: 'true' + - id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: Test key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + ListAppGrantsEx: + summary: List all app Grants example + value: + - id: oag91n9ruw3dsaXzP0h6 + status: ACTIVE + created: '2023-02-21T16:54:00.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-21T16:54:00.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.users.read + source: ADMIN + _embedded: + scope: + id: okta.users.read + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + - id: oaghm3sh9ukdkvDmO0h6 + status: ACTIVE + created: '2023-02-03T21:57:49.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-03T21:57:49.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.apps.manage + source: ADMIN + _embedded: + scope: + id: okta.apps.manage + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oaghm3sh9ukdkvDmO0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + ListAppLinks: + value: + - id: 00ub0oNGTSWTBKOLGLNR + label: Google Apps Mail + linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/50 + logoUrl: https://{yourOktaDomain}/img/logos/google-mail.png + appName: google + appInstanceId: 0oa3omz2i9XRNSRIHBZO + appAssignmentId: 0ua3omz7weMMMQJERBKY + 
credentialsSetup: false + hidden: false + sortOrder: 0 + - id: 00ub0oNGTSWTBKOLGLNR + label: Google Apps Calendar + linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/54 + logoUrl: https://{yourOktaDomain}/img/logos/google-calendar.png + appName: google + appInstanceId: 0oa3omz2i9XRNSRIHBZO + appAssignmentId: 0ua3omz7weMMMQJERBKY + credentialsSetup: false + hidden: false + sortOrder: 1 + - id: 00ub0oNGTSWTBKOLGLNR + label: Box + linkUrl: https://{yourOktaDomain}/home/boxnet/0oa3ompioiQCSTOYXVBK/72 + logoUrl: https://{yourOktaDomain}/img/logos/box.png + appName: boxnet + appInstanceId: 0oa3ompioiQCSTOYXVBK + appAssignmentId: 0ua3omx46lYEZLPPRWBO + credentialsSetup: false + hidden: false + sortOrder: 3 + - id: 00ub0oNGTSWTBKOLGLNR + label: Salesforce.com + linkUrl: https://{yourOktaDomain}/home/salesforce/0oa12ecnxtBQMKOXJSMF/46 + logoUrl: https://{yourOktaDomain}/img/logos/salesforce_logo.png + appName: salesforce + appInstanceId: 0oa12ecnxtBQMKOXJSMF + appAssignmentId: 0ua173qgj5VAVOBQMCVB + credentialsSetup: true + hidden: false + sortOrder: 2 + ListAssocAuthServerResponse: + summary: List associated Authorization Servers + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: DYNAMIC + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + ListAuthServersResponse: + summary: List all custom authorization servers in your org + value: + - id: '{authorizationServerId}' + name: Sample 
Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ListAuthorizationServerKeys: + summary: All Credential Keys + value: + - status: ACTIVE + alg: RS256 + e: AQAB + 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI 
JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET + - status: NEXT + alg: RS256 + e: AQAB + 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET + - status: EXPIRED + alg: RS256 + e: AQAB + 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ + kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + hints: + allow: + - GET + ListAuthorizationServerPolicies: + summary: List Authorization Server Policies + value: + - type: OAUTH_AUTHORIZATION_POLICY + id: 00palyaappA22DPkj0h7 + status: ACTIVE + name: Vendor2 Policy + description: Vendor2 policy description + 
priority: 1 + system: false + conditions: + clients: + include: + - ALL_CLIENTS + created: '2017-05-26T19:43:53.000Z' + lastUpdated: '2017-06-07T15:28:17.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate + hints: + allow: + - POST + rules: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules + hints: + allow: + - GET + ListAuthorizationServerPolicyRules: + summary: List Authorization Server Policy Rules + value: + - type: RESOURCE_ACCESS + id: 0prbsjfyl01zfSZ9K0h7 + status: ACTIVE + name: Default Policy Rule + priority: 1 + created: '2017-08-25T16:57:02.000Z' + lastUpdated: '2017-08-30T14:51:05.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: + - EVERYONE + exclude: [] + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate + hints: + allow: + - POST + ListBrandsResponse: + value: + - id: bnd114iNkrcN6aR680g4 + name: Okta Default + isDefault: true + agreeToCustomPrivacyPolicy: false + removePoweredByOkta: false + customPrivacyPolicyUrl: null + locale: en + emailDomainId: OeD114iNkrcN6aR680g4 + 
defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + ListClientsResponse: + summary: List all Client resources for which an authorization server has tokens + value: + - client_id: '{clientId}' + client_name: My Web App + client_uri: null, + logo_uri: null, + _links: + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + tokens: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens + hints: + allow: + - GET + - DELETE + ListCustomTokenClaimsResponse: + summary: List all custom token Claims for an authorization server + value: + - id: '{claimId}' + name: sub + status: ACTIVE + claimType: RESOURCE + valueType: EXPRESSION + value: '(appuser != null) ? appuser.userName : app.clientId' + conditions: + scopes: + - profile + system: true + alwaysIncludeInToken: true + apiResourceId: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + ListEmailCustomizationResponse: + value: + - language: en + isDefault: true + subject: Welcome to ${org.name}! + body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. 
Click <a href="${activationLink}">here</a> to activate your account.</body></html> + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ListEmailTemplateResponse: + value: + - name: UserActivation + _embedded: + customizationCount: 0 + settings: + recipients: ALL_USERS + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + settings: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + customizations: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + hints: + allow: + - GET + - POST + - DELETE + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ListFactorsResults: + summary: All of the enrolled Factors for the 
specified User + value: + - id: ufs2bysphxKODSZKWVCT + factorType: question + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-04-15T18:10:06.000Z' + lastUpdated: '2014-04-15T18:10:06.000Z' + profile: + question: favorite_art_piece + questionText: What is your favorite piece of art? + _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs2bysphxKODSZKWVCT + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + - id: ostf2gsyictRQDSGTDZE + factorType: token:software:totp + provider: OKTA + status: PENDING_ACTIVATION + created: '2014-06-27T20:27:33.000Z' + lastUpdated: '2014-06-27T20:27:33.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + next: + name: activate + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: HE64TMLL2IUZW2ZLB + encoding: base32 + keyLength: 16 + - id: sms2gt8gzgEBPUWBIFHN + factorType: sms + provider: OKTA + status: ACTIVE + created: '2014-06-27T20:27:26.000Z' + lastUpdated: '2014-06-27T20:27:26.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN + hints: + allow: + - GET + - DELETE + user: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ListFeatureDependenciesResponse: + summary: List all dependencies for a feature + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: OPEN + value: EA + status: ENABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListFeatureDependentsResponse: + summary: List all feature dependents for the specified feature + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: OPEN + value: EA + status: ENABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListFeaturesResponse: + summary: List all self-service features for your org + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: CLOSED + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListIdPUsersResponse: + summary: List of linked IdP Users + value: + - id: 00u5cl9lo7nMjHjPr0h7 + externalId: '109912936038778' + created: '2015-11-03T19:10:11.000Z' + 
lastUpdated: '2015-11-03T19:11:49.000Z' + profile: + firstName: Carol + middleName: Lee + lastName: Johnson + email: carol_johnson@tfbnw.net + displayName: Carol Johnson + profile: https://www.facebook.com/app_scoped_user_id/109912936038778/ + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7/users/00u5cl9lo7nMjHjPr0h7 + hints: + allow: + - GET + - DELETE + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7 + user: + href: https://{yourOktaDomain}/api/v1/users/00u5cl9lo7nMjHjPr0h7 + ListLinkedObjects: + summary: List all Linked Object definitions + value: + - primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + _links: + self: + href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager + ListLogs: + summary: List all system logs + value: + - actor: + id: 00uttidj01jqL21aM1d6 + type: User + alternateId: john.doe@example.com + displayName: John Doe + detailEntry: null + client: + userAgent: + rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 + os: Mac OS X + browser: CHROME + zone: null + device: Computer + id: null + ipAddress: 10.0.0.1 + geographicalContext: + city: New York + state: New York + country: United States + postalCode: 10013 + geolocation: + lat: 40.3157 + lon: -74.01 + device: + id: guofdhyjex1feOgbN1d9 + name: Mac15,6 + os_platform: OSX + os_version: 14.6.0 + managed: false + registered: true + device_integrator: null + disk_encryption_type: ALL_INTERNAL_VOLUMES + screen_lock_type: BIOMETRIC + jailbreak: null + secure_hardware_present: true + authenticationContext: + authenticationProvider: null + credentialProvider: null + credentialType: null + issuer: null + interface: null + authenticationStep: 0 + rootSessionId: idxBager62CSveUkTxvgRtonA + 
externalSessionId: idxBager62CSveUkTxvgRtonA + displayMessage: User login to Okta + eventType: user.session.start + outcome: + result: SUCCESS + reason: null + published: '2024-08-13T15:58:20.353Z' + securityContext: + asNumber: 394089 + asOrg: ASN 0000 + isp: google + domain: null + isProxy: false + severity: INFO + debugContext: + debugData: + requestId: ab609228fe84ce59cdcbfa690bcce016 + requestUri: /idp/idx/authenticators/poll + url: /idp/idx/authenticators/poll + legacyEventType: core.user_auth.login_success + transaction: + type: WEB + id: ab609228fe84ce59cdcbfa690bgce016 + detail: null + uuid: dc9fd3c0-598c-11ef-8478-2b7584bf8d5a + version: 0 + request: + ipChain: + - ip: 10.0.0.1 + geographicalContext: + city: New York + state: New York + country: United States + postalCode: 10013 + geolocation: + lat: 40.3157 + lon: -74.01 + version: V4 + source: null + target: + - id: pfdfdhyjf0HMbkP2e1d7 + type: AuthenticatorEnrollment + alternateId: unknown + displayName: Okta Verify + detailEntry: null + - id: 0oatxlef9sQvvqInq5d6 + type: AppInstance + alternateId: Okta Admin Console + displayName: Okta Admin Console + detailEntry: null + ListMappingsResponse: + summary: List all Profile Mappings response + value: + - id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + ListOfSecurityEventsProviderInstances: + summary: List of Security Events Providers + value: + - id: sse1qg25RpusjUP6m0g5 + name: Security Events 
Provider with well-known URL + type: okta + status: ACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate + hints: + allow: + - POST + - id: sse1qu4fUtsoD12iF0g5 + name: Security Events Provider with an issuer and a JWKS URL + type: okta + status: ACTIVE + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate + hints: + allow: + - POST + ListPrivilegedAccounts: + summary: List Privileged Accounts with mixed account types + value: + - accountType: APP_ACCOUNT + description: This is for accessing AWS Prod-5 + id: a747a818-a4c4-4446-8a87-704216495a08 + name: AWS Prod-5 account + ownerGroupIds: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + - 00u11s48P9zGW8yqm0g5 + status: NO_ISSUES + statusDetail: ROTATED + created: '2023-04-04T15:56:05.000Z' + lastUpdated: '2023-05-05T18:15:44.000Z' + details: + credentials: + username: testuser@example.com + oktaApplicationId: aln1aqcs055ZRoizW0g8 + appInstanceName: AWS Prod-5 + appGlobalName: AWS Account Federation + - accountType: OKTA_USER_ACCOUNT + description: Shared admin account for managing AD integrations + id: d1b65a78-21ed-429b-8ea3-eec96f2748d6 + name: AD Integrations Admin + ownerGroupIds: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + - 00u11s48P9zGW8yqm0g5 + status: INFO + statusDetail: ROTATING + created: '2023-04-04T15:56:05.000Z' + lastUpdated: 
'2023-05-05T18:15:44.000Z' + details: + credentials: + username: shr-ad-admin-01@example.com + email: shr-ad-admin-01@example.com + oktaUserId: 00u11s48P9zGW8yqm0g5 + ListRealmAssignmentsResponse: + value: + - id: rul2jy7jLUlnO3ng00g4 + status: ACTIVE + name: Realm Assignment 1 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: user.profile.role ==\"Manager\" + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + priority: 0 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 + method: GET + - id: rul2jy7jLUlnO5ng00g4 + status: ACTIVE + name: Catch-all + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + conditions: + profileSourceId: 0oa4enoRyjwSCy6hx0g4, + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf2g5 + priority: 499 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4 + method: GET + ListRealmAwareUsersResponse: + summary: List all users + value: + - id: 00u118oQYT4TBGuay0g4 + status: ACTIVE + created: '2022-04-04T15:56:05.000Z' + activated: null + statusChanged: null + lastLogin: '2022-05-04T19:50:52.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + passwordChanged: '2022-04-04T16:00:22.000Z' + type: + id: oty1162QAr8hJjTaq0g4 + profile: + firstName: Alice + lastName: Smith + mobilePhone: null + secondEmail: null + login: alice.smith@example.com + email: alice.smith@example.com + realmId: guo1afiNtSnZYILxO0g4 + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + ListRealmsResponse: + value: + - id: guox9jQ16k9V8IFEL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + 
isDefault: false + profile: + name: Car Co + realmType: PARTNER + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 + method: GET + ListRefreshTokensClientsResponse: + summary: List all refresh tokens for a Client + value: + - id: '{refreshTokenId}' + status: ACTIVE + created: '2023-09-21T19:59:56.000Z' + lastUpdated: '2023-09-21T20:00:38.000Z' + expiresAt: '2023-09-28T20:00:38.000Z' + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + client_id: '{clientId}' + userId: '{userId}' + scopes: + - offline_access + - openid + _embedded: + scopes: + - id: '{scopeId}' + name: openid + displayName: openid + description: Signals that a request is an OpenID request + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: openid + - id: '{scopeID}' + name: offline_access + displayName: Keep you signed in to the app + description: This keeps you signed in to the app, even when you aren't using it. 
+ _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + itle: Keep you signed in to the app + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: My Web App + authorizationServer: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + title: Authorization Server name + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + revoke: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + title: Joe User + ListRiskProviderResponse: + summary: List Risk Provider response example + value: + - id: 00rp12r4skkjkjgsn + action: log_only + name: Risk-Partner-X + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 22:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT + ListSessionsResponseForGetSessions: + value: + - id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' + - id: aps1quck606ngubVq0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: TRIGGERED + importType: INCREMENTAL + created: '2022-04-04T16:56:05.000Z' + lastUpdated: '2022-05-05T17:15:44.000Z' + - id: aps1qzy2acb5jDlUc0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: IN_PROGRESS + importType: INCREMENTAL + created: '2022-04-04T17:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + - id: aps1qqne8c1JHkMdF0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: EXPIRED + importType: INCREMENTAL + created: 
'2022-04-04T18:56:05.000Z' + lastUpdated: '2022-05-05T19:15:44.000Z' + - id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CLOSED + importType: INCREMENTAL + created: '2022-04-04T19:56:05.000Z' + lastUpdated: '2022-05-05T20:15:44.000Z' + ListThemesResponse: + value: + - id: thdul904tTZ6kWVhP0g3 + logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + ListUISchemaResponse: + summary: Lists all UI Schemas response + value: + - id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + options: + format: text + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + - id: uis4abjqkkKXVPGAU0g7 + uiSchema: + type: Group + label: Sign in 2 + buttonLabel: 
Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7 + hints: + allow: + - GET + - PUT + - DELETE + ListUserBlocksAnyDevicesResponse: + value: + - type: DEVICE_BASED + appliesTo: ANY_DEVICES + ListUserBlocksUnknownDevicesResponse: + value: + - type: DEVICE_BASED + appliesTo: UNKNOWN_DEVICES + ListUserClients: + value: + - client_id: 0oabskvc6442nkvQO0h7 + client_name: My App + client_uri: null + logo_uri: null + _links: + grants: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants + tokens: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens + ListUserGroups: + value: + - id: 0gabcd1234 + profile: + name: Cloud App Users + description: Users can access cloud apps + - id: 0gefgh5678 + profile: + name: Internal App Users + description: Users can access internal apps + ListUsersResponse: + summary: List all users + value: + - id: 00u118oQYT4TBTemp0g4 + status: ACTIVE + created: '2022-04-04T15:56:05.000Z' + activated: null + statusChanged: null + lastLogin: '2022-05-04T19:50:52.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + passwordChanged: '2022-04-04T16:00:22.000Z' + type: + id: oty1162QAr8hJjTaq0g4 + profile: + 
firstName: Alice + lastName: Smith + mobilePhone: null + secondEmail: null + login: alice.smith@example.com + email: alice.smith@example.com + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + ListYubikeyOptTokensResponse: + summary: List Yubikey OPT Token response + value: + - id: ykkwcx13nrDq8g4oy0g3 + created: '2020-01-14T21:53:09.000Z' + lastVerified: '2020-01-14T21:53:06.000Z' + lastUpdated: '2020-01-14T21:53:09.000Z' + status: UNASSIGNED + profile: + serial: '000003632071' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkwcx13nrDq8g4oy0g3 + hints: + allow: + - GET + - DELETE + - id: ykkxdtCA1fKVxyu6R0g3 + created: '2020-06-09T23:42:05.000Z' + activated: '2020-06-09T23:47:29.000Z' + lastVerified: '2020-06-09T23:47:29.000Z' + lastUpdated: '2020-06-09T23:47:29.000Z' + status: ACTIVE + profile: + serial: '000009508427' + _links: + self: + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 + hints: + allow: + - DELETE + ListsAllUserTypes: + summary: Lists all user types + value: + - id: otyfnly5cQjJT9PnR0g4 + displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + - id: otyz9fj2jMiRBC1ZT1d6 + displayName: User + name: user + description: Okta user profile 
template with default permission settings + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: true + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ListsOwnerOneResponse: + summary: Lists a response with one owner + value: + - id: 00g1gae1k0znUcLuU0h8 + type: GROUP + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Product & Engineering + lastUpdated: '2023-03-29 18:18:37.0' + ListsOwnersMultipleResponse: + summary: Lists a response with multiple owners + value: + - id: 00u1cmbqjkkmFXeqb0h8 + type: USER + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Mabel Mora + lastUpdated: '2023-03-29T18:30:58.000Z' + - id: 00u1cmc52x5B86cnZ0h8 + type: USER + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Cinda Canning + lastUpdated: '2023-03-29T18:30:55.000Z' + LogStreamActivateResponse: + summary: Activate Log Stream response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:22:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamDeactivateResponse: + summary: Deactivate Log Stream response + value: + id: 0oa7agphh5FT7H521d7 + type: splunk_cloud_logstreaming + name: Splunk Cloud Example + lastUpdated: '2023-03-24T21:23:00.000Z' + created: '2023-03-24T21:15:13.000Z' + status: INACTIVE + settings: + edition: aws + host: 
okexample.splunkcloud.com + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7 + method: GET + activate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate + method: POST + LogStreamGetAllResponse: + summary: Lists all Log Streams + value: + - id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:02:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamPostRequest: + summary: Create an AWS EventBridge Log Stream + value: + type: aws_eventbridge + name: Example AWS EventBridge + settings: + eventSourceName: your-event-source-name + accountId: '123456789012' + region: us-east-2 + LogStreamPostResponse: + summary: AWS EventBridge Log Stream response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:02:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamPutRequest: + summary: Replace AWS EventBridge name + value: + type: aws_eventbridge + name: Updated AWS EventBridge + settings: + eventSourceName: your-event-source-name + accountId: '123456789012' + region: us-east-2 + LogStreamPutResponse: + summary: Replace AWS EventBridge name response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: 
aws_eventbridge + name: Updated AWS EventBridge + lastUpdated: '2023-03-24T21:12:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamSchemaAws: + value: + $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge + title: AWS EventBridge + type: object + properties: + settings: + description: Configuration properties specific to AWS EventBridge + type: object + properties: + accountId: + title: AWS Account ID + description: Your Amazon AWS Account ID. + type: string + writeOnce: true + pattern: ^\d{12}$ + eventSourceName: + title: AWS Event Source Name + description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. + type: string + writeOnce: true + pattern: ^[\.\-_A-Za-z0-9]{1,75}$ + region: + title: AWS Region + description: The destination AWS region for your system log events. + type: string + writeOnce: true + oneOf: + - title: US East (Ohio) + const: us-east-2 + - title: US East (N. Virginia) + const: us-east-1 + - title: US West (N. California) + const: us-west-1 + - title: US West (Oregon) + const: us-west-2 + - title: Canada (Central) + const: ca-central-1 + - title: Europe (Frankfurt) + const: eu-central-1 + - title: Europe (Ireland) + const: eu-west-1 + - title: Europe (London) + const: eu-west-2 + - title: Europe (Paris) + const: eu-west-3 + - title: Europe (Milan) + const: eu-south-1 + - title: Europe (Stockholm) + const: eu-north-1 + required: + - eventSourceName + - accountId + - region + errorMessage: + properties: + accountId: Account number must be 12 digits. 
+ eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + LogStreamSchemaList: + value: + - $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge + title: AWS EventBridge + type: object + properties: + settings: + description: Configuration properties specific to AWS EventBridge + type: object + properties: + accountId: + title: AWS Account ID + description: Your Amazon AWS Account ID. + type: string + writeOnce: true + pattern: ^\d{12}$ + eventSourceName: + title: AWS Event Source Name + description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. + type: string + writeOnce: true + pattern: ^[\.\-_A-Za-z0-9]{1,75}$ + region: + title: AWS Region + description: The destination AWS region for your system log events. + type: string + writeOnce: true + oneOf: + - title: US East (Ohio) + const: us-east-2 + - title: US East (N. Virginia) + const: us-east-1 + - title: US West (N. California) + const: us-west-1 + - title: US West (Oregon) + const: us-west-2 + - title: Canada (Central) + const: ca-central-1 + - title: Europe (Frankfurt) + const: eu-central-1 + - title: Europe (Ireland) + const: eu-west-1 + - title: Europe (London) + const: eu-west-2 + - title: Europe (Paris) + const: eu-west-3 + - title: Europe (Milan) + const: eu-south-1 + - title: Europe (Stockholm) + const: eu-north-1 + required: + - eventSourceName + - accountId + - region + errorMessage: + properties: + accountId: Account number must be 12 digits. + eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. 
+ name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + - $schema: https://json-schema.org/draft/2020-12/schema + id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + title: Splunk Cloud + type: object + properties: + settings: + description: Configuration properties specific to Splunk Cloud + type: object + properties: + host: + title: Host + description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com' + type: string + writeOnce: false + pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ + token: + title: HEC Token + description: The token from your Splunk Cloud HTTP Event Collector (HEC). + type: string + writeOnce: false + pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' + required: + - host + - token + errorMessage: + properties: + host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + LogStreamSchemaSplunk: + value: + $schema: https://json-schema.org/draft/2020-12/schema + id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + title: Splunk Cloud + type: object + properties: + settings: + description: Configuration properties specific to Splunk Cloud + type: object + properties: + host: + title: Host + description: 'The domain for your Splunk Cloud instance without http or https. 
For example: acme.splunkcloud.com' + type: string + writeOnce: false + pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ + token: + title: HEC Token + description: The token from your Splunk Cloud HTTP Event Collector (HEC). + type: string + writeOnce: false + pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' + required: + - host + - token + errorMessage: + properties: + host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + LogTargetChangeDetails: + summary: Example of the `changeDetails` property on the target + value: + from: + vpnLocationOptions: DISABLED + vpnSettingsZones: + include: null + exclude: null + to: + message: You must a use VPN to connect to this application + vpnLocationOptions: ZONE + vpnSettingsZones: + include: + - ALL_ZONES + exclude: null + MicrosoftIdPResponse: + summary: Microsoft Identity Provider + value: + id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + 
template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: |- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + MultipleIdPCsrsResponse: + summary: Identity Provider CSRs + value: + - id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: 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 + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: - GET - DELETE - user: - href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + - id: '-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg' + created: '2017-03-28T01:21:10.000Z' + csr: 
MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= + kty: RSA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg hints: allow: - GET - - name: Another API Token - userId: 00uabcdefg1234567890 - tokenWindow: PT5M - id: 00T1234567890abcdefg - clientName: Okta API - expiresAt: 2021-11-11T20:43:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + - DELETE + publish: + href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg/lifecycle/publish + hints: + allow: + - POST + MultipleIdPKeyCredentialsResponse: + summary: Identity Provider Key Credentials + value: + - kid: your-key-id + created: '2016-01-03T18:15:47.000Z' + lastUpdated: '2016-01-03T18:15:47.000Z' + e: '65537' + 'n': 
'101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + kty: RSA + use: sig + x5c: + - 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + - kty: EC + created: '2020-04-24T20:51:20.000Z' + lastUpdated: '2020-04-24T20:51:20.000Z' + expiresAt: '2040-03-01T20:22:29.000Z' + alg: EC + x5c: + - MIICqDCCAgqgAwIBAgIJAOkmCa/S8dHiMAoGCCqGSM49BAMCMG0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdKYW5reUNvMR8wHQYDVQQDDBZUZXN0IElkZW50aXR5IFByb3ZpZGVyMB4XDTIwMDMwNjIwMjIyOVoXDTQwMDMwMTIwMjIyOVowbTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoMB0phbmt5Q28xHzAdBgNVBAMMFlRlc3QgSWRlbnRpdHkgUHJvdmlkZXIwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABW/lGHl17mKDtCD4D7gcMYYOWgyWTGno8MTefDOABA8PddessTsbfrguF49Gli6lCzrZaAKhhvgINc3R6t/dYleAE3lY6LAocOoLe9xDkeggXNcSuP5fDc1x5R9GHTXl44vLoJOLSLsMbOXVMXIXoqbPDzTSYUy24aFdv4W4LZxW6ak6NQME4wHQYDVR0OBBYEFChTXNWvs4z1qjRVemPDD/hqlDQ4MB8GA1UdIwQYMBaAFChTXNWvs4z1qjRVemPDD/hqlDQ4MAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDgYsAMIGHAkIBuDhHMNLbBIsorbKtjxJzHJ2ItCSD2wAwqYv/6JBtA2ulKN5gRTSqdNCnqFsZ1/nYY7FFVXHEuQ2N3pPq7Ri8h84CQSgCq1UQyd0lFtb7+57JbiGb6LVaRqRm7vwx8zLRA+tVjIM1DlQ2Gbxkj3nlkzmM93j9wchiqGdQidyKnF6EBnfd + x: Vv5Rh5de5ig7Qg-A-4HDGGDloMlkxp6PDE3nwzgAQPD3XXrLE7G364LhePRpYupQs62WgCoYb4CDXN0erf3WJXg + 'y': ATeVjosChw6gt73EOR6CBc1xK4_l8NzXHlH0YdNeXji8ugk4tIuwxs5dUxcheips8PNNJhTLbhoV2_hbgtnFbpqT + crv: P-521 + kid: your-kid + use: sig + x5t#S256: TUx-AIwypm2pZURHNqafk7ZDxqQP_ypzIyUwDDnPOlw + MultipleIdPSigningKeyCredentialsResponse: + summary: Identity Provider Signing Key Credentials + value: + - created: '2015-12-10T18:56:23.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: 
+ - 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 + kid: akm5hvbbevE341ovl0h7 + kty: RSA + use: sig + x5t#S256: 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + - created: '2015-12-10T18:55:35.000Z' + expiresAt: '2045-01-23T02:15:23.000Z' + x5c: + - 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 + kid: akm5hvbn1vojA9Fsa0h7 + kty: RSA + use: sig + x5t#S256: 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ + MultipleIdPsResponse: + summary: Multiple Identity Providers + value: + - id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.facebook.com/dialog/oauth + binding: HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + 
destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate + hints: + allow: + - POST + - id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + 
userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bfdjnK55Z5x80h7 + type: LINKEDIN + name: LinkedIn + status: ACTIVE + created: '2016-03-24T23:23:59.000Z' + lastUpdated: '2016-03-24T23:23:59.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.linkedin.com/uas/oauth2/authorization + binding: HTTP-REDIRECT + token: + url: https://www.linkedin.com/uas/oauth2/accessToken + binding: HTTP-POST + scopes: + - r_basicprofile + - r_emailaddress + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdjnK55Z5x80h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + 
authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + scopes: + - openid + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + 
subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: '2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + deactivate: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users + hints: + allow: + - GET + keys: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc + hints: + allow: + - GET + NextAuthorizationServerKey: + summary: Next Authorization Server Key + value: + status: NEXT + alg: RS256 + e: AQAB + 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 
HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET + NzErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000003 + errorSummary: The request body was not well-formed. + errorLink: E0000003 + errorId: samplewNxQUR9iohr4QYlD0eg + errorCauses: [] + NzErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: Resource not found: itd (NetworkZone)' + errorLink: E0000007 + errorId: samplejCSVaKFDkCMElmKQ + errorCauses: [] + OAuth2RefreshTokenResponseEx: + summary: OAuth 2.0 refresh token example + value: + id: oar579Mcp7OUsNTlo0g3 + status: ACTIVE + created: '2023-03-09T03:18:06.000Z' + lastUpdated: '2023-03-09T03:18:06.000Z' + expiresAt: '2023-03-16T03:18:06.000Z' + issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + clientId: 0oabskvc6442nkvQO0h7 + userId: 00u5t60iloOHN9pBi0h7 + scopes: + - offline_access + - car:drive + _embedded: + scopes: + - id: scppb56cIl4GvGxy70g3 + name: offline_access + description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: offline_access + - id: scp142iq2J8IGRUCS0g4 + name: car:drive + displayName: Drive car + description: Allows the user to drive a car + _links: + scope: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 + title: Drive car + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: Native + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + revoke: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 + title: Example Client App + user: + href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 + title: Saml Jackson + authorizationServer: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: Example Authorization Server + OAuth2RefreshTokenResponseListEx: + summary: App refresh token list example + value: + - id: oar579Mcp7OUsNTlo0g3 + status: ACTIVE + created: '2023-03-09T03:18:06.000Z' + lastUpdated: '2023-03-09T03:18:06.000Z' + expiresAt: '2023-03-16T03:18:06.000Z' + issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + clientId: 0oabskvc6442nkvQO0h7 + userId: 00u5t60iloOHN9pBi0h7 + scopes: + - offline_access + - car:drive + _embedded: + scopes: + - id: scppb56cIl4GvGxy70g3 + name: offline_access + description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: offline_access + - id: scp142iq2J8IGRUCS0g4 + name: car:drive + displayName: Drive car + description: Allows the user to drive a car + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 + title: Drive car + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: Native + self: + href: 
https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + revoke: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 + title: Example Client App + user: + href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 + title: Saml Jackson + authorizationServer: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: Example Authorization Server + OpenidConnectEx: + summary: OPENID_CONNECT + value: + name: oidc_client + label: Sample Client profile + signOnMode: OPENID_CONNECT + credentials: + oauthClient: + token_endpoint_auth_method: client_secret_post + profile: + label: oauth2 client app 1 + settings: + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + participate_slo: false + OpenidConnectPutEx: + summary: OPENID_CONNECT + value: + name: oidc_client + label: Sample Client profile updated + signOnMode: OPENID_CONNECT + OpenidConnectPutResponseEx: + summary: OPENID_CONNECT + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: 
http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: true + web: true + appLinks: + oidc_client_link: true + name: oidc_client + label: Sample Client profile updated + features: [] + signOnMode: OPENID_CONNECT + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc + oauthClient: + autoKeyRotation: true + client_id: 0oahonkqCRR6TSNlg4 + client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 + token_endpoint_auth_method: client_secret_post + pkce_required: true + settings: + app: {} + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + issuer_mode: DYNAMIC + idp_initiated_login: + mode: DISABLED + default_scope: [] + wildcard_redirect: DISABLED + dpop_bound_access_tokens: false + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + OpenidConnectResponseEx: + summary: OPENID_CONNECT + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: 
http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: true + web: true + appLinks: + oidc_client_link: true + name: oidc_client + label: Sample Client profile + features: [] + signOnMode: OPENID_CONNECT + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc + oauthClient: + autoKeyRotation: true + client_id: 0oahonkqCRR6TSNlg4 + client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 + token_endpoint_auth_method: client_secret_post + pkce_required: true + settings: + app: {} + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + issuer_mode: DYNAMIC + idp_initiated_login: + mode: DISABLED + default_scope: [] + wildcard_redirect: DISABLED + dpop_bound_access_tokens: false + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + profile: + label: oauth2 client app 1 + OperationResponse: + value: + id: rre4mje4ez6B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: 
'2023-10-25T21:02:54.000Z' + realmId: 00g1b7rvh0xPLKXFf0g5 + realmName: Realm Name + assignmentOperation: + configuration: + id: 0pr1b7rxZj2ibQzfP0g5 + name: Realm Assignment 1 + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + numUserMoved: 50 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 + method: GET + OptInStatusResponse: + summary: Opt in response + value: + optInStatus: OPTING_IN + _links: + optInStatus: + href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn + OptOutStatusResponse: + summary: Opt out response + value: + optInStatus: OPTING_OUT + _links: + optInStatus: + href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn + OrgCAPTCHASettingsConfigured: + summary: Org-wide Captcha Settings are configured + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgCAPTCHASettingsDisable: + summary: Disable Org-wide Captcha Settings + value: + captchaId: 'null' + enabledPages: 'null' + OrgCAPTCHASettingsDisabled: + summary: Disabled Org-wide Captcha Settings + value: + captchaId: 'null' + enabledPages: '[]' + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/ + hints: + allow: + - GET + - PUT + OrgCAPTCHASettingsEmpty: + summary: Org-wide Captcha Settings aren't configured + value: + captchaId: null + enabledPages: [] + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgCAPTCHASettingsUpdate: + summary: Update Org-wide Captcha Settings + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + OrgCAPTCHASettingsUpdated: + summary: Updated Org-wide Captcha Settings + value: + captchaId: abcd4567 + enabledPages: + - SSR + - 
SIGN_IN + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgSettingResponse: + summary: Org setting response + value: + address1: 100 1st St + address2: 6th floor + city: San Fransico + companyName: okta + country: United States + endUserSupportHelpURL: support.okta.com + phoneNumber: '+18887227871' + postalCode: '94105' + state: California + supportPhoneNumber: '+18887227871' + website: www.okta.com + id: 00o3qqiw0vSCIwu8I0g7 + created: '2024-01-24T14:15:22Z' + lastUpdated: '2024-07-21T14:15:22Z' + expiresAt: '2024-12-24T14:15:22Z' + status: ACTIVE + subdomain: okta + _links: + preferences: + href: https://{yourOktaDomain}/v1/org/preferences + uploadLogo: + href: https://{yourOktaDomain}/api/v1/org/logo + hints: + allow: + - POST + oktaCommunication: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication + logo: null + oktaSupport: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport + contacts: + href: https://vantest.oktapreview.com/api/v1/org/contacts + PasswordImportPayloadExample: + summary: An example password import inline hook request body + value: + eventId: 3o9jBzq1SmOGmmsDsqyyeQ + eventTime: '2020-01-17T21:23:56.000Z' + eventType: com.okta.user.credential.password.import + eventTypeVersion: '1.0' + contentType: application/json + cloudEventVersion: '0.1' + source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7 + data: + context: + request: + id: XiIl6wn7005Rr@fjYqeC7CCDBxw + method: POST + url: + value: /idp/idx/challenge/answer + ipAddress: 66.124.153.138 + credential: + username: isaac.brock@example.com + password: Okta + action: + credential: UNVERIFIED + PasswordImportUnVerifiedResponse: + summary: An example password hook response for an unverified user password + value: + commands: + - type: com.okta.action.update + value: + credential: UNVERIFIED + PasswordImportVerifiedResponse: + summary: An example password 
hook response for a verified user password + value: + commands: + - type: com.okta.action.update + value: + credential: VERIFIED + PerClientRateLimitSettingsEnforceDefault: + value: + defaultMode: ENFORCE + PerClientRateLimitSettingsEnforceDefaultWithOverrides: + value: + defaultMode: ENFORCE + useCaseModeOverrides: + OAUTH2_AUTHORIZE: PREVIEW + OIE_APP_INTENT: DISABLE + PerClientRateLimitSettingsPreviewDefaultWithOverrides: + value: + defaultMode: PREVIEW + useCaseModeOverrides: + LOGIN_PAGE: ENFORCE + PermissionResponse: + value: + label: okta.users.manage + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage + PermissionResponseWithConditions: + value: + label: okta.users.read + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read + PermissionsResponse: + value: + permissions: + - label: okta.users.create + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create + - label: okta.users.read + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read + - label: okta.groups.read + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read + - label: okta.users.userprofile.manage + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage + PreviewEmailCustomizationResponse: + value: + subject: Welcome to Okta! + body: <!DOCTYPE html><html><body><p>Hello, John. Click <a href="https://{yourOktaDomain}/...">here</a> to activate your account.</body></html> + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview + hints: + allow: + - GET + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + PreviewEmailTemplateDefaultContentResponse: + value: + subject: Welcome to Okta! + body: <!DOCTYPE html><html><body><p>Hello, John. 
Click <a href="https://{yourOktaDomain}/...">here</a> to activate your account.</body></html> + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + hints: + allow: + - GET + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content + hints: + allow: + - POST + PrincipalRateLimitEntityRequestEmptyPercentages: + value: + principalId: token1234 + principalType: SSWS_TOKEN + PrincipalRateLimitEntityRequestSSWSToken: + value: + principalId: token1234 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + PrincipalRateLimitEntityResponseSSWSToken: + value: + id: abcd1234 + orgId: org1234 + principalId: token1234 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + createdDate: '2022-05-19T20:05:32.720Z' + createdBy: user1234 + lastUpdate: '2022-05-20T21:13:07.410Z' + lastUpdatedBy: user4321 + PrivilegedResourceClaimAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, _links: - self: - href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg - hints: - allow: - - GET - - DELETE + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: '' + 
syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceClaimOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceCreateAppAccountRequest: + value: + resourceType: APP_ACCOUNT + containerDetails: + containerId: 0oa103099SBEb3Z2b0g4 + credentials: + userName: testuser@example.com + PrivilegedResourceCreateAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: INACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceCreateOktaAccountRequestConvert: + value: + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4 + PrivilegedResourceCreateOktaAccountRequestNew: + value: + resourceType: OKTA_USER_ACCOUNT + credentials: + userName: username + profile: + email: testuser@example.com + PrivilegedResourceCreateOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: 
username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: INACTIVE + credentialSyncInfo: + secretVersionId: '' + syncTime: '' + syncState: NOT_SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourceRotatePasswordAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '' + syncState: SYNCING + errorCode: '' + errorReason: '' + PrivilegedResourceRotatePasswordOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: username + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-11T11:11:01.000Z' + syncState: SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourcesAppAccountUpdateRequest: + value: + username: username + PrivilegedResourcesGetAppAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: APP_ACCOUNT + containerDetails: + appName: google, + containerId: 0oa103099SBEb3Z2b0g4, + displayName: Google App1, + globalAppId: 964b82aa-85b4-5645-b790-83312c473480, + passwordPushSupported: true, + 
provisioningEnabled: true, + _links: + login: + href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4, + logo: + href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png, + credentials: + userName: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:30:01.000Z' + syncState: SYNC_FAILED + errorCode: UNKNOWN_ERROR + errorReason: Password update failed + PrivilegedResourcesGetOktaAccountResponse: + value: + id: opa100xTfFs4MasRf0g4 + resourceType: OKTA_USER_ACCOUNT + resourceId: 00u100xTfFs4MasRf0g4, + credentials: + userName: testuser@example.com + profile: + email: testuser@example.com + created: '2024-06-10T11:11:01.000Z' + lastUpdated: '2024-06-10T11:11:01.000Z' + status: ACTIVE + credentialSyncInfo: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:30:01.000Z' + syncState: SYNCED + errorCode: '' + errorReason: '' + PrivilegedResourcesOktaUserAccountUpdateRequest: + value: + username: username + profile: + email: testuser@example.com + ProfileEnrollmentRequest: + summary: An example registration hook profile enrollment (SSR) inline hook request body + value: + eventId: 04Dmt8BcT_aEgM + eventTime: '2022-04-25T17:35:27.000Z' + eventType: com.okta.user.pre-registration + eventTypeVersion: 1 + contentType: application/json + cloudEventVersion: 0.1 + source: regt4qeBKU29vSoPz0g3 + requestType: self.service.registration + data: + context: + request: + method: POST + ipAddress: 127.0.0.1 + id: 123testId456 + url: + value: /idp/idx/enroll/new + userProfile: + firstName: Rosario + lastName: Jones + login: rosario.jones@example.com + email: rosario.jones@example.com + action: ALLOW + ProfileEnrollmentResponse: + summary: An example registration hook profile enrollment (SSR) inline hook response + 
value: + commands: + - type: com.action.update + value: + registration: ALLOW + ProfileEnrollmentResponseDeny: + summary: An example Profile Enrollment (SSR) inline hook Deny response + value: + commands: + - type: com.action.update + value: + registration: DENY + error: + errorSummary: Incorrect email address. Please contact your admin. + errorCauses: + - errorSummary: Only example.com emails can register. + reason: INVALID_EMAIL_DOMAIN + locationType: body + location: data.userProfile.email + domain: end-user + ProgressiveProfileRequest: + summary: An example Progressive Profile inline hook request + value: + eventId: vzYp_zMwQu2htIWRbNJdfw + eventTime: '2022-04-25T04:04:41.000Z' + eventType: com.okta.user.pre-registration + eventTypeVersion: 1 + contentType: application/json + cloudEventVersion: 0.1 + source: regt4qeBKU29vS + requestType: progressive.profile + data: + context: + request: + method: POST + ipAddress: 127.0.0.1 + id: 123dummyId456 + url: + value: /idp/idx/enroll/update user: - href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 - hints: - allow: - - GET - ApiTokenMetadataResponse: + passwordChanged: '2022-01-01T00:00:00.000Z' + _links: + groups: + href: /api/v1/users/00u48gwcu01WxvNol0g7/groups + factors: + href: /api/v1/users/00u48gwcu01WxvNol0g7/factors + profile: + firstName: Rosario + lastName: Jones" + timeZone: America/Los_Angeles + login: rosario.jones@example.com + locale: en_US + id: 00u48gwcu01WxvNo + action: ALLOW + userProfileUpdate: + employeeNumber: 1234 + ProgressiveProfileResponse: + summary: An example Progressive Profile inline hook response value: - name: My API Token - userId: 00uXXXXXXXXXXXXXXXXX - tokenWindow: P30D - id: 00Tabcdefg1234567890 - clientName: Okta API - expiresAt: 2021-12-11T20:38:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + commands: + - type: com.okta.user.progressive.profile.update' + value: request.body.data.userProfileUpdate['employeeNumber'] + 
ProgressiveProfileResponseDeny: + summary: An example Progressive Profile inline hook Deny response + value: + commands: + - type: com.action.update + value: + registration: DENY + error: + errorSummary: Incorrect employee number. Enter an employee number with 4 digits. + errorCauses: + - errorSummary: Only employee numbers with 4 digits can register. + reason: INVALID_EMPLOYEE_NUMBER + locationType: body + location: data.userProfile.employeeNumber + domain: end-user + ProvisioningConnectionOauthO365RequestEx: + summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app + value: + profile: + authScheme: OAUTH2 + settings: + adminUsername: office_admin-username + adminPassword: office_admin-password + ProvisioningConnectionOauthRequestEx: + summary: Provisioning Connection with OAuth 2.0 + value: + profile: + authScheme: OAUTH2 + ProvisioningConnectionOauthResponseEx: + summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app + value: + status: ENABLED + profile: + authScheme: OAUTH2 _links: self: - href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default hints: allow: - GET - - DELETE - user: - href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + authorize: + href: https://login.microsoftonline.com/myofficetenant.onmicrosoft.com/oauth2/authorize?response_type=code&state=<code>>&client_id=<client_id>&redirect_uri=<redirect_uri>&scope=<scope> hints: allow: - GET - AppFeatureListResponseEx: - summary: List app Feature response + guidance: + - Specifies the URI to invoke in a browser for granting scope consent required to complete the OAuth 2.0 connection. 
+ ProvisioningConnectionTokenOrg2OrgRequestEx: + summary: Provisioning Connection with token for Okta Org2Org app value: - - name: USER_PROVISIONING - status: ENABLED - description: User provisioning settings from Okta to a downstream application - capabilities: - create: - lifecycleCreate: - status: DISABLED - update: - profile: - status: DISABLED - lifecycleDeactivate: - status: DISABLED - password: - status: DISABLED - seed: RANDOM - change: KEEP_EXISTING - _links: - self: - href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING - hints: - allow: - - GET - - PUT - AppFeatureResponseEx: - summary: App Feature response + profile: + authScheme: TOKEN + clientId: 0oa2h6su6bVFyJzIf1d7 + ProvisioningConnectionTokenRequestEx: + summary: Provisioning Connection with token for Zscaler 2.0 (`zscalerbyz`) app value: - name: USER_PROVISIONING + baseUrl: https://scim.zscalerbeta.net/1234567/890/scim + profile: + authScheme: TOKEN + token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x + ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx: + summary: Provisioning Connection with token for Okta Org2Org (`okta_org2org`) app + value: + authScheme: TOKEN status: ENABLED - description: User provisioning settings from Okta to a downstream application - capabilities: - create: - lifecycleCreate: - status: DISABLED - update: - profile: - status: DISABLED - lifecycleDeactivate: - status: DISABLED - password: - status: DISABLED - seed: RANDOM - change: KEEP_EXISTING + baseUrl: https://targetorg.okta.com + profile: + authScheme: TOKEN _links: self: - href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + ProvisioningConnectionTokenResponseWithProfileZscalerEx: + summary: Provisioning Connection 
with token for Zscaler 2.0 (`zscalerbyz`) app + value: + authScheme: TOKEN + status: ENABLED + baseUrl: https://scim.zscalerbeta.net/1234567/890/scim + profile: + authScheme: TOKEN + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + PushProviderAPNsRequest: + value: + name: APNs Example + providerType: APNS + configuration: + keyId: KEY_ID + teamId: TEAM_ID + tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' + fileName: fileName.p8 + PushProviderAPNsResponse: + value: + id: ppctekcmngGaqeiBxB0g4 + name: APNs Example + providerType: APNS + lastUpdatedDate: '2022-01-01T00:00:00.000Z' + configuration: + keyId: KEY_ID + teamId: TEAM_ID + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 hints: allow: + - DELETE - GET - PUT - AppUserSchemaAddRequest: + PushProviderFCMRequest: value: - definitions: - custom: - id: '#custom' - type: object - properties: - twitterUserName: - title: Twitter username - description: User's username for twitter.com - type: string - required: false - minLength: 1 - maxLength: 20 - required: [] - AppUserSchemaResponse: + name: FCM Example + providerType: FCM + configuration: + serviceAccountJson: + type: service_account + project_id: PROJECT_ID + private_key_id: KEY_ID + private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' + client_email: SERVICE_ACCOUNT_EMAIL + client_id: CLIENT_ID + auth_uri: https://accounts.google.com/o/oauth2/auth + token_uri: https://accounts.google.com/o/oauth2/token + auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs + client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL + fileName: fileName.json + 
PushProviderFCMResponse: + value: + id: ppctekcmngGaqeiBxB0g4 + name: FCM Example + providerType: FCM + lastUpdatedDate: '2022-01-01T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 + hints: + allow: + - DELETE + - GET + - PUT + RateLimitAdminNotificationsDisabled: + value: + notificationsEnabled: false + RateLimitAdminNotificationsEnabled: + value: + notificationsEnabled: true + RateLimitWarningThresholdValidExample: + value: + warningThreshold: 66 + RealmResponse: + value: + id: guox9jQ16k9V8IFEL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + profile: + name: Car Co + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 + method: GET + RefreshCurrentSessionResponse: + summary: Refresh current session + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - GET + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/me + refresh: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh + user: + hints: + allow: + - GET + href: https://{yourOktaDomain}/api/v1/users/me + name: User Name + RefreshSessionResponse: + summary: Refresh an existing Session using the session ID + value: + amr: + - pwd + createdAt: '2019-08-25T14:17:22Z' + expiresAt: '2019-08-25T14:17:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: 
user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + RemoveMappingBody: + summary: Update an existing profile mapping by removing one or more properties value: - id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default - $schema: http://json-schema.org/draft-04/schema# - name: Example App - title: Example App User - lastUpdated: '2017-07-18T23:18:43.000Z' - created: '2017-07-18T22:35:30.000Z' - definitions: - base: - id: '#base' - type: object - properties: - userName: - title: Username - type: string - required: true - scope: NONE - maxLength: 100 - required: - - userName - custom: - id: '#custom' - type: object - properties: - twitterUserName: - title: Twitter username - description: User's username for twitter.com - type: string - scope: NONE - minLength: 1 - maxLength: 20 - required: [] - type: object properties: - profile: - allOf: - - $ref: '#/definitions/base' - - $ref: '#/definitions/custom' - AssignGroupOwnerRequest: - summary: Assign a group owner request example + nickName: + expression: null + pushStatus: null + RemoveMappingResponse: + summary: Update an existing profile mapping by removing one or more properties value: - id: 00u1cmc03xjzePoWD0h8 - type: USER - AssignGroupOwnerResponse: - summary: Assign a group owner response example + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: 
user.firstName + user.lastName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + ReplaceAnEventHookWithFilter: + summary: Replace an event hook value: - id: 00u1cmc03xjzePoWD0h8 - type: USER - resolved: true - originId: null - originType: OKTA_DIRECTORY - displayName: Oliver Putnam - lastUpdated: Wed Mar 29 18:34:31 UTC 2023 - AuthenticatorRequestDuo: + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + ReplaceAuthServerBody: + summary: Replace a custom authorization server value: - key: duo - name: Duo Security - provider: - type: DUO - configuration: - userNameTemplate: - template: oktaId - integrationKey: testIntegrationKey - secretKey: testSecretKey - host: https://api-xxxxxxxx.duosecurity.com - AuthenticatorResponseDuo: + name: New Authorization Server + description: Authorization Server description + audiences: + - api://default + credentials: + signing: + rotationMode: AUTO + use: sig + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + ReplaceAuthServerResponse: + summary: Replace a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: 
'2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ReplaceCustomTokenClaimBody: + summary: Replace a custom token Claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Knowledge_Base + status: ACTIVE + system: false + value: Knowledge Base + valueType: GROUPS + ReplaceCustomTokenClaimResponse: + summary: Replace a custom token Claim response + value: + - id: '{claimId}' + name: Knowledge_Base + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Knowledge Base + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: 
null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + ReplaceIdPRequestResponse: + summary: Replace an Identity Provider value: - type: app - id: aut9gnvcjUHIWb37J0g4 - key: duo - status: ACTIVE - name: Duo Security - created: '2022-07-15T21:14:02.000Z' - lastUpdated: '2022-07-15T21:14:02.000Z' - settings: {} - provider: - type: DUO - configuration: - host: https://api-xxxxxxxx.duosecurity.com + id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: INACTIVE + created: null + lastUpdated: '2016-03-29T21:23:45.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com/saml2/sso + binding: HTTP-REDIRECT + destination: https://idp.example.com/saml2/sso + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: userNameTemplate: - template: oktaId + template: idpuser.subjectNameId + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 120000 _links: - self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4 + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml hints: allow: - GET - - PUT - deactivate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate + acs: + href: 
https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml hints: allow: - POST - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users hints: allow: - GET - AuthenticatorResponseEmail: &ref_0 + activate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/activate + hints: + allow: + - POST + ReplaceKeyResponse: + summary: Replace a key response example value: - type: email - id: aut1nbsPHh7jNjjyP0g4 - key: okta_email + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My updated new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:16:59.000Z' + isUsed: 'false' + ReplaceNetworkZone: + summary: Replace a Network Zone + value: + type: IP + id: nzovw2rFz2YoqmvwZ0g9 + name: UpdatedNetZone status: ACTIVE - name: Email - created: '2020-07-26T21:05:23.000Z' - lastUpdated: '2020-07-28T21:45:52.000Z' - settings: - allowedFor: any - tokenLifetimeInMinutes: 5 + system: false + usage: POLICY + gateways: + - type: CIDR + value: 10.2.3.4/24 + - type: CIDR + value: 12.2.3.4/24 + - type: RANGE + value: 13.4.5.6-13.4.5.8 + - type: CIDR + value: 14.2.3.4/24 + proxies: + - type: CIDR + value: 12.2.3.4/24 + - type: CIDR + value: 13.3.4.5/24 + - type: RANGE + value: 14.4.5.6-14.4.5.8 + - type: RANGE + value: 15.5.6.7/24-15.5.6.9 _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 hints: allow: - GET - PUT - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods - hints: - allow: - - GET + - DELETE deactivate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate hints: allow: - POST - 
AuthenticatorResponsePassword: &ref_1 + ReplaceNetworkZoneResponse: + summary: Replace Network Zone value: - type: password - id: aut1nbtrJKKA9m45a0g4 - key: okta_password + type: IP + id: nzovw2rFz2YoqmvwZ0g9 + name: UpdatedNetZone status: ACTIVE - name: Password - created: '2020-07-26T21:05:23.000Z' - lastUpdated: '2020-07-26T21:05:23.000Z' + usage: POLICY + created: '2022-05-08T18:25:05.000Z' + lastUpdated: '2022-05-10T13:15:22.000Z' + system: false + gateways: + - type: CIDR + value: 10.2.3.4/24 + - type: CIDR + value: 12.2.3.4/24 + - type: RANGE + value: 13.4.5.6-13.4.5.8 + - type: CIDR + value: 14.2.3.4/24 + proxies: + - type: CIDR + value: 12.2.3.4/24 + - type: CIDR + value: 13.3.4.5/24 + - type: RANGE + value: 14.4.5.6-14.4.5.8 + - type: RANGE + value: 15.5.6.7/24-15.5.6.9 _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 hints: allow: - GET - PUT - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate hints: allow: - - GET - AuthenticatorResponsePhone: &ref_2 + - POST + ReplaceResourceSetRequest: value: - type: phone - id: aut1nbuyD8m1ckAYc0g4 - key: phone_number + label: SF-IT-People + description: People in the IT department of San Francisco + ReplaceRoleRequest: + value: + label: UserCreator + description: Create users + ReplaceUserTypePutRequest: + summary: Replace user type request + value: + displayName: Replacement Display Name + description: Replacement description + name: newUserType + ReplaceUserTypePutResponse: + summary: Replace user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: Replacement Display Name + name: newUserType + description: Replacement description + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + 
lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ResetPwdWithoutSendingEmailResponse: + value: + summary: Reset password without sending email + resetPasswordUrl: https://{yourOktaDomain}/reset_password/XE6wE17zmphl3KqAPFxO + ResourceSelectorCreateRequestExample: + value: + name: All applications except Workday applications + description: All applications except Workday applications + schema: /api/v1/apps + filter: name ne "workday" + ResourceSelectorCreateResponseExample: + value: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except Workday applications + description: All applications except Workday applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + self: + href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "workday"" + ResourceSelectorPatchRequestExample: + value: + name: All applications except Facebook applications + description: All applications except Facebook applications + filter: name ne "facebook" + ResourceSelectorPatchResponseExample: + value: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except Facebook applications + description: All applications except Facebook applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + self: + href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "facebook"" + ResourceSelectorResponseExample: + value: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except a specific application + description: All applications except a specific application + orn: 
orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + self: + href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH" + ResourceSelectorsResponseExample: + value: + resourceSelectors: + - id: rsl1hx31gVEa6x10v0g5 + name: All applications except Workday applications + description: All applications except Workday applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + resources: + href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqCAJWWGELFTYASJ" + - id: rsl1hx31gVEa6x10v0g6 + name: All applications except Facebook applications + description: All applications except Facebook applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g6:apps + _links: + resources: + href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH + _links: + next: + href: https://{yourOktaDomain}/api/v1/resource-selectors?after=rsl1hx31gVEa6x10v0g6 + ResourceSetBindingAddMembersRequestExample: + value: + additions: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3 + ResourceSetBindingCreateRequestExample: + value: + role: cr0Yq6IJxGIr0ouum0g3 + members: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + ResourceSetBindingMemberResponse: + value: + id: irb1qe6PGuMc7Oh8N0g4 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 + ResourceSetBindingMembersResponse: + value: + members: + - id: irb1qe6PGuMc7Oh8N0g4 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 + - id: irb1q92TFAHzySt3x0g4 + created: 
'2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + _links: + binding: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members?after=0ouRq6IJmGIr3ouum0g3 + ResourceSetBindingResponseExample: + value: + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetBindingResponseWithIdExample: + value: + id: cr0Yq6IJxGIr0ouum0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetBindingsResponse: + value: + roles: + - id: cr0WxyzJxGIr0ouum0g4 + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4 + members: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4 + ResourceSetRequest: + value: + label: SF-IT-People + description: People in the IT department of San Francisco + resources: + - 
https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + - https://{yourOktaDomain}/api/v1/users + ResourceSetResourcePatchRequestExample: + value: + additions: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + ResourceSetResourcePostRequestExample: + summary: Resource Set with conditions request + value: + resourceOrnOrUrl: https://{yourOktaDomain}/api/v1/apps + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + ResourceSetResourcePutRequestExample: + value: + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + ResourceSetResourceResponse: + summary: Resource Set response + value: + id: ire106sQKoHoXXsAe0g4 + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 + ResourceSetResourcesResponse: + value: + resources: + - id: ire106sQKoHoXXsAe0g4 + orn: orn:{partition}:directory:{yourOrgId}:groups:00guaxWZ0AOa5NFAj0g3 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 + - id: ire106riDrTYl4qA70g4 + orn: 
orn:{partition}:directory:{yourOrgId}:groups:00gu67DU2qNCjNZYO0g3:contained_resources + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g2 + - id: irezvo4AwE2ngpMw40g3 + orn: orn:{partition}:directory:{yourOrgId}:users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users + users: + href: https://{yourOktaDomain}/api/v1/users + - id: ire2j4iDnxHhUFaZN0g4 + orn: orn:{partition}:directory:{yourOrgId}:groups + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups + groups: + href: https://{yourOktaDomain}/api/v1/groups + resource: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g3 + _links: + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetResponse: + value: + id: iamoJDFKaJxGIr0oamd9g + label: SF-IT-People + description: People in the IT department of San Francisco + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + ResourceSetsResponse: + value: + resource-sets: + - id: iamoJDFKaJxGIr0oamd9g + label: SF-IT-1 + description: First San Francisco IT Resource Set + created: 
'2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + - id: iamoJDFKaJxGIr0oamd0q + label: SF-IT-2 + description: Second San Francisco IT Resource Set + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings + _links: + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q + RetrieveADeactivatedEventHook: + summary: Deactivated event hook + value: + id: who8vt36qfNpCGz9H1e6 status: INACTIVE - name: Phone - created: '2020-07-26T21:05:23.000Z' - lastUpdated: '2020-07-29T00:21:29.000Z' - settings: - allowedFor: none + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + method: POST + authScheme: + type: HEADER + key: authorization _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 - hints: - allow: - - GET - - PUT - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + 
href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify hints: allow: - - GET - activate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate hints: allow: - POST - AuthenticatorResponseSecurityQuestion: - summary: Security Question + RetrieveAllEventHooks: + summary: Retrieves all event hooks + value: + - id: who8tsqyrhCdmetzx135 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T17:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T17:43:03.000Z' + events: + type: EVENT_TYPE + items: + - user.lifecycle.deactivate + - user.lifecycle.activate + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userDeactivate + headers: [] + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/deactivate + hints: + allow: + - POST + - id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + version: null + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: 
https://example_external_service/userAdded + headers: [] + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAllZones: + summary: Retrieves all Network Zones + value: + - type: DYNAMIC_V2 + id: nzok0oz2xYHOZtIch0g4 + name: testZone106 + status: ACTIVE + usage: BLOCKLIST + create: '2024-05-13T16:33:44.000Z' + lastUpdated: '2024-05-13T16:33:44.000Z' + system: false + locations: + include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + _links: + self: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate + hints: + allow: + - POST + - type: DYNAMIC + id: nzoy0ox5xADOZtKrh0g6 + name: test + status: ACTIVE + usage: POLICY + created: '2022-05-19T15:33:32.000Z' + lastUpdated: '2022-05-19T15:33:32.000Z' + system: false + locations: + - country: AF + region: AF-BGL + proxyType: ANY + asns: + - '23457' + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzou3u0stMCmgOzXK1d6 + name: BlockedIpZone + status: ACTIVE + usage: BLOCKLIST + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + - type: DYNAMIC_V2 + id: nzohcnxFrSgsiwyHp0g4 + name: DefaultEnhancedDynamicZone + status: ACTIVE + usage: BLOCKLIST + created: '2024-05-06T19:12:29.000Z' + lastUpdated: '2024-05-09T21:02:31.000Z' + system: true + locations: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclue: [] + asns: + include: [] + exclude: [] + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzou3u0ssJfZjYsWL1d6 + name: LegacyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAllZonesWithFilter: + summary: Retrieves Network Zones with filter value: - type: security_question - id: aut1nbvIgEenhwE6c0g4 - key: security_question + - type: IP + id: 
nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAnEventHook: + summary: Retrieve an event hook + value: + id: who8vt36qfNpCGz9H1e6 status: ACTIVE - name: Security Question - created: '2020-07-26T21:05:23.000Z' - lastUpdated: '2020-07-26T21:05:23.000Z' + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + method: POST + authScheme: + type: HEADER + key: authorization _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4 - hints: - allow: - - GET - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify hints: allow: - - GET + - POST deactivate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate hints: allow: - POST - AuthenticatorResponseWebAuthn: &ref_3 + RetrieveAnEventHookWithFilter: + summary: Retrieve an event hook value: - type: security_key - id: 
aut1nd8PQhGcQtSxB0g4 - key: webauthn + id: who8vt36qfNpCGz9H1e6 status: ACTIVE - name: Security Key or Biometric - created: '2020-07-26T21:16:37.000Z' - lastUpdated: '2020-07-27T18:59:30.000Z' + verificationStatus: VERIFIED + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + version: null + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + method: POST + authScheme: + type: HEADER + key: authorization _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 - hints: - allow: - - GET - - PUT - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods - hints: - allow: - - GET + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST deactivate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate hints: allow: - POST - AuthenticatorsResponse: - summary: Org Authenticators - value: - - *ref_0 - - *ref_1 - - *ref_2 - - *ref_3 - BehaviorRuleRequest: - value: - name: My Behavior Rule - type: VELOCITY - BehaviorRuleResponse: + RetrieveAuthServerResponse: + summary: Retrieve a custom authorization server value: - id: abcd1234 - name: My Behavior Rule - type: VELOCITY - settings: - velocityKph: 805 + id: '{authorizationServerId}' + name: Sample Authorization 
Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL status: ACTIVE - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z - _link: - self: - href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234 - hints: - allow: - - GET - - POST - - PUT - - DELETE - CAPTCHAInstanceRequestHCaptcha: - value: - name: myHCaptcha - secretKey: xxxxxxxxxxx - siteKey: xxxxxxxxxxx - type: HCAPTCHA - CAPTCHAInstanceRequestReCaptcha: - value: - name: myReCaptcha - secretKey: xxxxxxxxxxx - siteKey: yyyyyyyyyyyyyyy - type: RECAPTCHA_V2 - CAPTCHAInstanceResponseHCaptcha: - value: - id: abcd1234 - name: myHCaptcha - siteKey: xxxxxxxxxxx - type: HCAPTCHA - _links: - self: - href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234 - hints: - allow: - - GET - - POST - - PUT - - DELETE - CAPTCHAInstanceResponseReCaptcha: - value: - id: abcd4567 - name: myReCaptcha - siteKey: yyyyyyyyyyyyyyy - type: RECAPTCHA_V2 + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 _links: - self: - href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - GET - - POST - - PUT - - DELETE - CreateBrandRequest: - value: - name: My Awesome Brand - CreateBrandResponse: - value: - id: bnd114iNkrcN6aR680g5 - removePoweredByOkta: false - customPrivacyPolicyUrl: null - name: My Awesome Brand - locale: en - defaultApp: - appInstanceId: 0oa114iNkrcN6aR680g4 - appLinkName: null - classicApplicationUri: null - isDefault: false - _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5 + claims: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET - - PUT - - DELETE - themes: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies hints: allow: - GET - CreateEmailDomainRequest: - value: - displayName: Admin - userName: admin - domain: example.com - brandId: bnd100iSrkcN6aR680g1 - CreateHookKeyResponse: - summary: Create a key response example - value: - id: HKY1p7jWLndGQV9M60g4 - keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad - name: My new key - created: '2022-08-31T18:09:58.000Z' - lastUpdated: '2022-08-31T18:09:58.000Z' - isUsed: 'false' - _embedded: - kty: RSA - alg: RSA - kid: 7fbc27fd-e3df-4522-86bf-1930110256ad - use: 'null' - e: AQAB - 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` - CreateIPPolicyBlockListNetworkZone: - summary: Create an IP Policy Blocklist Network Zone - value: - type: IP - name: newBlockListNetworkZone - status: ACTIVE - usage: BLOCKLIST - gateways: - - type: CIDR - value: 1.2.3.4/24 - - type: CIDR - value: 2.3.4.5/24 - proxies: null - CreateIPPolicyBlockListNetworkZoneResponse: - summary: IP Policy Blocklist Network Zone Response - value: - type: IP - id: nzo1qasnPb1kqEq0e0g4 - name: newBlockListNetworkzone - status: ACTIVE - usage: BLOCKLIST - created: '2020-10-12T18:58:02.000Z' - lastUpdated: '2020-10-12T18:58:02.000Z' - system: false - gateways: - - type: CIDR - value: 1.2.3.4/24 - - type: CIDR - value: 2.3.4.5/24 - proxies: null - _links: self: - href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4 + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - - PUT - DELETE - deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate hints: allow: - POST - CreateIPPolicyNetworkZone: - summary: Create an IP Policy Network Zone - value: - type: IP - name: newNetworkZone - gateways: - - type: CIDR - value: 1.2.3.4/24 - - type: CIDR - value: 2.3.4.5/24 - proxies: - - type: CIDR - value: 2.2.3.4/24 - - type: CIDR - value: 3.3.4.5/24 - CreateIPPolicyNetworkZoneResponse: - summary: IP Policy Network Zone Response - value: - type: IP - id: nzowc1U5Jh5xuAK0o0g3 - name: newNetworkZone - status: ACTIVE - usage: POLICY - created: '2019-05-17T18:44:31.000Z' - lastUpdated: '2019-05-21T13:50:49.000Z' - system: false - gateways: - - type: CIDR - value: 1.2.3.4/24' - - type: CIDR - value: 2.3.4.5/24 - proxies: - - type: CIDR - value: 2.2.3.4/24 - - type: CIDR - value: 3.3.4.5/24 - _links: - self: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 - hints: - allow: - - GET - - PUT - - DELETE deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate hints: allow: - POST - CreateUISchemaBody: - summary: UI Schema body request - value: - uiSchema: - type: Group - elements: - - type: Control - scope: '#/properties/firstName' - label: First Name - options: - format: text - - type: 
Control - scope: '#/properties/lastName' - label: Last Name - options: - format: text - - type: Control - scope: '#/properties/email' - label: Primary email - options: - format: text - buttonLabel: Submit - label: Sign in - CreateUISchemaResponse: - summary: Returns full UI Schema body - value: - id: uis4a7liocgcRgcxZ0g7 - uiSchema: - type: Group - label: Sign in - buttonLabel: Submit - elements: - - type: Control - scope: '#/properties/firstName' - label: First name - options: - format: text - - type: Control - scope: '#/properties/lastName' - label: Last name - options: - format: text - - type: Control - scope: '#/properties/email' - label: Primary email - options: - format: text - created: '2022-07-25T12:56:31.000Z' - lastUpdated: '2022-07-26T11:53:59.000Z' - _links: - self: - href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 - hints: - allow: - - GET - - PUT - - DELETE - CreateUpdateEmailCustomizationRequest: - value: - language: fr - subject: Bienvenue dans ${org.name}! - body: <!DOCTYPE html><html><body><p>Bonjour ${user.profile.firstName}. <a href="${activationLink}">Activer le compte</a></p></body></html> - isDefault: false - CreateUpdateEmailCustomizationResponse: + RetrieveCurrentSessionResponse: + summary: Retrieve current session value: - language: fr - subject: Bienvenue dans ${org.name}! - body: <!DOCTYPE html><html><body><p>Bonjour ${user.profile.firstName}. 
<a href="${activationLink}">Activer le compte</a></p></body></html> - isDefault: false - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 hints: allow: - GET - - PUT - DELETE - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + href: https://{yourOktaDomain}/api/v1/sessions/me + refresh: hints: allow: - - GET - preview: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + - POST + href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh + user: hints: allow: - GET - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - CreateUpdateIamRolePermissionRequestExample: - value: - conditions: - include: - okta:ResourceAttribute/User/Profile: - - city - - state - - zipCode - CreateUserRequest: - summary: Create a user type request - value: - description: A new custom user type - displayName: New User Type - name: newUserType - CreateUserResponse: - summary: Create a user type response + href: https://{yourOktaDomain}/api/v1/users/me + name: User Name + RetrieveCustomTokenClaimResponse: + summary: Retrieve a custom token Claim response value: - id: otyfnly5cQjJT9PnR0g4 - displayName: New User Type - name: newUserType - description: A new custom user type - createdBy: sprz9fj1ycBcsgopy1d6 - lastUpdatedBy: sprz9fj1ycBcsgopy1d6 - created: 
'2021-07-05T20:40:38.000Z' - lastUpdated: '2021-07-05T20:40:38.000Z' - default: false - _links: - self: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - DeactivateNetworkZone: - summary: Deactivated Network Zone response + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + RetrieveFeaturesResponse: + summary: Retrieve a feature by ID value: - type: IP - id: nzowc1U5Jh5xuAK0o0g3 - name: LegacyIpZone - status: INACTIVE - usage: POLICY - created: '2019-05-17T18:44:31.000Z' - lastUpdated: '2019-05-21T13:50:49.000Z' - system: true - gateways: - - type: CIDR - value: 1.2.3.4/24 - proxies: - - type: RANGE - value: 3.3.4.5-3.3.4.15 + id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: CLOSED + value: BETA + status: DISABLED + type: self-service _links: self: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 - hints: - allow: - - GET - - PUT - - DELETE - deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate hints: allow: - POST - DefaultRealmResponse: - value: - id: guox9jQ16k9V8IQWL0g3 - created: 2022-04-04T15:56:05.000Z - lastUpdated: 2022-05-05T18:15:44.000Z - isDefault: true - profile: - name: Default Realm - _links: - self: - rel: self - href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3 - method: GET - DeviceAssuranceAndroidRequest: - summary: Android request - value: - name: Device Assurance Android - osVersion: - minimum: 12.4.5 - diskEncryptionType: 
- include: - - USER - - FULL - jailbreak: false - platform: ANDROID - screenLockType: - include: - - BIOMETRIC - secureHardwarePresent: true - DeviceAssuranceAndroidResponse: - summary: Android response + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + RetrieveKeyResponse: + summary: Retrieve a key by id response example value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance Android - lastUpdate: '2022-01-01T00:00:00.000Z' - createdUpdate: '2022-01-01T00:00:00.000Z' - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - osVersion: - minimum: 12.4.5 - diskEncryptionType: - include: - - USER - - FULL - jailbreak: false - platform: ANDROID - screenLockType: - include: - - BIOMETRIC - secureHardwarePresent: true - _links: - self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 - hints: - allow: - - DELETE - - GET - - PUT - DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest: - x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR - summary: ChromeOS with third-party signal providers request + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + RetrieveMappingsResponse: + summary: Retrieve a single Profile Mapping value: - name: Device Assurance ChromeOS - platform: CHROMEOS - thirdPartySignalProviders: - dtc: - osVersion: - minimum: 10.0.19041.1110 - diskEncrypted: true - osFirewall: true - screenLockSecured: true - allowScreenLock: true - browserVersion: - minimum: 15393.27.0 - deviceEnrollmentDomain: testDomain - builtInDnsClientEnabled: true - chromeRemoteDesktopAppBlocked: true - safeBrowsingProtectionLevel: ENHANCED_PROTECTION - 
siteIsolationEnabled: true - passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF - realtimeUrlCheckMode: true - keyTrustLevel: CHROME_OS_VERIFIED_MODE - DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse: - x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR - summary: ChromeOS with third-party signal providers response + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + firstName: + expression: user.firstName + pushStatus: PUSH + lastName: + expression: user.lastName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + RetrieveNetworkZoneDynamic: + summary: Dynamic Network Zone value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance ChromeOS - lastUpdate: '2022-01-01T00:00:00.000Z' - createdUpdate: '2022-01-01T00:00:00.000Z' - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - platform: CHROMEOS - thirdPartySignalProviders: - dtc: - osVersion: - minimum: 10.0.19041.1110 - diskEncrypted: true - osFirewall: true - screenLockSecured: true - allowScreenLock: true - browserVersion: - minimum: 15393.27.0 - deviceEnrollmentDomain: testDomain - builtInDnsClientEnabled: true - chromeRemoteDesktopAppBlocked: true - safeBrowsingProtectionLevel: ENHANCED_PROTECTION - siteIsolationEnabled: true - passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF - realtimeUrlCheckMode: true - keyTrustLevel: CHROME_OS_VERIFIED_MODE + type: DYNAMIC + id: nzoy0ox5xADOZtKrh0g6 + name: test + 
status: ACTIVE + usage: POLICY + created: '2022-05-19T15:33:32.000Z' + lastUpdated: '2022-05-19T15:33:32.000Z' + system: false + locations: + - country: AF + region: AF-BGL + proxyType: ANY + asns: + - '23457' _links: self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6 hints: allow: - - DELETE - GET - PUT - DeviceAssuranceIosRequest: - summary: iOS request - value: - name: Device Assurance iOS - osVersion: - minimum: 12.4.5 - jailbreak: false - platform: IOS - screenLockType: - include: - - BIOMETRIC - DeviceAssuranceIosResponse: - summary: iOS response + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveNetworkZoneIP: + summary: IP Network Zone value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance iOS - lastUpdate: '2022-01-01T00:00:00.000Z' - createdUpdate: '2022-01-01T00:00:00.000Z' - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - osVersion: - minimum: 12.4.5.9 - jailbroken: false - platform: IOS - screenLockType: - include: - - BIOMETRIC + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 _links: self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 hints: allow: - - DELETE - GET - PUT - DeviceAssuranceMacOSRequest: - summary: macOS request + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrievePublicKeyResponse: + summary: Retrieve Public Key response example value: - name: Device Assurance macOS - 
osVersion: - minimum: 12.4.5 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: MACOS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - DeviceAssuranceMacOSResponse: - summary: macOS response + _embedded: + kty: RSA + alg: RSA + kid: 7fbc27fd-e3df-4522-86bf-1930110256ad + use: null + e: AQAB + 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + RetrieveRefreshTokenClientResponse: + summary: Retrieve a refresh token for a Client value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance macOS - lastUpdate: '2022-01-01T00:00:00.000Z' - createdUpdate: '2022-01-01T00:00:00.000Z' - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - osVersion: - minimum: 12.4.5 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: MACOS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true + - id: '{refreshTokenId}' + status: ACTIVE + created: '2023-09-21T19:59:56.000Z' + lastUpdated: '2023-09-21T20:00:38.000Z' + expiresAt: '2023-09-28T20:00:38.000Z' + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + client_id: '{clientId}' + userId: '{userId}' + scopes: + - offline_access + - openid + _embedded: + scopes: + - id: '{scopeID}' + name: offline_access + displayName: Keep you signed in to the app + description: This keeps you signed in to the app, even when you aren't using it. 
+ _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: Keep you signed in to the app + - id: '{scopeId}' + name: openid + displayName: openid + description: Signals that a request is an OpenID request + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: openid + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: My Web App + authorizationServer: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + title: Authorization Server name + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + revoke: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + title: Joe User + RetrieveSessionResponse: + summary: Retrieve Session information for a single session ID + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP _links: self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - - GET - - PUT - DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest: - x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR - summary: macOS with third-party signal providers request - value: - name: Device Assurance macOS - osVersion: - minimum: 12.4.5 - diskEncryptionType: - include: - - 
ALL_INTERNAL_VOLUMES - platform: MACOS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - thirdPartySignalProviders: - dtc: - osVersion: - minimum: 10.0.19041.1110 - diskEncrypted: true - osFirewall: true - screenLockSecured: true - browserVersion: - minimum: 15393.27.0 - deviceEnrollmentDomain": testDomain - builtInDnsClientEnabled": true - chromeRemoteDesktopAppBlocked": true - safeBrowsingProtectionLevel": true - siteIsolationEnabled": true - passwordProtectionWarningTrigger": PASSWORD_PROTECTION_OFF - realtimeUrlCheckMode": true - DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse: - x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR - summary: macOS with third-party signal providers response + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + RetrieveUISchemaResponse: + summary: Retrieves a UI Schema response value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance macOS - lastUpdate: '2022-01-01T00:00:00.000Z' - createdUpdate: '2022-01-01T00:00:00.000Z' - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: MACOS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - thirdPartySignalProviders: - dtc: - osVersion: - minimum: 10.0.19041.1110 - diskEncrypted: true - osFirewall: true - screenLockSecured: true - browserVersion: - minimum: 15393.27.0 - deviceEnrollmentDomain: testDomain - builtInDnsClientEnabled: true - chromeRemoteDesktopAppBlocked: true - safeBrowsingProtectionLevel: ENHANCED_PROTECTION - siteIsolationEnabled: true - passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF - realtimeUrlCheckMode: true - keyTrustLevel: CHROME_BROWSER_HW_KEY + id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + 
options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' _links: self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 hints: allow: - - DELETE - GET - PUT - DeviceAssuranceWindowsRequest: - summary: Windows request + - DELETE + RiskEventsRequestExample: + summary: Risk Events payload example value: - name: Device Assurance Windows - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: WINDOWS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - DeviceAssuranceWindowsResponse: - summary: Windows response + - timestamp: '2021-01-20T00:00:00.001Z' + subjects: + - ip: 6.7.6.7 + riskLevel: MEDIUM + - ip: 1.1.1.1 + riskLevel: HIGH + message: Detected Attack tooling and suspicious activity + - timestamp: '2021-01-20T01:00:00.001Z' + subjects: + - ip: 6.7.6.7 + riskLevel: LOW + - ip: 2.2.2.2 + riskLevel: HIGH + RiskProviderPutRequest: + summary: Replace Risk Provider request example value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance Windows - lastUpdate: '2022-01-01T00:00:00.000Z' - createdUpdate: '2022-01-01T00:00:00.000Z' - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: WINDOWS - 
screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true + name: Risk-Partner-Y + action: enforce_and_log + clientId: 00ckjsfgjkdkjdkkljjsd + RiskProviderPutResponse: + summary: Replace Risk Provider response example + value: + id: 00rp12r4skkjkjgsn + action: enforce_and_log + name: Risk-Partner-Y + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 23:18:30' _links: self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn hints: allow: - - DELETE - GET - PUT - DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest: - x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR - summary: Windows with third-party signal providers request + RiskProviderRequest: + summary: Risk Provider payload example value: - name: Device Assurance Windows - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: WINDOWS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - thirdPartySignalProviders: - dtc: - osVersion: - minimum: 10.0.19041.1110 - diskEncrypted: true - osFirewall: true - screenLockSecured: true - browserVersion: - minimum: 15393.27.0 - deviceEnrollmentDomain: testDomain - builtInDnsClientEnabled: true - chromeRemoteDesktopAppBlocked: true - safeBrowsingProtectionLevel: ENHANCED_PROTECTION - siteIsolationEnabled: true - passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF - realtimeUrlCheckMode: true - secureBootEnabled: true - windowsMachineDomain: testMachineDomain - windowsUserDomain: testUserDomain - thirdPartyBlockingEnabled: true - crowdStrikeCustomerId: testCustomerId - crowdStrikeAgentId": testAgentId - keyTrustLevel: CHROME_BROWSER_HW_KEY - DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse: - x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR - summary: Windows with 
third-party signal providers response + name: Risk-Partner-X + action: log_only + clientId: 00ckjsfgjkdkjdkkljjsd + RiskProviderResponse: + summary: Risk Provider response example value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance Windows - lastUpdate: '2022-01-01T00:00:00.000Z' - createdUpdate: '2022-01-01T00:00:00.000Z' - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: WINDOWS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - thirdPartySignalProviders: - dtc: - osVersion: - minimum: 10.0.19041.1110 - diskEncrypted: true - osFirewall: true - screenLockSecured: true - browserVersion: - minimum: 15393.27.0 - deviceEnrollmentDomain: testDomain - builtInDnsClientEnabled: true - chromeRemoteDesktopAppBlocked: true - safeBrowsingProtectionLevel: ENHANCED_PROTECTION - siteIsolationEnabled: true - passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF - realtimeUrlCheckMode: true - secureBootEnabled: true - windowsMachineDomain: testMachineDomain - windowsUserDomain: testUserDomain - thirdPartyBlockingEnabled: true - crowdStrikeCustomerId: testCustomerId - crowdStrikeAgentId": testAgentId - keyTrustLevel: CHROME_BROWSER_HW_KEY + id: 00rp12r4skkjkjgsn + action: log_only + name: Risk-Partner-X + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 22:18:30' _links: self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn hints: allow: - - DELETE - GET - PUT - DeviceResponse: + RoleAssignedUsersResponseExample: + value: + value: + - id: 00u118oQYT4TBGuay0g4 + orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4 + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + roles: + href: 
http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles + _links: + next: + href: http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1 + RoleRequest: + value: + label: UserCreator + description: Create users + permissions: + - okta.users.create + - okta.users.read + - okta.groups.read + - okta.users.userprofile.manage + RoleResponse: + value: + id: cr0Yq6IJxGIr0ouum0g3 + label: UserCreator + description: Create users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + RolesResponse: + value: + roles: + - id: cr0Yq6IJxGIr0ouum0g3 + label: UserCreator + description: Create users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + - id: cr0Fw7HKcWIroo88m3r1 + label: GroupMembershipManager + description: Manage group membership + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1 + _links: + next: + href: https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1 + SAMLHookResponseExample: + summary: An example SAML assertion inline hook response + value: + commands: + - type: com.okta.assertion.patch + value: + - op: replace + path: /claims/array/attributeValues/1/value + value: replacementValue + - op: replace + path: /authentication/authnContext + value: + authnContextClassRef: replacementValue + - op: add + path: /claims/extPatientId + value: + attributes: + 
NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + attributeValues: + - attributes: + xsi:type: xs:string + value: '4321' + - op: add + path: /authentication/sessionLifetime + value: 300 + - type: com.okta.assertion.patch + value: + - op: replace + path: /authentication/sessionIndex + value: exampleSession + SAMLHookResponseWithURIFormat: + summary: An example with `replace` and `add` operations with the URI formatted claim encoded + value: + commands: + - type: com.okta.assertion.patch + value: + - op: replace + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributeValues/0/value + value: replacementValue + - op: replace + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributes + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + - op: add + path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1bar + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + attributeValues: + - attributes: + xsi:type: xs:string + value: bearer + SAMLPayLoadExample: + summary: An example SAML assertion inline hook request body + value: + source: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml + eventId: XMFoHCM1S4Wi_SGWzL8T9A + eventTime: '2019-03-28T19:15:23.000Z' + data: + context: + request: + id: reqqXypjzYJRSu2j1G1imUovA + method: GET + url: + value: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml + ipAddress: 127.0.0.1 + protocol: + type: SAML2.0 + issuer: + id: 0oath92zlO60urQOP0g3 + name: SAML 2.0 App + uri: http://www.okta.com/exkth8lMzFm0HZOTU0g3 + session: + id: 102LN9Bnuc4S_ewfc9BYwageA + userId: 00uq8tMo3zV0OfJON0g3 + login: user@example.com + createdAt: '2019-03-28T16:45:55.000Z' + expiresAt: '2019-03-28T21:15:23.000Z' + status: ACTIVE + lastPasswordVerification: '2019-03-28T16:45:55.000Z' + amr: + - PASSWORD + idp: + id: 00oq6kcVwvrDY2YsS0g3 + type: 
OKTA + mfaActive: false + user: + id: 00uq8tMo3zV0OfJON0g3 + passwordChanged: '2018-09-11T23:19:12.000Z' + profile: + login: user@example.com + firstName: Admin + lastName: Last + locale: en + timeZone: America/Los_Angeles + _links: + groups: + href: https://${yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups + factors: + href: https://${yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors + assertion: + subject: + nameId: user@example.com + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + confirmation: + method: urn:oasis:names:tc:SAML:2.0:cm:bearer + data: + recipient: http://www.example.com:7070/saml/sso + authentication: + sessionIndex: id1553800523546.312669168 + authnContext: + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + conditions: + audienceRestriction: + - urn:example:sp + claims: + extPatientId: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:integer + value: '4321' + array: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: Array 1 + - attributes: + xsi:type: xs:string + value: Array2 + - attributes: + xsi:type: xs:string + value: Array3 + middle: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: admin + firstAndLast: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: 7d6a50c8-4d7e-4058-9c5b-2cc98cecd294 + lifetime: + expiration: 300 + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + eventType: com.okta.saml.tokens.transform + contentType: application/json + SMSTemplateEditablePropertyValues: value: - id: guo8jx5vVoxfvJeLb0w4 + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification 
code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + SMSTemplateListResponse: + value: + - id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + SMSTemplateResponseValues: + value: + id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + Saml2.0Ex: + summary: SAML_2_0 + value: + label: Example Custom SAML 2.0 App + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + signOnMode: SAML_2_0 + settings: + signOn: + defaultRelayState: '' + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + 
logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: true + acsEndpoints: + - url: http://testorgone.okta + index: 0 + - url: http://testorgone.okta/1 + index: 1 + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + Saml2.0PutEx: + summary: SAML_2_0 + value: + label: Example Custom SAML 2.0 App updated + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + signOnMode: SAML_2_0 + settings: + signOn: + defaultRelayState: '' + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n..." 
+ requestCompressed: false + allowMultipleAcsEndpoints: true + acsEndpoints: + - url: http://testorgone.okta + index: 0 + - url: http://testorgone.okta/1 + index: 1 + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + Saml2.0PutResponseEx: + summary: SAML_2_0 + value: + id: 0oafxqCAJWWGELFTYASJ status: ACTIVE - created: '2020-11-03T21:47:01.000Z' - lastUpdated: '2020-11-03T23:46:27.000Z' - profile: - displayName: DESKTOP-EHAD3IE - platform: WINDOWS - manufacturer: International Corp - model: VMware7,1 - osVersion: 10.0.18362 - serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce - udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE - sid: S-1-5-21-3992267483-1860856704-2413701314-500 - registered: true - secureHardwarePresent: false - diskEncryptionType: NONE - resourceId: guo8jx5vVoxfvJeLb0w4 - resourceDisplayName: - value: DESKTOP-EHAD3IE - sensitive: false - resourceType: UDDevice - resourceAlternateId: null + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null _links: - suspend: - href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST - self: - href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 - hints: - allow: - - GET - - PATCH - - PUT + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png users: - href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users - hints: - allow: - - GET 
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: - href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_examplecustomsaml20app_1_link: true + name: testorgone_examplecustomsaml20app_1 + label: Example Custom SAML 2.0 App updated + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q + settings: + app: {} + signOn: + defaultRelayState: null + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + spIssuer: https://testorgone.okta.com + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + samlSignedRequestEnabled: false + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + inlineHooks: [] + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + Saml2.0ResponseEx: + summary: SAML_2_0 + value: + id: 0oafxqCAJWWGELFTYASJ 
+ status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST - EmailCustomizationResponse: + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_examplecustomsaml20app_1_link: true + name: testorgone_examplecustomsaml20app_1 + label: Example Custom SAML 2.0 App + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q + settings: + app: {} + signOn: + defaultRelayState: null + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + spIssuer: https://testorgone.okta.com + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: 
https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + samlSignedRequestEnabled: false + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + inlineHooks: [] + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + SamlIdPResponse: + summary: SAML 2.0 Identity Provider value: - language: en - isDefault: true - subject: Welcome to ${org.name}! - body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. Click <a href="${activationLink}">here</a> to activate your account.</body></html> - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 _links: - self: - href: 
https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + metadata: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml hints: allow: - GET - - PUT - - DELETE - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml hints: allow: - - GET - preview: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users hints: allow: - GET - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + deactivate: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate hints: allow: - POST - EmailDomainResponse: + SecurePasswordStoreEx: + summary: SECURE_PASSWORD_STORE value: - id: OeD114iNkrcN6aR680g4 - validationStatus: NOT_STARTED - displayName: Admin - userName: admin - domain: example.com - dnsValidationRecords: - - recordType: TXT - fqdn: _oktaverification.example.com - verificationValue: 759080212bda43e3bc825a7d73b4bb64 - - recordType: CNAME - fqdn: mail.example.com - verificationValue: u22224444.wl024.sendgrid.net - - recordType: CNAME - fqdn: t02._domainkey.example.com - verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - - recordType: CNAME - fqdn: t022._domainkey.example.com - verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - EmailSettingsResponse: + name: template_sps + label: Example SWA App + signOnMode: SECURE_PASSWORD_STORE + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue + optionalField2: param2 + optionalField2Value: 
yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue + SecurePasswordStorePutEx: + summary: SECURE_PASSWORD_STORE value: - recipients: ALL_USERS + name: template_sps + label: Example SWA App updated + signOnMode: SECURE_PASSWORD_STORE + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue_updated + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue_updated + SecurePasswordStorePutResponseEx: + summary: SECURE_PASSWORD_STORE + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - - GET - - PUT - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation - hints: - allow: - - GET - EmailTemplateDefaultContentResponse: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_sps + label: Example SWA App updated + 
features: [] + signOnMode: SECURE_PASSWORD_STORE + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue_updated + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue_updated + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + SecurePasswordStoreResponseEx: + summary: SECURE_PASSWORD_STORE value: - subject: Welcome to ${org.name}! - body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. Click <a href="${activationLink}">here</a> to activate your account.</body></html> + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content - hints: - allow: - - GET - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation - hints: - allow: - - GET - preview: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - - GET - ErrorAccessDenied: - summary: Access Denied - value: - errorCode: E0000006 - errorSummary: You do not have permission to perform the requested action - errorLink: E0000006 - errorId: sampleNUSD_8fdkFd8fs8SDBK - errorCauses: [] - ErrorApiValidationFailed: - summary: API Validation Failed - value: - 
errorCode: E0000001 - errorSummary: 'Api validation failed: {0}' - errorLink: E0000001 - errorId: sampleiCF-8D5rLW6myqiPItW - errorCauses: [] - ErrorAppFeatureAPIValidationFailed: - summary: API Validation Failed - value: - errorCode: E0000001 - errorSummary: 'Api validation failed: feature' - errorLink: E0000001 - errorId: oaeZLxeiHUUQomPkM8xOqvu1A - errorCauses: - - errorSummary: Provisioning is not enabled for the app instance. - ErrorCAPTCHALimitOfOne: - value: - errorCode: E0000165 - errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org. - errorLink: E0000165 - errorId: oaejrB1fWL1S7mc-2KcG-SOtw - errorCauses: [] - ErrorCAPTCHAOrgWideSetting: - value: - errorCode: E0000149 - errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed. - errorLink: E0000149 - errorId: samplezsusshPdiTWiITwqBt8 - errorCauses: [] - ErrorCAPTCHAOrgWideSettingNull: - summary: captchaId is null, but enabledPages is defined - value: - errorCode: E0000001 - errorSummary: 'Api validation failed: captchaId' - errorLink: E0000001 - errorId: oae-hk3rssXQmOWDRsaFfxe8A - errorCauses: - errorSummary: 'captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.' - ErrorCreateUserWithExpiredPasswordWithNullPassword: - value: - errorCode: E0000124 - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified - errorLink: E0000124 - errorId: oaeXxuZgXBySvqi1FvtkwoYCA - errorCauses: - - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified - ErrorCreateUserWithExpiredPasswordWithoutActivation: - value: - errorCode: E0000125 - errorSummary: Could not create user. 
To create a user and expire their password immediately, "activate" must be true - errorLink: E0000125 - errorId: oaeDd77L9R-TJaD7j_rXsQ31w - errorCauses: - - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true - ErrorCreateUserWithTooManyManyGroupsResponse: - value: - errorCode: E0000093 - errorSummary: Target count limit exceeded - errorLink: E0000093 - errorId: oaePVSLIYnIQsC0B-ptBIllVA - errorCauses: - - errorSummary: The number of group targets is too large. - ErrorDeleteBrandAssociatedWithDomain: - value: - errorCode: E0000201 - errorSummary: A brand associated with a domain cannot be deleted - errorLink: E0000201 - errorId: oaeAdRqprFuTyKokyYPbURJkA - errorCauses: [] - ErrorDeleteDefaultBrand: - value: - errorCode: E0000200 - errorSummary: A default brand cannot be deleted - errorLink: E0000200 - errorId: oaeAdRqprFuTyKokyYPbURJkA - errorCauses: [] - ErrorDeviceAssuranceInUse: - summary: Cannot delete device assurance policy in use by authentication policies - value: - errorSummary: Device assurance is in use and cannot be deleted. - errorId: oaenwA1ra80S9W-pvbh4m6haA - errorCauses: [] - ErrorEmailCustomizationCannotClearDefault: - value: - errorCode: E0000185 - errorSummary: The isDefault parameter of the default email template customization can't be set to false. - errorLink: E0000185 - errorId: oaejrB1fWL1S7mc-2KcG-SOtw - errorCauses: [] - ErrorEmailCustomizationCannotDeleteDefault: - value: - errorCode: E0000184 - errorSummary: A default email template customization can't be deleted. - errorLink: E0000184 - errorId: oaeAdRqprFuTyKokyYPbURJkA - errorCauses: [] - ErrorEmailCustomizationDefaultAlreadyExists: - value: - errorCode: E0000182 - errorSummary: A default email template customization already exists. 
- errorLink: E0000182 - errorId: oaeXYwTiMvASsC3O4HCzjFaCA - errorCauses: [] - ErrorEmailCustomizationLanguageAlreadyExists: - value: - errorCode: E0000183 - errorSummary: An email template customization for that language already exists. - errorLink: E0000183 - errorId: oaeUcGELffqRay0u1OPdnPypw - errorCauses: [] - ErrorEmailDomainAlreadyExists: - value: - errorCode: E0000197 - errorSummary: Email domain already exists. - errorLink: E0000197 - errorId: oaeEdRqprFuTyKokyYPbURJkA - errorCauses: [] - ErrorEmailDomainInUse: - value: - errorCode: E0000216 - errorSummary: Email domain can't be deleted due to mail provider restrictions. - errorLink: E0000216 - errorId: oaeEdRqprFuTyKokyYPbURJkB - errorCauses: [] - ErrorEmailDomainInvalidStatus: - value: - errorCode: E0000217 - errorSummary: Invalid status. Can't validate email domain with current status. - errorLink: E0000217 - errorId: oaeEdRqprFuTyKokyYPbURJkD - errorCauses: [] - ErrorEmailDomainNotVerified: - value: - errorCode: E0000218 - errorSummary: Email domain couldn't be verified by mail provider. - errorLink: E0000218 - errorId: oaeEdRqprFuTyKokyYPbURJkC - errorCauses: [] - ErrorInvalidEmailTemplateRecipients: - value: - errorCode: E0000189 - errorSummary: This template does not support the recipients value. - errorLink: E0000189 - errorId: oae8L1-UkcNTeGi5xVQ28_lww - errorCauses: [] - ErrorInvalidTokenProvided: - summary: Invalid Token Provided - value: - errorCode: E0000011 - errorSummary: Invalid token provided - errorLink: E0000011 - errorId: sampleQPivGUj_ND5v78vbYWW - errorCauses: [] - ErrorMissingRequiredParameter: - summary: Missing Required Parameter - value: - errorCode: E0000028 - errorSummary: The request is missing a required parameter. - errorLink: E0000028 - errorId: sampleiCF-l7mr9XqM1NQ - errorCauses: [] - ErrorPushProviderUsedByCustomAppAuthenticator: - value: - errorCode: E0000187 - errorSummary: Cannot delete push provider because it is being used by a custom app authenticator. 
- errorLink: E0000187 - errorId: oaenwA1ra80S9W-pvbh4m6haA - errorCauses: [] - ErrorResourceNotFound: - summary: Resource Not Found + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_sps + label: Example SWA App + features: [] + signOnMode: SECURE_PASSWORD_STORE + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + SecurityEventsProviderRequestIssuerAndJwksUrl: + summary: Provider with issuer and JWKS value: - errorCode: E0000007 - errorSummary: 'Not found: {0}' - errorLink: E0000007 - errorId: sampleMlLvGUj_YD5v16vkYWY - errorCauses: [] - ErrorTooManyRequests: - summary: Too Many Requests + name: Security Events Provider with an issuer and a JWKS URL + type: okta + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + 
SecurityEventsProviderRequestWellKnownUrl: + summary: Provider with well-known URL value: - errorCode: E0000047 - errorSummary: You exceeded the maximum number of requests. Try again in a while. - errorLink: E0000047 - errorId: sampleQPivGUj_ND5v78vbYWW - errorCauses: [] - GetBrandResponse: + name: Security Events Provider with well-known URL + type: okta + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + SecurityEventsProviderResponseIssuerAndJwksUrl: + summary: Provider with issuer and JWKS value: - id: bnd114iNkrcN6aR680g4 - removePoweredByOkta: false - customPrivacyPolicyUrl: null - name: Okta Default - isDefault: true - locale: en - emailDomainId: OeD114iNkrcN6aR680g4 - defaultApp: - appInstanceId: 0oa114iNkrcN6aR680g4 - appLinkName: null - classicApplicationUri: null + id: sse1qu4fUtsoD12iF0g5 + name: Security Events Provider with an issuer and a JWKS URL + type: okta + status: ACTIVE + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path _links: self: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5 hints: allow: - GET - PUT - DELETE - themes: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + deactivate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate hints: allow: - - GET - GetEmailTemplateResponse: + - POST + SecurityEventsProviderResponseWellKnownUrl: + summary: Provider with well-known URL value: - name: UserActivation + id: sse1qg25RpusjUP6m0g5 + name: Security Events Provider with well-known URL + type: okta + status: ACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + href: 
https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 hints: allow: - GET - settings: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + - PUT + - DELETE + deactivate: + href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate hints: allow: - - GET - - PUT - defaultContent: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + - POST + SimulatePolicyBody: + summary: Simulate policy request body + description: Simulate policy request body + value: + policyType: + - OKTA_SIGN_ON + - MFA_ENROLL + appInstance: 0oa4eroj3nYCIJIW70g7 + policyContext: + groups: + ids: + - 00g4eralvekR5RLuS0g7 + - 00g4eralvekR5RLuS0g8 + risk: + level: LOW + zones: + ids: + - nzo4eralxcRnbIHYJ0g7 + device: + platform: IOS + registered: true + managed: true + SimulatePolicyElExpressionBody: + summary: Simulate policy request body with EL context + description: Simulate policy request body with EL context + value: + appInstance: 0oa4fdudGhhB5FNKR0g4 + policyContext: + user: + id: 00u10wvS3zms2JVaO0g4 + status: ACTIVE + created: '2024-04-29T18:05:24.000Z' + lastUpdated: '2024-04-29T18:05:24.000Z' + passwordChanged: '2024-04-29T18:05:24.000Z' + lastLogin: '2024-04-29T18:05:24.000Z' + profile: + city: string + costCenter: string + countryCode: st + department: string + displayName: string + division: string + email: user@example.com + employeeNumber: string + firstName: string + honorificPrefix: string + honorificSuffix: string + lastName: string + locale: string + login: string + manager: string + managerId: string + middleName: string + mobilePhone: string + nickName: string + organization: string + postalAddress: string + preferredLanguage: string + primaryPhone: string + profileUrl: string + secondEmail: user@example.com + state: string + streetAddress: string + timezone: string + title: string + userType: string + 
zipCode: string + SimulatePolicyElExpressionResponse: + summary: Simulate policy response body with EL Context + description: Simulate policy response body with EL Context + value: + evaluation: + - status: null + policyType: OKTA_SIGN_ON + result: + policies: + - id: 00p4eromwukk6qUku0g7 + name: test policy + status: MATCH + conditions: [] + rules: + - id: 0pr4erof85nGcyC7Y0g7 + name: test rule + status: MATCH + conditions: + - type: people.groups.include + status: MATCH + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: MFA_ENROLL + result: + policies: + - id: 00p4eram2kw1aLcrx0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: 0pr4eram2lMQT5FZF0g7 + name: null + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: ACCESS_POLICY + result: + policies: + - id: rst4eram06ZKZewEe0g7 + name: Any two factors + status: MATCH + conditions: [] + rules: + - id: rul4eram07VsWgybo0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: PROFILE_ENROLLMENT + result: + policies: + - id: rst4eram08ZSjPTOl0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: rul4eram094PrQ2BX0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + SimulatePolicyResponse: + summary: Simulate policy response body + description: Simulate policy response body + value: + evaluation: + - status: null + policyType: OKTA_SIGN_ON + result: + policies: + - id: 00p4eromwukk6qUku0g7 + name: test policy + status: MATCH + conditions: [] + rules: + - id: 0pr4erof85nGcyC7Y0g7 + name: test rule + status: MATCH + conditions: + - type: people.groups.include + status: MATCH + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: MFA_ENROLL + result: + policies: + - id: 00p4eram2kw1aLcrx0g7 + 
name: Default Policy + status: MATCH + conditions: [] + rules: + - id: 0pr4eram2lMQT5FZF0g7 + name: null + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: ACCESS_POLICY + result: + policies: + - id: rst4eram06ZKZewEe0g7 + name: Any two factors + status: MATCH + conditions: [] + rules: + - id: rul4eram07VsWgybo0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: PROFILE_ENROLLMENT + result: + policies: + - id: rst4eram08ZSjPTOl0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: rul4eram094PrQ2BX0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + SmartCardIdPResponse: + summary: SmartCard Identity Provider + value: + id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: '2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 120000 + _links: + deactivate: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate hints: allow: - - GET - customizations: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + - POST + users: + href: 
https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users hints: allow: - GET - - POST - - DELETE - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + keys: + href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc hints: allow: - - POST - GetUserResponse: - summary: Retrieve a user type response + - GET + SocialAuthTokensResponse: + summary: Social Authentication Tokens value: - id: otyfnly5cQjJT9PnR0g4 - displayName: New User Type - name: newUserType - description: A new custom user type - createdBy: sprz9fj1ycBcsgopy1d6 - lastUpdatedBy: sprz9fj1ycBcsgopy1d6 - created: '2021-07-05T20:40:38.000Z' - lastUpdated: '2021-07-05T20:40:38.000Z' - default: false - _links: - self: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - GroupSchemaAddRequest: + - id: <unique token identifier> + token: JBTWGV22G4ZGKV3N + tokenType: urn:ietf:params:oauth:token-type:access_token + tokenAuthScheme: Bearer + expiresAt: '2014-08-06T16:56:31.000Z' + scopes: + - openid + - foo + - id: <unique token identifier> + token: JBTWGV22G4ZJBRXJ + tokenType: urn:ietf:params:oauth:token-type:id_token + tokenAuthScheme: null + StandardAndCustomRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: 
ra125eqBFpETrMwu80g4 + label: Organization administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: gra25fapn1prGTBKV0g4 + label: API Access Management administrator + type: API_ACCESS_MANAGEMENT_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + - id: irb5e92YgBazyyQ3x1q5 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoakjsdQaJxGIr03int1o + _links: + assignee: + href: https://{ yourOktaDomain }/api/v1/groups/00g1ousb3XCr9Dkr20g4 + resource-set: + href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoakjsdQaJxGIr03int1o + member: + href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + 
href: https://{ yourOktaDomain }/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: https://{ yourOktaDomain }/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + StandardRoleAssignmentRequest: value: - definitions: - custom: - id: '#custom' - type: object - properties: - groupContact: - title: Group administrative contact - description: Group administrative contact - type: string - required: false - minLength: 1 - maxLength: 20 - permissions: - - principal: SELF - action: READ_WRITE - required: [] - GroupSchemaResponse: + type: HELP_DESK_ADMIN + StandardRoleResponseClient: value: - $schema: http://json-schema.org/draft-04/schema# + id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2023-05-01T14:24:54.000Z' + lastUpdated: '2023-05-01T14:24:54.000Z' + assignmentType: CLIENT _links: - self: - href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default - method: GET - rel: self - created: '2021-01-30T00:18:24.000Z' - definitions: - base: - id: '#base' - properties: {} - required: - - name - type: object - custom: - id: '#custom' - properties: - groupContact: - description: Group administrative contact - master: - type: PROFILE_MASTER - mutability: READ_WRITE - permissions: - - action: READ_WRITE - principal: SELF - scope: NONE - title: Group administrative contact - type: string - required: [] - type: object - description: Okta group profile template - id: https://{yourOktaDomain}/meta/schemas/group/default - lastUpdated: '2021-02-25T23:05:31.000Z' - name: group - properties: - profile: - allOf: - - $ref: '#/definitions/custom' - - $ref: '#/definitions/base' - title: Okta group - type: object - ListAllKeysResponse: - summary: List All Keys response example + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles + StandardRoleResponseUser: value: - - id: HKY1i2htmXF5UNQhL0g4 - keyId: bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb - name: My new key - 
created: '2022-08-22T16:34:33.000Z' - lastUpdated: '2022-08-22T16:34:33.000Z' - isUsed: 'true' - - id: HKY1p7jWLndGQV9M60g4 - keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad - name: Test key - created: '2022-08-31T18:09:58.000Z' - lastUpdated: '2022-08-31T18:09:58.000Z' - isUsed: 'false' - ListBrandsResponse: + id: ra1b8anIk7rx7em7L0g4 + label: Super Organization administrator + type: SUPER_ADMIN + status: ACTIVE + created: '2015-09-06T15:28:47.000Z' + lastUpdated: '2015-09-06T15:28:47.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + StandardRolesListResponse: value: - - id: bnd114iNkrcN6aR680g4 - name: Okta Default - isDefault: true - removePoweredByOkta: false - customPrivacyPolicyUrl: null - locale: en - emailDomainId: OeD114iNkrcN6aR680g4 - defaultApp: - appInstanceId: 0oa114iNkrcN6aR680g4 - appLinkName: null - classicApplicationUri: null + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 - hints: - allow: - - GET - - PUT - - DELETE - themes: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes - hints: - allow: - - GET - ListEmailCustomizationResponse: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: ra125eqBFpETrMwu80g4 + label: Organization administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + 
href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: gra25fapn1prGTBKV0g4 + label: API Access Management administrator + type: API_ACCESS_MANAGEMENT_ADMIN + status: ACTIVE + created": '2019-02-06T16:20:57.000Z' + lastUpdated": '2019-02-06T16:20:57.000Z' + assignmentType": GROUP + _links": + assignee": + href": https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 + StandardRolesListResponseClient: value: - - language: en - isDefault: true - subject: Welcome to ${org.name}! - body: <!DOCTYPE html><html><body><p>Hello, ${user.profile.firstName}. Click <a href="${activationLink}">here</a> to activate your account.</body></html> - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2023-05-01T14:24:54.000Z' + lastUpdated: '2023-05-01T14:24:54.000Z' + assignmentType: CLIENT _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 - hints: - allow: - - GET - - PUT - - DELETE - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles + StandardRolesListResponseGroup: + value: + - id: IFIFAX2BIRGUSTQ + label: Application Administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + SubmissionOidcRequest: + summary: Submission OIDC request example + value: + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + oidc: + redirectUris: + - 
https://${org.subdomain}.example.com/strawberry/oidc/login + initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: + - https://${org.subdomain}.example.com/strawberry/oidc/logged-out + doc: https://example.com/strawberry/help/oidcSetup + config: + - name: subdomain + label: Subdomain + SubmissionOidcResponse: + summary: Submission OIDC response example + value: + id: acme_strawberrycentral_1 + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + oidc: + redirectUris: + - https://${org.subdomain}.example.com/strawberry/oidc/login + initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: + - https://${org.subdomain}.example.com/strawberry/oidc/logged-out + doc: https://example.com/strawberry/help/oidcSetup + config: + - name: subdomain + label: Subdomain + status: New + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: '2023-09-01T13:23:45.000Z' + SubmissionSamlRequest: + summary: Submission SAML request example + value: + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups + doc: https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + SubmissionSamlResponse: + summary: Submission SAML response example + value: + id: acme_strawberrycentral_1 + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: 
https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups + doc: https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + status: To be reviewed by Okta + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: null + SubmissionsResponse: + summary: Submission list example + value: + - id: acme_strawberrycentral_1 + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + claims: + - name: manager + values: + - ${user.manager} + groups: + - name: groups + doc: https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + status: Complete + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: '2023-09-01T13:23:45.000Z' + SupportedFactorResults: + value: + - factorType: question + provider: OKTA + vendorName: OKTA + _links: + questions: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions hints: allow: - GET - preview: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - - GET - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + - POST + - factorType: token:software:totp + provider: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST - ListEmailTemplateResponse: - value: - - name: UserActivation + - factorType: token:software:totp + 
provider: GOOGLE _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - - GET - settings: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + - POST + - factorType: sms + provider: OKTA + vendorName: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - - GET - - PUT - defaultContent: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + - POST + _embedded: + phones: + - id: mblldntFJevYKbyQQ0g3 + profile: + phoneNumber: '+14081234567' + status: ACTIVE + - factorType: call + provider: OKTA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - - GET - customizations: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + - POST + - factorType: token + provider: RSA + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - - GET - POST - - DELETE - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + - factorType: token + provider: SYMANTEC + _links: + enroll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST - ListMappingsResponse: - summary: List all Profile Mappings response + TelephonyFailureResponse: + summary: An example telephony hook response for an external web service returning failure value: - - id: prm1k47ghydIQOTBW0g4 - source: - id: otysbePhQ3yqt4cVv0g3 - name: user - type: user - _links: - self: - href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 - target: - id: 0oa1qmn4LZQQEH0wZ0g4 - 
name: okta_org2org - type: appuser - _links: - self: - href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default - _links: - self: - href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 - ListRealmAwareUsersResponse: - summary: List all Users + error: + - errorSummary: Failed to deliver SMS OTP to test.user@okta.com + - errorCauses: + errorSummary: Provider could not deliver OTP + reason: The content of the message is not supported + location: South Africa + TelephonyPayloadExample: + summary: An example telephony inline hook request body value: - - id: 00u118oQYT4TBGuay0g4 - status: ACTIVE - created: 2022-04-04T15:56:05.000Z - activated: null - statusChanged: null - lastLogin: 2022-05-04T19:50:52.000Z - lastUpdated: 2022-05-05T18:15:44.000Z - passwordChanged: 2022-04-04T16:00:22.000Z - type: - id: oty1162QAr8hJjTaq0g4 - profile: - firstName: Alice - lastName: Smith - mobilePhone: null - secondEmail: null - login: alice.smith@example.com - email: alice.smith@example.com - realmId: guo1afiNtSnZYILxO0g4 - credentials: - password: {} - provider: - type: OKTA - name: OKTA - _links: - self: - href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 - ListRealmsResponse: + eventId: uS5871kJThSsU8qlA1LTcg + eventTime: '2020-01-17T21:23:56.000Z' + eventType: com.okta.telephony.provider + eventTypeVersion: '1.0' + contentType: application/json + cloudEventVersion: '0.1' + source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7 + data: + context: + request: + id: reqRgSk8IBBRhuo0YdlEDTmUw + method: POST + url: + value: /api/internal/v1/inlineHooks/com.okta.telephony.provider/generatePreview + ipAddress: 127.0.0.1 + userProfile: + firstName: test + lastName: user + login: test.user@okta.com + userId: 00uyxxSknGtK8022w0g3 + messageProfile: + msgTemplate: (HOOK)Your code is 11111 + phoneNumber: 9876543210 + otpExpires: 
'2022-01-28T21:48:34.321Z' + deliveryChannel: SMS + otpCode: 11111 + locale: EN-US + TelephonySuccessResponse: + summary: An example telephony hook response for an external web service returning success value: - - id: guox9jQ16k9V8IFEL0g3 - created: 2022-04-04T15:56:05.000Z - lastUpdated: 2022-05-05T18:15:44.000Z - isDefault: false - profile: - name: Car Co - _links: - self: - rel: self - href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 - method: GET - ListRiskProviderResponse: - summary: List Risk Provider response example + commands: + - type: com.okta.telephony.action + - value: + status: FAILURE + provider: VONAGE + transactionId: SM49a8ece2822d44e4adaccd7ed268f954 + transactionMetadata: Duration=300ms + TestInfoOidcRequest: + summary: OIDC SSO Submission Testing Information request value: - - id: 00rp12r4skkjkjgsn - action: log_only - name: Risk-Partner-X - clientId: 00ckjsfgjkdkjdkkljjsd - created: '2021-01-05 22:18:30' - lastUpdated: '2021-01-05 22:18:30' - _links: - self: - href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn - hints: - allow: - - GET - - PUT - ListSessionsResponse: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + oidcTestConfiguration: + jit: false + spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + TestInfoOidcResponse: + summary: OIDC SSO Submission Testing Information response value: - - id: uij4ri8ZLk0ywyqxB0g1 - identitySourceId: 0oa3l6l6WK6h0R0QW0g4 - status: CREATED - importType: INCREMENTAL - created: 2022-04-04T15:56:05.000Z - lastUpdated: 2022-05-05T16:15:44.000Z - ListSessionsResponseForGetSessions: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter 
your credentials + escalationSupportContact: strawberry.support@example.com + oidcTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + TestInfoSamlRequest: + summary: SAML SSO Submission Testing Information request value: - - id: uij4ri8ZLk0ywyqxB0g1 - identitySourceId: 0oa3l6l6WK6h0R0QW0g4 - status: CREATED - importType: INCREMENTAL - created: 2022-04-04T15:56:05.000Z - lastUpdated: 2022-05-05T16:15:44.000Z - - id: uij4ri8ZLk0ywyqxB0g2 + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + samlTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: Go to the app URL from a browser and enter your username + TestInfoSamlResponse: + summary: SAML SSO Submission Testing Information response + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + samlTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: Go to the app URL from a browser and enter your username + ThreatInsightResponseExample: + summary: ThreatInsight response + value: + action: none + excludeZones: [] + created: '2020-08-05T22:18:30.629Z' + lastUpdated: '2020-08-05T22:18:30.629Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/threats/configuration + hints: + allow: + - GET + - POST + ThreatInsightUpdateRequestExample: + summary: ThreatInsight update request + value: + action: audit + excludeZones: + - nzo1q7jEOsoCnoKcj0g4 + - nzouagptWUz5DlLfM0g3 + 
ThreatInsightUpdateResponseExample: + summary: ThreatInsight update response + value: + action: audit + excludeZones: + - nzo1q7jEOsoCnoKcj0g4 + - nzouagptWUz5DlLfM0g3 + created: '2020-08-05T22:18:30.629Z' + lastUpdated: '2020-10-13T21:23:10.178Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/threats/configuration + hints: + allow: + - GET + - POST + TokenHookErrorExample: + summary: Error response + value: + error: + errorSummary: Human-readable summary of the error + TokenHookModifyLifetime: + summary: Modify token lifetime + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /token/lifetime/expiration + value: 36000 + - type: com.okta.access.patch + value: + - op: replace + path: /token/lifetime/expiration + value: 36000 + TokenHookRemoveClaim: + summary: Remove claim + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/birthdate + value: null + - type: com.okta.access.patch + value: + - op: remove + path: /claims/external_guid + TokenHookRemoveFromArray: + summary: Remove from array + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/preferred_airports/1 + TokenHookRemoveFromObject: + summary: Remove from JSON object + value: + commands: + - type: com.okta.identity.patch + value: + - op: remove + path: /claims/employee_profile/email + TokenHookReplaceExisting: + summary: Replace an existing claim + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /claims/extPatientId + value: '1234' + - op: replace + path: /claims/external_guid + value: F0384685-F87D-474B-848D-2058AC5655A7 + TokenHookReplaceInPath: + summary: Replace within JSON object + value: + commands: + - type: com.okta.identity.patch + value: + - op: replace + path: /claims/employee_profile/email + value: anna@company.com + TokenHookResponse: + description: Token inline hook response + summary: An example token inline hook response that 
adds a claim + value: + commands: + - type: com.okta.assertion.patch + value: + - op: add + path: /claims/extPatientId + value: '1234' + - type: com.okta.assertion.patch + value: + - op: add + path: /claims/external_guid + value: F0384685-F87D-474B-848D-2058AC5655A7 + TokenHookResponseAppendArray: + summary: Append to array + value: + commands: + - type: com.okta.identity.patch + value: + - op: add + path: /claims/preferred_airports/3 + value: lax + TokenHookResponseWithURIFormat: + summary: Add new members to existing JSON objects + value: + commands: + - type: com.okta.identity.patch + value: + - op: add + path: /claims/employee_profile/department_id + value: '4947' + TokenPayLoadExample: + summary: An example token inline hook request body + description: An example token inline hook request body + value: + source: https://{yourOktaDomain}/oauth2/default/v1/authorize + eventId: 3OWo4oo-QQ-rBWfRyTmQYw + eventTime: '2019-01-15T23:20:47.000Z' + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + contentType: application/json + eventType: com.okta.oauth2.tokens.transform + data: null + context: + request: + id: reqv66CbCaCStGEFc8AdfS0ng + method: GET + url: + value: https://{yourOktaDomain}/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=token+id_token&redirect_uri=https%3A%2F%2Fhttpbin.org%2Fget&state=foobareere&nonce=asf&client_id=customClientIdNative + ipAddress: 127.0.0.1 + protocol: + type: OAUTH2.0 + request: + scope: openid profile email + state: foobareere + redirect_uri: https://httpbin.org/get + response_mode: fragment + response_type: token id_token + client_id: customClientIdNative + issuer: + uri: https://{yourOktaDomain}/oauth2/default + client: + id: customClientIdNative + name: Native client + type: PUBLIC + session: + id: 102Qoe7t5PcRnSxr8j3I8I6pA + userId: 00uq8tMo3zV0OfJON0g3 + login: administrator1@clouditude.net + createdAt: '2019-01-15T23:17:09.000Z' + expiresAt: '2019-01-16T01:20:46.000Z' + status: ACTIVE + 
lastPasswordVerification: '2019-01-15T23:17:09.000Z' + amr: + - PASSWORD + idp: + id: 00oq6kcVwvrDY2YsS0g3 + type: OKTA + mfaActive: false + user: + id: 00uq8tMo3zV0OfJON0g3 + passwordChanged: '2018-09-11T23:19:12.000Z' + profile: + login: administrator1@clouditude.net + firstName: Add-Min + lastName: O'Cloudy Tud + locale: en + timeZone: America/Los_Angeles + _links: + groups: + href: https://{yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups + factors: + href: https://{yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors + policy: + id: 00pq8lGaLlI8APuqY0g3 + rule: + id: 0prq8mLKuKAmavOvq0g3 + identity: + claims: + sub: 00uq8tMo3zV0OfJON0g3 + name: Add-Min O'Cloudy Tud + email: administrator1@clouditude.net + ver: 1 + iss: https://{yourOktaDomain}/oauth2/default + aud: customClientIdNative + jti: ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0 + amr: + - pwd + idp: 00oq6kcVwvrDY2YsS0g3 + nonce: asf + preferred_username: administrator1@clouditude.net + auth_time: 1547594229 + token: + lifetime: + expiration: 3600 + access: + claims: + ver: 1 + jti: AT.W-rrB-z-kkZQmHW0e6VS3Or...QfEN_YvoWJa46A7HAA + iss: https://{yourOktaDomain}/oauth2/default + aud: api://default + cid: customClientIdNative + uid: 00uq8tMo3zV0OfJON0g3 + sub: administrator1@clouditude.net + firstName: Add-Min + preferred_username: administrator1@clouditude.net + token: + lifetime: + expiration: 3600 + scopes: + openid: + id: scpq7bW1cp6dcvrz80g3 + action: GRANT + profile: + id: scpq7cWJ81CIP5Qkr0g3 + action: GRANT + email: + id: scpq7dxsoz6LQlRj00g3 + action: GRANT + refresh_token: + jti: oarob4a0tckCkGcyo1d6 + TriggerSessionResponse: + value: + - id: aps1qqonvr2SZv6o70h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: TRIGGERED importType: INCREMENTAL - created: 2022-04-04T16:56:05.000Z - lastUpdated: 2022-05-05T17:15:44.000Z - - id: uij4ri8ZLk0ywyqxB0g3 - identitySourceId: 0oa3l6l6WK6h0R0QW0g4 - status: IN_PROGRESS - importType: INCREMENTAL - created: 2022-04-04T17:56:05.000Z - lastUpdated: 
2022-05-05T18:15:44.000Z - - id: uij4ri8ZLk0ywyqxB0g4 - identitySourceId: 0oa3l6l6WK6h0R0QW0g4 - status: EXPIRED - importType: INCREMENTAL - created: 2022-04-04T18:56:05.000Z - lastUpdated: 2022-05-05T19:15:44.000Z - - id: uij4ri8ZLk0ywyqxB0g5 - identitySourceId: 0oa3l6l6WK6h0R0QW0g4 - status: CLOSED - importType: INCREMENTAL - created: 2022-04-04T19:56:05.000Z - lastUpdated: 2022-05-05T20:15:44.000Z - ListUISchemaResponse: - summary: Lists all UI Schemas response + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + TrustedOriginBody: + summary: Trusted origin request body value: - - id: uis4a7liocgcRgcxZ0g7 - uiSchema: - type: Group - label: Sign in - buttonLabel: Submit - elements: - - type: Control - scope: '#/properties/firstName' - label: First name - options: - format: text - - type: Control - scope: '#/properties/lastName' - label: Last name - options: - format: text - - type: Control - scope: '#/properties/email' - label: Email - options: - format: text - - type: Control - scope: '#/properties/countryCode' - label: Country code - options: - format: select - - type: Control - scope: '#/properties/bool2' - label: bool2 - options: - format: checkbox - - type: Control - scope: '#/properties/date' - label: date - options: - format: text - - type: Control - scope: '#/properties/enum' - label: enum - options: - format: radio - created: '2022-07-25T12:56:31.000Z' - lastUpdated: '2022-07-26T11:53:59.000Z' + name: New Trusted Origin + origin: http://example.com + scopes: + - type: CORS + - type: REDIRECT + TrustedOriginBodyWithIframeEmbedding: + summary: Trusted origin request body with iFrame embedding (Okta End-User Dashboard and Okta sign-in page) + description: | + Creates a new Trusted Origin for iFrame embedding of an Okta resource within that origin. In this example, the type + of Okta resource is both the Okta End-User Dashboard and the Okta sign-in page. 
+ value: + name: New Trusted Origin + origin: http://example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + TrustedOriginBodyWithIframeEmbeddingSignIn: + summary: Trusted origin request body with iFrame embedding (Okta sign-in page) + description: | + Creates a new Trusted Origin for iFrame embedding of an Okta resource within that origin. In this example, the Okta + resource is the Okta sign-in page. + value: + name: New Trusted Origin + origin: http://example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: [] + TrustedOriginInactiveResponse: + summary: Trusted origin response + value: + id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: http://example.com + status: INACTIVE + scopes: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + TrustedOriginPut: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: CORS + - type: REDIRECT + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutBody: + summary: Trusted origin request body + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: 
http://updated.example.com + scopes: + - type: CORS + - type: REDIRECT + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: - href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 hints: allow: - GET - PUT - DELETE - - id: uis4abjqkkKXVPGAU0g7 - uiSchema: - type: Group - label: Sign in 2 - buttonLabel: Submit - elements: - - type: Control - scope: '#/properties/firstName' - label: First name - options: - format: text - - type: Control - scope: '#/properties/lastName' - label: Last name - options: - format: text - - type: Control - scope: '#/properties/email' - label: Email - options: - format: text - - type: Control - scope: '#/properties/countryCode' - label: Country code - options: - format: select - - type: Control - scope: '#/properties/bool2' - label: bool2 - options: - format: checkbox - - type: Control - scope: '#/properties/date' - label: date - - type: Control - scope: '#/properties/enum' - label: enum - options: - format: radio - created: '2022-07-25T12:56:31.000Z' - lastUpdated: '2022-07-26T11:53:59.000Z' + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutBodyWithIframeEmbedding: + summary: Trusted origin request body with iFrame embedding + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: - href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7 + href: 
https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 hints: allow: - GET - PUT - DELETE - ListUserBlocksAnyDevicesResponse: - value: - - type: DEVICE_BASED - appliesTo: ANY_DEVICES - ListUserBlocksUnknownDevicesResponse: - value: - - type: DEVICE_BASED - appliesTo: UNKNOWN_DEVICES - ListUsersResponse: - summary: List all Users - value: - - id: 00u118oQYT4TBTemp0g4 - status: ACTIVE - created: 2022-04-04T15:56:05.000Z - activated: null - statusChanged: null - lastLogin: 2022-05-04T19:50:52.000Z - lastUpdated: 2022-05-05T18:15:44.000Z - passwordChanged: 2022-04-04T16:00:22.000Z - type: - id: oty1162QAr8hJjTaq0g4 - profile: - firstName: Alice - lastName: Smith - mobilePhone: null - secondEmail: null - login: alice.smith@example.com - email: alice.smith@example.com - credentials: - password: {} - provider: - type: OKTA - name: OKTA - _links: - self: - href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 - ListsAllUserTypes: - summary: Lists all user types + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutResponse: + summary: Trusted origin response body value: - - id: otyfnly5cQjJT9PnR0g4 - displayName: New User Type - name: newUserType - description: A new custom user type - createdBy: sprz9fj1ycBcsgopy1d6 - lastUpdatedBy: sprz9fj1ycBcsgopy1d6 - created: '2021-07-05T20:40:38.000Z' - lastUpdated: '2021-07-05T20:40:38.000Z' - default: false + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: CORS + - type: REDIRECT + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - schema: - href: 
https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - - id: otyz9fj2jMiRBC1ZT1d6 - displayName: User - name: user - description: Okta user profile template with default permission settings - createdBy: sprz9fj1ycBcsgopy1d6 - lastUpdatedBy: sprz9fj1ycBcsgopy1d6 - created: '2021-07-05T20:40:38.000Z' - lastUpdated: '2021-07-05T20:40:38.000Z' - default: true + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutResponseWithIframeEmbedding: + summary: Trusted origin response body with iFrame embedding + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + origin: http://updated.example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - ListsOwnerOneResponse: - summary: Lists a response with one owner + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutWithIframeEmbedding: value: - - id: 00g1gae1k0znUcLuU0h8 - type: GROUP - resolved: true - originId: 'null' - originType: OKTA_DIRECTORY - displayName: Product & Engineering - lastUpdated: '2023-03-29 18:18:37.0' - ListsOwnersMultipleResponse: - summary: Lists a response with multiple owners + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example Trusted Origin + 
origin: http://updated.example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginResponse: + summary: Trusted origin response value: - - id: 00u1cmbqjkkmFXeqb0h8 - type: USER - resolved: true - originId: 'null' - originType: OKTA_DIRECTORY - displayName: Mabel Mora - lastUpdated: 2023-03-29T18:30:58.000Z - - id: 00u1cmc52x5B86cnZ0h8 - type: USER - resolved: true - originId: 'null' - originType: OKTA_DIRECTORY - displayName: Cinda Canning - lastUpdated: 2023-03-29T18:30:55.000Z - LogStreamActivateResponse: - summary: Activate Log Stream response + id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: http://example.com + status: ACTIVE + scopes: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginResponseWithIframeEmbedding: + summary: Trusted origin response with iFrame embedding (End-User Dashboard and Okta sign-in page) value: - id: 0oa1orqUGCIoCGNxf0g4 - type: aws_eventbridge - name: Example AWS EventBridge - lastUpdated: '2023-03-24T21:22:43.000Z' - created: '2023-03-24T21:02:43.000Z' + id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: 
http://example.com status: ACTIVE - settings: - accountId: '123456789012' - eventSourceName: your-event-source-name - region: us-east-2 + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 - method: GET + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE deactivate: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate - method: POST - LogStreamDeactivateResponse: - summary: Deactivate Log Stream response + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginResponseWithIframeEmbeddingSignIn: + summary: Trusted origin response with iFrame embedding (Okta sign-in page) value: - id: 0oa7agphh5FT7H521d7 - type: splunk_cloud_logstreaming - name: Splunk Cloud Example - lastUpdated: '2023-03-24T21:23:00.000Z' - created: '2023-03-24T21:15:13.000Z' - status: INACTIVE - settings: - edition: aws - host: okexample.splunkcloud.com + id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: http://example.com + status: ACTIVE + scopes: + - type: IFRAME_EMBED + allowedOktaApps: [] + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7 - method: GET - activate: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate - method: POST - LogStreamGetAllResponse: - summary: Lists all Log Streams + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: 
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginsResponse: + summary: Trusted origins response value: - - id: 0oa1orqUGCIoCGNxf0g4 - type: aws_eventbridge - name: Example AWS EventBridge - lastUpdated: '2023-03-24T21:02:43.000Z' - created: '2023-03-24T21:02:43.000Z' + - id: tos10hu7rkbtrFt1M0g4 + name: New Trusted Origin + origin: http://example.com status: ACTIVE - settings: - accountId: '123456789012' - eventSourceName: your-event-source-name - region: us-east-2 + scopes: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 - method: GET + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE deactivate: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate - method: POST - LogStreamPostRequest: - summary: Create an AWS EventBridge Log Stream + href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + UpdateAppFeatureRequestEx: + summary: Update USER_PROVISIONING request value: - type: aws_eventbridge - name: Example AWS EventBridge - settings: - eventSourceName: your-event-source-name - accountId: '123456789012' - region: us-east-2 - LogStreamPostResponse: - summary: AWS EventBridge Log Stream response + create: + lifecycleCreate: + status: ENABLED + update: + lifecycleDeactivate: + status: ENABLED + profile: + status: ENABLED + password: + status: ENABLED + seed: RANDOM + change: CHANGE + UpdateAppFeatureResponseEx: + summary: Update USER_PROVISIONING response value: - id: 0oa1orqUGCIoCGNxf0g4 - type: aws_eventbridge - name: Example AWS EventBridge - lastUpdated: 
'2023-03-24T21:02:43.000Z' - created: '2023-03-24T21:02:43.000Z' - status: ACTIVE - settings: - accountId: '123456789012' - eventSourceName: your-event-source-name - region: us-east-2 + name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: ENABLED + update: + lifecycleDeactivate: + status: ENABLED + profile: + status: ENABLED + password: + status: ENABLED + seed: RANDOM + change: CHANGE _links: self: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 - method: GET - deactivate: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate - method: POST - LogStreamPutRequest: - summary: Replace AWS EventBridge name + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + UpdateAuthorizationServerPolicyRequest: + summary: Update Authorization Server Policy value: - type: aws_eventbridge - name: Updated AWS EventBridge - settings: - eventSourceName: your-event-source-name - accountId: '123456789012' - region: us-east-2 - LogStreamPutResponse: - summary: Replace AWS EventBridge name response + id: 00p5m9xrrBffPd9ah0g4 + type: OAUTH_AUTHORIZATION_POLICY + status: ACTIVE + name: Default Policy + description: Default policy description + priority: 1 + system: false + conditions: + clients": + include": + - ALL_CLIENTS + UpdateAuthorizationServerPolicyRuleRequest: + summary: Update Authorization Server Policy Rule value: - id: 0oa1orqUGCIoCGNxf0g4 - type: aws_eventbridge - name: Updated AWS EventBridge - lastUpdated: '2023-03-24T21:12:43.000Z' - created: '2023-03-24T21:02:43.000Z' + type: RESOURCE_ACCESS + name: Default Policy Rule + priority: 1 status: ACTIVE - settings: - accountId: '123456789012' - eventSourceName: your-event-source-name - region: us-east-2 + conditions: + people: + groups: + include: + - EVERYONE + grantTypes: + include: + 
- implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + UpdateBrandRequest: + value: + customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy + agreeToCustomPrivacyPolicy: true + removePoweredByOkta: true + name: New Name For Brand + emailDomainId: OeD114iNkrcN6aR680g4 + locale: en + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + UpdateBrandResponse: + value: + id: bnd114iNkrcN6aR680g4 + removePoweredByOkta: true + agreeToCustomPrivacyPolicy: true + name: New Name For Brand + isDefault: true + customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + locale: en _links: self: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 - method: GET - deactivate: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate - method: POST - LogStreamSchemaAws: - value: &ref_4 - $schema: https://json-schema.org/draft/2020-12/schema - $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge - title: AWS EventBridge - type: object + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + UpdateEmailDomainRequest: + value: + displayName: IT Admin + userName: noreply + UpdateFeatureLifecycleResponse: + summary: Update the feature lifecycle status + value: + description: Example feature description + id: 
ftrZooGoT8b41iWRiQs7 + name: Example feature name + stage: + state: OPEN + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + UpdateInboundProvisioningFeatureRequestEx: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Update INBOUND_PROVISIONING request + value: + capabilities: + importSettings: + username: + userNameFormat: EMAIL + schedule: + status: ENABLED + fullImport: + expression: 0 0 * * 0 + timezone: America/New_York + incrementalImport: + expression: 0 */3 * * * + timezone: America/New_York + importRules: + userCreateAndMatch: + exactMatchCriteria: EMAIL + allowPartialMatch: false + autoConfirmPartialMatch: false + autoConfirmExactMatch: false + autoConfirmNewUsers: false + autoActivateNewUsers: false + UpdateInboundProvisioningFeatureResponseEx: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Update INBOUND_PROVISIONING response + value: + name: INBOUND_PROVISIONING + status: ENABLED + description: In-bound provisioning settings from an application to Okta + capabilities: + importSettings: + username: + userNameFormat: EMAIL + schedule: + status: ENABLED + fullImport: + expression: 0 0 * * 0 + timezone: America/New_York + incrementalImport: + expression: 0 */3 * * * + timezone: America/New_York + importRules: + userCreateAndMatch: + exactMatchCriteria: EMAIL + allowPartialMatch: false + autoConfirmPartialMatch: false + autoConfirmExactMatch: false + autoConfirmNewUsers: false + autoActivateNewUsers: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/INBOUND_PROVISIONING + hints: + allow: + - GET + - PUT + UpdateMappingBody: + summary: Update an existing 
profile mapping by updating one or more properties + value: properties: - settings: - description: Configuration properties specific to AWS EventBridge - type: object - properties: - accountId: - title: AWS Account ID - description: Your Amazon AWS Account ID. - type: string - writeOnce: true - pattern: ^\d{12}$ - eventSourceName: - title: AWS Event Source Name - description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. - type: string - writeOnce: true - pattern: ^[\.\-_A-Za-z0-9]{1,75}$ - region: - title: AWS Region - description: The destination AWS region for your system log events. - type: string - writeOnce: true - oneOf: - - title: US East (Ohio) - const: us-east-2 - - title: US East (N. Virginia) - const: us-east-1 - - title: US West (N. California) - const: us-west-1 - - title: US West (Oregon) - const: us-west-2 - - title: Canada (Central) - const: ca-central-1 - - title: Europe (Frankfurt) - const: eu-central-1 - - title: Europe (Ireland) - const: eu-west-1 - - title: Europe (London) - const: eu-west-2 - - title: Europe (Paris) - const: eu-west-3 - - title: Europe (Milan) - const: eu-south-1 - - title: Europe (Stockholm) - const: eu-north-1 - required: - - eventSourceName - - accountId - - region - errorMessage: - properties: - accountId: Account number must be 12 digits. - eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. - name: - title: Name - description: A name for this log stream in Okta - type: string - writeOnce: false - pattern: ^.{1,100}$ - required: - - name - - settings - errorMessage: - properties: - name: Name can't exceed 100 characters. 
- LogStreamSchemaList: + nickName: + expression: user.honorificPrefix + user.displayName + pushStatus: DONT_PUSH + UpdateMappingResponse: + summary: Update an existing profile mapping by updating one or more properties value: - - *ref_4 - - &ref_5 - $schema: https://json-schema.org/draft/2020-12/schema - $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming - title: Splunk Cloud - type: object - properties: - settings: - description: Configuration properties specific to Splunk Cloud - type: object - properties: - host: - title: Host - description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com' - type: string - writeOnce: false - pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ - token: - title: HEC Token - description: The token from your Splunk Cloud HTTP Event Collector (HEC). - type: string - writeOnce: false - pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' - required: - - host - - token - errorMessage: - properties: - host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' - name: - title: Name - description: A name for this log stream in Okta - type: string - writeOnce: false - pattern: ^.{1,100}$ - required: - - name - - settings - errorMessage: - properties: - name: Name can't exceed 100 characters. 
- LogStreamSchemaSplunk: - value: *ref_5 - OrgCAPTCHASettingsConfigured: - summary: Org-wide Captcha Settings are configured + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.honorificPrefix + user.displayName + pushStatus: DONT_PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + UpdateOAuth2ScopeRequest: + summary: Example scope + value: + description: Order car + name: car:order + metadataPublish: ALL_CLIENTS + UpdateOrgSettingEx: + summary: Org setting request + value: + address1: 100 1st St + address2: 6th floor + city: San Fransico + companyName: okta + country: United States + endUserSupportHelpURL: support.okta.com + phoneNumber: '+18887227871' + postalCode: '94105' + state: California + supportPhoneNumber: '+18887227871' + website: www.okta.com + UpdateRecQuestionRequest: + value: + password: + value: tlpWENT2m + recovery_question: + question: How many roads must a man walk down? + answer: forty two + UpdateRecQuestionResponse: + value: + password: {} + recovery_question: + question: How many roads must a man walk down? + provider: + type: OKTA + name: OKTA + UpdateSMSTemplateRequest: + value: + translations: + de: '${org.name}: ihre bestätigungscode ist ${code}.' 
+ UpdateSMSTemplateResponse: + value: + id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + de: '${org.name}: ihre bestätigungscode ist ${code}.' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + UpdateThemeRequest: + value: + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + UpdateThemeResponse: + value: + id: thdul904tTZ6kWVhP0g3 + logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + UpdateUserTypePostRequest: + summary: Update user type request + value: + displayName: Updated Display Name + UpdateUserTypePostResponse: + summary: Update user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: Updated Display Name + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + UpdatedEmailDomainResponse: value: - captchaId: abcd4567 - enabledPages: - - SSR - - SIGN_IN + id: OeD114iNkrcN6aR680g4 + validationStatus: NOT_STARTED + displayName: IT Admin + userName: noreply + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + UpdatedOAuth2ScopeResponse: + summary: Updated scope + value: + id: scp5yu8kLOnDzo7lh0g4 + name: car:order + description: Order car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: ALL_CLIENTS _links: self: - href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 hints: allow: - GET - - POST - PUT - DELETE - OrgCAPTCHASettingsDisable: - summary: Disable Org-wide Captcha Settings + UploadYubikeyTokenSeedRequest: + summary: Yubikey OTP Seed value: - captchaId: 'null' - enabledPages: 'null' - OrgCAPTCHASettingsDisabled: - summary: Disabled Org-wide Captcha Settings + serialNumber: '7886622' + publicId: ccccccijgibu + privateId: b74be6169486 + aesKey: 1fcc6d8ce39bf1604e0b17f3e0a11067 + UploadYubikeyTokenSeedResponse: value: - captchaId: 'null' - enabledPages: '[]' + id: ykkut4G6ti62DD8Dy0g3 + created: '2020-01-10T23:04:10.000Z' + lastVerified: '2020-01-10T23:04:10.000Z' + lastUpdated: '2020-01-10T23:04:10.000Z' + 
status: UNASSIGNED + profile: + serial: '000007886622' _links: self: - href: https://your-subdomain.okta.com/api/v1/captchas/ + href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkut4G6ti62DD8Dy0g3 hints: allow: - GET - - PUT - OrgCAPTCHASettingsEmpty: - summary: Org-wide Captcha Settings aren't configured + - DELETE + UserFactorChallengeCallResponse: + summary: call challenge value: - captchaId: null - enabledPages: [] + factorResult: CHALLENGE + profile: + phoneNumber: '+12532236986' + phoneExtension: '1234' _links: - self: - href: https://your-subdomain.okta.com/api/v1/captchas + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV hints: allow: - GET + - DELETE + UserFactorChallengeEmailResponse: + summary: email challenge + value: + factorResult: CHALLENGE + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: - POST - - PUT + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET - DELETE - OrgCAPTCHASettingsUpdate: - summary: Update Org-wide Captcha Settings + UserFactorChallengePushResponse: + summary: push challenge value: - captchaId: abcd4567 - enabledPages: - - SSR - - SIGN_IN - OrgCAPTCHASettingsUpdated: - summary: Updated Org-wide Captcha Settings + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - GET + cancel: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - DELETE + UserFactorChallengeSmsResponse: + 
summary: sms challenge value: - captchaId: abcd4567 - enabledPages: - - SSR - - SIGN_IN + factorResult: CHALLENGE + profile: + phoneNumber: '+12532236986' _links: - self: - href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3 hints: allow: - GET + - DELETE + UserFactorChallengeU2fResponse: + summary: u2f challenge + value: + factorResult: CHALLENGE + profile: + credentialId: GAiiLsVab2m3-zL1Fi3bVtNrM9G6_MntUITHKjxkV24ktGKjLSCRnz72wCEdHCe18IvC69Aia0sE4UpsO0HpFQ + version: U2F_V2 + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify + hints: + allow: - POST - - PUT + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET - DELETE - PerClientRateLimitSettingsEnforceDefault: + _embedded: + challenge: + nonce: vQFwTt6zKzMV7HFPzjS2 + timeoutSeconds: 20 + UserFactorChallengeWebauthnResponse: + summary: webAuthn challenge value: - defaultMode: ENFORCE - PerClientRateLimitSettingsEnforceDefaultWithOverrides: + factorResult: CHALLENGE + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + _embedded: + challenge: + challenge: vQFwTt6zKzMV7HFPzjS2 + extensions: {} + UserFactorVerifyCallSuccessResponse: + summary: call verify value: - defaultMode: ENFORCE - useCaseModeOverrides: - OAUTH2_AUTHORIZE: 
PREVIEW - OIE_APP_INTENT: DISABLE - PerClientRateLimitSettingsPreviewDefaultWithOverrides: + factorResult: SUCCESS + UserFactorVerifyEmailSuccessResponse: + summary: email verify value: - defaultMode: PREVIEW - useCaseModeOverrides: - LOGIN_PAGE: ENFORCE - PermissionResponse: + factorResult: SUCCESS + UserFactorVerifyPushRejectedResponse: + summary: push verification rejected value: - label: okta.users.manage - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' + factorResult: REJECTED + profile: + credentialId: jane.doe@example.com _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage - PermissionResponseWithConditions: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionApproved: + summary: SUCCESS value: - label: okta.users.read - conditions: - include: - okta:ResourceAttribute/User/Profile: - - city - - state - - zipCode - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' + factorResult: SUCCESS + UserFactorVerifyPushTransactionRejected: + summary: REJECTED + value: + factorResult: REJECTED + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionTimeout: + summary: TIMEOUT + value: + factorResult: TIMEOUT + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionWaiting: + summary: WAITING + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + profile: + credentialId: jane.doe@example.com + _links: + poll: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - GET + cancel: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - DELETE + UserFactorVerifySecurityQuestionRequest: + summary: security question verify + value: + answer: mayonnaise + UserFactorVerifySuccessSmsResponse: + summary: sms verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessSqResponse: + summary: security question verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessTokenResponse: + summary: token verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessTotpResponse: + summary: totp verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessYubikeyResponse: + summary: yubikey verify + value: + factorResult: SUCCESS + UserFactorVerifyU2fRequest: + summary: u2f verify + value: + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 + signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc + UserFactorVerifyU2fResponse: + summary: u2f verify response + value: + factorResult: SUCCESS + profile: + credentialId: h1bFwJFU9wnelYkexJuQfoUHZ5lX3CgQMTZk4H3I8kM9Nn6XALiQ-BIab4P5EE0GQrA7VD-kAwgnG950aXkhBw + version: U2F_V2 
+ UserFactorVerifyWebauthnRequest: + summary: WebAuthn verify challenge (posts a signed assertion using the challenge `nonce`) + value: + clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 + authenticatorData: SBv04caJ+NLZ0bTeotGq9esMhHJ8YC5z4bMXXPbT95UFXbDsOg== + signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc + UserFactorVerifyWebauthnResponse: + summary: WebAuthn verify + value: + factorResult: SUCCESS + profile: + credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + UserImportChangeAppUserProfileExample: + summary: An example user import inline hook response that updates an app user's profile + value: + commands: + - type: com.okta.appUser.profile.update + value: + firstName: Stan + UserImportChangeUserProfileExample: + summary: Update an Okta user's profile response + value: + commands: + - type: com.okta.user.profile.update + value: + firstName: Stan + UserImportCreateANewUserExample: + summary: Create a new Okta user profile response + value: + commands: + - type: com.okta.action.update + value: + result: CREATE_USER + UserImportErrorExample: + summary: Return an error object + value: + error: + errorSummary: Error at third-party service. Please contact your admin. 
+ UserImportMatchExample: + summary: Match an existing Okta user response + value: + commands: + - type: com.okta.action.update + value: + result: LINK_USER + - type: com.okta.user.update + value: + id: 00garwpuyxHaWOkdV0g3 + UserImportPayloadExample: + summary: An example user import request body + value: + source: cal7eyxOsnb20oWbZ0g4 + eventId: JUGOUiYZTaKPmH6db0nDag + eventTime: '2019-02-27T20:59:04.000Z' + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + eventType: com.okta.import.transform + contentType: application/json + data: + context: + conflicts: + - login + application: + name: test_app + id: 0oa7ey7aLRuBvcYUD0g4 + label: Test App + status: ACTIVE + job: + id: ij17ez2AWtMZRfCZ60g4 + type: import:users + matches: [] + policy: + - EMAIL + - FIRST_AND_LAST_NAME + action: + result: CREATE_USER + appUser: + profile: + firstName: Sally2 + lastName: Admin2 + mobilePhone: null + accountType: PRO + secondEmail: null + failProvisioning: null + failDeprovisioning: null + externalId: user221 + groups: + - everyone@examplee.net + - tech@example.net + userName: administrator2 + email: sally.admin@example.net + user: + profile: + lastName: Admin2 + zipCode: null + city: null + secondEmail: null + postAddress: null + login: sally.admin@example.net + firstName: Sally2 + primaryPhone: null + mobilePhone: null + streetAddress: null + countryCode: null + typeId: null + state: null + email: sally.admin@example.net + UserRiskNoneResponse: + summary: Example User Risk with NONE risk level response + value: + riskLevel: NONE _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read - PermissionsResponse: + href: https://{yourOktaDomain}/api/v1/users/{userId}/risk + hints: + allow: + - GET + - PUT + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + hints: + allow: + - GET + UserRiskRequest: + summary: Example upsert the risk for 
a user request value: - permissions: - - label: okta.users.create - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create - - label: okta.users.read - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read - - label: okta.groups.read - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read - - label: okta.users.userprofile.manage - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage - PreviewEmailCustomizationResponse: + riskLevel: HIGH + UserRiskResponse: + summary: Example User Risk response value: - subject: Welcome to Okta! - body: <!DOCTYPE html><html><body><p>Hello, John. 
Click <a href="https://{yourOktaDomain}/...">here</a> to activate your account.</body></html> + riskLevel: HIGH + reason: Admin override risk _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview + href: https://{yourOktaDomain}/api/v1/users/{userId}/risk hints: allow: - GET - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + - PUT + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} hints: allow: - GET - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + UserSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + description: Twitter Username + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + UserSchemaResponse: + value: + id: https://{yourOktaDomain}/meta/schemas/user/default + $schema: http://json-schema.org/draft-04/schema# + name: user + title: Default Okta User + lastUpdated: '2015-09-05T10:40:45.000Z' + created: '2015-02-02T10:27:36.000Z' + definitions: + base: + id: '#base' + type: object + properties: + login: + title: Username + type: string + required: true + minLength: 5 + maxLength: 100 + permissions: + - principal: SELF + action: READ_WRITE + firstName: + title: First name + type: string + required: true + minLength: 1 + maxLength: 50 + permissions: + - principal: SELF + action: READ_WRITE + lastName: + title: Last name + type: string + required: true + minLength: 1 + maxLength: 50 + permissions: + - principal: SELF + action: READ_WRITE + email: + title: Primary email + type: string + required: true + format: email + permissions: + - principal: SELF + action: READ_WRITE + required: + - login + - firstName + - lastName + - email + custom: + id: '#custom' + type: object + properties: 
+ twitterUserName: + title: Twitter username + description: User's username for twitter.com + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + VerifiedEmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: VERIFIED + displayName: IT Admin + userName: noreply + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + WSFederationEx: + summary: WS_FEDERATION + value: + name: template_wsfed + label: Sample WS-Fed App + signOnMode: WS_FEDERATION + settings: + app: + audienceRestriction: urn:example:app + groupValueFormat: windowsDomainQualifiedName + wReplyURL: https://example.com/ + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + siteURL: https://example.com + usernameAttribute: username + WSFederationPutEx: + summary: WS_FEDERATION + value: + name: template_wsfed + label: Sample WS-Fed App updated + signOnMode: WS_FEDERATION + settings: + app: + audienceRestriction: urn:exampleupdated:app + groupValueFormat: windowsDomainQualifiedName + wReplyURL: https://example.com/ + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + siteURL: https://example.com + usernameAttribute: 
username + WSFederationPutResponseEx: + summary: WS_FEDERATION + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST - PreviewEmailTemplateDefaultContentResponse: + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_wsfed + label: Sample WS-Fed App updated + features: [] + signOnMode: WS_FEDERATION + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU + settings: + app: + groupFilter: null + siteURL: https://example.com + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + wReplyOverride: false + digestAlgorithm: SHA1 + usernameAttribute: username + signatureAlgorithm: RSA_SHA1 + audienceRestriction: urn:exampleupdated:app + wReplyURL: https://example.com/ + groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role + attributeStatements: null + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 + groupValueFormat: windowsDomainQualifiedName + notifications: + vpn: + 
network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + WSFederationResponseEx: + summary: WS_FEDERATION value: - subject: Welcome to Okta! - body: <!DOCTYPE html><html><body><p>Hello, John. Click <a href="https://{yourOktaDomain}/...">here</a> to activate your account.</body></html> + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_wsfed + label: Sample WS-Fed App + features: [] + signOnMode: WS_FEDERATION + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU + settings: + app: + groupFilter: null + siteURL: https://example.com + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + wReplyOverride: false + digestAlgorithm: SHA1 + usernameAttribute: username + signatureAlgorithm: RSA_SHA1 + audienceRestriction: urn:example:app + wReplyURL: https://example.com/ + groupName: 
http://schemas.microsoft.com/ws/2008/06/identity/claims/role + attributeStatements: null + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 + groupValueFormat: windowsDomainQualifiedName + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + WellKnownAppAuthenticatorConfigurationCustomApp: + value: + - authenticatorId: aut22f6xzargnJZYE3l7 + orgId: 00o1vhf34q20MfCFC3l7 + type: app + key: custom_app + name: EnergyAus Authenticator + createdDate: '2022-10-11T08:56:45.000Z' + lastUpdated: '2023-09-07T11:31:35.000Z' + settings: + userVerification: PREFERRED + supportedMethods: + - type: push + status: ACTIVE + settings: + algorithms: + - RS256 + - ES256 + keyProtection: ANY + appAuthenticatorEnrollEndpoint: https://{yourOktaDomain}/idp/myaccount/app-authenticators + WellKnownOrgMetadataResponseClassic: + value: + id: 00o5rb5mt2H3d1TJd0h7 + _links: + organization: + href: https://{{yourOktaDomain}} + pipeline: v1 + settings: + analyticsCollectionEnabled: false + bugReportingEnabled: true + omEnabled: true + WellKnownOrgMetadataResponseCustomUrlOie: + value: + id: 00o47wwoytgsDqEtz0g7 + _links: + organization: + href: https://{yourSubdomain}.okta.com + alternate: + href: https://{yourCustomDomain} + pipeline: idx + settings: + analyticsCollectionEnabled: false + bugReportingEnabled: true + omEnabled: false + activateOAuth2ClientSecretResponse: + summary: Activate Secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + 
- POST + activeAPIServiceIntegrationInstanceSecretResponse: + summary: Activate Secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: '***MQGQ' + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + bulkDeletePayload: + value: + entityType: USERS + profiles: + - externalId: EXT123456784C2IF + - externalId: EXT123456784C3IF + - externalId: EXT123456784C4IF + bulkUpsertPayload: + value: + entityType: USERS + profiles: + - externalId: EXT123456784C2IF + profile: + userName: isaac.brock@example.com + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + secondEmail: isaac2.brock@example.com + mobilePhone: 123-456-7890 + homeAddress: Kirkland, WA + cloud-rule: + summary: Global session policy - Challenge cloud users + description: This global session policy uses a rule to challenge cloud users + value: + type: SIGN_ON + name: Challenge Cloud Users + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: [] + exclude: [] + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + actions: + signon: + access: ALLOW + requireFactor: true + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + cloud-rule-response: + summary: Global session policy - Challenge cloud users + description: The response body from the creation of a global session policy that uses a rule to challenge cloud users + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Challenge Cloud Users + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false 
+ conditions: + people: + users: + include: [] + exclude: [] + groups: + include: [] + exclude: [] + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: true + primaryFactor: PASSWORD_IDP_ANY_FACTOR + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + create-auth-policy-rule-condition: + summary: Authentication policy - Create rule with conditions + description: Creates an authentication policy rule with a conditions object. + value: + system: false + type: ACCESS_POLICY + name: Rule with conditions + conditions: + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + network: + connection: ZONE + exclude: + - 00u7yq5goxNFTiMjW1d7 + riskScore: + level: ANY + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + include: [] + groups: + include: + - 00g9i12jictsYdZdi1d7 + exclude: [] + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + reauthenticateIn: PT2H + constraints: + - knowledge: + reauthenticateIn: PT2H + types: + - password + type: ASSURANCE + create-auth-policy-rule-condition-response: + summary: Authentication policy - Policy rule with conditions + description: The response body from the creation of an authentication policy rule with conditions. 
+ value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + name: Rule with conditions + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + groups: + include: + - 00g9i12jictsYdZdi1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + exclude: [] + riskScore: + level: ANY + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + required: true + types: + - password + reauthenticateIn: PT2H + type: ACCESS_POLICY _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - defaultContent: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content - hints: - allow: - - POST - PrincipalRateLimitEntityRequestEmptyPercentages: + - PUT + - DELETE + create-group-rule-request-example: + summary: Create group rule request example value: - principalId: token1234 - principalType: SSWS_TOKEN - PrincipalRateLimitEntityRequestSSWSToken: + type: group_rule + name: Engineering group rule + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" 
+ type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + create-user-in-group-request: + description: See [Create user in group](/openapi/okta-management/management/tag/User/#create-user--in-group) for description. value: - principalId: token1234 - principalType: SSWS_TOKEN - defaultPercentage: 50 - defaultConcurrencyPercentage: 75 - PrincipalRateLimitEntityResponseSSWSToken: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + groupIds: + - 00g1emaKYZTWRYYRRTSK + - 00garwpuyxHaWOkdV0g4 + create-user-in-group-response: value: - id: abcd1234 - orgId: org1234 - principalId: token1234 - principalType: SSWS_TOKEN - defaultPercentage: 50 - defaultConcurrencyPercentage: 75 - createdDate: '2022-05-19T20:05:32.720Z' - createdBy: user1234 - lastUpdate: '2022-05-20T21:13:07.410Z' - lastUpdatedBy: user4321 - ProvisioningConnectionOauthRequestEx: - summary: Provisioning Connection with OAuth 2.0 + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-authentication-provider-request: + description: Set `activate` parameter to `true`. See [Create user with authentication provider](/openapi/okta-management/management/tag/User/#create-user-with-authentication-provider) for description. 
value: profile: - authScheme: OAUTH2 - clientId: 0oa2h6su6bVFyJzIf1d7 - ProvisioningConnectionOauthResponseEx: - summary: Provisioning Connection with OAuth 2.0 + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: FEDERATION + name: FEDERATION + create-user-with-authentication-provider-response: value: - authScheme: OAUTH2 - status: ENABLED + id: 00uijntSwJjSHtDY70g3 + status: ACTIVE + created: '2016-01-19T22:02:08.000Z' + activated: '2016-01-19T22:02:08.000Z' + statusChanged: '2016-01-19T22:02:08.000Z' + lastLogin: null + lastUpdated: '2016-01-19T22:02:08.000Z' + passwordChanged: null + profile: + login: isaac.brock@example.com + firstName: Isaac + lastName: Brock + mobilePhone: 555-415-1337 + email: isaac.brock@example.com + secondEmail: null + credentials: + provider: + type: FEDERATION + name: FEDERATION _links: - self: - href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default - hints: - allow: - - GET - - POST + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/reset_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/credentials/change_recovery_question + method: POST deactivate: - href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate - hints: - allow: - - POST - ProvisioningConnectionTokenRequestEx: - summary: Provisioning Connection with token + href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/deactivate + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-imported-hashed-password-request: + description: Set `activate` parameter to `true`. See [Create user with imported hashed password](/openapi/okta-management/management/tag/User/#create-user-with-password) for description. 
value: profile: - authScheme: TOKEN - token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x - ProvisioningConnectionTokenResponseEx: - summary: Provisioning Connection with token + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + hash: + algorithm: BCRYPT + workFactor: 10 + salt: rwh3vH166HCH/NT9XV5FYu + value: qaMqvAPULkbiQzkTCWo5XDcvzpk8Tna + create-user-with-imported-hashed-password-response: value: - authScheme: TOKEN - status: ENABLED + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: IMPORT + name: IMPORT _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: - href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default - hints: - allow: - - GET - - POST - deactivate: - href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate - hints: - allow: - - POST - PushProviderAPNsRequest: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-non-default-user-type-request: + description: See [Create user with non-default user type](/openapi/okta-management/management/tag/User/#create-user-with-non-default-user-type) for description. 
value: - name: APNs Example - providerType: APNS - configuration: - keyId: KEY_ID - teamId: TEAM_ID - tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' - fileName: fileName.p8 - PushProviderAPNsResponse: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + type: + id: otyfnjfba4ye7pgjB0g4 + create-user-with-non-default-user-type-response: value: - id: ppctekcmngGaqeiBxB0g4 - name: APNs Example - providerType: APNS - lastUpdatedDate: 2022-01-01T00:00:00.000Z - configuration: - keyId: KEY_ID - teamId: TEAM_ID - fileName: fileName.p8 + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + type: + id: otyfnjfba4ye7pgjB0g4 + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA _links: + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscfnjfba4ye7pgjB0g4 + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: - href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 - hints: - allow: - - DELETE - - GET - - PUT - PushProviderFCMRequest: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otyfnjfba4ye7pgjB0g4 + create-user-with-password-and-recovery-question-request: + description: See [Create user with password and recovery question](/openapi/okta-management/management/tag/User/#create-user-with-password-and-recovery-question) for description. 
value: - name: FCM Example - providerType: FCM - configuration: - serviceAccountJson: - type: service_account - project_id: PROJECT_ID - private_key_id: KEY_ID - private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' - client_email: SERVICE_ACCOUNT_EMAIL - client_id: CLIENT_ID - auth_uri: https://accounts.google.com/o/oauth2/auth - token_uri: https://accounts.google.com/o/oauth2/token - auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs - client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL - fileName: fileName.json - PushProviderFCMResponse: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + value: tlpWENT2m + recovery_question: + question: Who is a major player in the cowboy scene? + answer: Annie Oakley + create-user-with-password-and-recovery-question-response: value: - id: ppctekcmngGaqeiBxB0g4 - name: FCM Example - providerType: FCM - lastUpdatedDate: 2022-01-01T00:00:00.000Z - configuration: - projectId: PROJECT_ID - fileName: fileName.p8 + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: - href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 - hints: - allow: - - DELETE - - GET - - PUT - RateLimitAdminNotificationsDisabled: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-import-inline-hook-request: + description: Set `activate` parameter to `true`. See [Create user with password inline hook](/openapi/okta-management/management/tag/User/#create-user-with-password-inline-hook) for description. value: - notificationsEnabled: false - RateLimitAdminNotificationsEnabled: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + hook: + type: default + create-user-with-password-import-inline-hook-response: value: - notificationsEnabled: true - RateLimitWarningThresholdValidExample: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: IMPORT + name: IMPORT + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-request: + description: Set `activate` parameter to `true`. See [Create user with password](/openapi/okta-management/management/tag/User/#create-user-with-password) for description. 
value: - warningThreshold: 66 - RealmResponse: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + value: tlpWENT2m + create-user-with-password-response: value: - id: guox9jQ16k9V8IFEL0g3 - created: 2022-04-04T15:56:05.000Z - lastUpdated: 2022-05-05T18:15:44.000Z - isDefault: false + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' profile: - name: Car Co + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: OKTA + name: OKTA _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: - rel: self - href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 - method: GET - RemoveMappingBody: - summary: Update an existing profile mapping by removing one or more properties + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-recovery-question-request: + description: See [Create user with recovery question](/openapi/okta-management/management/tag/User/#create-user-with-recovery-question) for description. value: - properties: - nickName: - expression: null - pushStatus: null - RemoveMappingResponse: - summary: Update an existing profile mapping by removing one or more properties + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + recovery_question: + question: Who is a major player in the cowboy scene? 
+ answer: Annie Oakley + create-user-with-recovery-question-response: value: - id: prm1k47ghydIQOTBW0g4 - source: - id: otysbePhQ3yqt4cVv0g3 - name: user - type: user - _links: - self: - href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 - target: - id: 0oa1qmn4LZQQEH0wZ0g4 - name: okta_org2org - type: appuser - _links: - self: - href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default - properties: - fullName: - expression: user.firstName + user.lastName - pushStatus: PUSH + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: - href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 - ReplaceKeyResponse: - summary: Replace a key response example + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-without-credentials-request: value: - id: HKY1p7jWLndGQV9M60g4 - keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad - name: My updated new key - created: '2022-08-31T18:09:58.000Z' - lastUpdated: '2022-08-31T18:16:59.000Z' - isUsed: 'false' - ReplaceNetworkZone: - summary: Replace a Network Zone + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + create-user-without-credentials-response: value: - type: IP - id: nzovw2rFz2YoqmvwZ0g9 - name: UpdatedNetZone - status: ACTIVE - usage: POLICY - gateways: - - type: CIDR - value: 10.2.3.4/24 - - type: CIDR - value: 12.2.3.4/24 - - type: RANGE - value: 13.4.5.6-13.4.5.8 - - type: CIDR - value: 14.2.3.4/24 - proxies: - - type: CIDR - value: 12.2.3.4/24 - - type: CIDR - value: 13.3.4.5/24 - - type: RANGE - value: 14.4.5.6-14.4.5.8 - - type: RANGE - value: 15.5.6.7/24-15.5.6.9 + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA _links: + activate: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: - href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + createOAuth2ClientSecretCustomRequestBody: + summary: Add a user provided 
client secret + value: + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + status: ACTIVE + createOAuth2ClientSecretSystemGeneratedRequestBody: + summary: Add a system-generated client secret + value: {} + deactivateOAuth2ClientJsonWebKeyResponse: + summary: Deactivate JSON Web Key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: INACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate hints: allow: - - GET - - PUT - - DELETE - deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate + - POST + deactivateOAuth2ClientSecretResponse: + summary: Deactivate Secret response example + value: + id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate hints: allow: - POST - ReplaceNetworkZoneResponse: - summary: Replace Network Zone response + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + deny-rule: + summary: Global session policy - Deny users + description: This global session policy uses a rule to deny users value: - type: IP - id: nzovw2rFz2YoqmvwZ0g3 - name: UpdatedNetZone + type: SIGN_ON + name: Deny users + conditions: + network: + connection: ANYWHERE + authContext: + authType: ANY + actions: + signon: + access: DENY + requireFactor: false + deny-rule-response: + summary: Global session 
policy - Deny users + description: The response body from the creation of a global session policy that uses a rule to deny users + value: + id: rule8jjozjGMGbHyC1d6 status: ACTIVE - usage: POLICY - created: '2019-01-24T19:53:28.000Z' - lastUpdated: '2019-02-24T19:53:28.000Z' + type: SIGN_ON + name: Deny + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' system: false - gateways: - - type: CIDR - value: 10.2.3.4/24 - - type: CIDR - value: 12.2.3.4/24 - - type: RANGE - value: 13.4.5.6-13.4.5.8 - - type: CIDR - value: 14.2.3.4/24 - proxies: - - type: CIDR - value: 12.2.3.4/24 - - type: CIDR - value: 13.3.4.5/24 - - type: RANGE - value: 14.4.5.6-14.4.5.8 - - type: RANGE - value: 15.5.6.7/24-15.5.6.9 - ReplaceUserTypePutRequest: - summary: Replace user type request - value: - displayName: Replacement Display Name - description: Replacement description - name: newUserType - ReplaceUserTypePutResponse: - summary: Replace user type response - value: - id: otyfnly5cQjJT9PnR0g4 - displayName: Replacement Display Name - name: newUserType - description: Replacement description - createdBy: sprz9fj1ycBcsgopy1d6 - lastUpdatedBy: sprz9fj1ycBcsgopy1d6 - created: '2021-07-05T20:40:38.000Z' - lastUpdated: '2021-07-05T20:40:38.000Z' - default: false + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + authContext: + authType: ANY + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: DENY + requireFactor: false + primaryFactor: PASSWORD_IDP + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 120 + maxSessionLifetimeMinutes: 0 _links: self: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - ResourceSetBindingAddMembersRequestExample: + href: 
https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + editFeatureExample: + summary: Enable Okta Personal admin settings value: - additions: - - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3 - ResourceSetBindingCreateRequestExample: + enableExportApps: true + enableEnduserEntryPoints: true + getBlockListExample: + summary: List of blocked email domains value: - role: cr0Yq6IJxGIr0ouum0g3 - members: - - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - ResourceSetBindingMemberResponse: + domains: + - yahoo.com + - google.com + group-example: + summary: Group example + description: Example of a Group value: - id: irb1qe6PGuMc7Oh8N0g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' + id: 00g1emaKYZTWRYYRRTSK + created: '2015-02-06T10:11:28.000Z' + lastUpdated: '2015-10-05T19:16:43.000Z' + lastMembershipUpdated: '2015-11-28T19:15:32.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: West Coast Users + description: All Users West of The Rockies _links: - self: - href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 - ResourceSetBindingMembersResponse: + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/okta-large.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps + group-rule-example: + summary: Group rule example + description: Example of a group rule value: - members: - - id: irb1qe6PGuMc7Oh8N0g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: 
'2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 - - id: irb1q92TFAHzySt3x0g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - _links: - binding: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 - next: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members?after=0ouRq6IJmGIr3ouum0g3 - ResourceSetBindingResponseExample: + type: group_rule + id: 0pr3f7zMZZHPgUoWO0g4 + status: INACTIVE + name: Engineering group rule + created: '2016-12-01T14:40:04.000Z' + lastUpdated: '2016-12-01T14:40:04.000Z' + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + idp-discovery-dynamic-routing-rule: + summary: IdP discovery policy - Dynamic routing rule + description: This routing rule uses a dynamic Identity Provider. 
value: - _links: - self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - resource-set: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - ResourceSetBindingResponseWithIdExample: + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-dynamic-routing-rule-response: + summary: IdP discovery policy - Dynamic routing rule value: - id: cr0Yq6IJxGIr0ouum0g3 + id: ruleId _links: self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - resource-set: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - ResourceSetBindingsResponse: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-policy-response: + summary: IDP_DISCOVERY value: - roles: - - id: cr0WxyzJxGIr0ouum0g4 - _links: - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4 - members: - href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members + type: IDP_DISCOVERY + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: null _links: self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - resource-set: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - next: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4 - ResourceSetRequest: - value: - label: SF-IT-People - description: People in the IT department of San Francisco - resources: - - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users - - https://{yourOktaDomain}/api/v1/users - ResourceSetResourcePatchRequestExample: - value: - additions: - - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users - ResourceSetResourcesResponse: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + idp-discovery-specific-routing-rule: + summary: IdP discovery policy - Specific routing rule + description: This routing rule uses a specific Identity Provider. 
value: - resources: - - id: ire106sQKoHoXXsAe0g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - - id: ire106riDrTYl4qA70g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users - - id: irezvo4AwE2ngpMw40g3 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - users: - href: https://{yourOktaDomain}/api/v1/users - groups: - href: https://{yourOktaDomain}/api/v1/groups - _links: - next: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3 - resource-set: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - ResourceSetResponse: + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + idp-discovery-specific-routing-rule-response: + summary: IdP discovery policy - Specific routing rule value: - id: iamoJDFKaJxGIr0oamd9g - label: SF-IT-People - description: People in the IT department of San Francisco - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' + id: ruleId _links: self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - resources: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - ResourceSetsResponse: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: 
https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + inactiveAPIServiceIntegrationInstanceSecretResponse: + summary: Deactivate Secret response example value: - resource-sets: - - id: iamoJDFKaJxGIr0oamd9g - label: SF-IT-1 - description: First San Francisco IT Resource Set - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - resources: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - - id: iamoJDFKaJxGIr0oamd0q - label: SF-IT-2 - description: Second San Francisco IT Resource Set - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q - resources: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings + id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' _links: - next: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q - RetrieveAllZones: - summary: Retrieves all Network Zones + activate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + 
delete: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + list-all-idp-discovery-policy-rule-response: + summary: IDP_DISCOVERY value: - - type: IP - id: nzowc1U5Jh5xuAK0o0g3 - name: LegacyIpZone + - id: 0prgu3bb10hce267M1d7 status: ACTIVE - usage: POLICY - created: 2019-05-17T18:44:31.000Z - lastUpdated: 2019-05-21T13:50:49.000Z + name: Test rule + priority: 1 + created: '2024-08-27T19:51:15.000Z' + lastUpdated: '2024-08-27T19:51:15.000Z' system: true - gateways: - - type: CIDR - value: 1.2.3.4/24 - proxies: - - type: RANGE - value: 3.3.4.5-3.3.4.15 + conditions: + network: + connection: ANYWHERE + platform: + include: [] + exclude: [] + userIdentifier: + patterns: [] + app: + include: [] + exclude: [] + actions: + idp: + providers: + - type: OKTA + idpSelectionType: SPECIFIC _links: self: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - - DELETE - deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + type: IDP_DISCOVERY + list-all-mfa-enroll-policy-rule-response: + summary: MFA_ENROLL + value: + - id: 0prgu3g4mon9ARm9F1d7 + status: ACTIVE + name: Test Rule + priority: 1 + created: '2024-08-27T19:51:39.000Z' + lastUpdated: '2024-08-27T19:51:39.000Z' + system: true + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + enroll: + self: CHALLENGE + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - - POST - - type: DYNAMIC - id: nzowc1U5Jh5xuAK0o0g3 - name: test + - GET + - PUT + type: MFA_ENROLL + list-all-password-policy-rule-response: + summary: PASSWORD + value: + - id: 0prgu3baytQGHuVEv1d7 status: ACTIVE - usage: POLICY - created: 2019-05-17T18:44:31.000Z - lastUpdated: 2019-05-21T13:50:49.000Z - 
system: false - locations: - - country: AF - region: AF-BGL - proxyType: ANY - asns: - - '23457' + name: Test Rule + priority: 1 + created: '2024-08-27T19:51:11.000Z' + lastUpdated: '2024-08-27T19:51:17.000Z' + system: true + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - email + stepUp: + required: false + selfServiceUnlock: + access: DENY _links: self: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - - DELETE - deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + type: PASSWORD + list-all-profile-enrollment-policy-rule-response: + summary: PROFILE_ENROLLMENT + value: + - id: rulgu3bb4oWR7qbMi1d7 + status: ACTIVE + name: Test Rule + priority: 99 + created: '2024-08-27T19:51:18.000Z' + lastUpdated: '2024-08-27T19:51:22.000Z' + system: true + conditions: null + actions: + profileEnrollment: + access: ALLOW + preRegistrationInlineHooks: null + profileAttributes: + - name: email + label: Email + required: true + - name: firstName + label: First name + required: true + - name: lastName + label: Last name + required: true + targetGroupIds: null + unknownUserAction: DENY + activationRequirements: + emailVerification: true + uiSchemaId: uisgu3bb4zTbvwD8S1d7 + progressiveProfilingAction: DISABLED + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - - POST - RetrieveAllZonesWithFilter: - summary: Retrieves Network Zones with filter + - GET + - PUT + type: PROFILE_ENROLLMENT + list-all-sign-on-policy-rule-response: + summary: OKTA_SIGN_ON value: - - type: IP - id: nzowc1U5Jh5xuAK0o0g3 - name: LegacyIpZone + - id: 0prh1sd28q5sXGW08697 status: ACTIVE - usage: POLICY - created: 
2019-05-17T18:44:31.000Z - lastUpdated: 2019-05-21T13:50:49.000Z - system: true - gateways: - - type: CIDR - value: 1.2.3.4/24 - proxies: - - type: RANGE - value: 3.3.4.5-3.3.4.15 + name: Test rule + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + primaryFactor: PASSWORD_IDP_ANY_FACTOR + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false _links: self: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - POST - RetrieveKeyResponse: - summary: Retrieve a key by hookKeyId response example + type: SIGN_ON + list-apps-example: + summary: List apps example + description: List all apps example value: - id: HKY1p7jWLndGQV9M60g4 - keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad - name: My new key - created: '2022-08-31T18:09:58.000Z' - lastUpdated: '2022-08-31T18:09:58.000Z' - isUsed: 'false' - RetrieveMappingsResponse: - summary: Retrieve a single Profile Mapping + - id: 0oafwvZDWJKVLDCUWUAC + name: template_basic_auth + label: Sample Basic Auth App + status: ACTIVE + lastUpdated: '2013-09-30T00:56:52.000Z' + created: '2013-09-30T00:56:52.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: 
EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + url: https://example.com/login.html + authURL: https://example.com/auth.html + _links: + appLinks: + - href: https://{yourOktaDomain}/home/template_basic_auth/0oafwvZDWJKVLDCUWUAC/1438 + name: login + type: text/html + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/users + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/lifecycle/deactivate + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/groups + list-group-rules-example: + summary: List Group rules example + description: List all group rules example value: - id: prm1k47ghydIQOTBW0g4 - source: - id: otysbePhQ3yqt4cVv0g3 - name: user - type: user + - type: group_rule + id: 0pr3f7zMZZHPgUoWO0g4 + status: INACTIVE + name: Engineering group rule + created: '2016-12-01T14:40:04.000Z' + lastUpdated: '2016-12-01T14:40:04.000Z' + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + list-groups-examples: + summary: List all groups example + description: Lists an example of an OKTA_GROUP and an APP_GROUP + value: + - id: 00g1emaKYZTWRYYRRTSK + created: '2015-02-06T10:11:28.000Z' + lastUpdated: '2015-10-05T19:16:43.000Z' + lastMembershipUpdated: '2015-11-28T19:15:32.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: West Coast Users + description: All Users West of The Rockies _links: - self: - href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 - target: - id: 0oa1qmn4LZQQEH0wZ0g4 - name: okta_org2org - type: appuser + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png + 
type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/okta-large.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps + - id: 00garwpuyxHaWOkdV0g4 + created: '2015-08-15T19:15:17.000Z' + lastUpdated: '2015-11-18T04:02:19.000Z' + lastMembershipUpdated: '2015-08-15T19:15:17.000Z' + objectClass: + - okta:windows_security_principal + type: APP_GROUP + profile: + name: Engineering Users + description: corp.example.com/Engineering/Engineering Users + groupType: Security + samAccountName: Engineering Users + objectSid: S-1-5-21-717838489-685202119-709183397-1177 + groupScope: Global + dn: CN=Engineering Users,OU=Engineering,DC=corp,DC=example,DC=com + windowsDomainQualifiedName: CORP\Engineering Users + externalId: OZJdWdONCU6h7WjQKp+LPA== + source: + id: 0oa2v0el0gP90aqjJ0g7 + _links: + logo: + - name: medium + href: https://{yourOktaDomain}/img/logos/groups/active_directory-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/active_directory-large.png + type: image/png + source: + href: https://{yourOktaDomain}/api/v1/apps/0oa2v0el0gP90aqjJ0g7 + users: + href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/apps + list-user-example: + value: + - id: 00u1f96ECLNVOKVMUSEA + status: ACTIVE + created: '2013-12-12T16:14:22.000Z' + activated: '2013-12-12T16:14:22.000Z' + statusChanged: '2013-12-12T22:14:22.000Z' + lastLogin: '2013-12-12T22:14:22.000Z' + lastUpdated: '2015-11-15T19:23:32.000Z' + passwordChanged: '2013-12-12T22:14:22.000Z' + profile: + firstName: Easy + lastName: E + email: easy-e@example.com + login: easy-e@example.com + mobilePhone: null + credentials: + password: {} + provider: + type: OKTA + name: OKTA _links: self: - href: 
https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default - properties: - firstName: - expression: user.firstName - pushStatus: PUSH - lastName: - expression: user.lastName - pushStatus: PUSH - _links: - self: - href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 - RetrieveNetworkZoneDynamic: - summary: Dynamic Network Zone response + href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA + listStreamConfigurationExample: + summary: List of SSF Stream configurations example value: - type: DYNAMIC - id: nzowc1U5Jh5xuAK0o0g3 - name: test + - aud: https://example.com + delivery: + method: urn:ietf:rfc:8935 + endpoint_url: https://example.com + events_delivered: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + format: iss_sub + iss: https://{yourOktaDomain} + min_verification_interval: 0 + stream_id: esc1k235GIIztAuGK0g5 + mfa-enroll-policy-response: + summary: MFA_ENROLL + value: + type: MFA_ENROLL + id: policyId status: ACTIVE - usage: POLICY - created: '2019-05-17T18:44:31.000Z' - lastUpdated: '2019-05-21T13:50:49.000Z' - system: false - locations: - - country: AF - region: AF-BGL - proxyType: ANY - asns: - - '23457' + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + settings: + factors: + okta_otp: + enroll: + self: OPTIONAL + consent: + type: NONE + okta_push: + enroll: + self: 
OPTIONAL + consent: + type: NONE + okta_password: + enroll: + self: OPTIONAL + consent: + type: NONE _links: self: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT - - DELETE - deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - POST - RetrieveNetworkZoneIP: - summary: IP Network Zone response + - GET + newAPIServiceIntegrationInstanceSecretResponse: + summary: New secret response example value: - type: IP - id: nzowc1U5Jh5xuAK0o0g3 - name: LegacyIpZone + id: ocs2f50kZB0cITmYU0g4 status: ACTIVE - usage: POLICY - created: 2019-05-17T18:44:31.000Z - lastUpdated: 2019-05-21T13:50:49.000Z - system: true - gateways: - - type: CIDR - value: 1.2.3.4/24 - proxies: - - type: RANGE - value: 3.3.4.5-3.3.4.15 + client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' _links: - self: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - - GET - - PUT - - DELETE + - POST + oAuth2ClientSecretResponse: + summary: Client secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: deactivate: - href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST - 
RetrievePublicKeyResponse: - summary: Retrieve Public Key response example - value: - _embedded: - kty: RSA - alg: RSA - kid: 7fbc27fd-e3df-4522-86bf-1930110256ad - use: null - e: AQAB - 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` - RetrieveUISchemaResponse: - summary: Retrieves a UI Schema response + oAuthClientJsonWebKey: + summary: JSON Web Key example value: - id: uis4a7liocgcRgcxZ0g7 - uiSchema: - type: Group - label: Sign in - buttonLabel: Submit - elements: - - type: Control - scope: '#/properties/firstName' - label: First name - options: - format: text - - type: Control - scope: '#/properties/lastName' - label: Last name - options: - format: text - - type: Control - scope: '#/properties/email' - label: Email - options: - format: text - - type: Control - scope: '#/properties/countryCode' - label: Country code - options: - format: select - - type: Control - scope: '#/properties/bool2' - label: bool2 - options: - format: checkbox - - type: Control - scope: '#/properties/date' - label: date - - type: Control - scope: '#/properties/enum' - label: enum - options: - format: radio - created: '2022-07-25T12:56:31.000Z' - lastUpdated: '2022-07-26T11:53:59.000Z' + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' _links: - self: - href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - - GET 
- - PUT - - DELETE - RiskEventsRequestExample: - summary: Risk Events payload example + - POST + oAuthClientJsonWebKeyListResponse: + summary: JSON Web Key list response example value: - - timestamp: '2021-01-20T00:00:00.001Z' - subjects: - - ip: 6.7.6.7 - riskLevel: MEDIUM - - ip: 1.1.1.1 - riskLevel: HIGH - message: Detected Attack tooling and suspicious activity - - timestamp: '2021-01-20T01:00:00.001Z' - subjects: - - ip: 6.7.6.7 - riskLevel: LOW - - ip: 2.2.2.2 - riskLevel: HIGH - RiskProviderPutRequest: - summary: Replace Risk Provider request example + jwks: + keys: + - id: pks2f4zrZbs8nUa7p0g4 + kid: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU= + status: INACTIVE + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonWebKeyRequest: + summary: JSON Web Key Request example value: - name: Risk-Partner-Y - action: enforce_and_log - clientId: 00ckjsfgjkdkjdkkljjsd - RiskProviderPutResponse: - summary: Replace Risk Provider response example + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': 
AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + oAuthClientSecretListResponse: + summary: Secrets list response example value: - id: 00rp12r4skkjkjgsn - action: enforce_and_log - name: Risk-Partner-Y - clientId: 00ckjsfgjkdkjdkkljjsd - created: '2021-01-05 22:18:30' - lastUpdated: '2021-01-05 23:18:30' - _links: - self: - href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn - hints: - allow: - - GET - - PUT - RiskProviderRequest: - summary: Risk Provider payload example + - id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: HAGDTYU9XbLnS......3xasFDDwecdZuFs5B + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oamp-id-proofing-policy-rule: + summary: Account Management Policy - Account management policy rule with ID proofing enabled + description: This account management policy rule enables ID proofing for enrollment processes value: - name: Risk-Partner-X - action: log_only - clientId: 00ckjsfgjkdkjdkkljjsd - RiskProviderResponse: - summary: Risk Provider response example + id: ruleId + name: Account Management Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + 
appSignOn: + access: ALLOW + verificationMethod: + id: entity_id + type: ID_PROOFING + oamp-id-proofing-policy-rule-response: + summary: Account Management Policy - Account management policy rule with ID proofing enabled + description: This account management policy rule response enables ID proofing for enrollment processes value: - id: 00rp12r4skkjkjgsn - action: log_only - name: Risk-Partner-X - clientId: 00ckjsfgjkdkjdkkljjsd - created: '2021-01-05 22:18:30' - lastUpdated: '2021-01-05 22:18:30' + id: ruleId _links: self: - href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - RoleAssignedUsersResponseExample: - value: - value: - - id: 00u118oQYT4TBGuay0g4 - orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4 - _links: - self: - href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 - roles: - href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles - _links: - next: - href: http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1 - RoleRequest: - value: - label: UserCreator - description: Create users - permissions: - - okta.users.create - - okta.users.read - - okta.groups.read - - okta.users.userprofile.manage - RoleResponse: - value: - id: cr0Yq6IJxGIr0ouum0g3 - label: UserCreator - description: Create users - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - permissions: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 - RolesResponse: - value: - roles: - - id: cr0Yq6IJxGIr0ouum0g3 - label: UserCreator - description: Create users - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - permissions: - href: 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 - - id: cr0Fw7HKcWIroo88m3r1 - label: GroupMembershipManager - description: Manage group membership - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - permissions: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1/permissions - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1 + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Account Management Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + appSignOn: + access: ALLOW + verificationMethod: + id: entity_id + type: ID_PROOFING + orgCommunicationOptInResponse: + summary: Opt in to communication emails + value: + optOutEmailUsers: false _links: - next: - href: https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1 - SimulatePolicyBody: - summary: Simulate policy request body - description: Simulate policy request body + optOut: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optOut + hints: + allow: + - POST + orgCommunicationOptOutResponse: + summary: Opt out of communication emails value: - policyType: - - OKTA_SIGN_ON - - MFA_ENROLL - appInstance: 0oa4eroj3nYCIJIW70g7 - policyContext: - groups: - ids: - - 00g4eralvekR5RLuS0g7 - - 00g4eralvekR5RLuS0g8 - risk: - level: LOW - zones: - ids: - - nzo4eralxcRnbIHYJ0g7 - device: - platform: IOS - registered: true - managed: true - SimulatePolicyResponse: - summary: Simulate policy response body - description: Simulate policy response body + optOutEmailUsers: true + _links: + optIn: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optIn + hints: + allow: + - POST + 
orgContactTypeResponse: + summary: Org Contact Types value: - evaluation: - - status: null - policyType: OkTA_SIGN_ON - result: - policies: - - id: 00p4eromwukk6qUku0g7 - - name: test policy - - status: MATCH - - conditions: [] - - rules: - - id: 0pr4erof85nGcyC7Y0g7 - - name: test rule - - status: MATCH - - conditions: - - type: people.groups.include - - status: MATCH - undefined: - policies: null - evaluated: - policies: null - - status: null - policyType: ACCESS_POLICY - result: - policies: - - id: rst4eram06ZKZewEe0g7 - - name: Any two factors - - status: MATCH - - conditions: [] - - rules: - - id: rul4eram07VsWgybo0g7 - - name: Catch-all rule - - status: MATCH - - conditions: [] - undefined: - policies: null - evaluated: - policies: null - - status: null - policyType: PROFILE_ENROLLMENT - result: - policies: - - id: rst4eram08ZSjPTOl0g7 - - name: Default Policy - - status: MATCH - - conditions: [] - - rules: - - id: rul4eram094PrQ2BX0g7 - - name: Catch-all rule - - status: MATCH - - conditions: [] - undefined: - policies: null - evaluated: - policies: null - ThreatInsightResponseExample: - summary: ThreatInsight response + - contactType: BILLING + _links: + billing: + href: https://{yourOktaDomain}/api/v1/org/contacts/billing + - contactType: TECHNICAL + _links: + technical: + href: https://{yourOktaDomain}/api/v1/org/contacts/technical + orgContactUserResponse: + summary: Contact User value: - action: none - excludeZones: [] - created: '2020-08-05T22:18:30.629Z' - lastUpdated: '2020-08-05T22:18:30.629Z' + userId: 00ux3u0ujW1r5AfZC1d7 _links: - self: - href: https://{yourOktaDomain}/api/v1/threats/configuration + user: + href: https://{yourOktaDomain}/api/v1/users/00ux3u0ujW1r5AfZC1d7 + orgHideFooterPrefResponse: + summary: Hide footer response + value: + showEndUserFooter: false + _links: + showEndUserFooter: + href: https://{yourOktaDomain}/api/v1/org/preferences/showEndUserFooter hints: allow: - - GET - POST - ThreatInsightUpdateRequestExample: - summary: 
ThreatInsight update request + orgShowFooterPrefResponse: + summary: Show footer response value: - action: audit - excludeZones: - - nzo1q7jEOsoCnoKcj0g4 - - nzouagptWUz5DlLfM0g3 - ThreatInsightUpdateResponseExample: - summary: ThreatInsight update response + showEndUserFooter: true + _links: + hideEndUserFooter: + href: https://{yourOktaDomain}/api/v1/org/preferences/hideEndUserFooter + hints: + allow: + - POST + orgSupportSettingsResponse: + summary: Org Support Settings value: - action: audit - excludeZones: - - nzo1q7jEOsoCnoKcj0g4 - - nzouagptWUz5DlLfM0g3 - created: '2020-08-05T22:18:30.629Z' - lastUpdated: '2020-10-13T21:23:10.178Z' + support: ENABLED + expiration: '2024-01-24T11:13:14.000Z' _links: - self: - href: https://{yourOktaDomain}/api/v1/threats/configuration + extend: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/extend hints: allow: - - GET - POST - TriggerSessionResponse: + revoke: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/revoke + hints: + allow: + - POST + orgSupportSettingsRevokeResponse: + summary: Revoked Org Support value: - - id: uij4ri8ZLk0ywyqxB0g4 - identitySourceId: 0oa3l6l6WK6h0R0QW0g4 - status: TRIGGERED - importType: INCREMENTAL - created: 2022-04-04T15:56:05.000Z - lastUpdated: 2022-05-05T18:15:44.000Z - UpdateAppFeatureRequestEx: - summary: Update app Feature request + support: DISABLED + expiration: null + _links: + grant: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/grant + hints: + allow: + - POST + password-policy-response: + summary: PASSWORD value: - create: - lifecycleCreate: - status: ENABLED - update: - lifecycleDeactivate: - status: ENABLED - profile: - status: ENABLED + type: PASSWORD + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + authProvider: + provider: provider + settings: password: - 
status: ENABLED - seed: RANDOM - change: CHANGE - UpdateAppFeatureResponseEx: - summary: Update app Feature response - value: - name: USER_PROVISIONING - status: ENABLED - description: User provisioning settings from Okta to a downstream application - capabilities: - create: - lifecycleCreate: - status: ENABLED - update: - lifecycleDeactivate: - status: ENABLED - profile: - status: ENABLED - password: - status: ENABLED - seed: RANDOM - change: CHANGE + complexity: + minLength: 8 + minLowerCase: 1 + minUpperCase: 1 + minNumber: null + minSymbol: 0 + excludeUsername: true + dictionary: + common: + exclude: false + excludeAttributes: [] + age: + maxAgeDays: 0 + expireWarnDays: 0 + minAgeMinutes: 0 + historyCount: 4 + lockout: + maxAttempts: 0 + autoUnlockMinutes: 0 + userLockoutNotificationChannels: [] + showLockoutFailures: false + recovery: + factors: + recovery_question: + status: ACTIVE + properties: + complexity: + complexity: 4 + okta_email: + status: ACTIVE + properties: + recoveryToken: + tokenLifetimeMinutes: 10080 + okta_sms: + status: INACTIVE + okta_call: + status: INACTIVE + delegation: + options: + skipUnlock: false _links: self: - href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT - UpdateBrandRequest: + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + policy-mapping-list-response: + summary: List all Mappings for a policy value: - customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy - agreeToCustomPrivacyPolicy: true - removePoweredByOkta: true - name: New Name For Brand - emailDomainId: OeD114iNkrcN6aR680g4 - locale: en - defaultApp: - appInstanceId: 0oa114iNkrcN6aR680g4 - appLinkName: null - classicApplicationUri: null - UpdateBrandResponse: + - id: policyId + _links: + application: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + hints: + allow: + - GET + - PUT 
+ - DELETE + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} + hints: + allow: + - GET + - PUT + - DELETE + policy: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + policy-mapping-response: + summary: Policy Mapping for a Policy value: - id: bnd114iNkrcN6aR680g4 - removePoweredByOkta: true - agreeToCustomPrivacyPolicy: true - name: New Name For Brand - isDefault: true - customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy - emailDomainId: OeD114iNkrcN6aR680g4 - defaultApp: - appInstanceId: 0oa114iNkrcN6aR680g4 - appLinkName: null - classicApplicationUri: null - locale: en + id: policyId _links: + application: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + hints: + allow: + - GET + - PUT + - DELETE self: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} hints: allow: - GET - PUT - DELETE - themes: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + policy: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - UpdateEmailDomainRequest: - value: - displayName: IT Admin - userName: noreply - UpdateMappingBody: - summary: Update an existing profile mapping by updating one or more properties + - PUT + - DELETE + postAPIServiceIntegrationRequest: value: - properties: - nickName: - expression: user.honorificPrefix + user.displayName - pushStatus: DONT_PUSH - UpdateMappingResponse: - summary: Update an existing profile mapping by updating one or more properties + type: my_app_cie + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + postAPIServiceIntegrationResponse: + summary: Post response example value: - id: prm1k47ghydIQOTBW0g4 - source: - id: otysbePhQ3yqt4cVv0g3 - name: user - type: user - _links: - self: - href: 
https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 - target: - id: 0oa1qmn4LZQQEH0wZ0g4 - name: okta_org2org - type: appuser - _links: - self: - href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default - properties: - fullName: - expression: user.firstName + user.lastName - pushStatus: PUSH - nickName: - expression: user.honorificPrefix + user.displayName - pushStatus: DONT_PUSH + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read _links: self: - href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 - UpdateUserTypePostRequest: - summary: Update user type request - value: - displayName: Updated Display Name - UpdateUserTypePostResponse: - summary: Update user type response + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + profile-enrollment-policy-response: + summary: PROFILE_ENROLLMENT value: - id: otyfnly5cQjJT9PnR0g4 - displayName: Updated Display Name - name: newUserType - description: A new custom user type - createdBy: sprz9fj1ycBcsgopy1d6 - lastUpdatedBy: sprz9fj1ycBcsgopy1d6 - created: '2021-07-05T20:40:38.000Z' - lastUpdated: '2021-07-05T20:40:38.000Z' - default: false + type: PROFILE_ENROLLMENT + id: policyId + status: ACTIVE + name: Policy name + description: Policy 
description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: null _links: self: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - schema: - href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - UpdatedEmailDomainResponse: - value: - id: OeD114iNkrcN6aR680g4 - validationStatus: NOT_STARTED - displayName: IT Admin - userName: noreply - domain: example.com - dnsValidationRecords: - - recordType: TXT - fqdn: _oktaverification.example.com - verificationValue: 759080212bda43e3bc825a7d73b4bb64 - - recordType: CNAME - fqdn: mail.example.com - verificationValue: u22224444.wl024.sendgrid.net - - recordType: CNAME - fqdn: t02._domainkey.example.com - verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - - recordType: CNAME - fqdn: t022._domainkey.example.com - verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - UserSchemaAddRequest: - value: - definitions: - custom: - id: '#custom' - type: object - properties: - twitterUserName: - title: Twitter username - description: Twitter Username - type: string - required: false - minLength: 1 - maxLength: 20 - permissions: - - principal: SELF - action: READ_WRITE - required: [] - UserSchemaResponse: - value: - id: https://{yourOktaDomain}/meta/schemas/user/default - $schema: http://json-schema.org/draft-04/schema# - name: user - title: Default Okta User - lastUpdated: '2015-09-05T10:40:45.000Z' - created: '2015-02-02T10:27:36.000Z' - definitions: - base: - id: '#base' - type: object - properties: - login: - title: Username - type: string - required: true - minLength: 5 - maxLength: 100 - permissions: - - principal: SELF - action: READ_WRITE - firstName: - title: First name - type: string - required: true - minLength: 1 - maxLength: 50 - permissions: - - principal: SELF - action: READ_WRITE - lastName: - title: Last name - type: string - required: true - minLength: 1 - maxLength: 50 - permissions: - - principal: SELF 
- action: READ_WRITE - email: - title: Primary email - type: string - required: true - format: email - permissions: - - principal: SELF - action: READ_WRITE - required: - - login - - firstName - - lastName - - email - custom: - id: '#custom' - type: object - properties: - twitterUserName: - title: Twitter username - description: User's username for twitter.com - type: string - required: false - minLength: 1 - maxLength: 20 - permissions: - - principal: SELF - action: READ_WRITE - required: [] - type: object - properties: - profile: - allOf: - - $ref: '#/definitions/base' - - $ref: '#/definitions/custom' - VerifiedEmailDomainResponse: - value: - id: OeD114iNkrcN6aR680g4 - validationStatus: VERIFIED - displayName: IT Admin - userName: noreply - domain: example.com - dnsValidationRecords: - - recordType: TXT - fqdn: _oktaverification.example.com - verificationValue: 759080212bda43e3bc825a7d73b4bb64 - - recordType: CNAME - fqdn: mail.example.com - verificationValue: u22224444.wl024.sendgrid.net - - recordType: CNAME - fqdn: t02._domainkey.example.com - verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - - recordType: CNAME - fqdn: t022._domainkey.example.com - verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - WellKnownOrgMetadataResponseClassic: - value: - id: 00o5rb5mt2H3d1TJd0h7 - _links: - organization: - href: https://{{yourOktaDomain}} - pipeline: v1 - settings: - analyticsCollectionEnabled: false - bugReportingEnabled: true - omEnabled: true - WellKnownOrgMetadataResponseCustomUrlOie: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + radius-rule: + summary: Global session policy - Challenge VPN users with Radius + description: This global session policy uses a rule to challenge VPN users with Radius value: - id: 00o47wwoytgsDqEtz0g7 - _links: - organization: - href: 
https://{{yourSubdomain}}.okta.com - alternate: - href: https://{{yourCustomDomain}} - pipeline: idx - settings: - analyticsCollectionEnabled: false - bugReportingEnabled: true - omEnabled: false - activeAPIServiceIntegrationInstanceSecretResponse: - summary: Activate Secret response example + type: SIGN_ON + status: ACTIVE + name: Challenge VPN users + conditions: + network: + connection: ANYWHERE + authContext: + authType: RADIUS + people: + users: + exclude: [] + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: true + primaryFactor: PASSWORD_IDP_ANY_FACTOR + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + radius-rule-response: + summary: Global session policy - Challenge VPN users with Radius + description: The response body from the creation of a global session policy that uses a rule to challenge VPN users with Radius value: - id: ocs2f50kZB0cITmYU0g4 + id: rule8jjozjGMGbHyC1d6 status: ACTIVE - client_secret: '***MQGQ' - secret_hash: 0WOOvBSzV9clc4Nr7Rbaug - created: '2023-04-06T21:32:33.000Z' - lastUpdated: '2023-04-06T21:32:33.000Z' + type: SIGN_ON + name: Challenge VPN users + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + network: + connection: ANYWHERE + authContext: + authType: RADIUS + actions: + signon: + access: ALLOW + requireFactor: true + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE deactivate: - href: 
https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - - POST - inactiveAPIServiceIntegrationInstanceSecretResponse: - summary: Deactivate Secret response example + - GET + - PUT + - DELETE + replace-user-request: value: - id: ocs2f4zrZbs8nUa7p0g4 - status: INACTIVE - client_secret: '***DhOW' - secret_hash: yk4SVx4sUWVJVbHt6M-UPA - created: '2023-02-21T20:08:24.000Z' - lastUpdated: '2023-02-21T20:08:24.000Z' + credentials: + password: + value: tlpWENT2m + recovery_question: + question: Who's a major player in the cowboy scene? + answer: Annie Oakley + provider: + type: OKTA + name: OKTA + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + settingsResponseBaseEx: + value: + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + sign-on-policy-rule: + summary: Sign-on policy - Rule with factor mode always + description: Sign-on policy rule with a factor mode always + value: + type: SIGN_ON + name: Test Sign On + conditions: + network: + connection: ANYWHERE + riskScore: + level: ANY + identityProvider: + provider: ANY + authContext: + authType: ANY + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + sign-on-policy-rule-response: + summary: Sign-on policy - Rule with factor mode always + description: Sign-on policy rule with a factor mode always + value: + type: SIGN_ON + name: Test Sign On + id: 0prh1sd28q5sXGW08697 + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: 
'2024-04-25T17:35:02.000Z' + system: false + status: ACTIVE + conditions: + network: + connection: ANYWHERE + riskScore: + level: ANY + identityProvider: + provider: ANY + authContext: + authType: ANY + people: + users: + exclude: [] + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR _links: - activate: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - - POST - delete: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: + - GET + - PUT - DELETE - newAPIServiceIntegrationInstanceSecretResponse: - summary: New secret response example + skip-factor-challenge-on-prem-rule: + summary: Global session policy - Skip factor challenge for on-prem sign-in use + description: This global session policy uses a rule to skip factor challenge for on-prem sign-in use value: - id: ocs2f50kZB0cITmYU0g4 + type: SIGN_ON status: ACTIVE - client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B - secret_hash: FpCwXwSjTRQNtEI11I00-g - created: '2023-04-06T21:32:33.000Z' - lastUpdated: '2023-04-06T21:32:33.000Z' + name: Skip Factor Challenge when On-Prem + conditions: + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + actions: + signon: + access: ALLOW + requireFactor: false + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + skip-factor-challenge-on-prem-rule-response: + 
summary: Global session policy - Skip factor challenge for on-prem sign-in use + description: The response body from the creation of a global session policy that uses a rule to skip the factor challenge for on-prem sign-in use + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + name: Skip Factor Challenge when On-Prem + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + people: + users: + exclude: [] + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + type: SIGN_ON _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE deactivate: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - - POST - postAPIServiceIntegrationRequest: + - GET + - PUT + - DELETE + sspr-enabled-OAMP: + summary: Password policy - SSPR with Okta account management policy + description: This policy defers to the Okta account management policy to define SSPR authentication requirements. 
value: - type: my_app_cie - grantedScopes: - - okta.logs.read - - okta.groups.read - - okta.users.read - postAPIServiceIntegrationResponse: - summary: Post response example + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-OAMP-response: + summary: Password policy - SSPR with access control set to Okta account management policy value: - id: 0oa72lrepvp4WqEET1d9 - type: my_app_cie - name: My App Cloud Identity Engine - createdAt: '2023-02-21T20:08:24.000Z' - createdBy: 00uu3u0ujW1P6AfZC2d5 - clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg - configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide - grantedScopes: - - okta.logs.read - - okta.groups.read - - okta.users.read + id: ruleId _links: self: - href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET + - PUT - DELETE - client: - href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - - GET - logo: - name: small - href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: 
PASSWORD + sspr-enabled-OAMP-update: + summary: Password policy - SSPR with Okta account management policy + description: This policy defers to the Okta account management policy to define SSPR authentication requirements. + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-no-step-up: summary: Password policy - SSPR with no step up description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required. @@ -21282,7 +45222,6 @@ components: summary: Password policy - SSPR with no step up value: id: ruleId - $ref: '#/components/examples/sspr-enabled-no-step-up/value' _links: self: href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} 
@@ -21296,15 +45235,64 @@ components: hints: allow: - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-no-step-up-update: summary: Password policy - SSPR with no step up description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required. value: id: ruleId - $ref: '#/components/examples/sspr-enabled-no-step-up/value' + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-sq-step-up: - summary: Password policy - SSPR with security question as step up - description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question. + summary: Password policy - SSPR with security question as step-up auth + description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are the initial authenticators, and the secondary authentication is a security question. value: name: SSPR Rule priority: 1 
@@ -21337,7 +45325,6 @@ components: summary: Password policy - SSPR with security question as step up value: id: ruleId - $ref: '#/components/examples/sspr-enabled-sq-step-up/value' _links: self: href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} @@ -21351,12 +45338,65 @@ components: hints: allow: - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-sq-step-up-update: summary: Password policy - SSPR with security question as step up description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question. value: id: ruleId - $ref: '#/components/examples/sspr-enabled-sq-step-up/value' + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-sso-step-up: summary: Password policy - SSPR with any SSO authenticator as step up description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator. 
@@ -21390,7 +45430,6 @@ components: summary: Password policy - SSPR with any SSO authenticator as step up value: id: ruleId - $ref: '#/components/examples/sspr-enabled-sso-step-up/value' _links: self: href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} @@ -21404,12 +45443,61 @@ components: hints: allow: - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-sso-step-up-update: summary: Password policy - SSPR with any SSO authenticator as step up description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator. value: id: ruleId - $ref: '#/components/examples/sspr-enabled-sso-step-up/value' + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-sso-step-up-with-constraints: summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google. 
@@ -21449,27 +45537,487 @@ components: summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint value: id: ruleId - $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints/value' _links: self: - href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: - href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD sspr-enabled-sso-step-up-with-constraints-update: summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google. 
value: id: ruleId - $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints/value' + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + streamConfigurationExample: + summary: SSF Stream configuration example + value: + aud: https://example.com + delivery: + method: urn:ietf:rfc:8935 + endpoint_url: https://example.com + events_delivered: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + format: iss_sub + iss: https://{yourOktaDomain} + min_verification_interval: 0 + stream_id: esc1k235GIIztAuGK0g5 + twofa-enabled-disallow-password-allow-phishing: + summary: Authentication policy - 2FA with granular authentication + description: This two-factor authentication policy uses a rule to disallow passwords and require phishing resistance for possession authenticators for authentication. 
+ value: + name: Passwordless 2FA + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + type: ACCESS_POLICY + twofa-enabled-disallow-password-allow-phishing-response: + summary: Authentication policy - 2FA with granular authentication + description: The rule from a two-factor authentication policy that disallows passwords and requires phishing resistance + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: Passwordless 2FA + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: false + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + required: true + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + twofa-enabled-post-auth-kmsi-disabled: + summary: Authentication policy - 2FA with granular authentication (KMSI disabled) + description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication. 
+ value: + name: 2FA with Post Auth KMSI prompt disabled + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + keepMeSignedIn: + postAuth: NOT_ALLOWED + type: ACCESS_POLICY + twofa-enabled-post-auth-kmsi-disabled-response: + summary: Authentication policy - 2FA with granular authentication (KMSI disabled) + description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication. + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: 2FA with Post Auth KMSI prompt disabled + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: true + keepMeSignedIn: + postAuth: NOT_ALLOWED + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + twofa-enabled-post-auth-kmsi-enabled: + summary: Authentication policy - 2FA with granular authentication (KMSI enabled) + description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication. 
+ value: + name: 2FA with Post Auth KMSI prompt enabled + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + keepMeSignedIn: + postAuth: ALLOWED + postAuthPromptFrequency: P30D + twofa-enabled-post-auth-kmsi-enabled-response: + summary: Authentication policy - 2FA with granular authentication (KMSI enabled) + description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication. + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: 2FA with Post Auth KMSI prompt enabled + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: true + keepMeSignedIn: + postAuth: ALLOWED + postAuthPromptFrequency: PT720H + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + update-auth-policy-rule-condition: + summary: Authentication policy - Update rule with conditions + description: Updates the conditions object on the request body of an authentication policy rule. 
+ value: + type: ACCESS_POLICY + name: Rule with conditions - exclude a group + description: Updated policy rule + conditions: + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + riskScore: + level: ANY + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + include: [] + groups: + include: [] + exclude: + - 00g8vta8qzkxPEfKC1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + elCondition: + condition: security.risk.level == 'HIGH' + update-auth-policy-rule-condition-response: + summary: Authentication policy - Update rule with conditions + description: The response body from an updated conditions object of an authentication policy rule. + value: + id: rulezuo73ySrHndLb1d7 + status: ACTIVE + name: Rule with conditions - exclude a group + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + groups: + exclude: + - 00u7yq5goxNFTiMjW1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + exclude: [] + riskScore: + level: ANY + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + required: true + types: + - password + reauthenticateIn: PT2H + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + 
allow: + - GET + - PUT + - DELETE + update-user-profile-request: + value: + profile: + firstName: Isaac + email: isaac.brock@update.example.com + mobilePhone: 555-415-1337 + update-user-set-password-request: + value: + credentials: + password: + value: uTVM,TPw55 + update-user-set-recovery-question-and-answer: + value: + credentials: + recovery_question: + question: How many roads must a man walk down? + answer: forty two + user-example: + summary: User example + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-06-24T16:39:18.000Z' + activated: '2013-06-24T16:39:19.000Z' + statusChanged: '2013-06-24T16:39:19.000Z' + lastLogin: '2013-06-24T17:39:19.000Z' + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + login: isaac.brock@example.com + firstName: Isaac + lastName: Brock + nickName: issac + displayName: Isaac Brock + email: isaac.brock@example.com + secondEmail: isaac@example.org + profileUrl: http://www.example.com/profile + preferredLanguage: en-US + userType: Employee + organization: Okta + title: Director + division: R&D + department: Engineering + costCenter: '10' + employeeNumber: '187' + mobilePhone: +1-555-415-1337 + primaryPhone: +1-555-514-1337 + streetAddress: 301 Brannan St. + city: San Francisco + state: CA + zipCode: '94107' + countryCode: US + credentials: + password: {} + recovery_question: + question: What's my childhood elementary school? 
+ provider: + type: OKTA + name: OKTA + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA + userNameTemplateResponseBaseEx: + value: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + wellKnownSSFMetadataExample: + summary: Well-Known SSF Metadata example + value: + configuration_endpoint: https://{yourOktaDomain}/api/v1/ssf/stream + delivery_methods_supported: + - https://schemas.openid.net/secevent/risc/delivery-method/push + - urn:ietf:rfc:8935 + issuer: https://{yourOktaDomain} + jwks_uri: https://{yourOktaDomain}/oauth2/v1/keys parameters: + OktaResponse: + name: Content-Type + in: header + description: |- + Specifies the media type of the resource. Optional `okta-response` value can be included for performance optimization. + + Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. + + Enum values for `okta-response`: + * `omitCredentials`: Omits the credentials subobject from the response. + * `omitCredentialsLinks`: Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock. + * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response. + required: false + schema: + type: string + examples: + Omit credentials subobject and credentials links: + value: application/json; okta-response=omitCredentials,omitCredentialsLinks + summary: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization. + Omit credentials, credentials links, and `transitioningToStatus` field: + value: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus" + summary: Omits the credentials, credentials links, and `transitioningToStatus` field from the response. Applies performance optimization. 
UISchemaId: name: id description: The unique ID of the UI Schema @@ -21478,6 +46026,54 @@ components: schema: type: string example: uis4a7liocgcRgcxZ0g7 + appInstanceId: + name: appInstanceId + in: path + description: ID of the AD AppInstance in Okta + schema: + type: string + required: true + assignmentId: + name: assignmentId + description: '`id` of the Realm Assignment' + in: path + required: true + schema: + type: string + example: rul2jy7jLUlnO3ng00g4 + authenticatorEnrollmentId: + name: authenticatorEnrollmentId + in: path + required: true + description: ID for a WebAuthn Preregistration Factor in Okta + schema: + type: string + domain: + name: domain + in: path + description: The okta domain name of your org or one of your custom domains + required: true + schema: + type: string + inlineHookType: + name: type + description: One of the supported inline hook types + in: query + schema: + type: string + enum: + - com.okta.import.transform + - com.okta.oauth2.tokens.transform + - com.okta.saml.tokens.transform + - com.okta.user.credential.password.import + - com.okta.user.pre-registration + - com.okta.telephony.provider + limitParameter: + name: limit + in: query + schema: + type: string + description: Defines the number of policy rules returned. See [Pagination](https://developer.okta.com/docs/api/#pagination). pathApiServiceId: name: apiServiceId in: path @@ -21496,7 +46092,7 @@ components: description: id of the API Token pathAppId: name: appId - description: ID of the Application + description: Application ID in: path required: true schema: 
@@ -21504,11 +46100,20 @@ components: example: 0oafxqCAJWWGELFTYASJ pathAppName: name: appName + description: Application name for the app type in: path required: true schema: type: string example: oidc_client + pathAppUserId: + name: userId + description: ID of an existing Okta user + in: path + required: true + schema: + type: string + example: 00u13okQOVWZJGDOAUVR pathAssociatedServerId: name: associatedServerId description: '`id` of the associated Authorization Server' @@ -21548,6 +46153,14 @@ components: schema: type: string description: The ID of the brand + pathBundleId: + name: bundleId + in: path + schema: + type: string + example: 08ab2db568c7c300079fefd0 + required: true + description: The `id` of a bundle pathCaptchaId: name: captchaId in: path @@ -21571,12 +46184,33 @@ components: schema: type: string example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD + pathClientSecretId: + name: secretId + in: path + schema: + type: string + required: true + description: Unique `id` of the OAuth 2.0 Client Secret + example: ocs2f4zrZbs8nUa7p0g4 pathContactType: name: contactType in: path required: true schema: type: string + description: Type of contact + enum: + - BILLING + - TECHNICAL + example: BILLING + pathCredentialKeyId: + name: keyId + description: '`id` of the certificate key' + in: path + required: true + schema: + type: string + example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk pathCsrId: name: csrId description: '`id` of the CSR' @@ -21596,7 +46230,14 @@ components: in: path name: deviceAssuranceId required: true - description: Id of the Device Assurance Policy + description: Id of the device assurance policy + schema: + type: string + pathDeviceCheckId: + in: path + name: deviceCheckId + required: true + description: Id of the Device Check schema: type: string pathDeviceId: 
@@ -21628,7 +46269,15 @@ components: required: true schema: type: string - description: The ID of the email SMTP Server + description: ID of your SMTP Server configuration + pathEntitlementId: + name: entitlementId + in: path + schema: + type: string + example: 0obfxqCAJWWGELFTYASJ + required: true + description: The `id` of a bundle entitlement pathEventHookId: name: eventHookId description: '`id` of the Event Hook' @@ -21636,10 +46285,10 @@ components: required: true schema: type: string - example: YTDQbItFfFuy9RdHrvly + example: who8vt36qfNpCGz9H1e6 pathFactorId: name: factorId - description: '`id` of the Factor' + description: ID of an existing user Factor in: path required: true schema: @@ -21647,7 +46296,7 @@ components: example: zAgrsaBe0wVGRugDYtdv pathFeatureId: name: featureId - description: '`id` of the Feature' + description: '`id` of the feature' in: path required: true schema: @@ -21658,12 +46307,22 @@ components: description: Name of the Feature in: path required: true + schema: + $ref: '#/components/schemas/ApplicationFeatureType' + pathFirstPartyAppName: + name: appName + description: | + The key name for the Okta app.<br> + Supported apps: + * Okta Admin Console (`admin-console`) + in: path + required: true schema: type: string - example: USER_PROVISIONING + example: admin-console pathGrantId: name: grantId - description: ID of the Grant + description: Grant ID in: path required: true schema: 
@@ -21686,23 +46345,34 @@ components: type: string example: 0pr3f7zMZZHPgUoWO0g4 pathHookKeyId: - name: hookKeyId - description: '`id` of the Hook Key' + name: id + description: ID of the Hook Key in: path required: true schema: type: string example: XreKU5laGwBkjOTehusG + pathId: + name: id + description: '`id`, `login`, or `login shortname` (as long as it is unambiguous) of a user' + in: path + required: true + schema: + type: string pathIdentitySourceId: name: identitySourceId in: path required: true + description: The ID of the Identity Source for which the session is created + example: 0oa3l6l6WK6h0R0QW0g4 schema: type: string pathIdentitySourceSessionId: name: sessionId in: path required: true + description: The ID of the Identity Source Session + example: aps1qqonvr2SZv6o70h8 schema: type: string pathIdpCsrId: @@ -21720,15 +46390,7 @@ components: required: true schema: type: string - example: SVHoAOh0l8cPQkVX1LRl - pathIdpKeyId: - name: idpKeyId - description: '`id` of IdP Key' - in: path - required: true - schema: - type: string - example: KmMo85SSsU7TZzOShcGb + example: 0oa62bfdjnK55Z5x80h7 pathInlineHookId: name: inlineHookId description: '`id` of the Inline Hook' @@ -21737,6 +46399,14 @@ components: schema: type: string example: Y7Rzrd4g4xj6WdKzrBHH + pathJsonWebKeyId: + name: keyId + in: path + schema: + type: string + required: true + description: Unique `id` of the OAuth 2.0 Client JSON Web Key + example: pks2f4zrZbs8nUa7p0g4 pathKeyId: name: keyId description: ID of the Key Credential for the application 
@@ -21745,15 +46415,24 @@ components: schema: type: string example: sjP9eiETijYz110VkhHN + pathKid: + name: kid + description: Unique `id` of the IdP Key Credential + in: path + required: true + schema: + type: string + example: KmMo85SSsU7TZzOShcGb pathLifecycle: name: lifecycle - description: Whether to `enable` or `disable` the feature + description: Whether to `ENABLE` or `DISABLE` the feature in: path required: true schema: $ref: '#/components/schemas/FeatureLifecycle' pathLinkedObjectName: name: linkedObjectName + description: Primary or Associated name in: path required: true schema: @@ -21787,10 +46466,10 @@ components: type: string example: irb1qe6PGuMc7Oh8N0g4 required: true - description: '`id` of a member' + description: '`id` of the Member' pathMethodType: name: methodType - description: Type of the authenticator method + description: Type of authenticator method in: path required: true schema: @@ -21801,6 +46480,12 @@ components: required: true schema: $ref: '#/components/schemas/NotificationType' + pathOAuthProvisioningAppName: + name: appName + in: path + required: true + schema: + $ref: '#/components/schemas/OAuthProvisioningEnabledApp' pathOperation: name: operation in: path @@ -21848,18 +46533,19 @@ components: required: true pathPrimaryRelationshipName: name: primaryRelationshipName + description: Name of the `primary` relationship being assigned in: path required: true schema: type: string + example: manager pathPrimaryUserId: name: primaryUserId - description: '`id` of primary User' + description: User ID to be assigned to the `primary` relationship for the `associated` user in: path required: true schema: type: string - example: ctxeQ5JnAVdGFBB7Zr7W pathPrincipalRateLimitId: name: principalRateLimitId in: path 
@@ -21869,8 +46555,8 @@ components: required: true description: id of the Principal Rate Limit pathPublicKeyId: - name: publicKeyId - description: '`id` of the Public Key' + name: keyId + description: id" of the Public Key in: path required: true schema: @@ -21883,6 +46569,20 @@ components: description: Id of the push provider schema: type: string + pathQueryRoleExpand: + name: expand + description: 'An optional parameter used to return targets configured for the standard Role Assignment in the `embedded` property. Supported values: `targets/groups` or `targets/catalog/apps`' + in: query + required: false + schema: + type: string + examples: + groupTarget: + value: targets/groups + summary: Return Group targets + appTarget: + value: targets/catalog/apps + summary: Return App targets pathRealmId: name: realmId description: '`id` of the Realm' @@ -21893,10 +46593,18 @@ components: example: vvrcFogtKCrK9aYq3fgV pathRelationshipName: name: relationshipName + description: Name of the `primary` or `associated` relationship being queried in: path required: true schema: type: string + examples: + manager: + value: manager + summary: Example of a `primary` name + subordinate: + value: subordinate + summary: Example of an `associated` name pathResourceId: name: resourceId in: path @@ -21904,15 +46612,23 @@ components: type: string example: ire106sQKoHoXXsAe0g4 required: true - description: '`id` of a resource' - pathResourceSetId: - name: resourceSetId + description: '`id` of the Resource' + pathResourceSelectorId: + name: resourceSelectorId + in: path + schema: + type: string + example: rsl1hx31gVEa6x10v0g5 + required: true + description: '`id` of a Resource Selector' + pathResourceSetIdOrLabel: + name: resourceSetIdOrLabel in: path schema: type: string example: iamoJDFKaJxGIr0oamd9g required: true - description: '`id` of a Resource Set' + description: '`id` or `label` the Resource Set' pathRiskProviderId: name: riskProviderId in: path 
@@ -21921,9 +46637,17 @@ components: example: 00rp12r4skkjkjgsn required: true description: '`id` of the Risk Provider object' + pathRoleAssignmentId: + name: roleAssignmentId + description: The `id` of the role assignment + in: path + required: true + schema: + type: string + example: JBCUYUC7IRCVGS27IFCE2SKO pathRoleId: name: roleId - description: '`id` of the Role' + description: '`id` of the role' in: path required: true schema: @@ -21936,11 +46660,11 @@ components: type: string example: cr0Yq6IJxGIr0ouum0g3 required: true - description: '`id` or `label` of the role' + description: '`id` or `label` of the Role' pathRoleRef: name: roleRef in: path - description: A reference to an existing role. Standard roles require a `roleType`, while Custom Roles require a `roleId`. See [Standard Role Types](https://developer.okta.com/docs/concepts/role-assignment/#standard-role-types). + description: A reference to an existing role. Standard roles require a `roleType`, while Custom Roles require a `roleId`. See [Standard Roles](/openapi/okta-management/guides/roles/#standard-roles). required: true schema: oneOf: @@ -21985,6 +46709,14 @@ components: required: true schema: type: string + pathSecurityEventProviderId: + name: securityEventProviderId + in: path + schema: + type: string + example: sse1qg25RpusjUP6m0g5 + required: true + description: '`id` of the Security Events Provider instance' pathSessionId: name: sessionId description: '`id` of the Session' @@ -21993,6 +46725,14 @@ components: schema: type: string example: l7FbDVqS8zHSy65uJD85 + pathSubmissionId: + name: submissionId + description: OIN Integration ID + in: path + required: true + schema: + type: string + example: acme_submissionapp_1 pathTargetGroupId: name: targetGroupId in: path 
@@ -22032,7 +46772,7 @@ components: example: sHHSth53yJAyNSTQKDJZ pathTransactionId: name: transactionId - description: '`id` of the Transaction' + description: ID of an existing Factor verification transaction in: path required: true schema: @@ -22062,10 +46802,29 @@ components: required: true pathUserId: name: userId + description: ID of an existing Okta user in: path required: true schema: type: string + example: 00ub0oNGTSWTBKOLGLNR + pathUserIdOrLogin: + name: userIdOrLogin + description: |- + If for the `self` link, the ID of the User for whom you want to get the primary User ID. If for the `associated` relation, the User ID or login value of the User assigned the associated relationship. + + This can be `me` to represent the current session User. + in: path + required: true + schema: + type: string + examples: + manager: + value: 00u5zex6ztMbOZhF50h7 + summary: Example ID of `primary` + subordinate: + value: 00u5zex6ztMbOZhF50h7 + summary: Example ID of `associated` pathZoneId: name: zoneId in: path 
@@ -22074,19 +46833,89 @@ components: required: true description: '`id` of the Network Zone' example: nzowc1U5Jh5xuAK0o0g3 + privilegedAccountId: + name: id + in: path + description: ID of an existing Privileged Account + required: true + schema: + type: string + privilegedResourceId: + name: id + in: path + description: ID of an existing privileged resource + required: true + schema: + type: string queryAfter: name: after in: query schema: type: string - description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information. - queryExpand: + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). + queryAppAfter: + name: after + in: query + description: Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](/#pagination). + schema: + type: string + example: 16275000448691 + queryAppGrantsExpand: name: expand in: query - description: 'An optional parameter to include scope details in the `_embedded` attribute. Valid value: `scope`' + description: 'An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`' schema: type: string example: scope + queryAppLimit: + name: limit + in: query + schema: + type: integer + format: int32 + minimum: 1 + maximum: 500 + default: 50 + description: | + Specifies the number of objects to return per page. + If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). + See [Pagination](/#pagination). 
+ queryAppUserExpand: + name: expand + in: query + description: |- + An optional query parameter to return the corresponding [User](/openapi/okta-management/management/tag/User/) object in the `_embedded` property. + Valid value: `user` + schema: + type: string + example: user + queryAppUserQ: + name: q + in: query + schema: + type: string + example: sam + description: | + Specifies a filter for the list of Application Users returned based on their profile attributes. + The value of `q` is matched against the beginning of the following profile attributes: `userName`, `firstName`, `lastName`, and `email`. + This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the attribute values. + > **Note:** For OIDC apps, user profiles don't contain the `firstName` or `lastName` attributes. Therefore, the query only matches against the `userName` or `email` attributes. + queryAppsExpand: + name: expand + in: query + description: |- + An optional parameter used for link expansion to embed more resources in the response. + Only supports `expand=user/{userId}` and must be used with the `user.id eq "{userId}"` filter query for the same user. + Returns the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. + schema: + type: string + example: user/0oa1gjh63g214q0Hq0g4 + queryExpand: + name: expand + in: query + schema: + type: string + description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' queryExpandBrand: name: expand in: query 
@@ -22152,6 +46981,61 @@ components: description: Searches the records for matching value schema: type: string + queryGroupAssignmentLimit: + name: limit + in: query + description: |- + Specifies the number of objects to return per page. + If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). + See [Pagination](/#pagination). + examples: + min: + value: 20 + summary: Minimum limit value + hundred: + value: 100 + summary: Sample limit value + max: + value: 200 + summary: Maximum limit value + schema: + type: integer + format: int32 + default: 20 + minimum: 20 + maximum: 200 + queryGroupAssignmentWithGroupExpand: + name: expand + in: query + description: |- + An optional query parameter to return the corresponding assigned [Group](/openapi/okta-management/management/tag/Group/) or + the group assignment metadata details in the `_embedded` property. + schema: + type: string + example: group + examples: + group: + value: group + summary: Embedded assigned Group + metadata: + value: metadata + summary: Embedded group assignment metadata + queryGroupAssignmentWithMetadataExpand: + name: expand + in: query + description: |- + An optional query parameter to return the corresponding assigned [Group](/openapi/okta-management/management/tag/Group/) or + the group assignment metadata details in the `_embedded` property. + schema: + type: string + example: metadata + examples: + group: + value: group + summary: Embedded assigned Group + metadata: + value: metadata + summary: Embedded group assignment metadata queryLanguage: name: language schema: 
@@ -22189,24 +47073,90 @@ components: schema: type: boolean required: false + queryUserExpand: + name: expand + in: query + description: 'An optional parameter to include metadata in the `_embedded` attribute. Valid value: `blocks`' + required: false + schema: + type: string + example: blocks simulateParameter: name: expand - description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition was (not) matched. + description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition wasn't matched. in: query schema: type: string - example: expand=EVALUATED&expand=RULE + example: EVALUATED + yubikeyTokenId: + name: tokenId + description: ID of a Yubikey token + in: path + required: true + schema: + type: string + example: ykkxdtCA1fKVxyu6R0g3 requestBodies: AuthenticatorRequestBody: content: application/json: schema: - $ref: '#/components/schemas/Authenticator' + $ref: '#/components/schemas/AuthenticatorBase' examples: Duo: $ref: '#/components/examples/AuthenticatorRequestDuo' required: true responses: + ErrorAppUserForbidden403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AppUserProvEx: + $ref: '#/components/examples/ErrorAppUserForbiddenAction' + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorAppUserUpdateBadRequest400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/ErrorAppUserUpdateBadRequest' + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + AuthenticatorResponse: + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorBase' + examples: + Duo: + $ref: 
'#/components/examples/AuthenticatorResponseDuo' + Email: + $ref: '#/components/examples/AuthenticatorResponseEmail' + Password: + $ref: '#/components/examples/AuthenticatorResponsePassword' + Phone: + $ref: '#/components/examples/AuthenticatorResponsePhone' + WebAuthn: + $ref: '#/components/examples/AuthenticatorResponseWebAuthn' + SecurityQuestion: + $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion' + AuthenticatorResponseInactiveWebAuthn: + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorBase' + examples: + WebAuthn: + $ref: '#/components/examples/AuthenticatorResponseInactiveWebAuthn' ErrorApiValidationFailed400: description: Bad Request content: 
@@ -22261,26 +47211,121 @@ components: examples: TooManyRequests: $ref: '#/components/examples/ErrorTooManyRequests' - AuthenticatorResponse: + Error502NoConnectedAgents: + description: There are no connected agents. + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AgentTimeOut: + $ref: '#/components/examples/ErrorAgentTimeOut' + Error504AgentTimeOut: + description: Timed out waiting for agent. + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AgentTimeOut: + $ref: '#/components/examples/ErrorNoConnectedAgents' + DRStatusResponse: description: OK content: application/json: schema: - $ref: '#/components/schemas/Authenticator' + description: List of domains and their disaster recovery status + type: array + items: + $ref: '#/components/schemas/DRStatusItem' + headers: + Link: + description: A link to the next page of responses + schema: + type: string + ErrorResponse: + description: | + 400 - When request validation fails <br> + 401 - When the user is not authenticated or the feature is not enabled <br> + 403 - When the user is not authorized <br> + 429 - When rate limits are exceeded <br> + 500 - When an internal server error is encountred <br> + 501 - When the operation is not supported <br> + content: + application/json: + schema: + $ref: '#/components/schemas/ErrorResponse' + GetFactorResponse: + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactor' examples: - Duo: - $ref: '#/components/examples/AuthenticatorResponseDuo' + SMS: + $ref: '#/components/examples/FactorResponseSms' Email: - $ref: '#/components/examples/AuthenticatorResponseEmail' - Password: - $ref: '#/components/examples/AuthenticatorResponsePassword' - Phone: - $ref: '#/components/examples/AuthenticatorResponsePhone' - WebAuthn: - $ref: '#/components/examples/AuthenticatorResponseWebAuthn' - SecurityQuestion: - $ref: 
'#/components/examples/AuthenticatorResponseSecurityQuestion' + $ref: '#/components/examples/FactorEmail' + Error-FF-NotEnabled-Response-401: + description: Unauthorized + content: + application/json: + examples: + Unauthorized: + value: + errorCode: E0000015 + errorSummary: You do not have permission to access the feature you are requesting + errorLink: E0000015 + errorId: oaeStOuPPxDRUm3PJhf-tL7bQ + errorCauses: [] + ErrorInternalServer500: + description: Internal Server Error + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InternalServerError: + $ref: '#/components/examples/ErrorInternalServer' + NzErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/NzErrorApiValidationFailed' + NzErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/NzErrorResourceNotFound' schemas: + AAGUIDGroupObject: + description: | + <x-lifecycle class="ea"></x-lifecycle> + The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + + This feature has several limitations when enrolling a security key: + - Enrollment is currently unsupported on Firefox. + - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key. + - If prompted during enrollment, users must allow Okta to see the make and model of the security key. + type: object + properties: + aaguids: + description: A list of YubiKey hardware FIDO2 Authenticator Attestation Global Unique Identifiers (AAGUIDs). 
The available [AAGUIDs](https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs) (opens new window) are provided by the FIDO Alliance Metadata Service. + type: array + items: + type: string + description: AAGUID + name: + type: string + description: A name to identify the group of YubiKey hardware FIDO2 AAGUIDs APIServiceIntegrationInstance: type: object properties: @@ -22417,10 +47462,31 @@ components: - type: object properties: conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + type: string + description: Policy conditions aren't supported. Conditions are applied at the rule level for this policy type. + default: null + nullable: true + _embedded: + type: object + properties: + resourceType: + type: string + description: The resource that this policy controls. For the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/#example-response), `END_USER_ACCOUNT_MANAGEMENT` is returned. For other policies, `APP` is returned. + additionalProperties: + type: object + properties: {} AccessPolicyConstraint: type: object properties: + authenticationMethods: + description: This property specifies the precise authenticator and method for authentication. <x-lifecycle class="oie"></x-lifecycle> + type: array + items: + $ref: '#/components/schemas/AuthenticationMethodObject' + excludedAuthenticationMethods: + description: This property specifies the precise authenticator and method to exclude from authentication. <x-lifecycle class="oie"></x-lifecycle> + items: + $ref: '#/components/schemas/AuthenticationMethodObject' methods: description: The Authenticator methods that are permitted items: 
@@ -22443,6 +47509,9 @@ components: reauthenticateIn: description: The duration after which the user must re-authenticate regardless of user activity. This re-authentication interval overrides the Verification Method object's `reauthenticateIn` interval. The supported values use ISO 8601 period format for recurring time intervals (for example, `PT1H`). type: string + required: + description: This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for `excludedAuthenticationMethods` the `required` value is false. <x-lifecycle class="oie"></x-lifecycle> + type: boolean types: description: The Authenticator types that are permitted items: 
@@ -22456,36 +47525,6 @@ components: - APP - FEDERATED type: array - authenticationMethods: - x-okta-lifecycle: - features: - - ASSURANCE_GRANULAR_AUTHENTICATOR_CONSTRAINTS - description: This property specifies the precise authenticator and method for authentication. - type: array - items: - $ref: '#/components/schemas/AuthenticationMethodObject' - excludedAuthenticationMethods: - x-okta-lifecycle: - features: - - ASSURANCE_GRANULAR_AUTHENTICATOR_CONSTRAINTS - description: This property specifies the precise authenticator and method to exclude from authentication. - items: - $ref: '#/components/schemas/AuthenticationMethodObject' - required: - x-okta-lifecycle: - features: - - ASSURANCE_GRANULAR_AUTHENTICATOR_CONSTRAINTS - description: This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for`excludedAuthenticationMethods` the `required` value is false. - type: boolean - AuthenticationMethodObject: - type: object - properties: - key: - type: string - description: A label that identifies the authenticator - method: - type: string - description: Specifies the method used for the authenticator AccessPolicyConstraints: type: object properties: @@ -22493,6 +47532,10 @@ components: $ref: '#/components/schemas/KnowledgeConstraint' possession: $ref: '#/components/schemas/PossessionConstraint' + AccessPolicyLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app access policy resource AccessPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' 
@@ -22513,24 +47556,39 @@ components: type: object properties: access: - type: string + $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOnAccess' verificationMethod: $ref: '#/components/schemas/VerificationMethod' + AccessPolicyRuleApplicationSignOnAccess: + type: string + enum: + - ALLOW + - DENY AccessPolicyRuleConditions: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - type: object properties: device: $ref: '#/components/schemas/DeviceAccessPolicyRuleCondition' elCondition: $ref: '#/components/schemas/AccessPolicyRuleCustomCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + platform: + $ref: '#/components/schemas/PlatformPolicyRuleCondition' + riskScore: + $ref: '#/components/schemas/RiskScorePolicyRuleCondition' userType: $ref: '#/components/schemas/UserTypeCondition' AccessPolicyRuleCustomCondition: properties: condition: type: string + description: expression to match + required: + - condition AcsEndpoint: description: An array of ACS endpoints. You can configure a maximum of 100 endpoints. type: object 
@@ -22547,19 +47605,28 @@ components: required: - url - index - ActivateFactorRequest: + Actions: type: object properties: - attestation: - type: string - clientData: - type: string - passCode: - type: string - registrationData: - type: string - stateToken: - type: string + assignUserToRealm: + $ref: '#/components/schemas/AssignUserToRealm' + AdminConsoleSettings: + title: Okta Admin Console Settings + description: Settings specific to the Okta Admin Console + type: object + properties: + sessionIdleTimeoutMinutes: + description: The maximum idle time before the Okta Admin Console session expires. Must be no more than 12 hours. + type: integer + minimum: 5 + maximum: 720 + default: 15 + sessionMaxLifetimeMinutes: + description: The absolute maximum session lifetime of the Okta Admin Console. Must be no more than 7 days. + type: integer + minimum: 5 + maximum: 10080 + default: 720 Agent: description: Agent details type: object @@ -22590,6 +47657,15 @@ components: type: string _links: $ref: '#/components/schemas/LinksSelf' + AgentAction: + description: Details about the AD Group membership update + type: object + properties: + id: + type: string + description: ID of the AD group to update + parameters: + $ref: '#/components/schemas/Parameters' AgentPool: description: An AgentPool is a collection of agents that serve a common purpose. An AgentPool has a unique ID within an org, and contains a collection of agents disjoint to every other AgentPool (i.e. no two AgentPools share an Agent). type: object 
@@ -22689,12 +47765,45 @@ components: - Scheduled - Success AllowedForEnum: + description: The allowed types of uses for the Authenticator type: string enum: - any - none - recovery - sso + AndroidZeroTrust: + description: Android Zero Trust integration provider + type: object + properties: + deviceIntegrityLevel: + $ref: '#/components/schemas/DeviceIntegrity' + networkProxyDisabled: + description: Indicates whether a device has a network proxy disabled + type: boolean + playProtectVerdict: + $ref: '#/components/schemas/PlayProtectVerdict' + requireMajorVersionUpdate: + description: | + Indicates whether the device needs to be on the latest major version available to the device + + **Note:** This option requires an `osVersion.dynamicVersionRequirement` value to be supplied with the `osVersion.dynamicVersionRequirement.type` as either `MINIMUM` or `EXACT`. + type: boolean + requirePatchVersionUpdate: + description: | + Indicates whether the device needs to be on the latest patch version available to the device + + **Note:** This property mirrors `osVersion.dynamicVersionRequirement.latestSecurityPatch` and is meant for informational purposes only. + type: boolean + readOnly: true + screenLockComplexity: + $ref: '#/components/schemas/ScreenLockComplexity' + usbDebuggingDisabled: + description: Indicates whether Android Debug Bridge (adb) over USB is disabled + type: boolean + wifiSecured: + description: Indicates whether a device is on a password-protected Wi-Fi network + type: boolean ApiToken: title: API Token description: An API token for an Okta User. This token is NOT scoped any further and can be used for any API the user has permissions to call. 
@@ -22720,6 +47829,23 @@ components: readOnly: true name: type: string + network: + type: object + description: The Network Condition of the API Token + properties: + connection: + type: string + description: The connection type of the Network Condition + include: + type: array + description: List of included IP network zones + items: + type: string + exclude: + type: array + description: List of excluded IP network zones + items: + type: string tokenWindow: $ref: '#/components/schemas/TimeDuration' userId: 
@@ -22728,6 +47854,82 @@ components: $ref: '#/components/schemas/LinksSelf' required: - name + ApiTokenUpdate: + title: API Token Update + description: An API Token Update Object for an Okta user. This token is NOT scoped any further and can be used for any API that the user has permissions to call. + type: object + properties: + clientName: + type: string + description: The client name associated with the API Token + readOnly: true + created: + type: string + description: The creation date of the API Token + format: date-time + readOnly: true + name: + type: string + description: The name associated with the API Token + network: + type: object + description: The Network Condition of the API Token + properties: + connection: + type: string + description: The connection type of the Network Condition + include: + type: array + description: List of included IP network zones + items: + type: string + exclude: + type: array + description: List of excluded IP network zones + items: + type: string + userId: + type: string + description: The userId of the user who created the API Token + AppAccountContainerDetails: + description: Container details for resource type APP_ACCOUNT + type: object + properties: + appName: + type: string + description: The application name + readOnly: true + example: google + containerId: + type: string + description: The application ID associated with the privileged account + example: 0oa103099SBEb3Z2b0g4 + displayName: + type: string + description: Human-readable name of the container that owns the privileged resource + readOnly: true + example: Google App1 + globalAppId: + type: string + description: The application global ID + readOnly: true + example: 964b82aa-85b4-5645-b790-83312c473480 + passwordPushSupported: + type: boolean + description: Indicates if the application supports password push + readOnly: true + example: true + provisioningEnabled: + type: boolean + description: Indicates if provisioning is enabled for this application + 
readOnly: true + example: true + status: + $ref: '#/components/schemas/AppInstanceContainerStatus' + _links: + $ref: '#/components/schemas/appLink' + required: + - containerId AppAndInstanceConditionEvaluatorAppOrInstance: type: object properties: @@ -22745,17 +47947,55 @@ components: properties: exclude: type: array + description: The list of applications to exclude items: $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' include: type: array + description: The list of apps or app instances to match on items: $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' AppAndInstanceType: + description: Type of app type: string enum: - APP - APP_TYPE + AppCsrPkcs10: + description: Base64URL-encoded CSR in DER format + format: base64 + type: string + AppCustomHrefObject: + type: object + properties: + hints: + type: object + description: Describes allowed HTTP verbs for the `href` + properties: + allow: + type: array + items: + type: string + href: + type: string + description: Link URI + title: + type: string + description: Link name + type: + type: string + description: The media type of the link. If omitted, it is implicitly `application/json`. + required: + - href + readOnly: true + AppInstanceContainerStatus: + description: Current status of the application instance + type: string + enum: + - ACTIVE + - DELETED + - INACTIVE + readOnly: true AppInstancePolicyRuleCondition: type: object properties: 
@@ -22800,32 +48040,41 @@ components: sortOrder: type: integer readOnly: true + AppResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: + type: string + description: Link name + example: My App AppUser: title: Application User - description: The App User object defines a user's app-specific profile and credentials for an app. + description: The Application User object defines a user's app-specific profile and credentials for an app type: object properties: created: - type: string - description: Timestamp when the App User object was created - format: date-time - readOnly: true - example: '2014-06-24T15:27:59.000Z' + allOf: + - $ref: '#/components/schemas/createdProperty' + - example: '2014-06-24T15:27:59.000Z' credentials: $ref: '#/components/schemas/AppUserCredentials' externalId: type: string description: |- - The ID of the user in the target app that's linked to the Okta App User object. + The ID of the user in the target app that's linked to the Okta Application User object. This value is the native app-specific identifier or primary key for the user in the target app. - The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user has been successfully created in the target app. + The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user is created in the target app. This value isn't populated for SSO app assignments (for example, SAML or SWA) because it isn't synchronized with a target app. readOnly: true example: 70c14cc17d3745e8a9f98d599a68329c id: type: string - description: Unique identifier of the App User object (only required for apps with `signOnMode` or authentication schemes that don't require credentials) + description: Unique identifier for the Okta User example: 00u11z6WHMYCGPCHCRFK lastSync: type: string 
@@ -22834,14 +48083,12 @@ components: readOnly: true example: '2014-06-24T15:27:59.000Z' lastUpdated: - type: string - description: Timestamp when App User was last updated - format: date-time - readOnly: true - example: '2014-06-24T15:28:14.000Z' + allOf: + - $ref: '#/components/schemas/lastUpdatedProperty' + - example: '2014-06-24T15:28:14.000Z' passwordChanged: type: string - description: Timestamp when the App User password was last changed + description: Timestamp when the Application User password was last changed format: date-time readOnly: true nullable: true @@ -22850,7 +48097,7 @@ components: $ref: '#/components/schemas/AppUserProfile' scope: type: string - description: Toggles the assignment between user or group scope + description: Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`). enum: - USER - GROUP @@ -22859,7 +48106,7 @@ components: $ref: '#/components/schemas/AppUserStatus' statusChanged: type: string - description: Timestamp when the App User status was last changed + description: Timestamp when the Application User status was last changed format: date-time readOnly: true example: '2014-06-24T15:28:14.000Z' 
@@ -22867,34 +48114,46 @@ components: $ref: '#/components/schemas/AppUserSyncState' _embedded: type: object - description: Embedded resources related to the App User using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + description: Embedded resources related to the Application User using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/LinksAppAndUser' - required: - - created - - lastUpdated - - scope - - status - - statusChanged - - _links + AppUserAssignRequest: + allOf: + - $ref: '#/components/schemas/AppUser' + - required: + - id AppUserCredentials: - description: Specifies a user's credentials for the app. The authentication scheme of the app determines whether a username or password can be assigned to a user. + description: | + Specifies a user's credentials for the app. + This parameter can be omitted for apps with [sign-on mode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/signOnMode&t=response) (`signOnMode`) or [authentication schemes](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/credentials/scheme&t=response) (`credentials.scheme`) that don't require credentials. type: object properties: password: $ref: '#/components/schemas/AppUserPasswordCredential' userName: type: string - description: Username for the app + description: |- + The user's username in the app + + > **Note:** The [userNameTemplate](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/userNameTemplate&t=request) in the Application object defines the default username generated when a user is assigned to that app. 
+ > If you attempt to assign a username or password to an app with an incompatible [authentication scheme](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/scheme&t=request), the following error is returned: + > "Credentials should not be set on this resource based on the scheme." minLength: 1 maxLength: 100 - example: testuser + example: testuser@example.com + AppUserCredentialsRequestPayload: + title: Credentials + description: Updates the assigned user credentials + type: object + properties: + credentials: + $ref: '#/components/schemas/AppUserCredentials' AppUserPasswordCredential: - description: Specifies a password for a user. This is a write-only property. An empty `password` object is returned to indicate that a password value exists. + description: The user's password. This is a write-only property. An empty `password` object is returned to indicate that a password value exists. type: object properties: value: 
@@ -22903,17 +48162,24 @@ components: format: password writeOnly: true AppUserProfile: - description: |- - App user profiles are app-specific and can be customized by the Profile Editor in the Admin Console. - SSO apps typically don't support app user profiles, while apps with user provisioning features have app-specific profiles. + description: | + Specifies the default and custom profile properties for a user. Properties that are visible in the Admin Console for an app assignment can also be assigned through the API. Some properties are reference properties that are imported from the target app and can't be configured. - additionalProperties: - type: object - properties: {} + See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response). + additionalProperties: true + type: object + AppUserProfileRequestPayload: + title: Profile + description: |- + Updates the assigned user profile + > **Note:** The Okta API currently doesn't support entity tags for conditional updates. As long as you're the only user updating the the user profile, Okta recommends you fetch the most recent profile with [Retrieve an Application User](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/getApplicationUser), apply your profile update, and then `POST` back the updated profile. type: object + properties: + profile: + $ref: '#/components/schemas/AppUserProfile' AppUserStatus: - description: Status of an App User + description: Status of an Application User example: ACTIVE type: string enum: 
@@ -22931,24 +48197,24 @@ components: - SUSPENDED - UNASSIGNED x-enumDescriptions: - ACTIVE: The App User is provisioned and is enabled to use the app. This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` feature enabled and user import is confirmed, or if the app doesn't have provisioning enabled. - INACTIVE: The App User is provisioned, but isn't enabled to use the app. App Users in this status can be reactivated with a password reset or permanently deleted. - IMPORTED: The App User is created based on imported data. - MATCHED: The imported user is matched with an existing App User. - UNASSIGNED: The App User was imported, but the user-matching operation was skipped. - SUSPENDED: The App User is provisioned, but isn't enabled to use the app. App Users in this status can be reactivated without a password reset. - PENDING: The App User is provisioned, but in a pending state and can't use the app. The status moves to `ACTIVE` when the App User is activated. - APPROVED: The App User was created but not provisioned. This status can occur when manual provisioning acknowledgment is required. - REVOKED: The App User is disabled and waiting for deprovisioning acknowledgment. The App User can be deleted after deprovisioning acknowledgment. - IMPLICIT: The App User is now migrated to use implicit app assignment. - STAGED: The App User doesn't have `externalId` set and the background provisioning operation is queued. This applies to apps with the `PUSH_NEW_USERS` feature enabled. - PROVISIONED: The background provisioning operation completed and the App User was assigned an `externalId` successfully. + ACTIVE: The Application User is provisioned and is enabled to use the app. This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` feature enabled and user import is confirmed, or if the app doesn't have provisioning enabled. + INACTIVE: The Application User is provisioned, but isn't enabled to use the app. 
Application Users in this status can be reactivated with a password reset or permanently deleted. + IMPORTED: The Application User is created based on imported data. + MATCHED: The imported user is matched with an existing Application User. + UNASSIGNED: The Application User was imported, but the user-matching operation was skipped. + SUSPENDED: The Application User is provisioned, but isn't enabled to use the app. Application Users in this status can be reactivated without a password reset. + PENDING: The Application User is provisioned, but in a pending state and can't use the app. The status moves to `ACTIVE` when the Application User is activated. + APPROVED: The Application User was created but not provisioned. This status can occur when manual provisioning acknowledgment is required. + REVOKED: The Application User is disabled and waiting for deprovisioning acknowledgment. The Application User can be deleted after deprovisioning acknowledgment. + IMPLICIT: The Application User is now migrated to use implicit app assignment. + STAGED: The Application User doesn't have `externalId` set and the background provisioning operation is queued. This applies to apps with the `PUSH_NEW_USERS` feature enabled. + PROVISIONED: The background provisioning operation completed and the Application User was assigned an `externalId` successfully. DEPROVISIONED: The user was removed by the provisioning operation and the `externalId` property is unassigned. readOnly: true AppUserSyncState: description: |- - The synchronization state for the App User. - The App User's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app. + The synchronization state for the Application User. + The Application User's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app. > **Note:** User provisioning currently must be configured through the Admin Console. example: SYNCHRONIZED 
@@ -22961,11 +48227,36 @@ components: - SYNCING x-enumDescriptions: DISABLED: The provisioning feature is disabled for the app (`PROFILE_MASTERING` feature is disabled). - OUT_OF_SYNC: The App User has changes that haven't been pushed to the target app. + OUT_OF_SYNC: The Application User has changes that haven't been pushed to the target app. SYNCING: A background provisioning operation is running to update the user's profile in the target app. - SYNCHRONIZED: All changes to the App User profile have successfully been synchronized with the target app. + SYNCHRONIZED: All changes to the Application User profile have successfully been synchronized with the target app. ERROR: A background provisioning operation failed to update the user's profile in the target app. You must resolve the provisioning task in the Admin Console before you retry the operation. readOnly: true + AppUserUpdateRequest: + oneOf: + - $ref: '#/components/schemas/AppUserCredentialsRequestPayload' + - $ref: '#/components/schemas/AppUserProfileRequestPayload' + AppleClientSigning: + description: |- + Information used to generate the secret JSON Web Token for the token requests to Apple IdP + > **Note:** The `privateKey` property is required for a CREATE request. For an UPDATE request, it can be null and keeps the existing value if it's null. The `privateKey` property isn't returned for LIST and GET requests or UPDATE requests if it's null. 
+ type: object + properties: + kid: + type: string + description: The Key ID that you obtained from Apple when you created the private key for the client + maxLength: 1024 + example: test key id + privateKey: + type: string + description: The PKCS \#8 encoded private key that you created for the client and downloaded from Apple + maxLength: 1024 + example: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + teamId: + type: string + description: The Team ID associated with your Apple developer account + maxLength: 1024 + example: test team id Application: type: object properties: 
@@ -22975,26 +48266,127 @@ components: type: string format: date-time readOnly: true + description: Timestamp when the Application object was created features: type: array + description: | + Enabled app features + > **Note:** Some apps can support optional provisioning features. See [Application Features](/openapi/okta-management/management/tag/ApplicationFeatures/) items: type: string + enum: + - GROUP_PUSH + - IMPORT_NEW_USERS + - IMPORT_PROFILE_UPDATES + - IMPORT_USER_SCHEMA + - PROFILE_MASTERING + - PUSH_NEW_USERS + - PUSH_PASSWORD_UPDATES + - PUSH_PROFILE_UPDATES + - PUSH_USER_DEACTIVATION + - REACTIVATE_USERS + - OUTBOUND_DEL_AUTH + - DESKTOP_SSO + - FEDERATED_PROFILE + - SUPPRESS_ACTIVATION_EMAIL + - PUSH_PENDING_USERS + - MFA + - UPDATE_EXISTING_USERNAME + - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH + - EXCHANGE_ACTIVE_SYNC + - IMPORT_SYNC + - IMPORT_SYNC_CONTACTS + - DEVICE_COMPLIANCE + - VPN_CONFIG + - IMPORT_SCHEMA_ENUM_VALUES + - SCIM_PROVISIONING + - DEVICE_FILTER_IN_SIGN_ON_RULES + - PROFILE_TEMPLATE_UPGRADE + - DEFAULT_PUSH_STATUS_TO_PUSH + - REAL_TIME_SYNC + - SSO + - AUTHN_CONTEXT + - JIT_PROVISIONING + - GROUP_SYNC + - OPP_SCIM_INCREMENTAL_IMPORTS + - IN_MEMORY_APP_USER + - LOG_STREAMING + - OAUTH_INTEGRATION + - IDP + - PUSH_NEW_USERS_WITHOUT_PASSWORD + - SKYHOOK_SERVICE + - ENTITLEMENT_MANAGEMENT + - PUSH_NEW_USERS_WITH_HASHED_PASSWORD + x-enumDescriptions: + GROUP_PUSH: Creates or links a group in the app when a mapping is defined for a group in Okta. Okta is the source for group memberships and all group members in Okta who are also assigned to the app are synced as group members to the app. 
+ IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app + IMPORT_PROFILE_UPDATES: Updates a linked user's app profile during manual or scheduled imports + IMPORT_USER_SCHEMA: Discovers the profile schema for a user from the app automatically + PROFILE_MASTERING: Designates the app as the identity lifecycle and profile attribute authority for linked users. The user's profile in Okta is read-only. + PUSH_NEW_USERS: Creates or links a user account in the app when assigning the app to a user in Okta + PUSH_PASSWORD_UPDATES: Updates the user's app password when their password changes in Okta + PUSH_PROFILE_UPDATES: Updates a user's profile in the app when the user's profile changes in Okta (the profile source) + PUSH_USER_DEACTIVATION: Deactivates a user's account in the app when unassigned from the app in Okta or deactivated + REACTIVATE_USERS: Reactivates an existing inactive user when provisioning a user to the app + OUTBOUND_DEL_AUTH: Okta user authentication requests are delegated to a third-party app + DESKTOP_SSO: Okta user authentication requests are handled by desktop SSO negotiation (if possible) + FEDERATED_PROFILE: App User profiles are synchronized at sign-in and profile-view instances instead of during bulk imports + SUPPRESS_ACTIVATION_EMAIL: Activation emails aren't sent to users sourced by AD and orgs with DelAuth enabled + PUSH_PENDING_USERS: Users are in PENDING state in Okta and are created but not active in the sourced app user + MFA: App can verify credentials as a second factor + UPDATE_EXISTING_USERNAME: App can update the user name for existing users + EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push + EXCHANGE_ACTIVE_SYNC: App supports synchronizing credentials with OMM enrolled devices + IMPORT_SYNC: Synchronize import events + IMPORT_SYNC_CONTACTS: Synchronize contacts + DEVICE_COMPLIANCE: Apps support device compliance rules + VPN_CONFIG: App supports pushing VPN configuration to OMM 
enrolled devices + IMPORT_SCHEMA_ENUM_VALUES: App supports downloading schema enum values. You can download custom objects and integrating them with UD without being tied to the type metadata system. + SCIM_PROVISIONING: App supports generic SCIM client provisioning and can leverage SCIM standard for provisioning and push custom attributes to a third-party app + DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules + PROFILE_TEMPLATE_UPGRADE: App supports profile template upgrades. This is primarily to help roll out the profile template upgrade feature for individual apps + DEFAULT_PUSH_STATUS_TO_PUSH: App defaults Push status to `PUSH`. This feature is for apps, such as SharePoint, that want to receive App User profile updates even though they didn't implement traditional PUSH_PROFILE_UPDATES in the client API. + REAL_TIME_SYNC: Apps support real-time synchronization + SSO: Apps support establishing a subject based on claims from an IdP + AUTHN_CONTEXT: Apps support establishing an authentication context based on claims from an IdP + JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP + GROUP_SYNC: Apps support syncing group information based on claims from an IdP + OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances + IN_MEMORY_APP_USER: Apps support in-memory App Users. This feature is used as an alternative to Implicit App Assignment for a non-persisted App User. + LOG_STREAMING: Apps support Log Streaming + OAUTH_INTEGRATION: App is an OAuth 2.0 Integration + IDP: Apps support IdP functionalities + PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users + SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations + ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled + PUSH_NEW_USERS_WITH_HASHED_PASSWORD: Send hashed password for new users. This feature is only used for CIS to CIC migration. 
id: type: string readOnly: true + description: Unique ID for the app instance label: $ref: '#/components/schemas/ApplicationLabel' lastUpdated: type: string format: date-time readOnly: true + description: Timestamp when the Application object was last updated licensing: $ref: '#/components/schemas/ApplicationLicensing' + orn: + type: string + readOnly: true + description: The Okta resource name (ORN) for the current app instance profile: type: object - additionalProperties: - type: object - properties: {} + description: |- + Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps). + For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function. + + > **Notes:** + > * `profile` isn't encrypted, so don't store sensitive data in it. + > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance. + additionalProperties: true signOnMode: $ref: '#/components/schemas/ApplicationSignOnMode' status: 
@@ -23003,12 +48395,20 @@ components: $ref: '#/components/schemas/ApplicationVisibility' _embedded: type: object - additionalProperties: - type: object - properties: {} + description: Embedded resources related to the app using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=user/{userId}` query parameter is specified, then the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) is embedded. + properties: + user: + type: object + description: The specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) assigned to the app + additionalProperties: + type: object + properties: {} readOnly: true _links: $ref: '#/components/schemas/ApplicationLinks' + required: + - signOnMode + - label discriminator: propertyName: signOnMode mapping: 
@@ -23017,20 +48417,27 @@ components: BOOKMARK: '#/components/schemas/BookmarkApplication' BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' - SAML_1_1: '#/components/schemas/SamlApplication' + SAML_1_1: '#/components/schemas/Saml11Application' SAML_2_0: '#/components/schemas/SamlApplication' SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' WS_FEDERATION: '#/components/schemas/WsFederationApplication' ApplicationAccessibility: + description: Specifies access settings for the app type: object properties: errorRedirectUrl: type: string + description: Custom error page URL for the app loginRedirectUrl: type: string + description: |- + Custom login page URL for the app + > **Note:** The `loginRedirectUrl` property is deprecated in Identity Engine. This property is used with the custom app login feature. Orgs that actively use this feature can continue to do so. See [Okta-hosted sign-in (redirect authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) or [configure IdP routing rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) to redirect users to the appropriate sign-in app for orgs that don't use the custom app login feature. selfService: type: boolean + description: Represents whether the app can be self-assignable by users ApplicationCredentials: + description: Credentials for the specified `signOnMode` type: object properties: signing: 
@@ -23042,13 +48449,37 @@ components: properties: autoKeyRotation: type: boolean + description: Requested key rotation mode + default: true client_id: type: string + maxLength: 100 + minLength: 6 + description: |- + Unique identifier for the OAuth 2.0 client app + + > **Notes:** + > * If you don't specify the `client_id`, this immutable property is populated with the [Application instance ID](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=4/id&t=response). + > * The `client_id` must consist of alphanumeric characters or the following special characters: `$-_.+!*'(),`. + > * You can't use the reserved word `ALL_CLIENTS`. client_secret: type: string + maxLength: 100 + minLength: 14 + description: |- + OAuth 2.0 client secret string (used for confidential clients) + + > **Notes:** If a `client_secret` isn't provided on creation, and the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client app. + > The `client_secret` is only shown when an OAuth 2.0 client app is created or updated (and only if the `token_endpoint_auth_method` requires a client secret). + pkce_required: + type: boolean + description: Requires Proof Key for Code Exchange (PKCE) for additional verification. If `token_endpoint_auth_method` is `none`, then `pkce_required` must be `true`. The default is `true` for browser and native app types. + default: true token_endpoint_auth_method: $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod' ApplicationCredentialsScheme: + description: | + Apps with `BASIC_AUTH`, `BROWSER_PLUGIN`, or `SECURE_PASSWORD_STORE` sign-on modes have credentials vaulted by Okta and can be configured with the following schemes. type: string enum: - ADMIN_SETS_CREDENTIALS 
@@ -23056,62 +48487,99 @@ components: - EDIT_USERNAME_AND_PASSWORD - EXTERNAL_PASSWORD_SYNC - SHARED_USERNAME_AND_PASSWORD + x-enumDescriptions: + ADMIN_SETS_CREDENTIALS: Admin sets username and password + EDIT_PASSWORD_ONLY: Admin sets username, user sets password + EDIT_USERNAME_AND_PASSWORD: User sets username and password + EXTERNAL_PASSWORD_SYNC: Admin sets username, password is the same as user's Okta password + SHARED_USERNAME_AND_PASSWORD: Users share a single username and password set by the admin ApplicationCredentialsSigning: + description: | + App signing key properties + > **Note:** Only apps with SAML_2_0, SAML_1_1, WS_FEDERATION, or OPENID_CONNECT `signOnMode` support the key rotation feature. type: object properties: kid: type: string + description: |- + Key identifier used for signing assertions + > **Note:** Currently, only the X.509 JWK format is supported for apps with SAML_2_0 `signOnMode`. lastRotated: type: string + description: Timestamp when the signing key was last rotated format: date-time readOnly: true nextRotation: type: string + description: The scheduled time for the next signing key rotation format: date-time readOnly: true rotationMode: type: string + description: The mode of key rotation use: $ref: '#/components/schemas/ApplicationCredentialsSigningUse' ApplicationCredentialsSigningUse: + description: Specifies the intended use of the key type: string enum: - sig ApplicationCredentialsUsernameTemplate: + description: The template used to generate the username when the app is assigned through a group or directly to a user type: object properties: pushStatus: type: string + description: Determines if the username is pushed to the app on updates for CUSTOM `type` + enum: + - PUSH + - DONT_PUSH + - NOT_CONFIGURED template: type: string + description: |- + Mapping expression used to generate usernames. 
+ + The following are supported mapping expressions that are used with the `BUILT_IN` template type: + + | Name | Template Expression | + | ------------------------------- | ---------------------------------------------- | + | AD Employee ID | `${source.employeeID}` | + | AD SAM Account Name | `${source.samAccountName}` | + | AD SAM Account Name (lowercase) | `${fn:toLowerCase(source.samAccountName)}` | + | AD User Principal Name | `${source.userName}` | + | AD User Principal Name prefix | `${fn:substringBefore(source.userName, "@")}` | + | Email | `${source.email}` | + | Email (lowercase) | `${fn:toLowerCase(source.email)}` | + | Email prefix | `${fn:substringBefore(source.email, "@")}` | + | LDAP UID + custom suffix | `${source.userName}${instance.userSuffix}` | + | Okta username | `${source.login}` | + | Okta username prefix | `${fn:substringBefore(source.login, "@")}` | + default: ${source.login} type: type: string + description: Type of mapping expression. Empty string is allowed. + enum: + - NONE + - BUILT_IN + - CUSTOM + default: BUILT_IN userSuffix: type: string + description: An optional suffix appended to usernames for `BUILT_IN` mapping expressions ApplicationFeature: description: | - The Feature object is used to configure application feature settings. - - The only feature currently supported is `USER_PROVISIONING` for the Org2Org application type. + The Feature object is used to configure app feature settings. 
type: object properties: - capabilities: - allOf: - - $ref: '#/components/schemas/CapabilitiesObject' description: type: string description: Description of the feature - example: Settings for provisioning users from Okta to a downstream application + example: Settings for provisioning users from Okta to a downstream app readOnly: true name: - type: string - description: Identifying name of the feature + $ref: '#/components/schemas/ApplicationFeatureType' readOnly: true - example: USER_PROVISIONING - enum: - - USER_PROVISIONING - x-enumDescriptions: - USER_PROVISIONING: Represents the **To App** provisioning feature setting in the Admin Console status: allOf: - $ref: '#/components/schemas/EnabledStatus' 
@@ -23122,32 +48590,71 @@ components: allOf: - $ref: '#/components/schemas/LinksSelf' - readOnly: true + discriminator: + propertyName: name + mapping: + USER_PROVISIONING: '#/components/schemas/UserProvisioningApplicationFeature' + INBOUND_PROVISIONING: '#/components/schemas/InboundProvisioningApplicationFeature' + ApplicationFeatureType: + description: | + Key name of the feature + + | Feature name | Description | + | --------- | ------------- | + | USER_PROVISIONING | User profiles are pushed from Okta to the third-party app. Represents the **To App** provisioning feature setting in the Admin Console. | + | INBOUND_PROVISIONING | User profiles are imported from the third-party app into Okta. This feature represents the **To Okta** provisioning feature setting in the Admin Console. | + + Select the feature: + example: USER_PROVISIONING + type: string + enum: + - USER_PROVISIONING + - USER_PROVISIONING + - INBOUND_PROVISIONING ApplicationGroupAssignment: + title: Application Group Assignment + description: The Application Group object that defines a group of users' app-specific profile and credentials for an app type: object properties: id: type: string + description: ID of the [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) readOnly: true + example: 00g4hb1HChfUriNgW0g4 lastUpdated: - type: string - format: date-time - readOnly: true + allOf: + - $ref: '#/components/schemas/lastUpdatedProperty' + - example: '2014-06-24T15:28:14.000Z' priority: type: integer + description: |- + Priority assigned to the group. If an app has more than one group assigned to the same user, then the group with the higher priority has its profile applied to the [Application User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/). + If a priority value isn't specified, then the next highest priority is assigned by default. 
+ See [Assign attribute group priority](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-app-group-priority) and the [sample priority use case](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-combine-values-use). + example: 99 profile: - type: object - additionalProperties: - type: object - properties: {} + $ref: '#/components/schemas/GroupAssignmentProfile' _embedded: type: object + description: |- + Embedded resource related to the Application Group using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + If the `expand=group` query parameter is specified, then the [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) object is embedded. + If the `expand=metadata` query parameter is specified, then the group assignment metadata is embedded. additionalProperties: type: object properties: {} readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + $ref: '#/components/schemas/HrefObjectAppLink' + group: + $ref: '#/components/schemas/HrefObjectGroupLink' ApplicationLabel: + description: User-defined display name for app type: string ApplicationLayout: type: object @@ -23199,11 +48706,14 @@ components: $ref: '#/components/schemas/HrefObject' type: array ApplicationLicensing: + description: Licenses for the app type: object properties: seatCount: type: integer + description: Number of licenses purchased for the app ApplicationLifecycleStatus: + description: App instance status type: string enum: - ACTIVE 
@@ -23211,73 +48721,127 @@ components: - INACTIVE readOnly: true ApplicationLinks: + description: Discoverable resources related to the app properties: accessPolicy: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/AccessPolicyLink' activate: $ref: '#/components/schemas/HrefObjectActivateLink' + appLinks: + type: array + description: List of app link resources + items: + $ref: '#/components/schemas/HrefObject' deactivate: $ref: '#/components/schemas/HrefObjectDeactivateLink' groups: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/GroupsLink' + help: + $ref: '#/components/schemas/HelpLink' logo: type: array + description: List of app logo resources items: $ref: '#/components/schemas/HrefObject' metadata: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/MetadataLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' users: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/UsersLink' + readOnly: true ApplicationSettings: + description: App settings type: object properties: identityStoreId: type: string + description: Identifies an additional identity store app, if your app supports it. The `identityStoreId` value must be a valid identity store app ID. This identity store app must be created in the same org as your app. implicitAssignment: type: boolean + description: Controls whether Okta automatically assigns users to the app based on the user's role or group membership. inlineHookId: type: string + description: Identifier of an inline hook. Inline hooks are outbound calls from Okta to your own custom code, triggered at specific points in Okta process flows. They allow you to integrate custom functionality into those flows. See [Inline hooks](/openapi/okta-management/management/tag/InlineHook/). 
notes: $ref: '#/components/schemas/ApplicationSettingsNotes' notifications: $ref: '#/components/schemas/ApplicationSettingsNotifications' ApplicationSettingsNotes: + description: App notes visible to either the admin or end user type: object properties: admin: type: string + description: An app message that's visible to admins enduser: type: string + description: A message that's visible in the End-User Dashboard ApplicationSettingsNotifications: + description: Specifies notifications settings for the app type: object properties: vpn: $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn' ApplicationSettingsNotificationsVpn: + description: Sends customizable messages with conditions to end users when a VPN connection is required type: object properties: helpUrl: type: string + description: An optional URL to a help page to assist your end users in signing in to your company VPN message: type: string + description: A VPN requirement message that's displayed to users network: $ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork' + required: + - network ApplicationSettingsNotificationsVpnNetwork: + description: Defines network zones for VPN notification type: object properties: connection: type: string + description: Specifies the VPN connection details required to access the app + enum: + - DISABLED + - ANYWHERE + - ON_NETWORK + - OFF_NETWORK + - ZONE + x-enumDescriptions: + DISABLED: The default state. Retain this setting for apps that don't require a VPN connection. + ANYWHERE: Displays VPN connection information regardless of the browser's client IP. The notification appears before the end user can access the app. + ON_NETWORK: Displays VPN connection information only when a browser's client IP matches the configured Public Gateway IPs. The notification appears before the end user can access the app. + OFF_NETWORK: Displays VPN connection information only when the browser's client IP doesn't match the configured Public Gateway IPs. 
The notification appears before the end user can access the app. exclude: type: array + description: Defines the IP addresses or network ranges that are excluded from the VPN requirement items: type: string include: type: array + description: Defines the IP addresses or network ranges that are required to use the VPN items: type: string ApplicationSignOnMode: + description: | + Authentication mode for the app + + | signOnMode | Description | + | ---------- | ----------- | + | AUTO_LOGIN | Secure Web Authentication (SWA) | + | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | + | BOOKMARK | Just a bookmark (no-authentication) | + | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin | + | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | + | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) | + | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | + | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) | + | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile | + + Select the `signOnMode` for your custom app: type: string enum: - AUTO_LOGIN 
@@ -23289,26 +48853,45 @@ components: - SAML_2_0 - SECURE_PASSWORD_STORE - WS_FEDERATION + ApplicationType: + description: 'The type of client application. Default value: `web`.' + type: string + enum: + - browser + - native + - service + - web ApplicationVisibility: + description: Specifies visibility settings for the app type: object properties: appLinks: type: object + description: Links or icons that appear on the End-User Dashboard if they're set to `true`. additionalProperties: type: boolean autoLaunch: type: boolean + description: Automatically signs in to the app when user signs into Okta autoSubmitToolbar: type: boolean + description: Automatically sign in when user lands on the sign-in page hide: $ref: '#/components/schemas/ApplicationVisibilityHide' ApplicationVisibilityHide: + description: Hides the app for specific end-user apps type: object properties: iOS: type: boolean + description: Okta Mobile for iOS or Android (pre-dates Android) + default: false + example: false web: type: boolean + description: Okta End-User Dashboard on a web browser + default: false + example: true AssignGroupOwnerRequestBody: type: object properties: @@ -23322,6 +48905,11 @@ components: properties: type: $ref: '#/components/schemas/RoleType' + AssignUserToRealm: + type: object + properties: + realmId: + type: string AssociatedServerMediated: type: object properties: 
@@ -23330,14 +48918,160 @@ components: description: A list of the authorization server IDs items: type: string + AssuranceMethod: + allOf: + - $ref: '#/components/schemas/VerificationMethod' + - type: object + properties: + constraints: + items: + $ref: '#/components/schemas/AccessPolicyConstraints' + type: array + factorMode: + $ref: '#/components/schemas/AssuranceMethodFactorMode' + inactivityPeriod: + type: string + description: The inactivity duration after which the user must re-authenticate. Use the ISO 8601 period format (for example, PT2H). + reauthenticateIn: + type: string + description: The duration after which the user must re-authenticate, regardless of user activity. Keep in mind that the re-authentication intervals for constraints take precedent over this value. Use the ISO 8601 period format for recurring time intervals (for example, PT2H, PT0S, PT43800H, and so on). + AssuranceMethodFactorMode: + type: string + enum: + - 1FA + - 2FA + AttackProtectionAuthenticatorSettings: + type: object + properties: + verifyKnowledgeSecondWhen2faRequired: + type: boolean + description: If true, requires users to verify a possession factor before verifying a knowledge factor when the assurance requires two-factor authentication (2FA). 
+ default: false + AuthServerLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + claims: + allOf: + - description: Link to the authorization server claims + - $ref: '#/components/schemas/HrefObject' + deactivate: + allOf: + - $ref: '#/components/schemas/HrefObjectDeactivateLink' + metadata: + description: Link to the authorization server metadata + type: array + items: + $ref: '#/components/schemas/HrefObject' + policies: + allOf: + - description: Link to the authorization server policies + - $ref: '#/components/schemas/HrefObject' + rotateKey: + allOf: + - description: Link to the authorization server key rotation + - $ref: '#/components/schemas/HrefObject' + scopes: + allOf: + - description: Link to the authorization server scopes + - $ref: '#/components/schemas/HrefObject' + AuthenticationMethod: + type: object + properties: + hardwareProtection: + type: string + description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + id: + type: string + description: An ID that identifies the authenticator + key: + type: string + description: A label that identifies the authenticator + method: + type: string + description: Specifies the method used for the authenticator + phishingResistant: + type: string + description: Indicates if phishing-resistant Factors are required. 
This property is only set for `POSSESSION` constraints + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + userVerification: + type: string + description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL + required: + - key + - method + AuthenticationMethodChain: + type: object + properties: + authenticationMethods: + items: + $ref: '#/components/schemas/AuthenticationMethod' + type: array + next: + type: array + description: The next steps of the authentication method chain. This is an array of `AuthenticationMethodChain`. Only supports one item in the array. + items: + type: object + reauthenticateIn: + type: string + description: |- + Specifies how often the user should be prompted for authentication using duration format for the time period. + For example, `PT2H30M` for two and a half hours. This parameter can't be set at the same time as the `reauthenticateIn` property on the `verificationMethod`. + AuthenticationMethodChainMethod: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + allOf: + - $ref: '#/components/schemas/VerificationMethod' + - type: object + properties: + chains: + items: + $ref: '#/components/schemas/AuthenticationMethodChain' + type: array + description: Authentication method chains. Only supports 5 items in the array. Each chain can support maximum 3 steps. + reauthenticateIn: + description: |- + Specifies how often the user should be prompted for authentication using duration format for the time period. + For example, `PT2H30M` for two and a half hours. Don't set this parameter if you're setting the `reauthenticateIn` parameter in `chains`. 
+ type: string + AuthenticationMethodObject: + type: object + properties: + key: + type: string + description: A label that identifies the authenticator + method: + type: string + description: Specifies the method used for the authenticator + required: + - key AuthenticationProvider: + description: Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the **Delegated Authentication** settings for your org. The provider object is **read-only**. type: object properties: name: type: string + description: The name of the authentication provider + readOnly: true + example: OKTA type: $ref: '#/components/schemas/AuthenticationProviderType' + readOnly: true AuthenticationProviderType: + description: The type of authentication provider type: string enum: - ACTIVE_DIRECTORY 
@@ -23346,40 +49080,390 @@ components: - LDAP - OKTA - SOCIAL - Authenticator: + x-enumDescriptions: + ACTIVE_DIRECTORY: Specifies the directory instance name as the `name` property + FEDERATION: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider + IMPORT: Specifies a hashed password that was imported from an external source + LDAP: Specifies the directory instance name as the `name` property + OKTA: Specifies the Okta Identity Provider + SOCIAL: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider + readOnly: true + AuthenticatorBase: type: object properties: created: + description: Timestamp when the Authenticator was created format: date-time readOnly: true type: string id: + description: A unique identifier for the Authenticator readOnly: true type: string key: - type: string + $ref: '#/components/schemas/AuthenticatorKeyEnum' lastUpdated: + description: Timestamp when the Authenticator was last modified format: date-time readOnly: true type: string name: + description: Display name of the Authenticator type: string - provider: - $ref: '#/components/schemas/AuthenticatorProvider' - settings: - $ref: '#/components/schemas/AuthenticatorSettings' status: + description: Status of the Authenticator $ref: '#/components/schemas/LifecycleStatus' type: $ref: '#/components/schemas/AuthenticatorType' _links: + description: Link relations for this object $ref: '#/components/schemas/AuthenticatorLinks' + discriminator: + propertyName: key + mapping: + custom_app: '#/components/schemas/AuthenticatorKeyCustomApp' + duo: '#/components/schemas/AuthenticatorKeyDuo' + okta_email: '#/components/schemas/AuthenticatorKeyEmail' + google_otp: '#/components/schemas/AuthenticatorKeyGoogleOtp' + external_idp: '#/components/schemas/AuthenticatorKeyExternalIdp' + okta_password: '#/components/schemas/AuthenticatorKeyPassword' + okta_verify: 
'#/components/schemas/AuthenticatorKeyOktaVerify' + onprem_mfa: '#/components/schemas/AuthenticatorKeyOnprem' + phone_number: '#/components/schemas/AuthenticatorKeyPhone' + security_key: '#/components/schemas/AuthenticatorKeySecurityKey' + security_question: '#/components/schemas/AuthenticatorKeySecurityQuestion' + symantec_vip: '#/components/schemas/AuthenticatorKeySymantecVip' + smart_card_idp: '#/components/schemas/AuthenticatorKeySmartCard' + webauthn: '#/components/schemas/AuthenticatorKeyWebauthn' + yubikey_token: '#/components/schemas/AuthenticatorKeyYubikey' + AuthenticatorEnrollmentPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyConditions' + settings: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettings' + AuthenticatorEnrollmentPolicyAuthenticatorSettings: + type: object + properties: + constraints: + description: Constraints for the authenticator + nullable: true + minimum: 0 + type: object + properties: + aaguidGroups: + type: array + description: The list of FIDO2 WebAuthn authenticator groups allowed for enrollment + items: + type: string + uniqueItems: true + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + enroll: + type: object + description: Enrollment requirements for the authenticator + properties: + self: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorStatus' + key: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorType' + AuthenticatorEnrollmentPolicyAuthenticatorStatus: + description: Requirements for the user-initiated enrollment + default: NOT_ALLOWED + type: string + enum: + - NOT_ALLOWED + - OPTIONAL + - REQUIRED + AuthenticatorEnrollmentPolicyAuthenticatorType: + description: A label that identifies the authenticator + type: string + enum: + - custom_app + - custom_otp + - duo + - external_idp + - google_otp + - okta_email + - 
okta_password + - okta_verify + - onprem_mfa + - phone_number + - rsa_token + - security_question + - symantec_vip + - webauthn + - yubikey_token + AuthenticatorEnrollmentPolicyConditions: + allOf: + - type: object + properties: + people: + type: object + description: Identifies Users and Groups that are used together + properties: + groups: + type: object + description: Specifies a set of Groups whose Users are to be included or excluded + properties: + include: + type: array + description: Groups to be included + items: + type: string + AuthenticatorEnrollmentPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActions' + conditions: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleConditions' + AuthenticatorEnrollmentPolicyRuleActionEnroll: + description: Specifies whether the User is to be enrolled the first time they `LOGIN`, the next time they are in the `CHALLENGE` process, or `NEVER` + type: object + properties: + self: + type: string + enum: + - CHALLENGE + - LOGIN + - NEVER + AuthenticatorEnrollmentPolicyRuleActions: + allOf: + - $ref: '#/components/schemas/PolicyRuleActions' + - type: object + properties: + enroll: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActionEnroll' + AuthenticatorEnrollmentPolicyRuleConditions: + type: object + properties: + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + type: object + description: Identifies Users and Groups that are used together + properties: + users: + type: object + description: Specifies a set of Users to be included or excluded + properties: + exclude: + type: array + description: Users to be excluded + items: + type: string + AuthenticatorEnrollmentPolicySettings: + description: '**Note:** In Identity Engine, the Multifactor (MFA) Enrollment Policy name has changed to authenticator enrollment policy. 
The policy type of `MFA_ENROLL` remains unchanged. However, the `settings` data is updated for authenticators. Policy `settings` are included only for those authenticators that are enabled.' + type: object + properties: + authenticators: + description: | + List of authenticator policy settings + + <x-lifecycle class="oie"></x-lifecycle> For orgs with the Authenticator enrollment policy feature enabled, the new default authenticator enrollment policy created by Okta contains the `authenticators` property in the policy settings. Existing default authenticator enrollment policies from a migrated Classic Engine org remain unchanged. The policies still use the `factors` property in their settings. The `authenticators` parameter allows you to configure all available authenticators, including authentication and recovery. The `factors` parameter only allows you to configure multifactor authentication. + items: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorSettings' + type: array + type: + $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettingsType' + AuthenticatorEnrollmentPolicySettingsType: + description: | + Type of policy configuration object + + <x-lifecycle class="oie"></x-lifecycle> The `type` property in the policy `settings` is only applicable to the authenticator enrollment policy available in Identity Engine. + default: FACTORS + type: string + enum: + - AUTHENTICATORS + - FACTORS AuthenticatorIdentity: description: Represents a particular authenticator serving as a constraint on a method type: object properties: key: type: string + AuthenticatorKeyCustomApp: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + agreeToTerms: + type: boolean + description: A value of `true` indicates that the administrator accepts the [terms](https://www.okta.com/privacy-policy/)for creating a new authenticator. Okta requires that you accept the terms when creating a new `custom_app` authenticator. 
Other authenticators don't require this field. + provider: + type: object + properties: + type: + type: string + description: Provider type + enum: + - PUSH + configuration: + type: object + description: The configuration of the provider + properties: + apns: + type: object + properties: + id: + type: string + description: ID of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) + appBundleId: + type: string + description: AppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) + debugAppBundleId: + type: string + description: DebugAppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) + fcm: + type: object + properties: + id: + type: string + description: ID of the FCM (Firebase Cloud Messaging Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) + settings: + type: object + properties: + userVerification: + $ref: '#/components/schemas/CustomAppUserVerificationEnum' + appInstanceId: + type: string + description: The application instance ID. For custom_app, you need to create an OIDC native app using the [Apps API](https://developer.okta.com/docs/reference/api/apps/) with `Authorization Code` and `Refresh Token` grant types. You can leave both `Sign-in redirect URIs` and `Sign-out redirect URIs` as the default values. 
+ AuthenticatorKeyDuo: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + provider: + type: object + properties: + type: + type: string + description: Provider type + enum: + - DUO + configuration: + type: object + properties: + host: + type: string + description: The Duo Security API hostname + integrationKey: + type: string + description: The Duo Security integration key + secretKey: + type: string + description: The Duo Security secret key + userNameTemplate: + type: object + properties: + template: + type: string + description: The Duo Security user template name + AuthenticatorKeyEmail: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + settings: + type: object + properties: + allowedFor: + $ref: '#/components/schemas/AllowedForEnum' + tokenLifetimeInMinutes: + description: Specifies the lifetime of an email token. Default value is 5 minutes. + type: number + default: 5 + AuthenticatorKeyEnum: + description: A human-readable string that identifies the Authenticator + type: string + enum: + - custom_app + - duo + - external_idp + - google_otp + - okta_email + - okta_password + - okta_verify + - onprem_mfa + - phone_number + - security_key + - security_question + - smart_card_idp + - symantec_vip + - webauthn + - yubikey_token + AuthenticatorKeyExternalIdp: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyGoogleOtp: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyOktaVerify: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + settings: + type: object + properties: + channelBinding: + $ref: '#/components/schemas/ChannelBinding' + compliance: + $ref: '#/components/schemas/Compliance' + userVerification: + $ref: '#/components/schemas/UserVerificationEnum' + appInstanceId: + type: string + description: The application instance ID + AuthenticatorKeyOnprem: + allOf: + - $ref: 
'#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyPassword: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyPhone: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + settings: + type: object + properties: + allowedFor: + $ref: '#/components/schemas/AllowedForEnum' + AuthenticatorKeySecurityKey: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeySecurityQuestion: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + - type: object + properties: + settings: + type: object + properties: + allowedFor: + $ref: '#/components/schemas/AllowedForEnum' + AuthenticatorKeySmartCard: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeySymantecVip: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyWebauthn: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' + AuthenticatorKeyYubikey: + allOf: + - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorLinks: allOf: - $ref: '#/components/schemas/LinksSelfAndLifecycle' @@ -23390,7 +49474,6 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' AuthenticatorMethodAlgorithm: - description: The encryption algorithm for this authenticator method type: string enum: - ES256 @@ -23399,6 +49482,7 @@ components: type: object properties: status: + description: The status of the authenticator method $ref: '#/components/schemas/LifecycleStatus' type: $ref: '#/components/schemas/AuthenticatorMethodType' 
@@ -23421,17 +49505,16 @@ components: duo: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' cert: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' AuthenticatorMethodConstraint: - description: |- - Limits the authenticators that can be used for a given method. Currently, only the `otp` method supports constraints, and Google authenticator (key : 'google_otp') is the only allowed authenticator. + description: 'Limits the authenticators that can be used for a given method. Currently, only the `otp` method supports constraints, and Google authenticator (key : ''google_otp'') is the only allowed authenticator.' type: object properties: - method: - enum: - - otp allowedAuthenticators: type: array items: $ref: '#/components/schemas/AuthenticatorIdentity' + method: + enum: + - otp AuthenticatorMethodOtp: allOf: - $ref: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' @@ -23439,6 +49522,7 @@ components: properties: acceptableAdjacentIntervals: type: integer + description: The number of acceptable adjacent intervals, also known as the clock drift interval. This setting allows you to build in tolerance for any time difference between the token and the server. For example, with a `timeIntervalInSeconds` of 60 seconds and an `acceptableAdjacentIntervals` value of 5, Okta accepts passcodes within 300 seconds (60 * 5) before or after the end user enters their code. minimum: 0 maximum: 10 algorithm: @@ -23447,15 +49531,14 @@ components: $ref: '#/components/schemas/OtpTotpEncoding' factorProfileId: type: string + description: The `id` value of the factor profile + example: aut1nd8PQhGcQtSxB0g4 passCodeLength: - type: integer - minimum: 6 - maximum: 10 - multipleOf: 2 + $ref: '#/components/schemas/OtpTotpPassCodeLength' protocol: $ref: '#/components/schemas/OtpProtocol' timeIntervalInSeconds: - type: integer + $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds' AuthenticatorMethodProperty: type: string enum: 
@@ -23510,19 +49593,20 @@ components: type: object properties: timeIntervalInSeconds: - type: integer + $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds' encoding: - type: string + $ref: '#/components/schemas/OtpTotpEncoding' algorithm: - type: string + $ref: '#/components/schemas/OtpTotpAlgorithm' passCodeLength: - type: integer + $ref: '#/components/schemas/OtpTotpPassCodeLength' AuthenticatorMethodTransactionType: type: string enum: - CIBA - LOGIN AuthenticatorMethodType: + description: The type of authenticator method type: string enum: - cert @@ -23546,6 +49630,11 @@ components: settings: type: object properties: + aaguidGroups: + description: <x-lifecycle class="ea"></x-lifecycle> The FIDO2 AAGUID groups available to the WebAuthn authenticator + type: array + items: + $ref: '#/components/schemas/AAGUIDGroupObject' userVerification: $ref: '#/components/schemas/UserVerificationEnum' attachment: 
@@ -23559,44 +49648,11 @@ components: type: array items: $ref: '#/components/schemas/AuthenticatorMethodProperty' - AuthenticatorProvider: - properties: - configuration: - $ref: '#/components/schemas/AuthenticatorProviderConfiguration' - type: - type: string - AuthenticatorProviderConfiguration: - properties: - authPort: - type: integer - hostName: - type: string - instanceId: - type: string - sharedSecret: - type: string - userNameTemplate: - $ref: '#/components/schemas/AuthenticatorProviderConfigurationUserNameTemplate' - AuthenticatorProviderConfigurationUserNameTemplate: - properties: - template: - type: string - AuthenticatorSettings: - type: object - properties: - allowedFor: - $ref: '#/components/schemas/AllowedForEnum' - appInstanceId: - type: string - channelBinding: - $ref: '#/components/schemas/ChannelBinding' - compliance: - $ref: '#/components/schemas/Compliance' - tokenLifetimeInMinutes: - type: integer - userVerification: - $ref: '#/components/schemas/UserVerificationEnum' + AuthenticatorSimple: + allOf: + - $ref: '#/components/schemas/AuthenticatorBase' AuthenticatorType: + description: The type of Authenticator type: string enum: - app @@ -23611,6 +49667,7 @@ components: properties: audiences: type: array + description: The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience. items: type: string created: 
@@ -23621,29 +49678,46 @@ components: $ref: '#/components/schemas/AuthorizationServerCredentials' description: type: string + description: The description of the custom authorization server id: type: string + description: The ID of the custom authorization server readOnly: true issuer: type: string + description: The complete URL for the custom authorization server. This becomes the `iss` claim in an access token. issuerMode: - $ref: '#/components/schemas/IssuerMode' + type: string + description: |- + Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL. + + `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses. + + When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`. + + When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface. + + When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain. + + After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled. 
lastUpdated: type: string format: date-time readOnly: true name: type: string + description: The name of the custom authorization server status: $ref: '#/components/schemas/LifecycleStatus' _links: - $ref: '#/components/schemas/LinksSelf' + $ref: '#/components/schemas/AuthServerLinks' AuthorizationServerCredentials: type: object properties: signing: $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' AuthorizationServerCredentialsRotationMode: + description: The Key rotation mode for the authorization server type: string enum: - AUTO @@ -23653,12 +49727,16 @@ components: properties: kid: type: string + description: The ID of the JSON Web Key used for signing tokens issued by the authorization server + readOnly: true lastRotated: type: string + description: The timestamp when the authorization server started using the `kid` for signing tokens format: date-time readOnly: true nextRotation: type: string + description: The timestamp when the authorization server changes the Key for signing tokens. This is only returned when `rotationMode` is set to `AUTO`. format: date-time readOnly: true rotationMode: 
@@ -23666,25 +49744,151 @@ components: use: $ref: '#/components/schemas/AuthorizationServerCredentialsUse' AuthorizationServerCredentialsUse: + description: How the key is used type: string enum: - sig + AuthorizationServerJsonWebKey: + type: object + properties: + alg: + description: 'The algorithm used with the Key. Valid value: `RS256`' + type: string + e: + description: RSA key value (public exponent) for Key binding + type: string + readOnly: true + kid: + description: Unique identifier for the key + type: string + readOnly: true + kty: + description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`' + type: string + readOnly: true + 'n': + description: RSA modulus value that is used by both the public and private keys and provides a link between them + type: string + status: + description: |- + An `ACTIVE` Key is used to sign tokens issued by the authorization server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`<br> + A `NEXT` Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The `NEXT` Key might not be listed if it hasn't been generated. + An `EXPIRED` Key is the previous Key that the authorization server used to sign tokens. The `EXPIRED` Key might not be listed if no Key has expired or the expired Key was deleted. + type: string + use: + description: 'Acceptable use of the key. 
Valid value: `sig`' + type: string + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' AuthorizationServerPolicy: allOf: - - $ref: '#/components/schemas/Policy' - type: object properties: + id: + type: string + description: ID of the Policy + type: + type: string + description: Indicates that the Policy is an authorization server Policy + enum: + - OAUTH_AUTHORIZATION_POLICY + name: + type: string + description: Name of the Policy conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + $ref: '#/components/schemas/AuthorizationServerPolicyConditions' + description: + type: string + description: Description of the Policy + priority: + type: integer + description: Specifies the order in which this Policy is evaluated in relation to the other Policies in a custom authorization server + status: + type: string + description: Specifies whether requests have access to this Policy + enum: + - ACTIVE + - INACTIVE + system: + type: boolean + description: Specifies whether Okta created this Policy + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the Policy was created + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the Policy was last updated + _links: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + rules: + allOf: + - description: Link to the authorization server policy's rules + - $ref: '#/components/schemas/HrefObject' + AuthorizationServerPolicyConditions: + type: object + properties: + clients: + $ref: '#/components/schemas/ClientPolicyCondition' + AuthorizationServerPolicyPeopleCondition: + description: Identifies Users and Groups that are used together + type: object + properties: + groups: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleGroupCondition' + users: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleUserCondition' AuthorizationServerPolicyRule: - allOf: - - $ref: 
'#/components/schemas/PolicyRule' - - type: object - properties: - actions: - $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' - conditions: - $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' + type: object + properties: + actions: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' + conditions: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the rule was created + id: + type: string + description: Identifier of the rule + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the rule was last modified + name: + type: string + description: Name of the rule + priority: + type: integer + description: Priority of the rule + status: + type: string + description: Status of the rule + enum: + - ACTIVE + - INACTIVE + system: + type: boolean + description: Set to `true` for system rules. You can't delete system rules. + type: + type: string + description: Rule type + enum: + - RESOURCE_ACCESS + _links: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' AuthorizationServerPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' 
@@ -23693,18 +49897,58 @@ components: token: $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction' AuthorizationServerPolicyRuleConditions: + type: object + properties: + grantTypes: + $ref: '#/components/schemas/GrantTypePolicyRuleCondition' + people: + $ref: '#/components/schemas/AuthorizationServerPolicyPeopleCondition' + scopes: + $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' + AuthorizationServerPolicyRuleGroupCondition: + description: Specifies a set of Groups whose Users are to be included + type: object + properties: + include: + type: array + description: Groups to be included + items: + type: string + AuthorizationServerPolicyRuleRequest: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' + - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - type: object - properties: - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' + required: + - name + - conditions + - type + AuthorizationServerPolicyRuleUserCondition: + description: Specifies a set of Users to be included + type: object + properties: + include: + description: Users to be included + type: array + items: + type: string + AuthorizationServerResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: + type: string + description: Link name + example: Example Authorization Server + AutoAssignAdminAppSetting: + description: The org setting that automatically assigns the Okta Admin Console when an admin role is assigned + type: object + properties: + autoAssignAdminAppSetting: + type: boolean + description: Automatically assigns the Okta Admin Console to the user when an admin role is 
assigned AutoLoginApplication: allOf: - $ref: '#/components/schemas/Application' @@ -23714,6 +49958,8 @@ components: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string + description: A unique key is generated for the custom SWA app instance when you use AUTO_LOGIN `signOnMode`. + readOnly: true settings: $ref: '#/components/schemas/AutoLoginApplicationSettings' AutoLoginApplicationSettings: @@ -23728,8 +49974,12 @@ components: properties: loginUrl: type: string + description: Primary URL of the sign-in page for this app redirectUrl: type: string + description: Secondary URL of the sign-in page for this app + required: + - loginUrl AutoUpdateSchedule: description: The schedule of auto-update configured by admin. type: object 
@@ -23782,6 +50032,110 @@ components: - us-east-2 - us-west-1 - us-west-2 + BaseContext: + description: This object contains a number of sub-objects, each of which provide some type of contextual information. + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + session: + description: Details of the user session + type: object + properties: + id: + description: The unique identifier for the user's session + type: string + example: 102LN9Bnuc4S_ewfc9BYwageA + userId: + description: The unique identifier for the user + type: string + example: 00uq8tMo3zV0OfJON0g3 + login: + description: The username used to identify the user. This is often the user's email address. + type: string + example: user@example.com + createdAt: + description: Timestamp of when the session was created + type: string + format: date-time + example: '2019-03-28T16:45:55.000Z' + expiresAt: + description: Timestamp of when the session expires + type: string + format: date-time + example: '2019-03-28T21:15:23.000Z' + status: + description: Represents the current status of the user's session + type: string + example: ACTIVE + lastPasswordVerification: + description: Timestamp of when the user was last authenticated + type: string + format: date-time + example: '2019-03-28T16:45:55.000Z' + amr: + description: The authentication method reference + type: array + items: + type: string + example: + - PASSWORD + idp: + $ref: '#/components/schemas/SessionIdentityProvider' + mfaActive: + description: Describes whether multifactor authentication was enabled + type: boolean + example: false + user: + description: Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile + type: object + properties: + id: + description: The unique identifier for the user + type: string + example: 00uq8tMo3zV0OfJON0g3 + passwordChanged: + description: The timestamp when the user's password was last updated + type: string + 
format: date-time + example: '2018-09-11T23:19:12.000Z' + profile: + type: object + properties: + login: + description: The username used to identify the user. This is often the user's email address. + type: string + example: user@example.com + firstName: + description: The first name of the user + type: string + example: John + lastName: + description: The last name of the user + type: string + example: Smith + locale: + description: |- + The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. + A locale value is a concatenation of the [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes) two-letter language code, an underscore, and the [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) two-letter country code. For example, `en_US` specifies the language English and country US. This value is `en_US` by default. + type: string + example: en_US + timeZone: + description: The user's timezone + type: string + example: America/Los_Angeles + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled. + type: object + properties: + groups: + description: URL to retrieve the individual user's group memberships + allOf: + - $ref: '#/components/schemas/HrefObject' + factors: + description: URL to retrieve individual user's factor enrollments + allOf: + - $ref: '#/components/schemas/HrefObject' BaseEmailDomain: type: object properties: 
@@ -23797,19 +50151,36 @@ components: properties: alias: type: string - description: A name to identify this configuration + description: Human-readable name for your SMTP server + example: CustomServer1 enabled: type: boolean - description: True if and only if all email traffic should be routed through this SMTP Server + description: If `true`, routes all email traffic through your SMTP server host: type: string - description: The address of the SMTP Server + description: Hostname or IP address of your SMTP server + example: 192.168.160.1 port: type: integer - description: The port number of the SMTP Server + description: Port number of your SMTP server + example: 587 username: type: string - description: The username to use with your SMTP Server + description: Username used to access your SMTP server + example: aUser + BaseToken: + type: object + properties: + claims: + description: Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#claims). + type: object + lifetime: + description: Lifetime of the token + type: object + properties: + expiration: + description: Time in seconds until the token expires + type: integer BasicApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' @@ -23822,8 +50193,13 @@ components: properties: authURL: type: string + description: The URL of the authenticating site for this app url: type: string + description: The URL of the sign-in page for this app + required: + - authURL + - url BasicAuthApplication: x-okta-defined-as: name: template_basic_auth 
@@ -23835,9 +50211,14 @@ components: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string - default: template_basic_auth + description: '`template_basic_auth` is the key name for a Basic Authentication scheme app instance' + enum: + - template_basic_auth settings: $ref: '#/components/schemas/BasicApplicationSettings' + required: + - name + - settings BeforeScheduledActionPolicyRuleCondition: type: object properties: @@ -23970,6 +50351,13 @@ components: properties: settings: $ref: '#/components/schemas/BehaviorRuleSettingsVelocity' + BindingMethod: + description: The method used to bind the out-of-band channel with the primary channel. + type: string + enum: + - none + - prompt + - transfer BookmarkApplication: x-okta-defined-as: name: bookmark @@ -23981,9 +50369,14 @@ components: $ref: '#/components/schemas/ApplicationCredentials' name: type: string - default: bookmark + description: '`bookmark` is the key name for a Bookmark app' + enum: + - bookmark settings: $ref: '#/components/schemas/BookmarkApplicationSettings' + required: + - name + - settings BookmarkApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' 
@@ -23996,27 +50389,37 @@ components: properties: requestIntegration: type: boolean + description: Would you like Okta to add an integration for this app? + default: false url: type: string + description: The URL of the launch page for this app + required: + - url BouncesRemoveListError: type: object properties: emailAddress: type: string + description: An email address with a validation error reason: type: string + description: Validation error reason BouncesRemoveListObj: type: object properties: emailAddresses: type: array + description: A list of email addresses to remove from the email-service bounce list items: type: string + description: Email address BouncesRemoveListResult: type: object properties: errors: type: array + description: A list of emails that wasn't added to the email-bounced remove list and the error reason items: $ref: '#/components/schemas/BouncesRemoveListError' Brand: @@ -24024,24 +50427,33 @@ components: properties: agreeToCustomPrivacyPolicy: type: boolean + description: Consent for updating the custom privacy URL. Not required when resetting the URL. customPrivacyPolicyUrl: type: string + description: Custom privacy policy URL + default: null defaultApp: $ref: '#/components/schemas/DefaultApp' emailDomainId: type: string + description: The ID of the email domain id: readOnly: true type: string + description: The Brand ID isDefault: readOnly: true type: boolean + description: If `true`, the Brand is used for the Okta subdomain locale: $ref: '#/components/schemas/Language' name: type: string + description: The name of the Brand removePoweredByOkta: type: boolean + default: false + description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard BrandDomains: title: BrandDomains items: 
@@ -24052,18 +50464,26 @@ components: properties: agreeToCustomPrivacyPolicy: type: boolean + description: Consent for updating the custom privacy URL. Not required when resetting the URL. customPrivacyPolicyUrl: type: string + description: Custom privacy policy URL defaultApp: $ref: '#/components/schemas/DefaultApp' emailDomainId: type: string + description: The ID of the email domain locale: $ref: '#/components/schemas/Language' name: type: string + description: The name of the Brand removePoweredByOkta: type: boolean + default: false + description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard + required: + - name BrandWithEmbedded: allOf: - $ref: '#/components/schemas/Brand' @@ -24098,8 +50518,18 @@ components: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string + description: The key name for the app definition + enum: + - template_swa + - template_swa3field + x-enumDescriptions: + template_swa: The key name for a SWA app instance that requires a browser plugin + template_swa3field: The key name for a SWA app instance that requires a browser plugin and supports three CSS selectors settings: $ref: '#/components/schemas/SwaApplicationSettings' + required: + - name + - settings BulkDeleteRequestBody: type: object properties: 
@@ -24121,7 +50551,61 @@ components: profiles: type: array items: - $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert' + type: object + properties: + externalId: + type: string + description: The external ID of the entity that needs to be created or updated in Okta + maxLength: 512 + profile: + $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert' + BundleEntitlement: + type: object + properties: + description: + type: string + id: + type: string + name: + type: string + role: + type: string + _links: + allOf: + - properties: + values: + $ref: '#/components/schemas/HrefObject' + BundleEntitlementsResponse: + type: object + properties: + entitlements: + type: array + items: + $ref: '#/components/schemas/BundleEntitlement' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the next resource + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + bundle: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the bundle resource + ByDateTimeExpiry: + allOf: + - $ref: '#/components/schemas/DateTime' + ByDurationExpiry: + allOf: + - $ref: '#/components/schemas/TimeDuration' + description: |- + A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). + Must be between 1 and 180 days inclusive. CAPTCHAInstance: title: CAPTCHAInstance description: '' 
@@ -24151,32 +50635,207 @@ components: enum: - HCAPTCHA - RECAPTCHA_V2 - CallUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/CallUserFactorProfile' - CallUserFactorProfile: + CSRLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of a CSR object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + properties: + publish: + $ref: '#/components/schemas/HrefCsrPublishLink' + self: + $ref: '#/components/schemas/HrefCsrSelfLink' + readOnly: true + CaepDeviceComplianceChangeEvent: + description: The subject's device compliance was revoked type: object properties: - phoneExtension: + current_status: type: string - phoneNumber: + description: Current device compliance status + enum: + - compliant + - not-compliant + example: non-compliant + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + previous_status: + type: string + description: Previous device compliance status + enum: + - compliant + - not-compliant + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. 
+ subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + - current_status + - previous_status + CaepSecurityEvent: + type: object + properties: + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + CaepSessionRevokedEvent: + description: The session of the subject was revoked + type: object + properties: + current_ip: + type: string + description: Current IP of the session + example: 123.4.5.6 + current_user_agent: + type: string + description: Current User Agent of the session + example: CurrentUserAgent + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + last_known_ip: + type: string + description: Last known IP of the session + example: 123.4.5.6 + last_known_user_agent: + type: string + description: Last known User Agent of the session + example: LastUserAgent + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either 
`reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject CapabilitiesCreateObject: description: | - Determines whether Okta assigns a new application account to each user managed by Okta. + Determines whether Okta assigns a new app account to each user managed by Okta. - Okta doesn't create a new account if it detects that the username specified in Okta already exists in the application. + Okta doesn't create a new account if it detects that the username specified in Okta already exists in the app. The user's Okta username is assigned by default. type: object properties: lifecycleCreate: $ref: '#/components/schemas/LifecycleCreateSettingObject' + CapabilitiesImportRulesObject: + description: Defines user import rules + type: object + properties: + userCreateAndMatch: + $ref: '#/components/schemas/CapabilitiesImportRulesUserCreateAndMatchObject' + CapabilitiesImportRulesUserCreateAndMatchObject: + description: Rules for matching and creating users + type: object + properties: + allowPartialMatch: + type: boolean + description: Allows user import upon partial matching. Partial matching occurs when the first and last names of an imported user match those of an existing Okta user, even if the username or email attributes don't match. + autoActivateNewUsers: + type: boolean + description: If set to `true`, imported new users are automatically activated. + autoConfirmExactMatch: + type: boolean + description: If set to `true`, exact-matched users are automatically confirmed on activation. If set to `false`, exact-matched users need to be confirmed manually. 
+ autoConfirmNewUsers: + type: boolean + description: If set to `true`, imported new users are automatically confirmed on activation. This doesn't apply to imported users that already exist in Okta. + autoConfirmPartialMatch: + type: boolean + description: If set to `true`, partially matched users are automatically confirmed on activation. If set to `false`, partially matched users need to be confirmed manually. + exactMatchCriteria: + type: string + description: Determines the attribute to match users + enum: + - EMAIL + - USERNAME + CapabilitiesImportSettingsObject: + description: Defines import settings + type: object + properties: + schedule: + $ref: '#/components/schemas/ImportScheduleObject' + username: + $ref: '#/components/schemas/ImportUsernameObject' + CapabilitiesInboundProvisioningObject: + title: INBOUND_PROVISIONING + description: Defines the configuration for the INBOUND_PROVISIONING feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: object + properties: + importRules: + $ref: '#/components/schemas/CapabilitiesImportRulesObject' + importSettings: + $ref: '#/components/schemas/CapabilitiesImportSettingsObject' + required: + - importSettings + - importRules CapabilitiesObject: - description: Defines the configurations related to an application feature + title: USER_PROVISIONING + description: Defines the configurations for the USER_PROVISIONING feature type: object properties: create: @@ -24184,7 +50843,7 @@ components: update: $ref: '#/components/schemas/CapabilitiesUpdateObject' CapabilitiesUpdateObject: - description: Determines whether updates to a user's profile are pushed to the application + description: Determines whether updates to a user's profile are pushed to the app type: object properties: lifecycleDeactivate: 
@@ -24232,8 +50891,13 @@ components: enum: - ACTIVE - INACTIVE + ChallengeType: + type: string + enum: + - http://auth0.com/oauth/grant-type/mfa-oob + - http://auth0.com/oauth/grant-type/mfa-otp ChangeEnum: - description: Determines whether a change in a user's password also updates the user's password in the application + description: Determines whether a change in a user's password also updates the user's password in the app default: KEEP_EXISTING example: CHANGE type: string @@ -24249,6 +50913,15 @@ components: $ref: '#/components/schemas/PasswordCredential' revokeSessions: type: boolean + description: When set to `true`, revokes all user sessions, except for the current session + default: false + Channel: + description: The out-of-band channel for use with authentication. Required for all `/oob-authenticate` requests and any `/challenge` request with an out-of-band authenticator. + type: string + enum: + - push + - sms + - voice ChannelBinding: type: object properties: 
@@ -24256,26 +50929,212 @@ components: $ref: '#/components/schemas/RequiredEnum' style: type: string + enum: + - NUMBER_CHALLENGE + ChildOrg: + type: object + properties: + admin: + $ref: '#/components/schemas/OrgCreationAdmin' + created: + description: Timestamp when the org was created + type: string + format: date-time + readOnly: true + example: '2022-08-25T00:05:00.000Z' + edition: + description: Edition for the org. `SKU` is the only supported value. + type: string + enum: + - SKU + example: SKU + id: + type: string + description: Org ID + readOnly: true + example: 00o1n8sbwArJ7OQRw406 + lastUpdated: + description: Timestamp when the org was last updated + type: string + format: date-time + readOnly: true + example: '2022-08-25T00:05:00.000Z' + name: + description: |- + Unique name of the org. + This name appears in the HTML `<title>` tag of the new org sign-in page. + Only less than 4-width UTF-8 encoded characters are allowed. + type: string + format: utf-8 + minimum: 1 + maximum: 100 + example: My Child Org 1 + settings: + description: Settings associated with the created org + readOnly: true + type: object + additionalProperties: true + status: + description: Status of the org. `ACTIVE` is returned after the org is created. + type: string + readOnly: true + enum: + - ACTIVE + subdomain: + description: Subdomain of the org. Must be unique and include no spaces. + type: string + minimum: 1 + maximum: 57 + example: my-child-org-1 + token: + description: |- + API token associated with the child org super admin account. + Use this API token to provision resources (such as policies, apps, and groups) on the newly created child org. + This token is revoked if the super admin account is deactivated. + > **Note:** If this API token expires, sign in to the Admin Console as the super admin user and create a new API token. See [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/). 
+ type: string + readOnly: true + tokenType: + description: Type of returned `token`. See [Okta API tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/#okta-api-tokens). + type: string + readOnly: true + example: SSWS + enum: + - SSWS + website: + description: Default website for the org + type: string + example: https://www.okta.com + _links: + description: Specifies available link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + type: object + additionalProperties: true + required: + - admin + - edition + - name + - subdomain ChromeBrowserVersion: description: Current version of the Chrome Browser type: object properties: minimum: type: string - ClientPolicyCondition: + Claim: + type: string + Client: type: object + properties: + application_type: + $ref: '#/components/schemas/ApplicationType' + client_id: + type: string + description: Unique key for the client application. The `client_id` is immutable. When you create a client Application, you can't specify the `client_id` because Okta uses the application ID for the `client_id`. + readOnly: true + client_id_issued_at: + type: integer + readOnly: true + description: Time at which the `client_id` was issued (measured in unix seconds) + client_name: + type: string + description: Human-readable string name of the client application + client_secret: + type: string + readOnly: true + description: OAuth 2.0 client secret string (used for confidential clients). The `client_secret` is shown only on the response of the creation or update of a client Application (and only if the `token_endpoint_auth_method` is one that requires a client secret). You can't specify the `client_secret`. If the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client Application. 
+ nullable: true + client_secret_expires_at: + type: integer + readOnly: true + description: Time at which the `client_secret` expires or 0 if it doesn't expire (measured in unix seconds) + minimum: 0 + nullable: true + frontchannel_logout_session_required: + type: boolean + description: Include user session details + frontchannel_logout_uri: + type: string + description: URL where Okta sends the logout request + nullable: true + grant_types: + type: array + description: 'Array of OAuth 2.0 grant type strings. Default value: `[authorization_code]`' + items: + $ref: '#/components/schemas/GrantType' + initiate_login_uri: + type: string + description: URL that a third party can use to initiate a login by the client + jwks_uri: + type: string + description: URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta + logo_uri: + type: string + description: URL string that references a logo for the client consent dialog (not the sign-in dialog) + nullable: true + policy_uri: + type: string + description: URL string of a web page providing the client's policy document + nullable: true + post_logout_redirect_uris: + type: string + description: Array of redirection URI strings for use for relying party initiated logouts + items: + type: string + redirect_uris: + type: array + description: 'Array of redirection URI strings for use in redirect-based flows. All redirect URIs must be absolute URIs and must not include a fragment component. At least one redirect URI and response type is required for all client types, with the following exceptions: If the client uses the Resource Owner Password flow (if `grant_type` contains the value password) or the Client Credentials flow (if `grant_type` contains the value `client_credentials`), then no redirect URI or response type is necessary. In these cases, you can pass either null or an empty array for these attributes.' 
+ items: + type: string + request_object_signing_alg: + type: array + description: The type of [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) algorithm that must be used for signing request objects + items: + $ref: '#/components/schemas/SigningAlgorithm' + response_types: + type: array + description: 'Array of OAuth 2.0 response type strings. Default value: `[code]`' + items: + $ref: '#/components/schemas/ResponseType' + token_endpoint_auth_method: + $ref: '#/components/schemas/EndpointAuthMethod' + tos_uri: + type: string + description: URL string of a web page providing the client's terms of service document + nullable: true + ClientPolicyCondition: description: Specifies which clients are included in the Policy + type: object properties: include: type: array description: Which clients are included in the Policy items: type: string + ClientPrivilegesSetting: + description: The org setting that assigns the super admin role by default to a public client app + type: object + properties: + clientPrivilegesSetting: + type: boolean + description: If true, assigns the super admin role by default to new public client apps + example: true + CodeChallengeMethod: + type: string + enum: + - S256 Compliance: type: object properties: fips: $ref: '#/components/schemas/FipsEnum' + Conditions: + type: object + properties: + expression: + $ref: '#/components/schemas/Expression' + profileSourceId: + type: string ContentSecurityPolicySetting: type: object properties: @@ -24303,8 +51162,25 @@ components: properties: name: type: string + description: The name of the Brand required: - name + CreateGroupRuleRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/GroupRuleAction' + conditions: + $ref: '#/components/schemas/GroupRuleConditions' + name: + type: string + description: Name of the Group rule + minLength: 1 + maxLength: 50 + type: + type: string + enum: + - group_rule CreateIamRoleRequest: type: object properties: 
@@ -24316,13 +51192,29 @@ components: description: Unique label for the role permissions: type: array - description: Array of permissions that the role will grant. See [Permission Types](https://developer.okta.com/docs/concepts/role-assignment/#permission-types). + description: Array of permissions that the Role grants. See [Permissions](/openapi/okta-management/guides/roles/#permissions). items: $ref: '#/components/schemas/RolePermissionType' required: - label - description - permissions + CreateRealmAssignmentRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + name: + type: string + priority: + type: integer + CreateRealmRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/RealmProfile' CreateResourceSetRequest: type: object properties: @@ -24331,11 +51223,17 @@ components: description: Description of the Resource Set label: type: string - description: Unique label for the Resource Set + description: Unique name for the Resource Set resources: type: array + description: The endpoint (URL) that references all resource objects included in the Resource Set. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn). + maximum: 1000 items: type: string + required: + - description + - label + - resources CreateSessionRequest: type: object properties: @@ -24347,8 +51245,6 @@ components: type: object properties: uiSchema: - type: object - description: Updated schema property expressions (Okta object or App Instance object) $ref: '#/components/schemas/UISchemaObject' CreateUpdateIamRolePermissionRequest: type: object 
@@ -24368,31 +51264,91 @@ components: $ref: '#/components/schemas/UserProfile' realmId: type: string - description: The ID of the realm in which the user is residing + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the realm in which the user is residing example: guo1bfiNtSnZYILxO0g4 x-okta-lifecycle: - features: - - UD_REALMS + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] type: - $ref: '#/components/schemas/UserType' + type: object + description: |- + The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). + The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can + only be assigned a different user type by an administrator through a full replacement (`PUT`) operation. + properties: + id: + type: string + description: The ID of the user type required: - profile - Csr: + Created: + format: date-time + description: Timestamp when the object was created + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + CredentialSyncInfo: type: object properties: - created: + errorCode: + type: string + description: The error code for the type of error + readOnly: true + errorReason: type: string + description: A short description of the error + readOnly: true + secretVersionId: + type: string + description: The version ID of the password secret from the OPA vault. 
+ minLength: 1 + maxLength: 36 + example: 9f8400-e29b-41d4-a716-926655440034 + syncState: + $ref: '#/components/schemas/CredentialSyncState' + example: NOT_SYNCED + syncTime: + type: string + description: Timestamp when the credential was changed format: date-time readOnly: true + example: '2024-06-10T11:30:01.000Z' + CredentialSyncState: + description: Current credential sync status of the privileged resource + type: string + enum: + - NOT_SYNCED + - SYNCED + - SYNCING + - SYNC_FAILED + x-enumDescriptions: + NOT_SYNCED: Credentials are not yet synced + SYNCING: Credentials are currently being synced + SYNCED: Credentials are successfully synced + SYNC_FAILED: Credential sync failed + readOnly: true + Csr: + type: object + properties: + created: + $ref: '#/components/schemas/createdProperty' csr: type: string readOnly: true + example: 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 id: type: string readOnly: true + example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 kty: type: string readOnly: true + example: RSA + _links: + $ref: '#/components/schemas/CSRLinks' + readOnly: true + nullable: false CsrMetadata: type: object properties: 
@@ -24405,42 +51361,128 @@ components: properties: commonName: type: string + description: Common name of the subject + example: SP Issuer countryName: type: string + description: Country name or code + example: US localityName: type: string + description: Locality (city) name + example: San Francisco organizationalUnitName: type: string + description: Name of the smaller organization, for example, the department or the division + example: Dev organizationName: type: string + description: Large organization name + example: Okta, Inc. stateOrProvinceName: type: string + description: State or province name + example: California CsrMetadataSubjectAltNames: type: object properties: dnsNames: type: array + description: DNS names of the subject items: type: string - CustomHotpUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - factorProfileId: - type: string - profile: - $ref: '#/components/schemas/CustomHotpUserFactorProfile' - CustomHotpUserFactorProfile: + example: dev.okta.com + CsrPublishHrefHints: + description: Describes allowed HTTP verbs for the `href` type: object properties: - sharedSecret: + allow: + type: array + items: + type: string + enum: + - POST + CsrSelfHrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + type: string + enum: + - GET + - DELETE + CustomAppUserVerificationEnum: + description: User verification setting + type: string + enum: + - PREFERRED + - REQUIRED + CustomRole: + title: Custom Role Assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Binding Object ID + readOnly: true + label: + type: string + description: Label for the custom role assignment + readOnly: true + lastUpdated: + type: string + description: 
Timestamp when the object was last updated + format: date-time + readOnly: true + resource-set: type: string + description: Resource Set ID + readOnly: true + role: + type: string + description: Custom Role ID + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the Custom Role Assignment + type: + type: string + description: CUSTOM for a custom role + enum: + - CUSTOM + _links: + $ref: '#/components/schemas/LinksCustomRoleResponse' + CustomRoleAssignmentSchema: + title: Custom Role + type: object + properties: + resource-set: + type: string + description: Resource Set ID + role: + type: string + description: Custom Role ID + type: + type: string + description: The type of role. Specify `CUSTOM` for a custom role. + enum: + - CUSTOM CustomizablePage: type: object properties: pageContent: type: string + description: The HTML for the page DNSRecord: description: DNS TXT and CNAME records to be registered for the Domain type: object @@ -24467,6 +51509,17 @@ components: enum: - CNAME - TXT + DRStatusItem: + description: Provides the status whether a domain has been failed over or not + type: object + properties: + domain: + type: string + description: domain + isFailedOver: + type: boolean + description: Indicates if the domain has been failed over + nullable: false DTCChromeOS: description: Google Chrome Device Trust Connector provider type: object 
@@ -24485,16 +51538,19 @@ components: deviceEnrollmentDomain: description: Enrollment domain of the customer that is currently managing the device type: string - diskEnrypted: + diskEncrypted: description: Indicates whether the main disk is encrypted type: boolean keyTrustLevel: $ref: '#/components/schemas/KeyTrustLevelOSMode' + managedDevice: + description: Indicates whether the device is enrolled in ChromeOS device management + type: boolean osFirewall: description: Indicates whether a firewall is enabled at the OS-level on the device type: boolean osVersion: - $ref: '#/components/schemas/OSVersion' + $ref: '#/components/schemas/OSVersionFourComponents' passwordProtectionWarningTrigger: $ref: '#/components/schemas/PasswordProtectionWarningTrigger' realtimeUrlCheckMode: @@ -24523,7 +51579,7 @@ components: deviceEnrollmentDomain: description: Enrollment domain of the customer that is currently managing the device type: string - diskEnrypted: + diskEncrypted: description: Indicates whether the main disk is encrypted type: boolean keyTrustLevel: @@ -24532,7 +51588,7 @@ components: description: Indicates whether a firewall is enabled at the OS-level on the device type: boolean osVersion: - $ref: '#/components/schemas/OSVersion' + $ref: '#/components/schemas/OSVersionThreeComponents' passwordProtectionWarningTrigger: $ref: '#/components/schemas/PasswordProtectionWarningTrigger' realtimeUrlCheckMode: @@ -24567,7 +51623,7 @@ components: deviceEnrollmentDomain: description: Enrollment domain of the customer that is currently managing the device type: string - diskEnrypted: + diskEncrypted: description: Indicates whether the main disk is encrypted type: boolean keyTrustLevel: 
@@ -24576,7 +51632,7 @@ components: description: Indicates whether a firewall is enabled at the OS-level on the device type: boolean osVersion: - $ref: '#/components/schemas/OSVersion' + $ref: '#/components/schemas/OSVersionFourComponents' passwordProtectionWarningTrigger: $ref: '#/components/schemas/PasswordProtectionWarningTrigger' realtimeUrlCheckMode: 
@@ -24602,15 +51658,90 @@ components: windowsUserDomain: description: Windows domain for the current OS user type: string + DateTime: + description: An [ISO-8601](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations) formatted date and time. + format: date-time + example: '2024-12-01T00:00:00Z' + type: string DefaultApp: type: object properties: appInstanceId: type: string + description: ID for the App instance appLinkName: type: string + description: Name for the app instance classicApplicationUri: type: string + description: Application URI for classic Orgs + DesktopMFAEnforceNumberMatchingChallengeOrgSetting: + type: object + properties: + desktopMFAEnforceNumberMatchingChallengeEnabled: + type: boolean + description: Indicates whether or not the Desktop MFA Enforce Number Matching Challenge push notifications feature is enabled + default: false + DesktopMFARecoveryPinOrgSetting: + type: object + properties: + desktopMFARecoveryPinEnabled: + type: boolean + description: Indicates whether or not the Desktop MFA Recovery PIN feature is enabled + default: false + DetailedHookKeyInstance: + title: DetailedHookKeyInstance + description: A key object with public key details + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the key was created + readOnly: true + nullable: true + id: + type: string + description: The unique Okta ID of this key record + readOnly: true + nullable: false + isUsed: + type: string + format: boolean + description: Whether this key is currently in use by other applications + nullable: false + readOnly: true + keyId: + type: string + description: The alias of the public key + nullable: false + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the key was updated + readOnly: true + nullable: true + name: + type: string + description: Display name of the key + readOnly: false + nullable: false + minLength: 1 + maxLength: 
255 + _embedded: + $ref: '#/components/schemas/_embedded' + DetectedRiskEvents: + type: string + enum: + - ADMIN_REPORTED_USER_RISK + - BRUTE_FORCE_ATTACK + - ENTITY_CRITICAL_ACTION_FROM_HIGH_THREAT_IP + - OKTA_THREAT_INTELLIGENCE + - SECURITY_EVENTS_PROVIDER_REPORTED_RISK + - SESSION_INFLUENCED_USER_RISK + - SUSPICIOUS_APP_ACCESS + - USER_REPORTED_SUSPICIOUS_ACTIVITY Device: type: object properties: @@ -24648,23 +51779,19 @@ components: _links: $ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle' DeviceAccessPolicyRuleCondition: - allOf: - - $ref: '#/components/schemas/DevicePolicyRuleCondition' - - type: object - properties: - managed: - type: boolean - registered: - type: boolean - assurance: - $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance' - DevicePolicyRuleConditionAssurance: + description: <x-lifecycle class="oie"></x-lifecycle> Specifies the device condition to match on type: object properties: - include: - type: array - items: - type: string + assurance: + $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance' + managed: + type: boolean + description: Indicates if the device is managed. A device is considered managed if it's part of a device management system. + registered: + type: boolean + description: | + Indicates if the device is registered. A device is registered if the User enrolls with Okta Verify that's installed on the device. + When the `managed` property is passed, you must also include the `registered` property and set it to `true`. DeviceAssurance: title: DeviceAssurance type: object @@ -24678,15 +51805,15 @@ components: id: type: string readOnly: true - lastUpdatedBy: + lastUpdate: type: string readOnly: true - lastUpdatedDate: + lastUpdatedBy: type: string readOnly: true name: type: string - description: Display name of the Device Assurance Policy + description: Display name of the device assurance policy platform: $ref: '#/components/schemas/Platform' _links: 
@@ -24710,7 +51837,7 @@ components: include: type: array items: - $ref: '#/components/schemas/DiskEncryptionType' + $ref: '#/components/schemas/DiskEncryptionTypeAndroid' jailbreak: type: boolean osVersion: @@ -24726,8 +51853,9 @@ components: type: boolean DeviceAssuranceChromeOSPlatform: x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] allOf: - $ref: '#/components/schemas/DeviceAssurance' - type: object @@ -24743,13 +51871,6 @@ components: - $ref: '#/components/schemas/DeviceAssurance' - type: object properties: - diskEncryptionType: - type: object - properties: - include: - type: array - items: - $ref: '#/components/schemas/DiskEncryptionType' jailbreak: type: boolean osVersion: @@ -24761,8 +51882,6 @@ components: type: array items: $ref: '#/components/schemas/ScreenLockType' - secureHardwarePresent: - type: boolean DeviceAssuranceMacOSPlatform: allOf: - $ref: '#/components/schemas/DeviceAssurance' @@ -24774,9 +51893,7 @@ components: include: type: array items: - $ref: '#/components/schemas/DiskEncryptionType' - jailbreak: - type: boolean + $ref: '#/components/schemas/DiskEncryptionTypeDesktop' osVersion: $ref: '#/components/schemas/OSVersion' screenLockType: @@ -24790,8 +51907,9 @@ components: type: boolean thirdPartySignalProviders: x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] type: object description: Settings for third-party signal providers (based on the `MACOS` platform) properties: 
@@ -24808,11 +51926,27 @@ components: include: type: array items: - $ref: '#/components/schemas/DiskEncryptionType' - jailbreak: - type: boolean + $ref: '#/components/schemas/DiskEncryptionTypeDesktop' osVersion: - $ref: '#/components/schemas/OSVersion' + $ref: '#/components/schemas/OSVersionFourComponents' + osVersionConstraints: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + type: array + description: | + <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition. + + There are two types of OS requirements: + * **Static**: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with `majorVersionConstraint` and `minimum`. + * **Dynamic**: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with `majorVersionConstraint` and `dynamicVersionRequirement`. + + > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. The `osVersionConstraints` property is only supported for the Windows platform. You can't specify both `osVersion.minimum` and `osVersionConstraints` properties at the same time. + items: + $ref: '#/components/schemas/OSVersionConstraint' + minItems: 1 + maxItems: 2 screenLockType: type: object properties: 
@@ -24824,13 +51958,68 @@ components: type: boolean thirdPartySignalProviders: x-okta-lifecycle: - features: - - GOOGLE_DEVICE_CONTEXT_CONNECTOR + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] type: object description: Settings for third-party signal providers (based on the `WINDOWS` platform) properties: dtc: $ref: '#/components/schemas/DTCWindows' + DeviceCheck: + title: DeviceCheck + type: object + properties: + createdBy: + type: string + readOnly: true + description: User who created the Device Check + example: 00u217pyf72CdUrBt1c5 + createdDate: + type: string + readOnly: true + description: Time the Device Check was created + example: '2019-10-02T18:03:07.000Z' + description: + type: string + description: Description of the Device Check + example: Query macOS devices to check if firewall is enabled + id: + type: string + readOnly: true + description: The ID of the Device Check + example: dch3m8o4rWhwReDeM1c5 + lastUpdate: + type: string + readOnly: true + description: Time the Device Check was updated + example: '2019-10-02T18:03:07.000Z' + lastUpdatedBy: + type: string + readOnly: true + description: User who updated the Device Check + example: 00u217pyf72CdUrBt1c5 + name: + type: string + description: Display name of the Device Check + example: Device Check macOS + platform: + $ref: '#/components/schemas/DeviceChecksPlatform' + query: + type: string + description: OSQuery for the Device Check + example: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; + variableName: + type: string + description: Unique name of the Device Check + example: macOSFirewall + _links: + $ref: '#/components/schemas/LinksSelf' + DeviceChecksPlatform: + type: string + enum: + - MACOS + - WINDOWS DeviceDisplayName: description: Display name of the device type: object 
@@ -24839,6 +52028,31 @@ components: type: boolean value: type: string + DeviceIntegrity: + description: Indicates how well a device can enforce app integrity + type: string + enum: + - MEETS_BASIC_INTEGRITY + - MEETS_DEVICE_INTEGRITY + - MEETS_STRONG_INTEGRITY + x-enumDescriptions: + MEETS_BASIC_INTEGRITY: The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. + MEETS_DEVICE_INTEGRITY: The app is running on an Android-powered device with Google Play services. The device passes system integrity checks and meets Android compatibility requirements. + MEETS_STRONG_INTEGRITY: The app is running on an Android-powered device with Google Play services. It has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements. + DeviceList: + allOf: + - $ref: '#/components/schemas/Device' + - properties: + _embedded: + type: object + description: List of associated users for the device if the `expand=user` query parameter is specified in the request. Use `expand=userSummary` to get only a summary of each associated user for the device. + properties: + users: + description: Users for the device + type: array + items: + $ref: '#/components/schemas/DeviceUser' + readOnly: true DevicePlatform: description: OS platform of the device type: string @@ -24871,6 +52085,13 @@ components: type: boolean trustLevel: $ref: '#/components/schemas/DevicePolicyTrustLevel' + DevicePolicyRuleConditionAssurance: + type: object + properties: + include: + type: array + items: + type: string DevicePolicyRuleConditionPlatform: type: object properties: 
@@ -24939,7 +52160,7 @@ components: maxLength: 256 tpmPublicKeyHash: type: string - description: Windows Trsted Platform Module hash value + description: Windows Trusted Platform Module hash value udid: type: string description: macOS Unique Device identifier of the device @@ -24986,14 +52207,14 @@ components: user: $ref: '#/components/schemas/User' DigestAlgorithm: + description: Algorithm used to generate the key. Only required for the PBKDF2 algorithm. type: string enum: - SHA256_HMAC - SHA512_HMAC - DiskEncryptionType: + DiskEncryptionTypeAndroid: type: string enum: - - ALL_INTERNAL_VOLUMES - FULL - USER DiskEncryptionTypeDef: @@ -25013,6 +52234,10 @@ components: USER: Encryption key is tied to the user or profile. Only applicable to `ANDROID` platform. ALL_INTERNAL_VOLUMES: All internal disks are encrypted. Only applicable to `WINDOWS` and `MACOS` platforms. SYSTEM_VOLUME: Only the system volume is encrypted. Only applicable to `WINDOWS` and `MACOS` platforms. + DiskEncryptionTypeDesktop: + type: string + enum: + - ALL_INTERNAL_VOLUMES DomainCertificate: description: Defines the properties of the certificate type: object 
@@ -25141,19 +52366,96 @@ components: Duration: type: object properties: - number: - type: integer - unit: + number: + type: integer + unit: + type: string + DynamicNetworkZone: + allOf: + - $ref: '#/components/schemas/NetworkZone' + - title: Dynamic Network Zone + - type: object + properties: + asns: + allOf: + - $ref: '#/components/schemas/NetworkZoneAsns' + - description: An array of ASNs for a Network Zone + proxyType: + type: string + description: The proxy type used for a Dynamic Network Zone + enum: + - 'null' + - Any + - Tor + - NotTorAnonymizer + x-enumDescriptions: + 'null': (Or `""`) No proxy used + Any: Use any proxy type for the Dynamic Zone. + Tor: Use Tor Anonymizer proxy for the Dynamic Zone. + NotTorAnonymizer: Use a non Tor Anonymizer proxy for the Dynamic Zone. + locations: + allOf: + - $ref: '#/components/schemas/NetworkZoneLocationArray' + - description: An array of geolocations for a Dynamic Network Zone + ECKeyJWK: + description: Elliptic Curve Key in JWK format, currently used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS objects in fulfillment responses. The currently agreed protocol uses P-384. + type: object + properties: + crv: + type: string + enum: + - P-384 + kid: + type: string + description: The unique identifier of the key + kty: + type: string + enum: + - EC + description: The type of public key + use: + type: string + description: The intended use for the key. The ECKeyJWK is always `enc` because Okta uses it to encrypt requests to Yubico. + enum: + - enc + x: type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + required: + - x + - 'y' + - kty + - crv + - use + - kid EmailContent: type: object properties: body: type: string - description: The email's HTML body. 
May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + description: | + The HTML body of the email. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + <x-lifecycle class="ea"></x-lifecycle> Not required if Custom languages for Okta Email Templates is enabled. A `null` body is replaced with a default value from one of the following in priority order: + + 1. An existing default email customization, if one exists + 2. Okta-provided translated content for the specified language, if one exists + 3. Okta-provided translated content for the brand locale, if it's set + 4. Okta-provided content in English subject: type: string - description: The email's subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + description: | + The email subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + <x-lifecycle class="ea"></x-lifecycle> Not required if Custom languages for Okta Email Templates is enabled. A `null` subject is replaced with a default value from one of the following in priority order: + + 1. An existing default email customization, if one exists + 2. Okta-provided translated content for the specified language, if one exists + 3. Okta-provided translated content for the brand locale, if it's set + 4. Okta-provided content in English required: - subject - body @@ -25220,6 +52522,10 @@ components: type: string domain: type: string + validationSubdomain: + type: string + description: Subdomain for the email sender's custom mail domain. Specify your subdomain when you configure a custom mail domain. + default: mail required: - domain - brandId 
@@ -25252,6 +52558,10 @@ components: type: string validationStatus: $ref: '#/components/schemas/EmailDomainStatus' + validationSubdomain: + type: string + description: The subdomain for the email sender's custom mail domain + default: mail EmailDomainResponseWithEmbedded: allOf: - $ref: '#/components/schemas/EmailDomainResponse' @@ -25318,13 +52628,14 @@ components: - properties: password: type: string - description: The password to use with your SMTP server + description: Password used to access your SMTP server EmailServerResponse: allOf: - $ref: '#/components/schemas/BaseEmailServer' - properties: id: type: string + description: ID of your SMTP server EmailSettings: type: object properties: @@ -25336,7 +52647,24 @@ components: - NO_USERS required: - recipients - EmailTemplate: + EmailSettingsResponse: + type: object + properties: + recipients: + type: string + enum: + - ALL_USERS + - ADMINS_ONLY + - NO_USERS + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + self: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + EmailTemplateResponse: type: object properties: name: @@ -25347,7 +52675,7 @@ components: type: object properties: settings: - $ref: '#/components/schemas/EmailSettings' + $ref: '#/components/schemas/EmailSettingsResponse' customizationCount: type: integer readOnly: true 
@@ -25364,34 +52692,30 @@ components: test: $ref: '#/components/schemas/HrefObject' EmailTemplateTouchPointVariant: + description: | + Variant for email templates. You can publish a theme for email templates with different combinations of assets. Variants are preset combinations of those assets. + default: OKTA_DEFAULT type: string enum: - FULL_THEME - OKTA_DEFAULT + x-enumDescriptions: + FULL_THEME: Uses the Okta logo and Okta colors in email templates + OKTA_DEFAULT: Uses the logo from the Theme. Uses `primaryColorHex` as the background color for buttons. EmailTestAddresses: type: object properties: from: type: string - description: An email address to send the test email from + description: Email address that sends test emails + example: sender@host.com to: type: string - description: An email address to send the test email to + description: Email address that receives test emails + example: receiver@host.com required: - from - to - EmailUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/EmailUserFactorProfile' - EmailUserFactorProfile: - type: object - properties: - email: - type: string EnabledStatus: description: Setting status type: string 
@@ -25399,12 +52723,298 @@ components: - DISABLED - ENABLED EndUserDashboardTouchPointVariant: + description: | + Variant for the Okta End-User Dashboard. You can publish a theme for end-user dashboard with different combinations of assets. Variants are preset combinations of those assets. + default: OKTA_DEFAULT type: string enum: - FULL_THEME - LOGO_ON_FULL_WHITE_BACKGROUND - OKTA_DEFAULT - WHITE_LOGO_BACKGROUND + x-enumDescriptions: + FULL_THEME: Uses the logo and favicon from the Theme. Uses `primaryColorHex` for the logo and the side navigation bar background color. + LOGO_ON_FULL_WHITE_BACKGROUND: Uses the logo and favicon from the Theme. Uses white background color for the logo and the side navigation bar background color. + OKTA_DEFAULT: Uses the Okta logo and favicon. Uses a white background color for the logo and the side navigation bar background color. + WHITE_LOGO_BACKGROUND: Uses the logo and favicon from the Theme, with a white background color for the logo. Uses `primaryColorHex` for the side navigation bar background color. + EndpointAuthMethod: + description: Requested authentication method for OAuth 2.0 endpoints. 
+ type: string + enum: + - client_secret_basic + - client_secret_jwt + - client_secret_post + - none + - private_key_jwt + EnhancedDynamicNetworkZone: + allOf: + - $ref: '#/components/schemas/NetworkZone' + - title: Enhanced Dynamic Network Zone + - type: object + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + properties: + asns: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: The list of ASNs associated with an Enhanced Dynamic Network Zone + properties: + include: + allOf: + - $ref: '#/components/schemas/NetworkZoneAsns' + - description: An array of ASNs to include for an Enhanced Dynamic Network Zone + locations: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: The list of geolocations to include or exclude for an Enhanced Dynamic Network Zone + properties: + include: + allOf: + - $ref: '#/components/schemas/NetworkZoneLocationArray' + - description: An array of geolocations to include for an Enhanced Dynamic Network Zone + exclude: + allOf: + - $ref: '#/components/schemas/NetworkZoneLocationArray' + - description: An array of geolocations to exclude for an Enhanced Dynamic Network Zone + ipServiceCategories: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: IP services, such as a proxy or VPN, to include or exclude for an Enhanced Dynamic Network Zone + properties: + include: + type: array + description: IP services to include for an Enhanced Dynamic Network Zone + items: + $ref: '#/components/schemas/IPServiceCategory' + maximum: 75 + exclude: + type: array + description: IP services to exclude for an Enhanced Dynamic Network Zone + items: + $ref: '#/components/schemas/IPServiceCategory' + maximum: 75 + EnrollmentActivationRequest: + description: Enrollment Initialization Request + type: object + properties: + credResponses: + description: List of credential 
responses from the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredResponse' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + pinResponseJwe: + description: Encrypted JWE of PIN response from the fulfillment provider + type: string + serial: + description: Serial number of the YubiKey + type: string + userId: + description: ID of an existing Okta user + type: string + version: + description: Firmware version of the YubiKey + type: string + yubicoSigningJwks: + description: List of usable signing keys from Yubico (in JWKS format) used to verify the JWS inside the JWE + type: array + items: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentActivationResponse: + description: Enrollment Initialization Response + type: object + properties: + authenticatorEnrollmentIds: + description: List of IDs for preregistered WebAuthn Factors in Okta + type: array + items: + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + EnrollmentInitializationRequest: + description: Enrollment Initialization Request + type: object + properties: + enrollmentRpIds: + description: List of Relying Party hostnames to register on the YubiKey. + type: array + items: + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + yubicoTransportKeyJWK: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentInitializationResponse: + description: Yubico Transport Key in the form of a JWK, used to encrypt our fulfillment request to Yubico. The currently agreed protocol uses P-384. 
+ type: object + properties: + credRequests: + description: List of credential requests for the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredRequest' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + pinRequestJwe: + description: Encrypted JWE of PIN request for the fulfillment provider + type: string + userId: + description: ID of an existing Okta user + type: string + EntitlementValue: + type: object + properties: + id: + type: string + name: + type: string + value: + type: string + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + group: + $ref: '#/components/schemas/HrefObjectGroupLink' + app: + $ref: '#/components/schemas/HrefObjectAppLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + EntitlementValuesResponse: + type: object + properties: + entitlementValues: + type: array + items: + $ref: '#/components/schemas/EntitlementValue' + _links: + anyOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + - properties: + bundle: + $ref: '#/components/schemas/HrefObject' + entitlements: + $ref: '#/components/schemas/HrefObject' + EntityRiskPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported for this policy type. 
+ default: null + nullable: true + EntityRiskPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + type: object + description: The action to take based on the risk event + properties: + entityRisk: + type: object + description: The object that contains the `actions` array + properties: + actions: + type: array + description: The `entityRisk` object's `actions` array can be empty or contain one of two `action` object value pairs. This object determines the specific response to a risk event. + items: + $ref: '#/components/schemas/EntityRiskPolicyRuleActionsObject' + conditions: + $ref: '#/components/schemas/EntityRiskPolicyRuleConditions' + EntityRiskPolicyRuleActionRunWorkflow: + type: object + properties: + action: + type: string + enum: + - RUN_WORKFLOW + workflow: + type: object + description: This action runs a workflow + properties: + id: + type: integer + description: The `id` of the workflow that runs. + EntityRiskPolicyRuleActionTerminateAllSessions: + type: object + properties: + action: + type: string + description: This action revokes or terminates all of the user's active sessions. 
+ enum: + - TERMINATE_ALL_SESSIONS + EntityRiskPolicyRuleActionsObject: + type: object + properties: + action: + type: string + enum: + - RUN_WORKFLOW + - TERMINATE_ALL_SESSIONS + discriminator: + propertyName: action + mapping: + RUN_WORKFLOW: '#/components/schemas/EntityRiskPolicyRuleActionRunWorkflow' + TERMINATE_ALL_SESSIONS: '#/components/schemas/EntityRiskPolicyRuleActionTerminateAllSessions' + EntityRiskPolicyRuleConditions: + allOf: + - type: object + properties: + entityRisk: + $ref: '#/components/schemas/EntityRiskScorePolicyRuleCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + riskDetectionTypes: + $ref: '#/components/schemas/RiskDetectionTypesPolicyRuleCondition' + EntityRiskScorePolicyRuleCondition: + description: <x-lifecycle class="oie"></x-lifecycle> The risk score level of the entity risk policy rule + type: object + properties: + level: + type: string + enum: + - ANY + - LOW + - MEDIUM + - HIGH + required: + - level Error: title: Error type: object @@ -25412,10 +53022,7 @@ components: errorCauses: type: array items: - type: object - properties: - errorSummary: - type: string + $ref: '#/components/schemas/ErrorCause' errorCode: type: string description: An Okta code for this type of error @@ -25428,6 +53035,11 @@ components: errorSummary: type: string description: A short description of what caused this error. Sometimes this contains dynamically-generated information about your specific error. + ErrorCause: + type: object + properties: + errorSummary: + type: string ErrorPage: allOf: - $ref: '#/components/schemas/CustomizablePage' 
@@ -25436,39 +53048,95 @@ components: contentSecurityPolicySetting: $ref: '#/components/schemas/ContentSecurityPolicySetting' ErrorPageTouchPointVariant: + description: | + Variant for the error page. You can publish a theme for error page with different combinations of assets. Variants are preset combinations of those assets. + default: OKTA_DEFAULT type: string enum: - BACKGROUND_IMAGE - BACKGROUND_SECONDARY_COLOR - OKTA_DEFAULT + x-enumDescriptions: + BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme + BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the error page. + OKTA_DEFAULT: Uses the Okta logo, favicon, and background color + ErrorResponse: + type: object + properties: + errorCause: + type: string + description: The reason or cause for the error in the org domain for the dr operation + nullable: true + errorCode: + type: string + description: An error code unique to the error + errorId: + type: string + description: The unique identifier of this error + nullable: true + errorLink: + type: string + description: An indicator where to look out to troubleshoot the error + nullable: true + errorSummary: + type: string + description: An error code description, detailing the error + required: + - errorCode + - errorSummary EventHook: type: object properties: channel: $ref: '#/components/schemas/EventHookChannel' created: + description: Timestamp of the event hook creation type: string format: date-time readOnly: true createdBy: + description: The ID of the user who created the event hook + type: string + readOnly: true + description: + description: Description of the event hook type: string + nullable: true events: $ref: '#/components/schemas/EventSubscriptions' id: type: string + description: Unique key for the event hook readOnly: true lastUpdated: + description: Date of the last event hook update type: string format: date-time readOnly: true name: + 
description: Display name for the event hook type: string status: - $ref: '#/components/schemas/LifecycleStatus' + description: Status of the event hook + type: string + enum: + - ACTIVE + - INACTIVE + readOnly: true verificationStatus: $ref: '#/components/schemas/EventHookVerificationStatus' _links: - $ref: '#/components/schemas/LinksSelf' + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + deactivate: + $ref: '#/components/schemas/HrefObject' + verify: + $ref: '#/components/schemas/HrefObject' + required: + - name + - events + - channel EventHookChannel: type: object properties: 
@@ -25477,63 +53145,157 @@ components: type: $ref: '#/components/schemas/EventHookChannelType' version: + description: Version of the channel. Currently the only supported version is `1.0.0``. type: string + required: + - type + - config + - version EventHookChannelConfig: type: object properties: authScheme: $ref: '#/components/schemas/EventHookChannelConfigAuthScheme' headers: + description: |- + Optional list of key/value pairs for headers that can be sent with the request to the external service. For example, + `X-Other-Header` is an example of an optional header, with a value of `my-header-value`, that you want Okta to pass to your + external service. type: array items: $ref: '#/components/schemas/EventHookChannelConfigHeader' + method: + description: The method of the Okta event hook request + type: string + readOnly: true uri: + description: The external service endpoint called to execute the event hook handler type: string + required: + - uri EventHookChannelConfigAuthScheme: + description: |- + The authentication scheme used for this request. + + To use Basic Auth for authentication, set `type` to `HEADER`, + `key` to `Authorization`, and `value` to the Base64-encoded string of "username:password". Ensure that you include + the scheme (including space) as part of the `value` parameter. For example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`. type: object properties: key: + description: The name for the authorization header type: string type: $ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType' value: + description: |- + The header value. This secret key is passed to your external service endpoint for security verification. + This property is not returned in the response. type: string + writeOnly: true EventHookChannelConfigAuthSchemeType: + description: The authentication scheme type. Currently only supports `HEADER`. 
type: string enum: - HEADER EventHookChannelConfigHeader: + nullable: true type: object properties: key: + description: The optional field or header name type: string value: + description: The value for the key type: string EventHookChannelType: + description: The channel type. Currently supports `HTTP`. type: string enum: - HTTP + EventHookFilterMap: + description: The object that maps the filter to the event type + items: + $ref: '#/components/schemas/EventHookFilterMapObject' + type: array + EventHookFilterMapObject: + type: object + properties: + condition: + $ref: '#/components/schemas/EventHookFilterMapObjectCondition' + event: + type: string + description: The filtered event type + EventHookFilterMapObjectCondition: + type: object + properties: + expression: + type: string + description: The Okta Expression language statement that filters the event type + version: + type: string + nullable: true + description: Internal field + readOnly: true + EventHookFilters: + nullable: true + description: |- + The optional filter defined on a specific event type + + > **Note:** Event hook filters is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) to enable. + If you want to disable this feature, it's recommended to first remove all event filters. + type: object + properties: + eventFilterMap: + $ref: '#/components/schemas/EventHookFilterMap' + type: + type: string + description: The type of filter. Currently only supports `EXPRESSION_LANGUAGE` + readOnly: true + EventHookSubscribedEventTypes: + description: |- + The subscribed event types that trigger the event hook. When you register an event hook + you need to specify which events you want to subscribe to. To see the list of event types + currently eligible for use in event hooks, use the [Event Types catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog) + and search with the parameter `event-hook-eligible`. 
+ items: + type: string + type: array EventHookVerificationStatus: + description: Verification status of the event hook. `UNVERIFIED` event hooks won't receive any events. type: string enum: - UNVERIFIED - VERIFIED + readOnly: true EventSubscriptionType: + description: The events object type. Currently supports `EVENT_TYPE`. type: string enum: - EVENT_TYPE - - FLOW_EVENT EventSubscriptions: type: object properties: + filter: + $ref: '#/components/schemas/EventHookFilters' items: - type: array - items: - type: string + $ref: '#/components/schemas/EventHookSubscribedEventTypes' type: $ref: '#/components/schemas/EventSubscriptionType' - discriminator: - propertyName: type + required: + - type + - items + ExpiresAt: + format: date-time + description: Timestamp when the object expires + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + Expression: + type: object + properties: + value: + type: string FCMConfiguration: properties: fileName: 
@@ -25554,66 +53316,40 @@ components: properties: configuration: $ref: '#/components/schemas/FCMConfiguration' - FactorProvider: - type: string - enum: - - CUSTOM - - DUO - - FIDO - - GOOGLE - - OKTA - - RSA - - SYMANTEC - - YUBICO - FactorResultType: - type: string - enum: - - CANCELLED - - CHALLENGE - - ERROR - - FAILED - - PASSCODE_REPLAYED - - REJECTED - - SUCCESS - - TIMEOUT - - TIME_WINDOW_EXCEEDED - - WAITING - FactorStatus: + FailbackRequestSchema: + description: List of domains to failback + items: + type: string + description: Okta or custom domain to failback + example: yourOktaDomain.okta.com + type: array + FailbackResponseSchema: + description: successful failback message type: string - enum: - - ACTIVE - - DISABLED - - ENROLLED - - EXPIRED - - INACTIVE - - NOT_SETUP - - PENDING_ACTIVATION - FactorType: + FailoverRequestSchema: + description: List of domains to failover + items: + type: string + description: Okta or custom domain to failover + example: yourOktaDomain.okta.com + type: array + FailoverResponseSchema: + description: successful failover message type: string - enum: - - call - - email - - push - - question - - signed_nonce - - sms - - token - - token:hardware - - token:hotp - - token:software:totp - - u2f - - web - - webauthn Feature: + description: Specifies feature release cycle information type: object properties: description: type: string + description: Brief description of the feature and what it provides id: type: string + description: Unique identifier for this feature readOnly: true name: type: string + description: Name of the feature stage: $ref: '#/components/schemas/FeatureStage' status: 
@@ -25621,14 +53357,40 @@ components: type: $ref: '#/components/schemas/FeatureType' _links: - $ref: '#/components/schemas/LinksSelf' + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + dependents: + description: Link to feature dependents + type: object + readOnly: true + properties: + href: + description: Link URI + type: string + readOnly: true + dependencies: + description: Link to feature dependencies + type: object + readOnly: true + properties: + href: + description: Link URI + type: string + readOnly: true FeatureLifecycle: - example: enable + example: ENABLE type: string enum: - - disable - - enable + - DISABLE + - ENABLE FeatureStage: + description: |- + Current release cycle stage of a feature + + If a feature's stage value is `EA`, the state is `null` and not returned. If the value is `BETA`, the state is `OPEN` or `CLOSED` depending on whether the `BETA` feature is manageable. + + > **Note:** If a feature's stage is `OPEN BETA`, you can update it only in Preview cells. If a feature's stage is `CLOSED BETA`, you can disable it only in Preview cells. type: object properties: state: @@ -25636,16 +53398,19 @@ components: value: $ref: '#/components/schemas/FeatureStageValue' FeatureStageState: + description: Indicates the release state of the feature type: string enum: - CLOSED - OPEN FeatureStageValue: + description: Current release stage of the feature type: string enum: - BETA - EA FeatureType: + description: Type of feature type: string enum: - self-service 
@@ -25660,6 +53425,150 @@ components: resetPasswordUrl: type: string readOnly: true + FulfillmentData: + description: Fulfillment provider details + type: object + properties: + customizationId: + description: ID for the set of custom configurations of the requested Factor + type: string + inventoryProductId: + description: ID for the specific inventory bucket of the requested Factor + type: string + productId: + description: ID for the make and model of the requested Factor + type: string + FulfillmentRequest: + description: Fulfillment Request + type: object + properties: + fulfillmentData: + $ref: '#/components/schemas/FulfillmentData' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + GoogleApplication: + title: Google Workspace + x-tags: + - Application + x-okta-defined-as: + name: google + example: + name: google + label: Sample Google App + signOnMode: SAML_2_0 + settings: + app: + domain: my-company-domain + description: | + Schema for the Google Workspace app (key name: `google`) + + To create a Google Workspace app, use the [Create an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Google Workspace app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + enum: + - google + example: google + signOnMode: + enum: + - BROWSER_PLUGIN + - SAML_2_0 + example: BROWSER_PLUGIN + settings: + $ref: '#/components/schemas/GoogleApplicationSettings' + GoogleApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/GoogleApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + GoogleApplicationSettingsApplication: + description: Google app instance properties + type: object + properties: + domain: + type: string + description: Your Google company domain + rpId: + type: string + description: RPID + required: + - domain + GovernanceBundle: + type: object + properties: + description: + type: string + id: + type: string + name: + type: string + orn: + type: string + status: + type: string + _links: + allOf: + - properties: + entitlements: + $ref: '#/components/schemas/HrefObject' + GovernanceBundleCreateRequest: + type: object + properties: + description: + type: string + entitlements: + type: array + items: + $ref: '#/components/schemas/IAMBundleEntitlement' + name: + type: string + GovernanceBundleUpdateRequest: + type: object + properties: + description: + type: string + entitlements: + type: array + items: + $ref: '#/components/schemas/IAMBundleEntitlement' + name: + type: string + GovernanceBundlesResponse: + type: object + properties: + bundles: + type: array + items: + $ref: '#/components/schemas/GovernanceBundle' + _links: + anyOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + GovernanceSourceType: + description: The grant type + type: string + enum: + - CUSTOM + - ENTITLEMENT-BUNDLE GrantOrTokenStatus: description: Status example: ACTIVE 
@@ -25668,13 +53577,39 @@ components: - ACTIVE - REVOKED readOnly: true - GrantTypePolicyRuleCondition: + GrantResourcesHrefObject: type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants + GrantType: + description: Determines the mechanism Okta uses to authorize the creation of the tokens. + type: string + enum: + - authorization_code + - client_credentials + - implicit + - interaction_code + - password + - refresh_token + - urn:ietf:params:oauth:grant-type:device_code + - urn:ietf:params:oauth:grant-type:jwt-bearer + - urn:ietf:params:oauth:grant-type:saml2-bearer + - urn:ietf:params:oauth:grant-type:token-exchange + - urn:openid:params:grant-type:ciba + - urn:okta:params:oauth:grant-type:otp + - urn:okta:params:oauth:grant-type:oob + - http://auth0.com/oauth/grant-type/mfa-otp + - http://auth0.com/oauth/grant-type/mfa-oob + GrantTypePolicyRuleCondition: description: Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens. + type: object properties: include: type: array - description: Array of grant types thagt this condition includes. + description: Array of grant types that this condition includes. items: type: string Group: @@ -25684,20 +53619,26 @@ components: type: string format: date-time readOnly: true + description: Timestamp when the Group was created id: type: string readOnly: true + example: 0gabcd1234 + description: Unique ID for the Group lastMembershipUpdated: type: string format: date-time readOnly: true + description: Timestamp when the Groups memberships were last updated lastUpdated: type: string format: date-time readOnly: true + description: Timestamp when the Group's Profile was last updated objectClass: type: array readOnly: true + description: Determines the Group's `profile` items: type: string profile: 
@@ -25706,11 +53647,13 @@ components: $ref: '#/components/schemas/GroupType' _embedded: type: object + description: Embedded resources related to the Group additionalProperties: type: object properties: {} readOnly: true _links: + description: '[Discoverable resources](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) related to the Group' allOf: - $ref: '#/components/schemas/LinksSelf' - properties: @@ -25724,9 +53667,15 @@ components: $ref: '#/components/schemas/HrefObject' users: $ref: '#/components/schemas/HrefObject' - GroupCondition: + GroupAssignmentProfile: + description: |- + Specifies the profile properties applied to [Application Users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) that are assigned to the app through group membership. + Some reference properties are imported from the target app and can't be configured. See [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response). + additionalProperties: true type: object + GroupCondition: description: Specifies a set of Groups whose Users are to be included or excluded + type: object properties: exclude: type: array @@ -25738,6 +53687,9 @@ components: description: Groups to be included items: type: string + required: + - exclude + - include GroupOwner: type: object properties: @@ -25776,8 +53728,8 @@ components: - GROUP - USER GroupPolicyRuleCondition: - type: object description: Specifies a set of Groups whose Users are to be included or excluded + type: object properties: exclude: type: array 
@@ -25790,14 +53742,15 @@ components: items: type: string GroupProfile: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - x-okta-extensible: true + description: |- + Specifies required and optional properties for a Group. The `objectClass` of a Group determines which additional properties are available. + + You can extend Group Profiles with custom properties, but you must first add the properties to the Group Profile schema before you can reference them. Use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)to manage schema extensions. + + Custom properties can contain HTML tags. It is the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. + anyOf: + - $ref: '#/components/schemas/OktaUserGroupProfile' + - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile' GroupRule: type: object properties: @@ -25809,25 +53762,34 @@ components: type: string format: date-time readOnly: true + description: Creation date for group rule id: type: string readOnly: true + description: ID of the group rule lastUpdated: type: string format: date-time readOnly: true + description: Date group rule was last updated name: type: string + description: Name of the Group rule + minLength: 1 + maxLength: 50 status: $ref: '#/components/schemas/GroupRuleStatus' type: type: string + description: Type to indicate a Group rule operation. Only `group_rule` is allowed. GroupRuleAction: + description: Defines which users and groups to assign type: object properties: assignUserToGroups: $ref: '#/components/schemas/GroupRuleGroupAssignment' GroupRuleConditions: + description: Defines group rule conditions type: object properties: expression: 
@@ -25835,31 +53797,36 @@ components: people: $ref: '#/components/schemas/GroupRulePeopleCondition' GroupRuleExpression: + description: Defines Okta specific [group-rules expression](https://developer.okta.com/docs/reference/okta-expression-language/#expressions-in-group-rules) type: object properties: type: type: string + description: Expression type. Only valid value is '`urn:okta:expression:1.0`'. value: type: string + description: Okta expression that would result in a Boolean value + example: user.role==\"Engineer\" GroupRuleGroupAssignment: + description: Contains the `groupIds` array type: object properties: groupIds: + description: Array of `groupIds` to which Users are added type: array items: type: string GroupRuleGroupCondition: + description: Currently not supported type: object properties: exclude: type: array - items: - type: string - include: - type: array + description: Currently not supported items: type: string GroupRulePeopleCondition: + description: Defines conditions for `people` in a group rule type: object properties: groups: @@ -25867,20 +53834,19 @@ components: users: $ref: '#/components/schemas/GroupRuleUserCondition' GroupRuleStatus: + description: Status of group rule type: string enum: - ACTIVE - INACTIVE - INVALID GroupRuleUserCondition: + description: Defines conditions specific to user exclusion type: object properties: exclude: type: array - items: - type: string - include: - type: array + description: Excluded `userIds` when processing rules items: type: string GroupSchema: 
@@ -25889,29 +53855,38 @@ components: $schema: readOnly: true type: string + description: JSON Schema version identifier created: readOnly: true type: string + description: Timestamp when the Schema was created definitions: $ref: '#/components/schemas/GroupSchemaDefinitions' description: type: string + description: Description for the Schema id: readOnly: true type: string + description: URI of Group Schema lastUpdated: readOnly: true type: string + description: Timestamp when the Schema was last updated name: readOnly: true type: string + description: Name of the Schema properties: $ref: '#/components/schemas/UserSchemaProperties' + description: Group object properties title: type: string + description: User-defined display name for the Schema type: readOnly: true type: string + description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) _links: $ref: '#/components/schemas/LinksSelf' x-okta-allow-null-property-value-for-updates: true 
@@ -25920,81 +53895,160 @@ components: properties: description: type: string + description: Description of the property enum: items: - type: string + anyOf: + - type: string + - type: integer type: array + nullable: true + description: |- + Enumerated value of the property. + + The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. externalName: type: string + description: Name of the property as it exists in an external application externalNamespace: type: string + description: Namespace from the external application + format: + description: Identifies the type of data represented by the string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeFormat' items: $ref: '#/components/schemas/UserSchemaAttributeItems' + nullable: true master: - $ref: '#/components/schemas/UserSchemaAttributeMaster' + description: Identifies where the property is mastered + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMaster' maxLength: type: integer + nullable: true + description: Maximum character length of a string property minLength: type: integer + nullable: true + description: Minimum character length of a string property mutability: - type: string + description: Defines the mutability of the property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' oneOf: items: $ref: '#/components/schemas/UserSchemaAttributeEnum' type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + + When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order. 
+ + ``` + {"enum": ["S","M","L","XL"], + "oneOf": [ + {"const": "S", "title": "Small"}, + {"const": "M", "title": "Medium"}, + {"const": "L", "title": "Large"}, + {"const": "XL", "title": "Extra Large"} + ] + } + ```json + + The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value. permissions: + description: Access control permissions for the property items: $ref: '#/components/schemas/UserSchemaAttributePermission' type: array + nullable: true required: type: boolean + nullable: true + description: Determines whether the property is required scope: - $ref: '#/components/schemas/UserSchemaAttributeScope' + description: Determines whether a group attribute can be set at the individual or group level + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeScope' title: type: string + minLength: 1 + description: User-defined display name for the property type: - $ref: '#/components/schemas/UserSchemaAttributeType' - union: - $ref: '#/components/schemas/UserSchemaAttributeUnion' + description: Type of property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' unique: - type: string + description: Determines whether property values must be unique + type: boolean + nullable: true GroupSchemaBase: type: object properties: id: readOnly: true type: string + description: The subschema name properties: - $ref: '#/components/schemas/GroupSchemaBaseProperties' + description: The `#base` object properties + allOf: + - $ref: '#/components/schemas/GroupSchemaBaseProperties' required: items: type: string type: array + description: A collection indicating required property names + readOnly: true type: + description: The object type type: string + readOnly: true GroupSchemaBaseProperties: + description: All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. These properties can't be removed or edited, regardless of any attempt to do so. 
type: object properties: description: - $ref: '#/components/schemas/GroupSchemaAttribute' + description: Human readable description of the Group + allOf: + - $ref: '#/components/schemas/GroupSchemaAttribute' name: - $ref: '#/components/schemas/GroupSchemaAttribute' + description: Unique identifier for the Group + allOf: + - $ref: '#/components/schemas/GroupSchemaAttribute' GroupSchemaCustom: + description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom` type: object properties: id: readOnly: true type: string + description: The subschema name properties: additionalProperties: $ref: '#/components/schemas/GroupSchemaAttribute' type: object + description: The `#custom` object properties required: items: type: string type: array + description: A collection indicating required property names + readOnly: true type: type: string + description: The object type + readOnly: true GroupSchemaDefinitions: type: object properties: 
@@ -26003,54 +54057,67 @@ components: custom: $ref: '#/components/schemas/GroupSchemaCustom' GroupType: + description: Determines how a Group's Profile and memberships are managed type: string enum: - APP_GROUP - BUILT_IN - OKTA_GROUP - HardwareUserFactor: + x-enumDescriptions: + APP_GROUP: Group Profile and memberships are imported and must be managed within the app (such as Active Directory or LDAP) that imported the Group + BUILT_IN: Group Profile and memberships are managed by Okta and can't be modified + OKTA_GROUP: Group Profile and memberships are directly managed in Okta via static assignments or indirectly through Group rules + GroupsLink: allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/HardwareUserFactorProfile' - HardwareUserFactorProfile: - type: object - properties: - credentialId: - type: string + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Application Groups](/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) resource + HelpLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app help resource HookKey: + title: HookKeyInstance + description: |- + The `id` property in the response as `id` serves as the unique ID for the key, which you can specify when invoking other CRUD operations. + + The `keyId` provided in the response is the alias of the public key that you can use to get details of the public key data in a separate call. type: object properties: created: type: string format: date-time - description: Timestamp when the key was created. + description: Timestamp when the key was created readOnly: true + nullable: true id: type: string - description: The unique identifier for the key. 
+ description: The unique identifier for the key readOnly: true + nullable: false isUsed: type: string format: boolean - description: Whether this key is currently in use by other hooks. + description: Whether this key is currently in use by other applications + nullable: false + readOnly: true keyId: type: string - description: The alias of the public key. + description: The alias of the public key + nullable: false readOnly: true lastUpdated: type: string format: date-time - description: Timestamp when the key was updated. + description: Timestamp when the key was updated readOnly: true + nullable: true name: type: string - description: Display name of the key. + description: Display name of the key readOnly: false - _embedded: - $ref: '#/components/schemas/JsonWebKey' + nullable: false + minLength: 1 + maxLength: 255 HostedPage: type: object properties: 
@@ -26065,42 +54132,76 @@ components: enum: - EXTERNALLY_HOSTED - OKTA_DEFAULT - HrefObject: + HrefCsrPublishLink: title: Link Object + description: Link to publish CSR type: object - additionalProperties: true properties: hints: - type: object - description: Describes allowed HTTP verbs for the `href` + $ref: '#/components/schemas/CsrPublishHrefHints' + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + required: + - href + readOnly: true + HrefCsrSelfLink: + title: Link Object + description: Link to the resource (self) + type: object + properties: + hints: + $ref: '#/components/schemas/CsrSelfHrefHints' + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + required: + - href + readOnly: true + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HrefHintsGuidanceObject: + allOf: + - $ref: '#/components/schemas/HrefHints' + - description: Describes allowed HTTP verbs and guidance for the `href` + - type: object properties: - allow: + guidance: type: array + description: | + Specifies the URI to invoke for granting scope consent required to complete the OAuth 2.0 connection items: - $ref: '#/components/schemas/HttpMethod' + type: string + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' href: type: string description: Link URI name: type: string description: Link name + templated: + type: boolean + description: Indicates whether the Link Object's `href` property is a URI template. type: type: string description: The media type of the link. If omitted, it is implicitly `application/json`. 
- templated: - type: boolean - description: Indicates whether the Link Object's "href" property is a URI Template. required: - href readOnly: true - HrefObjectMappingsLink: - allOf: - - $ref: '#/components/schemas/HrefObject' - - description: Link to the mappings resource - HrefObjectRulesLink: - allOf: - - $ref: '#/components/schemas/HrefObject' - - description: Link to the rules resource HrefObjectActivateLink: allOf: - $ref: '#/components/schemas/HrefObject' @@ -26109,6 +54210,25 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the app resource + HrefObjectAssigneeLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the assignee resource + HrefObjectAuthorizeLink: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + description: Link to authorize scopes + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHintsGuidanceObject' + href: + type: string + description: Link URI + required: + - href + readOnly: true HrefObjectClientLink: allOf: - $ref: '#/components/schemas/HrefObject' 
@@ -26121,10 +54241,54 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to delete the resource + HrefObjectGovernanceResourcesLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resources + HrefObjectGrantAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to grant Okta Aerial access to your Org + HrefObjectGroupLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the group resource HrefObjectLogoLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the logo resource + HrefObjectMappingsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mappings resource + HrefObjectMemberLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the member resource + HrefObjectPermissionsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the permissions resource + HrefObjectResourceSetLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource-set resource + HrefObjectRetrieveAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to retrieve Okta Aerial consent for your Org + HrefObjectRevokeAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to revoke Okta Aerial consent for your Org + HrefObjectRoleLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the role resource + HrefObjectRulesLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the rules resource HrefObjectSelfLink: allOf: - $ref: '#/components/schemas/HrefObject' 
@@ -26148,6 +54312,62 @@ components: - GET - POST - PUT + IAMBundleEntitlement: + type: object + properties: + resourceSets: + type: array + items: + type: string + role: + type: string + targets: + type: array + items: + type: string + IPNetworkZone: + allOf: + - $ref: '#/components/schemas/NetworkZone' + - title: IP Network Zone + - type: object + properties: + gateways: + type: array + items: + $ref: '#/components/schemas/NetworkZoneAddress' + description: |- + The IP addresses (range or CIDR form) for an IP Network Zone. + The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone. + proxies: + type: array + items: + $ref: '#/components/schemas/NetworkZoneAddress' + nullable: true + description: |- + The IP addresses (range or CIDR form) that are allowed to forward a request from gateway addresses for an IP Network Zone. + These proxies are automatically trusted by Threat Insights and used to identify the client IP of a request. + The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone. + IPServiceCategory: + description: An IP service offered by a provider, such as a proxy or VPN + type: string + enum: + - ALL_ANONYMIZERS + - ALL_ANONYMIZERS_EXCEPT_TOR + - ALL_IP_SERVICES + - ALL_PROXIES_VPNS + - ANONYMIZER_TOR + - APPLE_ICLOUD_RELAY_PROXY + - AVAST_VPN + - GLOBALPROTECT_VPN + - GOOGLE_VPN + - MULLVAD_VPN + - NORD_VPN + - OXYLABS_PROXY + - SAMSUNG_VPN + - SURFSHARK_VPN + - SYMANTEC_VPN + - TRENDMICRO_VPN + - ULTRASURF_VPN IamRole: type: object properties: 
@@ -26189,31 +54409,114 @@ components: $ref: '#/components/schemas/IamRole' _links: $ref: '#/components/schemas/LinksNext' - IdentityProvider: + IdPCertificateCredential: + type: object + properties: + x5c: + $ref: '#/components/schemas/X5c' + required: + - x5c + IdPCsr: + description: Defines a CSR for a signature or decryption credential for an IdP type: object properties: created: + $ref: '#/components/schemas/Created' + csr: + description: Base64-encoded CSR in DER format type: string - format: date-time readOnly: true - nullable: true + example: 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 id: + description: Unique identifier for the CSR type: string readOnly: true - issuerMode: - $ref: '#/components/schemas/IssuerMode' + example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + kty: + description: Cryptographic algorithm family for the CSR's keypair + type: string + example: RSA + _links: + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + publish: + description: Publish the CSR + allOf: + - $ref: '#/components/schemas/HrefObject' + IdPCsrPkcs10: + description: Base64URL-encoded CSR in DER format + format: base64 + type: string + IdPKeyCredential: + description: A [JSON Web Key](https://tools.ietf.org/html/rfc7517) for a signature or encryption credential for an IdP + additionalProperties: true + type: object + properties: + created: + $ref: '#/components/schemas/Created' + e: + description: The exponent value for the RSA public key + type: string + example: AQAB + expiresAt: + $ref: '#/components/schemas/ExpiresAt' + kid: + description: Unique identifier for the key + type: string + example: your-key-id + kty: + description: 'Identifies the cryptographic algorithm family used with the key (Supported value: `RSA`)' + type: string + example: RSA lastUpdated: + $ref: '#/components/schemas/LastUpdated' + 'n': + description: The modulus value for the RSA public key + type: string + example: 
'101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' + use: + description: 'Intended use of the public key (Supported value: `sig`)' + type: string + example: sig + x5c: + $ref: '#/components/schemas/X5c' + x5t#S256: + description: Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate + type: string + example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdentityProvider: + type: object + properties: + created: + $ref: '#/components/schemas/Created' + id: type: string - format: date-time readOnly: true + description: Unique key for the IdP + example: 0oaWma58liwx40w6boYD + issuerMode: + $ref: '#/components/schemas/IdentityProviderIssuerMode' + lastUpdated: + $ref: '#/components/schemas/LastUpdated' name: type: string + maxLength: 100 + description: Unique name for the IdP + example: Sample Identity Provider policy: $ref: '#/components/schemas/IdentityProviderPolicy' properties: $ref: '#/components/schemas/IdentityProviderProperties' protocol: - $ref: '#/components/schemas/Protocol' + description: IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages + oneOf: + - $ref: '#/components/schemas/ProtocolSaml' + - $ref: '#/components/schemas/ProtocolOAuth' + - $ref: '#/components/schemas/ProtocolOidc' + - $ref: '#/components/schemas/ProtocolMtls' status: $ref: '#/components/schemas/LifecycleStatus' type: @@ -26239,7 +54542,7 @@ components: metadata: description: 'Federation metadata document for the IdP (for example: SAML 2.0 Metadata)' allOf: - - $ref: '#/components/schemas/HrefObject' + - $ref: '#/components/schemas/HrefObject' users: description: IdP users allOf: 
@@ -26260,105 +54563,110 @@ components: type: object properties: created: - type: string + $ref: '#/components/schemas/Created' externalId: type: string + description: Unique IdP-specific identifier for the User + readOnly: true + maxLength: 512 + example: saml.jackson@example.com id: type: string + description: Unique key of the User readOnly: true lastUpdated: - type: string + $ref: '#/components/schemas/LastUpdated' profile: type: object + description: |- + IdP-specific profile for the User. + + Identity Provider User profiles are IdP-specific but may be customized by the Profile Editor in the Admin Console. + + > **Note:** Okta variable names have reserved characters that may conflict with the name of an IdP assertion attribute. You can use the **External name** to define the attribute name as defined in an IdP assertion such as a SAML attribute name. additionalProperties: type: object properties: {} + example: + lastName: Jackson + subjectNameQualifier: example.com + subjectSpNameQualifier: urn:federation:example + authnContextClassRef: null + subjectNameId: saml.jackson@example.com + subjectConfirmationAddress: null + displayName: Saml Jackson + mobilePhone: +1-415-555-5141 + email: saml.jackson@example.com + subjectNameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + firstName: Saml + subjectSpProvidedId: null + subjectConfirmationMethod: null _embedded: type: object + description: Embedded resources related to the IdP User additionalProperties: type: object properties: {} readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' - IdentityProviderCredentials: - type: object - properties: - client: - $ref: '#/components/schemas/IdentityProviderCredentialsClient' - signing: - $ref: '#/components/schemas/IdentityProviderCredentialsSigning' - trust: - $ref: '#/components/schemas/IdentityProviderCredentialsTrust' - IdentityProviderCredentialsClient: - type: object - properties: - client_id: - type: string - client_secret: - type: string - 
IdentityProviderCredentialsSigning: - type: object - properties: - kid: - type: string - IdentityProviderCredentialsTrust: - type: object - properties: - audience: - type: string - issuer: - type: string - kid: - type: string - revocation: - $ref: '#/components/schemas/IdentityProviderCredentialsTrustRevocation' - revocationCacheLifetime: - type: integer - IdentityProviderCredentialsTrustRevocation: + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + - properties: + idp: + description: The IdP instance + example: + href: https://{yourOktaDomain}/api/v1/idps/0oa1k5d68qR2954hb0g4 + allOf: + - $ref: '#/components/schemas/HrefObject' + user: + description: The linked Okta User + example: + href: https://{yourOktaDomain}/api/v1/users/00ulwodIu7wCfdiVR0g3 + allOf: + - $ref: '#/components/schemas/HrefObject' + IdentityProviderIssuerMode: + description: Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP + default: DYNAMIC type: string enum: - - CRL - - DELTA_CRL - - OCSP + - CUSTOM_URL + - DYNAMIC + - ORG_URL + x-enumDescriptions: + ORG_URL: In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (`https://${yourOktaDomain}`) as the domain in the `redirect_uri`. + CUSTOM_URL: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri`. You can set `issuerMode` to `CUSTOM_URL` only if you have a custom URL domain configured. + DYNAMIC: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri` if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain. IdentityProviderPolicy: + description: |- + Policy settings for the IdP. 
+ The following provisioning and account linking actions are supported by each IdP provider: + | IdP type | User provisioning actions | Group provisioning actions | Account link actions | Account link filters | + | ----------------------------------------------------------------- | ------------------------- | ------------------------------------- | -------------------- | -------------------- | + | `SAML2` | `AUTO` or `DISABLED` | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | `AUTO`, `DISABLED` | `groups` | + | `X509` | `DISABLED` | No support for JIT provisioning | | | + | All social IdP types (any IdP type that isn't `SAML2` or `X509`) | `AUTO`, `DISABLED` | `NONE` or `ASSIGN` | `AUTO`, `DISABLED` | `groups` | allOf: - type: object properties: accountLink: $ref: '#/components/schemas/PolicyAccountLink' - mapAMRClaims: - type: boolean - description: Enable mapping AMR from IdP to Okta to downstream apps - default: false - x-okta-lifecycle: - features: - - IDP_AMR_CLAIMS_MAPPING maxClockSkew: type: integer + description: Maximum allowable clock skew when processing messages from the IdP + example: 120000 provisioning: $ref: '#/components/schemas/Provisioning' subject: $ref: '#/components/schemas/PolicySubject' - IdpDiscoveryPolicy: - allOf: - - $ref: '#/components/schemas/Policy' - - type: object - properties: - conditions: - type: object - nullable: true IdentityProviderPolicyProvider: type: string enum: - ANY - OKTA - SPECIFIC_IDP - IdpSelectionType: - type: string - enum: - - DYNAMIC - - SPECIFIC IdentityProviderPolicyRuleCondition: type: object properties: 
@@ -26370,44 +54678,113 @@ components: $ref: '#/components/schemas/IdentityProviderPolicyProvider' IdentityProviderProperties: nullable: true + description: The properties in the Identity Provider Properties object vary depending on the IdP type type: object properties: + aalValue: + type: string + nullable: true + description: |- + The [authentication assurance level](https://developers.login.gov/oidc/#aal-values) (AAL) value for the Login.gov IdP. + See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. additionalAmr: type: array + description: The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to `X509` IdP type. nullable: true items: type: string + enum: + - sc + - hwk + - pin + - mfa + x-enumDescriptions: + sc: Smart card + hwk: Hardware-secured key + pin: Personal identification number + mfa: Multifactor authentication + ialValue: + type: string + nullable: true + description: |- + The [type of identity verification](https://developers.login.gov/oidc/#ial-values) (IAL) value for the Login.gov IdP. + See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. IdentityProviderType: + description: |- + The Identity Provider object's `type` property identifies the social or enterprise Identity Provider used for authentication. + Each Identity Provider uses a specific protocol, therefore the `protocol` property must correspond with the IdP `type`. + If the protocol is OAuth 2.0-based, the Protocol object's `scopes` property must also correspond with the scopes supported by the IdP `type`. + For policy actions supported by each IdP type, see [IdP type policy actions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy&t=request). 
+ + | Type | Description | Corresponding protocol | Corresponding protocol scopes | + | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -------------------------------------------------------------------- | + | `AMAZON` | [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/) as the Identity Provider | OpenID Connect | `profile`, `profile:user_id` | + | `APPLE` | [Apple](https://developer.apple.com/sign-in-with-apple/) as the Identity Provider | OpenID Connect | `names`, `email`, `openid` | + | `DISCORD` | [Discord](https://discord.com/login) as the Identity Provider | OAuth 2.0 | `identify`, `email` | + | `FACEBOOK` | [Facebook](https://developers.facebook.com) as the Identity Provider | OAuth 2.0 | `public_profile`, `email` | + | `GITHUB` | [GitHub](https://github.com/join) as the Identity Provider | OAuth 2.0 | `user` | + | `GITLAB` | [GitLab](https://gitlab.com/users/sign_in) as the Identity Provider | OpenID Connect | `openid`, `read_user`, `profile`, `email` | + | `GOOGLE` | [Google](https://accounts.google.com/signup) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `LINKEDIN` | [LinkedIn](https://developer.linkedin.com/) as the Identity Provider | OAuth 2.0 | `r_emailaddress`, `r_liteprofile` | + | `LOGINGOV` | [Login.gov](https://developers.login.gov/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` | + | `LOGINGOV_SANDBOX` | [Login.gov's identity sandbox](https://developers.login.gov/testing/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` | + | `MICROSOFT` | [Microsoft Enterprise SSO](https://azure.microsoft.com/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile`, `https://graph.microsoft.com/User.Read` | + | `OIDC` | IdP provider that supports [OpenID 
Connect](https://openid.net/specs/openid-connect-core-1_0.html) | OpenID Connect | `openid`, `email`, `profile` | + | `PAYPAL` | [Paypal](https://www.paypal.com/signin) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `PAYPAL_SANDBOX` | [Paypal Sandbox](https://developer.paypal.com/tools/sandbox/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` | + | `SALESFORCE` | [SalesForce](https://login.salesforce.com/) as the Identity Provider | OAuth 2.0 | `id`, `email`, `profile` | + | `SAML2` | Enterprise IdP provider that supports the [SAML 2.0 Web Browser SSO Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) | SAML 2.0 | | + | `SPOTIFY` | [Spotify](https://developer.spotify.com/) as the Identity Provider | OpenID Connect | `user-read-email`, `user-read-private` | + | `X509` | [Smart Card IdP](https://tools.ietf.org/html/rfc5280) | Mutual TLS | | + | `XERO` | [Xero](https://www.xero.com/us/signup/api/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | + | `YAHOO` | [Yahoo](https://login.yahoo.com/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | + | `YAHOOJP` | [Yahoo Japan](https://login.yahoo.co.jp/config/login) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | type: string enum: - - AgentlessDSSO + - AMAZON + - APPLE + - DISCORD - FACEBOOK + - GITHUB + - GITLAB - GOOGLE - - IWA - LINKEDIN + - LOGINGOV + - LOGINGOV_SANDBOX - MICROSOFT - OIDC - - OKTA + - PAYPAL + - PAYPAL_SANDBOX + - SALESFORCE - SAML2 + - SPOTIFY - X509 + - XERO + - YAHOO + - YAHOOJP IdentitySourceSession: type: object properties: created: type: string + description: The timestamp when the Identity Source Session was created format: date-time readOnly: true id: type: string + description: The ID of the Identity Source Session readOnly: true identitySourceId: type: string + description: The ID of the custom Identity Source for which the 
session is created readOnly: true importType: type: string + description: The type of import. All imports are `INCREMENTAL` imports. readOnly: true lastUpdated: type: string + description: The timestamp when the Identity Source Session was created format: date-time readOnly: true status: 
@@ -26422,47 +54799,93 @@ components: - EXPIRED - IN_PROGRESS - TRIGGERED + x-enumDescriptions: + CREATED: This is a new Identity Source Session that hasn't been processed. You can upload bulk data in this stage. + IN_PROGRESS: The bulk data is being uploaded to Okta. + TRIGGERED: Okta is processing the import data in this session. You can't load bulk data in this stage. + COMPLETED: The bulk data was processed and imported into Okta. + CLOSED: The Identity Source Session was canceled and isn't available for further activity. + EXPIRED: This Identity Source Session had the `CREATED` status and timed-out after 24 hours of inactivity. + ERROR: The processing of import data in the session encountered an error. You need to open a new session to upload the data again. IdentitySourceUserProfileForDelete: type: object properties: externalId: type: string + description: The external ID of the entity that needs to be deleted in Okta maxLength: 512 IdentitySourceUserProfileForUpsert: - additionalProperties: {} type: object properties: email: type: string format: email + description: Email address of the user minLength: 5 maxLength: 100 firstName: type: string + description: First name of the user minLength: 1 maxLength: 50 nullable: true homeAddress: type: string + description: Home address of the user maxLength: 4096 nullable: true lastName: type: string + description: Last name of the user minLength: 1 maxLength: 50 nullable: true mobilePhone: type: string + description: Mobile phone number of the user maxLength: 100 nullable: true secondEmail: type: string + description: Alternative email address of the user format: email minLength: 5 maxLength: 100 userName: type: string + description: Username of the user maxLength: 100 + IdpDiscoveryPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported for this policy type. 
+ default: null + nullable: true + IdpDiscoveryPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/IdpPolicyRuleAction' + conditions: + $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition' + IdpDiscoveryPolicyRuleCondition: + allOf: + - type: object + properties: + app: + $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + userIdentifier: + $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' + platform: + $ref: '#/components/schemas/PlatformPolicyRuleCondition' IdpPolicyRuleAction: type: object properties: @@ -26485,13 +54908,13 @@ components: IdpPolicyRuleActionMatchCriteria: type: object properties: + propertyName: + type: string + description: The IdP property that the evaluated string should match to providerExpression: type: string description: | You can provide an Okta Expression Language expression with the Login Context that's evaluated with the IdP. For example, the value `login.identifier` refers to the user's username. If the user is signing in with the username `john.doe@mycompany.com`, the expression `login.identifier.substringAfter(@))` is evaluated to the domain name of the user, for example: `mycompany.com`. - propertyName: - type: string - description: The IdP property that the evaluated string should match to IdpPolicyRuleActionProvider: type: object properties: @@ -26503,6 +54926,12 @@ components: description: Provider `name` in Okta. Optional. Supported in `IDENTITY ENGINE`. type: $ref: '#/components/schemas/IdentityProviderType' + IdpSelectionType: + description: Determines whether the rule should use expression language or a specific IdP + type: string + enum: + - DYNAMIC + - SPECIFIC IframeEmbedScopeAllowedApps: type: string enum: 
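Review bot: in the `@@ -26422` hunk, `IdpDiscoveryPolicy.conditions` is declared `type: string` with `default: null` even though its own description says conditions aren't supported for this policy type, so generated clients will expose a string field that can never be set. Drop `type: string` and `default: null` (keep `nullable: true` and the description) or mark it `readOnly: true`; a `null` default on a `string` schema is only legal because `nullable: true` follows it, and some linters flag it anyway. Minor: "timed-out" in the `EXPIRED` enum description should be "timed out".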
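Review bot: the `@@ -26485` hunk only moves `propertyName` above `providerExpression`, but the `providerExpression` description it leaves in place quotes the expression `login.identifier.substringAfter(@))`, which has unbalanced closing parentheses and an unquoted `@`. Since the surrounding lines are already being touched, make the example well-formed so readers don't copy a broken expression.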
@@ -26513,6 +54942,51 @@ components: url: readOnly: true type: string + ImportScheduleObject: + description: Import schedule configuration + type: object + properties: + fullImport: + allOf: + - $ref: '#/components/schemas/ImportScheduleSettings' + - description: Determines the full import schedule + incrementalImport: + allOf: + - $ref: '#/components/schemas/ImportScheduleSettings' + - description: Determines the incremental import schedule + status: + $ref: '#/components/schemas/EnabledStatus' + ImportScheduleSettings: + type: object + properties: + expression: + type: string + description: The import schedule in UNIX cron format + example: 00 21 * * Mon,Thu,Fri,Sat + timezone: + type: string + description: The import schedule time zone in Internet Assigned Numbers Authority (IANA) time zone name format + minLength: 1 + maxLength: 64 + example: America/Los_Angeles + required: + - expression + ImportUsernameObject: + description: Determines the Okta username for the imported user + type: object + properties: + userNameExpression: + type: string + description: For `usernameFormat=CUSTOM`, specifies the Okta Expression Language statement for a username format that imported users use to sign in to Okta + usernameFormat: + type: string + description: Determines the username format when users sign in to Okta + default: EMAIL + enum: + - EMAIL + - CUSTOM + required: + - usernameFormat InactivityPolicyRuleCondition: type: object properties: @@ -26520,7 +54994,15 @@ components: type: integer unit: type: string + InboundProvisioningApplicationFeature: + allOf: + - $ref: '#/components/schemas/ApplicationFeature' + - type: object + - properties: + capabilities: + $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject' InlineHook: + description: An inline hook object that specifies the details of the inline hook type: object properties: channel: 
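Review bot: `InboundProvisioningApplicationFeature` in the `@@ -26520` hunk splits `type: object` and `properties:` into two separate `allOf` members (`- type: object` / `- properties:`), so `capabilities` ends up in its own anonymous schema instead of on the typed object. Merge them into one list item, as `InlineHookChannelHttpCreate` later in this patch does: `- type: object` followed by an indented `properties:` block.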
@@ -26529,23 +55011,54 @@ components: type: string format: date-time readOnly: true + description: Date of the inline hook creation id: type: string readOnly: true + description: The unique identifier for the inline hook lastUpdated: type: string format: date-time readOnly: true + description: Date of the last inline hook update name: type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 status: $ref: '#/components/schemas/InlineHookStatus' type: $ref: '#/components/schemas/InlineHookType' version: type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. + readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + $ref: '#/components/schemas/InlineHookLinks' + InlineHookBasePayload: + type: object + properties: + cloudEventVersion: + description: The inline hook cloud version + example: 0.1 + type: string + contentType: + description: The inline hook request header content + example: application/JSON + type: string + eventId: + type: string + description: The individual inline hook request ID + example: 3o9jBzq1SmOGmmsDsqyyeQ + eventTime: + type: string + description: The time the inline hook request was sent + example: '2020-01-17T21:23:56.000Z' + eventTypeVersion: + description: The inline hook version + example: 1 + type: string InlineHookChannel: type: object properties: 
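Review bot: `InlineHook.name` in this hunk gets `maximum: 255` / `minimum: 1`, but those keywords constrain numbers; for a string the length limits are `maxLength: 255` / `minLength: 1`, so as written validators ignore them. The same mix-up recurs on `InlineHookChannelConfig.uri` (`maximum: 1024`) and on the `name` properties of `InlineHookCreate`, `InlineHookCreateResponse` and `InlineHookReplace` later in this patch. Separately, the `InlineHookBasePayload` examples `0.1` and `1` are unquoted YAML scalars on `type: string` properties and will parse as numbers; quote them (`'0.1'`, `'1'`), and `application/JSON` should probably be the conventional `application/json`.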
@@ -26553,47 +55066,105 @@ components: $ref: '#/components/schemas/InlineHookChannelType' version: type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. discriminator: propertyName: type mapping: HTTP: '#/components/schemas/InlineHookChannelHttp' OAUTH: '#/components/schemas/InlineHookChannelOAuth' InlineHookChannelConfig: + description: Properties of the communications channel that are used to contact your external service type: object properties: - authScheme: - $ref: '#/components/schemas/InlineHookChannelConfigAuthScheme' headers: type: array + description: An optional list of key/value pairs for headers that you can send with the request to the external service items: $ref: '#/components/schemas/InlineHookChannelConfigHeaders' method: type: string + description: The method of the Okta inline hook request uri: type: string - InlineHookChannelConfigAuthScheme: + description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI. + maximum: 1024 + InlineHookChannelConfigAuthSchemeBody: + description: The authentication scheme to use for this request + nullable: true type: object properties: key: type: string + description: The header name for the authorization server type: type: string + description: The authentication scheme type. Supported type—`HEADER`. value: type: string + description: The header value. This secret value is passed to your external service endpoint. Your external service can check it as a security measure. + InlineHookChannelConfigAuthSchemeResponse: + description: The authentication scheme to use for this request + nullable: true + type: object + properties: + key: + type: string + description: The header name for the authorization server + type: + type: string + description: The authentication scheme type. 
Supported type—`HEADER` + InlineHookChannelConfigCreate: + description: Properties of the communications channel that are used to contact your external service + type: object + properties: + headers: + type: array + description: An optional list of key/value pairs for headers that you can send with the request to the external service. + items: + $ref: '#/components/schemas/InlineHookChannelConfigHeaders' + method: + type: string + description: The method of the Okta inline hook request + uri: + type: string + description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI. + maximum: 1024 InlineHookChannelConfigHeaders: type: object properties: key: type: string + description: The optional field or header name value: type: string + description: The value for the key + InlineHookChannelCreate: + type: object + properties: + type: + $ref: '#/components/schemas/InlineHookChannelType' + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. + discriminator: + propertyName: type + mapping: + HTTP: '#/components/schemas/InlineHookChannelHttpCreate' + OAUTH: '#/components/schemas/InlineHookChannelOAuthCreate' InlineHookChannelHttp: allOf: - $ref: '#/components/schemas/InlineHookChannel' - type: object properties: config: - $ref: '#/components/schemas/InlineHookChannelConfig' + $ref: '#/components/schemas/InlineHookHttpConfig' + InlineHookChannelHttpCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelCreate' + - type: object + properties: + config: + $ref: '#/components/schemas/InlineHookHttpConfigCreate' InlineHookChannelOAuth: allOf: - $ref: '#/components/schemas/InlineHookChannel' 
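Review bot: `InlineHookChannelConfigAuthSchemeResponse` in the `@@ -26553` hunk deliberately omits the `value` property that `InlineHookChannelConfigAuthSchemeBody` carries (the header secret Okta sends to the external service), which is the right call, but nothing in either description says the secret is write-only. Add a sentence to the Response schema stating that `value` isn't returned, or mark `value` in the Body schema `writeOnly: true` and share one schema, so SDK users don't expect to read the secret back.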
@@ -26601,11 +55172,117 @@ components: properties: config: $ref: '#/components/schemas/InlineHookOAuthChannelConfig' + InlineHookChannelOAuthCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelCreate' + - type: object + properties: + config: + $ref: '#/components/schemas/InlineHookOAuthChannelConfigCreate' InlineHookChannelType: type: string enum: - HTTP - OAUTH + InlineHookCreate: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannelCreate' + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + type: + $ref: '#/components/schemas/InlineHookType' + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. + InlineHookCreateResponse: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannel' + created: + type: string + format: date-time + readOnly: true + description: Date of the inline hook creation + id: + type: string + readOnly: true + description: The unique identifier for the inline hook + lastUpdated: + type: string + format: date-time + readOnly: true + description: Date of the last inline hook update + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + status: + $ref: '#/components/schemas/InlineHookStatus' + type: + $ref: '#/components/schemas/InlineHookType' + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. 
+ readOnly: true + _links: + $ref: '#/components/schemas/InlineHookLinksCreate' + InlineHookHttpConfig: + allOf: + - $ref: '#/components/schemas/InlineHookChannelConfig' + type: object + properties: + authScheme: + $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeResponse' + InlineHookHttpConfigCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelConfigCreate' + type: object + properties: + authScheme: + $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeBody' + InlineHookLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + description: URL to activate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + delete: + description: URL to delete the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + execute: + description: URL to test the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + InlineHookLinksCreate: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + deactivate: + description: URL to deactivate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + execute: + description: URL to test the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' InlineHookOAuthBasicConfig: allOf: - $ref: '#/components/schemas/InlineHookChannelConfig' 
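Review bot: `InlineHookLinksCreate` in the `@@ -26601` hunk omits the `activate` and `delete` links that `InlineHookLinks` exposes, with no description explaining why the create response differs from the read response. If that is because a newly created hook is already `ACTIVE` and must be deactivated before it can be deleted, say so in the schema description; otherwise the two link schemas should match. Style: `InlineHookHttpConfig` and `InlineHookHttpConfigCreate` put `type: object` and `properties` as siblings of `allOf`, while the rest of this patch nests them as a second `allOf` member; pick one form.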
@@ -26615,37 +55292,107 @@ components: type: string clientId: type: string + description: A publicly exposed string provided by the service that's used to identify the OAuth app and build authorization URLs scope: type: string + description: Include the scopes that allow you to perform the actions on the hook endpoint that you want to access tokenUrl: type: string + description: The URI where inline hooks can exchange an authorization code for access and refresh tokens InlineHookOAuthChannelConfig: type: object properties: authType: type: string + description: The authentication method for the token endpoint discriminator: propertyName: authType mapping: client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfig' private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig' + InlineHookOAuthChannelConfigCreate: + type: object + properties: + authType: + type: string + description: The authentication method for the token endpoint + discriminator: + propertyName: authType + mapping: + client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfigCreate' + private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig' InlineHookOAuthClientSecretConfig: + allOf: + - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' + type: object + properties: + authScheme: + type: string + description: Not applicable. Must be `null`. + nullable: true + InlineHookOAuthClientSecretConfigCreate: allOf: - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' type: object properties: clientSecret: type: string + description: A private value provided by the service used to authenticate the identity of the app to the service + method: + type: string + description: The method of the Okta inline hook request. Only accepts `POST`. InlineHookOAuthPrivateKeyJwtConfig: allOf: - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' type: object properties: + authScheme: + type: string + description: Not applicable. Must be `null`. 
+ nullable: true hookKeyId: type: string + description: An ID value of the hook key pair generated from the [Hook Keys API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/HookKey/#tag/HookKey) + method: + type: string + description: The method of the Okta inline hook request. Only accepts `POST`. InlineHookPayload: type: object x-okta-extensible: true + InlineHookReplace: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannelCreate' + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + version: + type: string + description: Version of the inline hook type. The currently supported version is `1.0.0`. + InlineHookRequestObject: + description: The API request that triggered the inline hook + type: object + properties: + id: + type: string + description: The unique identifier that Okta assigned to the API request + ipAddress: + type: string + description: The IP address of the client that made the API request + method: + type: string + description: The HTTP request method of the API request + url: + type: object + description: The URL of the API endpoint + properties: + value: + type: string + description: The URL value of the API endpoint InlineHookResponse: type: object properties: @@ -26677,11 +55424,13 @@ components: - ACTIVE - INACTIVE InlineHookType: + description: One of the inline hook types type: string enum: - com.okta.import.transform - com.okta.oauth2.tokens.transform - com.okta.saml.tokens.transform + - com.okta.telephony.provider - com.okta.user.credential.password.import - com.okta.user.pre-registration IssuerMode: 
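Review bot: in the `@@ -26615` hunk the new `InlineHookOAuthChannelConfigCreate` discriminator maps `client_secret_post` to `InlineHookOAuthClientSecretConfigCreate` but `private_key_jwt` to the response-side `InlineHookOAuthPrivateKeyJwtConfig`, whose `authScheme` is documented as "Not applicable. Must be `null`." If the private-key-JWT request body really is identical to the response, note that next to the mapping; otherwise add an `InlineHookOAuthPrivateKeyJwtConfigCreate` for symmetry. The split itself is sound: `clientSecret` lives only in `InlineHookOAuthClientSecretConfigCreate`, so the secret is never echoed in responses.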
@@ -26690,62 +55439,102 @@ components: - CUSTOM_URL - DYNAMIC - ORG_URL - JsonWebKey: + JsonPatchOperation: + description: The update action type: object properties: - alg: + op: + $ref: '#/components/schemas/PatchAction' + path: type: string + description: The resource path of the attribute to update + value: + type: object + description: The update operation value + JsonWebKey: + type: object + properties: created: - type: string - format: date-time + $ref: '#/components/schemas/createdProperty' e: + description: RSA key value (public exponent) for Key binding type: string + readOnly: true expiresAt: + description: Timestamp when the certificate expires type: string format: date-time - key_ops: - type: array - items: - type: string + readOnly: true kid: + description: Unique identifier for the certificate type: string + readOnly: true kty: + description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`' type: string + readOnly: true lastUpdated: type: string format: date-time + $ref: '#/components/schemas/lastUpdatedProperty' 'n': - type: string - status: + description: RSA modulus value that is used by both the public and private keys and provides a link between them type: string use: + description: 'Acceptable use of the certificate. Valid value: `sig`' type: string + readOnly: true x5c: + description: X.509 certificate chain that contains a chain of one or more certificates type: array items: type: string - x5t: - type: string + readOnly: true x5t#S256: + description: X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate type: string - x5u: - type: string - _links: - $ref: '#/components/schemas/LinksSelf' + readOnly: true JwkUse: type: object properties: use: $ref: '#/components/schemas/JwkUseType' JwkUseType: + description: Purpose of the certificate. The only supported value is `sig`. 
type: string enum: - sig + KeepCurrent: + type: object + properties: + keepCurrent: + description: Skip deleting the user's current session when set to `true` + type: boolean + default: true + KeepMeSignedIn: + type: object + properties: + postAuth: + description: Whether the post-authentication Keep Me Signed In flow is allowed + type: string + enum: + - ALLOWED + - NOT_ALLOWED + postAuthPromptFrequency: + description: If allowed, how often to display the post-authentication Keep Me Signed In prompt + default: P30D + $ref: '#/components/schemas/TimeDuration' KeyRequest: type: object properties: name: + description: Display name for the key type: string + uniqueItems: true + readOnly: false + minLength: 1 + maxLength: 255 + nullable: false KeyTrustLevelBrowserKey: description: Represents the attestation strength used by the Chrome Verified Access API example: CHROME_BROWSER_HW_KEY @@ -26772,8 +55561,14 @@ components: Language: description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646) type: string + LastUpdated: + format: date-time + description: Timestamp when the object was last updated + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true LifecycleCreateSettingObject: - description: Determines whether to update a user in the application when a user in Okta is updated + description: Determines whether to update a user in the app when a user in Okta is updated type: object properties: status: @@ -26802,7 +55597,19 @@ components: enum: - ACTIVE - INACTIVE + LinkedHrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + href: + type: string + description: Link URI + required: + - href + readOnly: true LinkedObject: + title: LinkedObject type: object properties: associated: 
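Review bot: `JsonWebKey.lastUpdated` in the `@@ -26690` hunk keeps `type: string` and `format: date-time` alongside `$ref: '#/components/schemas/lastUpdatedProperty'`; in OpenAPI 3.0 a `$ref` object ignores sibling keys, so drop them as was done for `created` (now a bare `$ref`). `JsonPatchOperation.value` is declared `type: object`, but a JSON Patch `value` can be any JSON value (string, number, boolean, array), so omit `type` there. This hunk also removes `key_ops`, `x5t`, `x5u`, `status` and `_links` from `JsonWebKey`, which is a breaking change for existing clients and should be called out in the changelog.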
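Review bot: `KeyRequest.name` in the `@@ -26772` hunk carries `uniqueItems: true`, an array-only keyword with no effect on a string, plus `readOnly: false` and `nullable: false`, which are the defaults; keep just `minLength`/`maxLength`. In `KeepMeSignedIn`, `postAuthPromptFrequency` puts `description` and `default: P30D` as siblings of `$ref`, so both are silently dropped; wrap the `$ref` in `allOf` (the pattern `ImportScheduleObject` uses) to keep them. The new `LastUpdated` schema also looks like a duplicate of the `lastUpdatedProperty` that `JsonWebKey` references in the `@@ -26690` hunk; one shared schema would do.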
@@ -26810,31 +55617,139 @@ components: primary: $ref: '#/components/schemas/LinkedObjectDetails' _links: - $ref: '#/components/schemas/LinksSelf' + $ref: '#/components/schemas/LinkedObjectLinksSelf' LinkedObjectDetails: + title: LinkedObjectDetails type: object properties: description: type: string + description: Description of the `primary` or the `associated` relationship name: type: string + description: 'API name of the `primary` or the `associated` link. The `name` parameter can''t start with a number and can only contain the following characters: `a-z`, `A-Z`,` 0-9`, and `_`.' title: type: string + description: Display name of the `primary` or the `associated` link type: $ref: '#/components/schemas/LinkedObjectDetailsType' + required: + - name + - title + - type LinkedObjectDetailsType: + description: The object type for this relationship type: string enum: - USER + x-enumDescriptions: + USER: Specifies the type of object + LinkedObjectLinksSelf: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/LinkedHrefObject' + LinksActivate: + type: object + properties: + activate: + allOf: + - description: Activates an enrolled Factor. See [Activate a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor). 
+ - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksAerialConsentGranted: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + revoke: + $ref: '#/components/schemas/HrefObjectRevokeAerialConsent' + LinksAerialConsentRevoked: + allOf: + - type: object + properties: + grant: + $ref: '#/components/schemas/HrefObjectGrantAerialConsent' LinksAppAndUser: - description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the App User. + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the Application User. type: object properties: app: $ref: '#/components/schemas/HrefObjectAppLink' + group: + $ref: '#/components/schemas/HrefObjectGroupLink' user: $ref: '#/components/schemas/HrefObjectUserLink' readOnly: true + LinksAssignee: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. 
+ type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + LinksCancel: + type: object + properties: + cancel: + allOf: + - description: Cancels a `push` factor challenge with a `WAITING` status + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksCustomRoleResponse: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + member: + $ref: '#/components/schemas/HrefObjectMemberLink' + permissions: + $ref: '#/components/schemas/HrefObjectPermissionsLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + role: + $ref: '#/components/schemas/HrefObjectRoleLink' + LinksDeactivate: + type: object + properties: + deactivate: + allOf: + - description: Deactivates the Factor. See [Unenroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksEnroll: + type: object + properties: + enroll: + allOf: + - description: Enrolls a supported Factor. See [Enroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor). 
+ - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksFactor: + type: object + properties: + factor: + allOf: + - description: Link to the Factor resource + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksGovernanceResources: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the resources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + resources: + $ref: '#/components/schemas/HrefObjectGovernanceResourcesLink' + readOnly: true + LinksGovernanceSources: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the sources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectUserLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true LinksNext: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. Use the `LinksNext` object for dynamic discovery of related resources and lifecycle operations. type: object 
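Review bot: the `LinkedObjectDetails.name` description in the `@@ -26810` hunk has a stray space inside the backticks before `0-9`, which renders as a literal leading space in the allowed-character list. The `x-enumDescriptions` entry `USER: Specifies the type of object` describes the enum rather than the value; it should say what a `USER` relationship means (that the related object is a user).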
@@ -26842,8 +55757,49 @@ components: next: $ref: '#/components/schemas/HrefObject' readOnly: true + LinksNextForRoleAssignments: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. + type: object + properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The next page of results if [pagination](#pagination) is required + readOnly: true + LinksPoll: + type: object + properties: + poll: + allOf: + - description: Polls the Factor resource for status information. Always use the `poll` link instead of manually constructing your own URL. + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksQrcode: + type: object + properties: + qrcode: + allOf: + - description: QR code that encodes the push activation code needed for enrollment on the device + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksQuestions: + type: object + properties: + question: + allOf: + - description: Lists all supported security questions. See [List all Supported Security Questions](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksResend: + type: object + properties: + resend: + allOf: + - description: Resends the factor enrollment challenge. See [Resend a Factor enrollment](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true LinksSelf: - description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. 
This object is used for dynamic discovery of related resources and lifecycle operations. + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. type: object properties: self: 
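Review bot: `LinksNextForRoleAssignments.next` in the `@@ -26842` hunk links to `#pagination`, a page-relative fragment that only resolves where the rendered reference defines that anchor; the other link descriptions in this patch use full `/openapi/okta-management/...` paths, so use the same form here. Minor: `LinksQuestions` exposes a property named `question` (singular); confirm that matches the actual `_links` key returned, since the schema name suggests otherwise.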
@@ -26877,7 +55833,49 @@ components: - type: object properties: roles: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/HrefObjectRoleLink' + LinksSelfForRoleAssignment: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + LinksSelfLifecycleAndAuthorize: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + authorize: + $ref: '#/components/schemas/HrefObjectAuthorizeLink' + LinksSend: + type: object + properties: + send: + allOf: + - description: Sends an activation link through email or sms for users who can't scan the QR code + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksUser: + type: object + properties: + user: + allOf: + - description: Returns information on the specified user + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksUserRef: + type: object + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + LinksVerify: + type: object + properties: + verify: + allOf: + - description: Verifies the Factor resource. See [Verify a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true ListProfileMappings: description: |- A collection of the profile mappings that include a subset of the profile mapping object's properties. The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). 
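Review bot: the `LinksSend` description in this hunk writes "email or sms"; the protocol name should be capitalised as "SMS".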
@@ -26890,20 +55888,22 @@ components: description: Unique identifier for profile mapping readOnly: true source: - type: object - description: Source of the schema property expressions (Okta object or App Instance object) $ref: '#/components/schemas/ProfileMappingSource' target: - type: object - description: Target of the schema property expressions (Okta object or App Instance object) $ref: '#/components/schemas/ProfileMappingTarget' _links: $ref: '#/components/schemas/LinksSelf' LoadingPageTouchPointVariant: + description: | + Variant for the Okta loading page. You can publish a theme for Okta loading page with different combinations of assets. Variants are preset combinations of those assets. + default: OKTA_DEFAULT type: string enum: - NONE - OKTA_DEFAULT + x-enumDescriptions: + NONE: Uses no loading page animation during the redirect + OKTA_DEFAULT: Uses the default Okta loading page animation during the redirect LocationGranularity: type: string enum: 
@@ -26912,32 +55912,55 @@ components: - LAT_LONG - SUBDIVISION LogActor: + description: Describes the user, app, client, or other entity (actor) who performs an action on a target. The actor is dependent on the action that is performed. All events have actors. type: object properties: alternateId: + description: Alternative ID of the actor type: string readOnly: true detailEntry: + description: Further details about the actor type: object - additionalProperties: - type: object - properties: {} + additionalProperties: true readOnly: true displayName: + description: Display name of the actor type: string readOnly: true id: + description: ID of the actor type: string readOnly: true type: + description: Type of actor type: string readOnly: true LogAuthenticationContext: + description: |- + All authentication relies on validating one or more credentials that prove the authenticity of the actor's identity. Credentials are sometimes provided by the actor, as is the case with passwords, and at other times provided by a third party, and validated by the authentication provider. + + The authenticationContext contains metadata about how the actor is authenticated. For example, an authenticationContext for an event, where a user authenticates with Integrated Windows Authentication (IWA), looks like the following: + ``` + { + "authenticationProvider": "ACTIVE_DIRECTORY", + "authenticationStep": 0, + "credentialProvider": null, + "credentialType": "IWA", + "externalSessionId": "102N1EKyPFERROGvK9wizMAPQ", + "interface": null, + "issuer": null + } + ``` + In this case, the user enters an IWA credential to authenticate against an Active Directory instance. All of the user's future-generated events in this sign-in session are going to share the same `externalSessionId`. 
+ + Among other operations, this response object can be used to scan for suspicious sign-in activity or perform analytics on user authentication habits (for example, how often authentication scheme X is used versus authentication scheme Y). type: object properties: authenticationProvider: $ref: '#/components/schemas/LogAuthenticationProvider' authenticationStep: + description: The zero-based step number in the authentication pipeline. Currently unused and always set to `0`. type: integer readOnly: true credentialProvider: @@ -26945,14 +55968,17 @@ components: credentialType: $ref: '#/components/schemas/LogCredentialType' externalSessionId: + description: A proxy for the actor's [session ID](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) type: string readOnly: true interface: + description: The third-party user interface that the actor authenticates through, if any. type: string readOnly: true issuer: $ref: '#/components/schemas/LogIssuer' LogAuthenticationProvider: + description: The system that proves the identity of an actor using the credentials provided to it type: string enum: - ACTIVE_DIRECTORY 
@@ -26962,25 +55988,31 @@ components: - OKTA_AUTHENTICATION_PROVIDER - SOCIAL LogClient: + description: When an event is triggered by an HTTP request, the `client` object describes the [client](https://datatracker.ietf.org/doc/html/rfc2616) that issues the HTTP request. For instance, the web browser is the client when a user accesses Okta. When this request is received and processed, a sign-in event is fired. When the event isn't sourced to an HTTP request, such as an automatic update, the `client` object field is blank. type: object properties: device: + description: Type of device that the client operates from (for example, computer) type: string readOnly: true geographicalContext: $ref: '#/components/schemas/LogGeographicalContext' id: + description: For OAuth requests, this is the ID of the OAuth [client](https://datatracker.ietf.org/doc/html/rfc6749#section-1.1) making the request. For SSWS token requests, this is the ID of the agent making the request. type: string readOnly: true ipAddress: + description: IP address that the client is making its request from type: string readOnly: true userAgent: $ref: '#/components/schemas/LogUserAgent' zone: + description: The `name` of the [Zone](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/NetworkZone/#tag/NetworkZone/operation/getNetworkZone) that the client's location is mapped to type: string readOnly: true LogCredentialProvider: + description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs through credentials provided by a credential provider, the credential provider is recorded here. type: string enum: - DUO 
@@ -26991,25 +56023,98 @@ components: - SYMANTEC - YUBIKEY LogCredentialType: + description: The underlying technology/scheme used in the credential type: string enum: - ASSERTION + - CERTIFICATE + - DEVICE_UDID - EMAIL - IWA - JWT - OAuth 2.0 + - OKTA_CLIENT_SESSION - OTP - PASSWORD + - PRE_SHARED_SYMMETRIC_KEY - SMS LogDebugContext: + description: |- + For some kinds of events (for example, OLM provisioning, sign-in request, second factor SMS, and so on), the fields that are provided in other response objects aren't sufficient to adequately describe the operations that the event has performed. In such cases, the `debugContext` object provides a way to store additional information. + + For example, an event where a second factor SMS token is sent to a user may have a `debugContext` that looks like the following: + ``` + { + "debugData": { + "requestUri": "/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify", + "smsProvider": "TELESIGN", + "transactionId": "268632458E3C100F5F5F594C6DC689D4" + } + } + ``` + By inspecting the debugData field, you can find the URI that is used to trigger the second factor SMS (`/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify`), the SMS provider (`TELESIGN`), and the ID used by Telesign to identify this transaction (`268632458E3C100F5F5F594C6DC689D4`). + + If for some reason the information that is needed to implement a feature isn't provided in other response objects, you should scan the `debugContext.debugData` field for potentially useful fields. + > **Important:** The information contained in `debugContext.debugData` is intended to add context when troubleshooting customer platform issues. Both key names and values may change from release to release and aren't guaranteed to be stable. Therefore, they shouldn't be viewed as a data contract but as a debugging aid instead. 
type: object properties: debugData: type: object - additionalProperties: - type: object - properties: {} + description: A dynamic field that contains miscellaneous information that is dependent on the event type. + additionalProperties: true + readOnly: true + LogDevice: + description: The entity that describes a device enrolled with passwordless authentication using Okta Verify. + example: + LogDeviceObject: + $ref: '#/components/examples/LogDeviceObject' + type: object + properties: + device_integrator: + description: The integration platform or software used with the device + type: object + readOnly: true + disk_encryption_type: + $ref: '#/components/schemas/LogDiskEncryptionType' + id: + description: ID of the device + type: string + readOnly: true + jailbreak: + description: If the device has removed software restrictions + type: boolean + readOnly: true + managed: + description: Indicates if the device is configured for device management and is registered with Okta + type: boolean readOnly: true + name: + type: string + readOnly: true + os_platform: + type: string + readOnly: true + os_version: + type: string + readOnly: true + registered: + description: Indicates if the device is registered with an Okta org and is bound to an Okta Verify instance on the device + type: boolean + readOnly: true + screen_lock_type: + $ref: '#/components/schemas/LogScreenLockType' + secure_hardware_present: + description: The availability of hardware security on the device + type: boolean + readOnly: true + LogDiskEncryptionType: + type: string + enum: + - ALL_INTERNAL_VALUES + - FULL + - NONE + - SYSTEM_VOLUME + - USER LogEvent: type: object properties: 
@@ -27022,17 +56127,21 @@ components: debugContext: $ref: '#/components/schemas/LogDebugContext' displayMessage: + description: The display message for an event type: string readOnly: true eventType: + description: Type of event that is published type: string readOnly: true legacyEventType: + description: Associated Events API Action `objectType` attribute value type: string readOnly: true outcome: $ref: '#/components/schemas/LogOutcome' published: + description: Timestamp when the event is published type: string format: date-time readOnly: true 
@@ -27050,36 +56159,46 @@ components: transaction: $ref: '#/components/schemas/LogTransaction' uuid: + description: Unique identifier for an individual event type: string readOnly: true version: + description: Versioning indicator type: string readOnly: true LogGeographicalContext: + description: Geographical context describes a set of geographic coordinates. In addition to containing latitude and longitude data, the `GeographicalContext` object also contains address data of postal code-level granularity. Within the `Client` object, the geographical context refers to the physical location of the client when it sends the request that triggers this event. All `Transaction` events with `type` equal to `WEB` have a geographical context set. `Transaction` events with `type` equal to `JOB` don't have a geographical context set. The geographical context data can be missing if the geographical data for a request can't be resolved. type: object properties: city: + description: The city that encompasses the area that contains the geolocation coordinates, if available (for example, Seattle, San Francisco) type: string readOnly: true country: + description: Full name of the country that encompasses the area that contains the geolocation coordinates (for example, France, Uganda) type: string readOnly: true geolocation: $ref: '#/components/schemas/LogGeolocation' postalCode: + description: Postal code of the area that encompasses the geolocation coordinates type: string readOnly: true state: + description: Full name of the state or province that encompasses the area that contains the geolocation coordinates (for example, Montana, Ontario) type: string readOnly: true LogGeolocation: + description: The latitude and longitude of the geolocation where an action was performed. The object is formatted according to the [ISO-6709](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en) standard. 
type: object properties: lat: + description: Latitude which uses two digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Latitude) type: number format: double readOnly: true lon: + description: Longitude which uses three digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Longitude) type: number format: double readOnly: true 
@@ -27089,59 +56208,92 @@ components: geographicalContext: $ref: '#/components/schemas/LogGeographicalContext' ip: + description: IP address type: string readOnly: true source: + description: Details regarding the source type: string readOnly: true version: + description: IP address version type: string readOnly: true LogIssuer: + description: Describes the issuer of the authorization server when the authentication is performed through OAuth. This is the location where well-known resources regarding the details of the authorization servers are published. type: object properties: id: + description: Varies depending on the type of authentication. If authentication is SAML 2.0, `id` is the issuer in the SAML assertion. For social login, `id` is the issuer of the token. type: string readOnly: true type: + description: Information on the `issuer` and source of the SAML assertion or token type: string readOnly: true LogOutcome: type: object properties: reason: + description: Reason for the result, for example, `INVALID_CREDENTIALS` type: string readOnly: true + minLength: 1 + maxLength: 255 result: + description: Result of the action type: string readOnly: true + enum: + - SUCCESS + - FAILURE + - SKIPPED + - ALLOW + - DENY + - CHALLENGE + - UNKNOWN LogRequest: + description: The `Request` object describes details that are related to the HTTP request that triggers this event, if available. When the event isn't sourced to an HTTP request, such as an automatic update on the Okta servers, the `Request` object still exists, but the `ipChain` field is empty. type: object properties: ipChain: + description: If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format of clientIp, proxy1, proxy2, and so on. This field is useful when working with trusted proxies. 
type: array readOnly: true items: $ref: '#/components/schemas/LogIpAddress' + LogScreenLockType: + type: string + enum: + - BIOMETRIC + - NONE + - PASSCODE LogSecurityContext: + description: The `securityContext` object provides security information that is directly related to the evaluation of the event's IP reputation. IP reputation is a trustworthiness rating that evaluates how likely a sender is to be malicious and is based on the sender's IP address. As the name implies, the `securityContext` object is useful for security applications-flagging and inspecting suspicious events. type: object properties: asNumber: + description: The [Autonomous system](https://docs.telemetry.mozilla.org/datasets/other/asn_aggregates/reference) number that's associated with the autonomous system the event request was sourced to type: integer readOnly: true asOrg: + description: The organization that is associated with the autonomous system that the event request is sourced to type: string readOnly: true domain: + description: The domain name that's associated with the IP address of the inbound event request type: string readOnly: true isp: + description: The Internet service provider that's used to send the event's request type: string readOnly: true isProxy: + description: Specifies whether an event's request is from a known proxy type: boolean readOnly: true LogSeverity: + description: Indicates how severe the event is type: string enum: - DEBUG 
@@ -27274,31 +56426,48 @@ components: $schema: type: string readOnly: true - created: - type: string - readOnly: true + description: JSON Schema version identifier errorMessage: type: object + description: A collection of error messages for individual properties in the schema. Okta implements a subset of [ajv-errors](https://github.com/ajv-validator/ajv-errors). id: type: string readOnly: true - lastUpdated: - type: string - readOnly: true - name: + description: URI of Log Stream Schema + oneOf: + items: + $ref: '#/components/schemas/UserSchemaAttributeEnum' + type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + pattern: type: string - readOnly: true + description: For `string` Log Stream Schema property type, specifies the regular expression used to validate the property properties: type: object + description: Log Stream Schema properties object required: type: array items: type: string + description: Required properties for this Log Stream Schema object title: type: string + description: Name of the Log Streaming integration type: type: string readOnly: true + description: Type of Log Stream Schema property _links: $ref: '#/components/schemas/LinksSelf' LogStreamSelfLink: 
@@ -27376,51 +56545,106 @@ components: - aws_eventbridge - splunk_cloud_logstreaming LogTarget: + description: The entity that an actor performs an action on. Targets can be anything, such as an app user, a sign-in token, or anything else. type: object properties: alternateId: type: string + description: The alternate ID of the target readOnly: true + changeDetails: + type: object + example: + LogTargetChangeDetails: + $ref: '#/components/examples/LogTargetChangeDetails' + description: |- + Details on the target's changes. Not all event types support the `changeDetails` property, and not all + `target` objects contain the `changeDetails` property. You must include a property within the object. + + > **Note:** When querying the `changeDetails` property, you can't search on the `to` or `from` objects alone. You must include a property within the object. + properties: + from: + type: object + description: The original properties of the target + additionalProperties: true + to: + type: object + description: The updated properties of the target + additionalProperties: true detailEntry: type: object - additionalProperties: - type: object - properties: {} + description: Further details on the target + additionalProperties: true readOnly: true displayName: type: string + description: The display name of the target readOnly: true id: type: string + description: The ID of the target readOnly: true type: type: string + description: The type of target readOnly: true LogTransaction: + description: |- + A `transaction` object comprises contextual information associated with its respective event. + This information is useful for understanding sequences of correlated events. + For example, a `transaction` object such as the following: + ``` + { + "id": "Wn4f-0RQ8D8lTSLkAmkKdQAADqo", + "type": "WEB", + "detail": null + } + ``` + indicates that a `WEB` request with `id` `Wn4f-0RQ8D8lTSLkAmkKdQAADqo` has created this event. 
+ + A `transaction` object with a `requestApiTokenId` in the `detail` object, for example : + ``` + { + "id": "YjSlblAAqnKY7CdyCkXNBgAAAIU", + "type": "WEB", + "detail": { + "requestApiTokenId": "00T94e3cn9kSEO3c51s5" + } + } + ``` + indicates that this event was the result of an action performed through an API using the token identified by 00T94e3cn9kSEO3c51s5. The token ID is visible in the Admin Console, **Security** > **API**. See [API token management](https://help.okta.com/okta_help.htm?id=Security_API). For more information on API tokens, see [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/). type: object properties: detail: + description: Details for this transaction. type: object - additionalProperties: - type: object - properties: {} + additionalProperties: true readOnly: true id: + description: Unique identifier for this transaction. type: string readOnly: true type: + description: Describes the kind of transaction. `WEB` indicates a web request. `JOB` indicates an asynchronous task. type: string readOnly: true LogUserAgent: + description: | + "A user agent is software (a software agent) that is acting on behalf of a user." ([Definition of User Agent](https://developer.mozilla.org/en-US/docs/Glossary/User_agent)) + + In the Okta event data object, the `UserAgent` object provides specifications about the client software that makes event-triggering HTTP requests. User agent identification is often useful for identifying interoperability problems between servers and clients, and also for browser and operating system usage analytics. 
type: object properties: browser: + description: If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX) type: string readOnly: true os: + description: The operating system that the client runs on (for example, Windows 10) type: string readOnly: true rawUserAgent: + description: A raw string representation of the user agent that is formatted according to [section 5.5.3 of HTTP/1.1 Semantics and Content](https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.3). Both the `browser` and the `OS` fields can be derived from this field. type: string readOnly: true MDMEnrollmentPolicyEnrollment: 
@@ -27435,153 +56659,110 @@ components: type: boolean enrollment: $ref: '#/components/schemas/MDMEnrollmentPolicyEnrollment' - MultifactorEnrollmentPolicy: + MetadataLink: allOf: - - $ref: '#/components/schemas/Policy' - - type: object - properties: - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - settings: - $ref: '#/components/schemas/MultifactorEnrollmentPolicySettings' - MultifactorEnrollmentPolicyAuthenticatorSettings: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [SAML metadata](/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) for SSO + MtlsCredentials: + description: Certificate chain description for verifying assertions from the Smart Card type: object properties: - constraints: - nullable: true - minimum: 0 - type: object - properties: - aaguidGroups: - type: array - items: - type: string - uniqueItems: true - x-okta-lifecycle: - features: - - WEBAUTHN_MDS_CATALOG_BASED_AAGUID_ALLOWLIST - enroll: - type: object - properties: - self: - $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorStatus' - key: - $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorType' - MultifactorEnrollmentPolicyAuthenticatorStatus: - type: string - enum: - - NOT_ALLOWED - - OPTIONAL - - REQUIRED - MultifactorEnrollmentPolicyAuthenticatorType: - type: string - enum: - - custom_app - - custom_otp - - duo - - external_idp - - google_otp - - okta_email - - okta_password - - okta_verify - - onprem_mfa - - phone_number - - rsa_token - - security_question - - symantec_vip - - webauthn - - yubikey_token - MultifactorEnrollmentPolicySettings: + trust: + $ref: '#/components/schemas/MtlsTrustCredentials' + MtlsEndpoints: type: object properties: - authenticators: - items: - $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorSettings' - type: array - type: - $ref: '#/components/schemas/MultifactorEnrollmentPolicySettingsType' - 
MultifactorEnrollmentPolicySettingsType: + sso: + $ref: '#/components/schemas/MtlsSsoEndpoint' + MtlsSsoEndpoint: + description: The Single Sign-On (SSO) endpoint is the IdP's `SingleSignOnService` endpoint + type: object + properties: + url: + type: string + maxLength: 1014 + example: https://{yourOktaDomain}.okta.com/login/cert + MtlsTrustCredentials: + type: object + properties: + audience: + type: string + description: Not used + example: null + issuer: + type: string + description: Description of the certificate issuer + maxLength: 1024 + example: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + revocation: + $ref: '#/components/schemas/MtlsTrustCredentialsRevocation' + revocationCacheLifetime: + type: number + description: Time in minutes to cache the certificate revocation information + maximum: 4320 + example: 2880 + MtlsTrustCredentialsRevocation: + description: Mechanism to validate the certificate + example: CRL type: string enum: - - AUTHENTICATORS + - CRL + - DELTA_CRL + - OCSP NetworkZone: type: object properties: - asns: - type: array - items: - type: string - description: Dynamic network zone property. array of strings that represent an ASN numeric value - maximum: 75 created: type: string format: date-time - description: Timestamp when the network zone was created + description: Timestamp when the object was created readOnly: true - gateways: - type: array - items: - $ref: '#/components/schemas/NetworkZoneAddress' - description: |- - IP network zone property: the IP addresses (range or CIDR form) of this zone. - The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone. 
id: type: string - description: Unique identifier for the network zone + description: Unique identifier for the Network Zone readOnly: true lastUpdated: type: string format: date-time - description: Timestamp when the network zone was last modified + description: Timestamp when the object was last modified readOnly: true - locations: - type: array - items: - $ref: '#/components/schemas/NetworkZoneLocation' - description: 'Dynamic network zone property: an array of geolocations of this network zone' - maximum: 75 name: type: string - description: Unique name for this network zone. Maximum of 128 characters. - proxies: - type: array - items: - $ref: '#/components/schemas/NetworkZoneAddress' - nullable: true - description: |- - IP network zone property: the IP addresses (range or CIDR form) that are allowed to forward a request from gateway addresses - These proxies are automatically trusted by Threat Insights, and used to identify the client IP of a request. - The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone. - proxyType: - type: string - description: 'Dynamic network zone property: the proxy type used' - enum: - - 'null' - - Any - - Tor - - NotTorAnonymizer - x-enumDescriptions: - 'null': (Or `""`) No proxy used - Any: Use any proxy type for the dynamic zone. - Tor: Use TorAnonymizer as the proxy type for the dynamic zone. - NotTorAnonymizer: Use NotTorAnonymizer as the proxy type for the dynamic zone. + description: Unique name for this Network Zone + maxLength: 128 status: $ref: '#/components/schemas/NetworkZoneStatus' system: type: boolean - description: |- - Indicates if this is a system network zone. For admin-created zones, this is always `false`. - The system IP Policy Network Zone (`LegacyIpZone`) is included by default in your Okta org. Notice that `system=true` for the `LegacyIpZone` object. 
Admin users can modify the name of this default system Zone and can add up to 5000 gateway or proxy IP entries. + readOnly: true + description: | + Indicates a system Network Zone: + * `true` for system Network Zones + * `false` for custom Network Zones + + The Okta org provides the following default system Network Zones: + * `LegacyIpZone` + * `BlockedIpZone` + * `DefaultEnhancedDynamicZone` + + Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries. type: $ref: '#/components/schemas/NetworkZoneType' usage: $ref: '#/components/schemas/NetworkZoneUsage' - _links: - allOf: - - $ref: '#/components/schemas/LinksSelf' - - properties: - deactivate: - $ref: '#/components/schemas/HrefObject' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + required: + - name + - type + discriminator: + propertyName: type + mapping: + IP: '#/components/schemas/IPNetworkZone' + DYNAMIC: '#/components/schemas/DynamicNetworkZone' + DYNAMIC_V2: '#/components/schemas/EnhancedDynamicNetworkZone' NetworkZoneAddress: description: Specifies the value of an IP address expressed using either `range` or `CIDR` form. type: object 
@@ -27590,42 +56771,56 @@ components: $ref: '#/components/schemas/NetworkZoneAddressType' value: type: string - description: Value in CIDR/range form depending on the type specified + description: Value in CIDR/range form, depending on the `type` specified NetworkZoneAddressType: - description: Format of the value + description: Format of the IP addresses type: string enum: - CIDR - RANGE + NetworkZoneAsns: + items: + type: string + maximum: 75 + type: array NetworkZoneLocation: type: object properties: country: type: string description: |- - Format of the country value: length 2 [ISO-3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) country code. - Do not use continent codes as they are treated as generic codes for undesignated countries. - example: US + The two-character ISO-3166-1 country code. + Don't use continent codes since they are treated as generic codes for undesignated countries. + <br>For example: `US` + maxLength: 2 + minLength: 2 region: type: string description: |- - Format of the region value (optional): region code [ISO-3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) appended to country code (`countryCode-regionCode`), or `null` if empty. - Do not use continent codes as they are treated as generic codes for undesignated regions. - example: US-CA + (Optional) The ISO-3166-2 region code appended to the country code (`countryCode-regionCode`), or `null` if empty. + Don't use continent codes since they are treated as generic codes for undesignated regions. 
+ <br>For example: `CA` (for `US-CA` country and region code) + NetworkZoneLocationArray: + items: + $ref: '#/components/schemas/NetworkZoneLocation' + maximum: 75 + nullable: true + type: array NetworkZoneStatus: - description: Network zone status + description: Network Zone status type: string enum: - ACTIVE - INACTIVE NetworkZoneType: - description: The type of network zone + description: The type of Network Zone type: string enum: - DYNAMIC - IP + - DYNAMIC_V2 NetworkZoneUsage: - description: The usage of the network zone + description: The usage of the Network Zone type: string enum: - BLOCKLIST @@ -27636,6 +56831,7 @@ components: enum: - AD_AGENT - AGENT_AUTO_UPDATE_NOTIFICATION + - AGENT_AUTO_UPDATE_NOTIFICATION_LDAP - APP_IMPORT - CONNECTOR_AGENT - IWA_AGENT @@ -27668,8 +56864,8 @@ components: id: type: string description: User ID - example: 00uu3u0ujW1P6AfZC1d7 readOnly: true + example: 00u5t60iloOHN9pBi0h7 type: type: string description: Type of user @@ -27680,6 +56876,7 @@ components: properties: alwaysIncludeInToken: type: boolean + description: Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint. claimType: $ref: '#/components/schemas/OAuth2ClaimType' conditions: 
@@ -27688,20 +56885,25 @@ components: $ref: '#/components/schemas/OAuth2ClaimGroupFilterType' id: type: string + description: ID of the Claim readOnly: true name: type: string + description: Name of the Claim status: $ref: '#/components/schemas/LifecycleStatus' system: + description: When `true`, indicates that Okta created the Claim type: boolean value: + description: Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`. type: string valueType: $ref: '#/components/schemas/OAuth2ClaimValueType' _links: $ref: '#/components/schemas/LinksSelf' OAuth2ClaimConditions: + description: Specifies the scopes for the Claim type: object properties: scopes: 
@@ -27709,18 +56911,31 @@ components: items: type: string OAuth2ClaimGroupFilterType: + description: |- + Specifies the type of group filter if `valueType` is `GROUPS` + + If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`. + + If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim. type: string enum: - CONTAINS - EQUALS - REGEX - STARTS_WITH + x-enumDescriptions: + STARTS_WITH: Group names start with `value` (not case-sensitive). For example, if `value` is `group1`, then `group123` and `Group123` are included. + EQUALS: Group name is the same as `value` (not case-sensitive). For example, if `value` is `group1`, then `group1` and `Group1` are included, but `group123` isn't. + CONTAINS: Group names contain `value` (not case-sensitive). For example, if `value` is `group1`, then `MyGroup123` and `group1` are included. + REGEX: Group names match the regular expression in `value` (case-sensitive). For example if `value` is `/^[a-z0-9_-]{3,16}$/`, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match. OAuth2ClaimType: + description: Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`) type: string enum: - IDENTITY - RESOURCE OAuth2ClaimValueType: + description: Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`) type: string enum: - EXPRESSION 
@@ -27730,59 +56945,307 @@ components: type: object properties: client_id: + description: Unique key for the client application. The `client_id` is immutable. type: string readOnly: true + example: 0oabskvc6442nkvQO0h7 client_name: + description: Human-readable string name of the client application type: string readOnly: true + example: My App client_uri: type: string readOnly: true + example: https://www.example.com logo_uri: + description: URL string that references a logo for the client consent dialog (not the sign-in dialog) type: string readOnly: true + example: https://www.example.com/logo.png _links: - $ref: '#/components/schemas/LinksSelf' - OAuth2RefreshToken: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + grants: + description: Link to the grant resources + allOf: + - $ref: '#/components/schemas/GrantResourcesHrefObject' + tokens: + description: Link to the token resources + allOf: + - $ref: '#/components/schemas/TokenResourcesHrefObject' + OAuth2ClientJsonWebKey: type: object properties: - clientId: + alg: type: string + description: Algorithm used in the key + example: RS256 + nullable: false created: type: string - format: date-time + description: Timestamp when the OAuth Client 2.0 JSON Web Key was created + example: '2023-02-21T20:08:24.000Z' readOnly: true - createdBy: - $ref: '#/components/schemas/OAuth2Actor' + nullable: false + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + id: + type: string + description: The unique ID of the OAuth Client JSON Web Key + example: pks2f4zrZbs8nUa7p0g4 + readOnly: true + nullable: false + kid: + type: string + description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + lastUpdated: + type: 
string + description: Timestamp when the OAuth Client 2.0 JSON Web Key was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + 'n': + type: string + description: RSA key value (modulus) for key binding + example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client JSON Web Key + example: ACTIVE + nullable: false + default: ACTIVE + use: + type: string + description: Acceptable use of the JSON Web Key + example: sig + nullable: false + _links: + $ref: '#/components/schemas/OAuthClientSecretLinks' + readOnly: true + nullable: false + OAuth2ClientJsonWebKeyRequestBody: + type: object + properties: + alg: + type: string + description: Algorithm used in the key + example: RS256 + nullable: false + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + kid: + type: string + description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + 'n': + type: string + description: RSA key value (modulus) for key binding + example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + 
nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client JSON Web Key + example: ACTIVE + use: + type: string + description: Acceptable use of the JSON Web Key + example: sig + nullable: false + OAuth2ClientSecret: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string + example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + readOnly: true + nullable: false + created: + type: string + description: Timestamp when the OAuth Client 2.0 Secret was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + id: + type: string + description: The unique ID of the OAuth Client Secret + example: ocs2f4zrZbs8nUa7p0g4 + readOnly: true + nullable: false + lastUpdated: + type: string + description: Timestamp when the OAuth Client 2.0 Secret was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + secret_hash: + type: string + description: OAuth 2.0 client secret string hash + example: yk4SVx4sUWVJVbHt6M-UPA + readOnly: true + nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client Secret + example: ACTIVE + nullable: false + default: ACTIVE + _links: + $ref: '#/components/schemas/OAuthClientSecretLinks' + readOnly: true + nullable: false + OAuth2ClientSecretRequestBody: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string + example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client Secret + example: ACTIVE + OAuth2RefreshToken: + type: object + properties: + clientId: + type: string + description: Client ID + created: + $ref: '#/components/schemas/createdProperty' expiresAt: type: string + description: Expiration time of the OAuth 2.0 Token format: date-time readOnly: true id: type: string + 
description: ID of the Token object readOnly: true + example: oar579Mcp7OUsNTlo0g3 issuer: type: string + description: The complete URL of the authorization server that issued the Token + example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 lastUpdated: - type: string - format: date-time - readOnly: true + $ref: '#/components/schemas/lastUpdatedProperty' scopes: type: array + description: The scope names attached to the Token items: type: string + example: offline_access status: $ref: '#/components/schemas/GrantOrTokenStatus' userId: type: string + description: The ID of the user associated with the Token + example: 00u5t60iloOHN9pBi0h7 _embedded: type: object - additionalProperties: - type: object - properties: {} + description: The embedded resources related to the object if the `expand` query parameter is specified + properties: + scopes: + type: array + description: The scope objects attached to the Token + items: + $ref: '#/components/schemas/OAuth2RefreshTokenScope' readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + revoke: + description: Link to revoke the refresh Token + allOf: + - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject' + - properties: + hints: + properties: + allow: + items: + enum: + - DELETE + default: DELETE + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the Token authorization server resource + allOf: + - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject' + OAuth2RefreshTokenScope: + type: object + properties: + description: + type: string + description: Description of the Scope 
+ example: Requests a refresh token by default, used to obtain more access tokens without re-prompting the user for authentication + displayName: + type: string + description: Name of the end user displayed in a consent dialog + id: + type: string + description: Scope object ID + readOnly: true + example: scppb56cIl4GvGxy70g3 + name: + type: string + description: Scope name + example: offline_access + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + type: object + properties: + scope: + description: Link to Scope resource + allOf: + - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject' OAuth2Scope: type: object properties: @@ -27790,19 +57253,35 @@ components: $ref: '#/components/schemas/OAuth2ScopeConsentType' default: type: boolean + description: Indicates if this Scope is a default scope + default: false description: type: string + description: Description of the Scope displayName: type: string + description: Name of the end user displayed in a consent dialog id: type: string + description: Scope object ID readOnly: true metadataPublish: $ref: '#/components/schemas/OAuth2ScopeMetadataPublish' name: type: string + description: Scope name + optional: + type: boolean + description: Indicates whether the Scope is optional. When set to `true`, the user can skip consent for the scope. + default: false system: type: boolean + description: Indicates if Okta created the Scope + default: false + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - name OAuth2ScopeConsentGrant: description: Grant object that represents an app consent scope grant type: object 
@@ -27810,31 +57289,23 @@ components: clientId: type: string description: Client ID of the app integration - example: 0oafxqCAJWWGELFTYASJ readOnly: true + example: oag3ih1zrm1cBFOiq0h6 created: - type: string - description: Timestamp when the Grant object was created - format: date-time - example: '2023-06-28T16:40:10.000Z' - readOnly: true + $ref: '#/components/schemas/createdProperty' createdBy: $ref: '#/components/schemas/OAuth2Actor' id: type: string description: ID of the Grant object - example: oagsebt2ltaSlR6t81d6 readOnly: true + example: oag3ih1zrm1cBFOiq0h6 issuer: type: string description: The issuer of your org authorization server. This is typically your Okta domain. example: https://my_test_okta_org.oktapreview.com lastUpdated: - type: string - description: Timestamp when the Grant object was last updated - format: date-time - example: '2023-06-28T16:40:10.000Z' - readOnly: true + $ref: '#/components/schemas/lastUpdatedProperty' scopeId: type: string description: The name of the [Okta scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) for which consent is granted @@ -27847,6 +57318,7 @@ components: type: string description: User ID that granted consent (if `source` is `END_USER`) readOnly: true + example: 00u5t60iloOHN9pBi0h7 _embedded: type: object description: Embedded resources related to the Grant 
@@ -27865,13 +57337,25 @@ components: - type: object properties: app: - description: Link to app + description: Link to the app resource allOf: - - $ref: '#/components/schemas/HrefObject' + - $ref: '#/components/schemas/AppResourceHrefObject' client: - description: Link to client + description: Link to the client resource allOf: - - $ref: '#/components/schemas/HrefObject' + - $ref: '#/components/schemas/AppResourceHrefObject' + scope: + description: Link to the scope resource + allOf: + - $ref: '#/components/schemas/ScopeResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the authorization server resource + allOf: + - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject' - readOnly: true required: - issuer @@ -27885,17 +57369,22 @@ components: - END_USER readOnly: true OAuth2ScopeConsentType: + description: Indicates whether a consent dialog is needed for the Scope + default: IMPLICIT type: string enum: - - ADMIN + - FLEXIBLE - IMPLICIT - REQUIRED OAuth2ScopeMetadataPublish: + description: Indicates whether the Scope is included in the metadata + default: NO_CLIENTS type: string enum: - ALL_CLIENTS - NO_CLIENTS OAuth2ScopesMediationPolicyRuleCondition: + description: Array of scopes that the condition includes type: object properties: include: 
@@ -27907,25 +57396,28 @@ components: properties: clientId: type: string - created: - type: string - format: date-time + description: Client ID + example: 0oabskvc6442nkvQO0h7 readOnly: true + created: + $ref: '#/components/schemas/createdProperty' expiresAt: type: string + description: Expiration time of the OAuth 2.0 Token format: date-time readOnly: true id: type: string + description: ID of the Token object readOnly: true issuer: type: string + description: The complete URL of the authorization server that issued the Token lastUpdated: - type: string - format: date-time - readOnly: true + $ref: '#/components/schemas/lastUpdatedProperty' scopes: type: array + description: Name of scopes attached to the Token items: type: string status: @@ -27934,6 +57426,7 @@ components: type: string _embedded: type: object + description: Embedded resources related to the object if the `expand` query parameter is specified additionalProperties: type: object properties: {} 
@@ -27947,7 +57440,61 @@ components: properties: oauthClient: $ref: '#/components/schemas/ApplicationCredentialsOAuthClient' + OAuthAuthorizationEndpoint: + description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) authorization endpoint + example: https://idp.example.com/authorize + OAuthClientSecretLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + delete: + $ref: '#/components/schemas/HrefObjectDeleteLink' + readOnly: true + OAuthCredentials: + description: Client authentication credentials for an [OAuth 2.0 Authorization Server](https://tools.ietf.org/html/rfc6749#section-2.3) + type: object + properties: + client: + $ref: '#/components/schemas/OAuthCredentialsClient' + signing: + $ref: '#/components/schemas/AppleClientSigning' + OAuthCredentialsClient: + description: |- + OAuth 2.0 and OpenID Connect Client object + > **Note:** You must complete client registration with the IdP Authorization Server for your Okta IdP instance to obtain client credentials. 
+ type: object + properties: + client_id: + type: string + description: The [Unique identifier](https://tools.ietf.org/html/rfc6749#section-2.2) issued by the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-id + client_secret: + type: string + description: The [Client secret](https://tools.ietf.org/html/rfc6749#section-2.3.1) issued by the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-secret + pkce_required: + type: boolean + description: Require Proof Key for Code Exchange (PKCE) for additional verification + token_endpoint_auth_method: + type: string + description: Client authentication methods supported by the token endpoint + enum: + - private_key_jwt OAuthEndpointAuthenticationMethod: + description: Requested authentication method for the token endpoint + default: client_secret_basic type: string enum: - client_secret_basic @@ -27955,7 +57502,23 @@ components: - client_secret_post - none - private_key_jwt + OAuthEndpoints: + description: |- + The `OAUTH2` and `OIDC` protocols support the `authorization` and `token` endpoints. Also, the `OIDC` protocol supports the `userInfo` and `jwks` endpoints. + + The IdP Authorization Server (AS) endpoints are currently defined as part of the [IdP provider]((https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request)) and are read-only. + type: object + properties: + authorization: + $ref: '#/components/schemas/OAuthAuthorizationEndpoint' + jwks: + $ref: '#/components/schemas/OidcJwksEndpoint' + token: + $ref: '#/components/schemas/OAuthTokenEndpoint' + userInfo: + $ref: '#/components/schemas/OidcUserInfoEndpoint' OAuthGrantType: + description: Array of OAuth 2.0 grant type strings type: string enum: - authorization_code 
@@ -27968,18 +57531,644 @@ components: - urn:ietf:params:oauth:grant-type:jwt-bearer - urn:ietf:params:oauth:grant-type:saml2-bearer - urn:ietf:params:oauth:grant-type:token-exchange + - urn:openid:params:grant-type:ciba + OAuthMetadata: + type: object + properties: + authorization_endpoint: + type: string + description: URL of the authorization server's authorization endpoint. + backchannel_authentication_request_signing_alg_values_supported: + description: <div class="x-lifecycle-container"><x-lifecycle class="lea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>A list of signing algorithms that this authorization server supports for signed requests. + type: array + items: + $ref: '#/components/schemas/SigningAlgorithm' + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + backchannel_token_delivery_modes_supported: + description: <div class="x-lifecycle-container"><x-lifecycle class="lea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication. + type: array + items: + $ref: '#/components/schemas/TokenDeliveryMode' + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + claims_supported: + description: A list of the claims supported by this authorization server. + type: array + items: + $ref: '#/components/schemas/Claim' + code_challenge_methods_supported: + description: A list of PKCE code challenge methods supported by this authorization server. + type: array + items: + $ref: '#/components/schemas/CodeChallengeMethod' + device_authorization_endpoint: + type: string + dpop_signing_alg_values_supported: + description: A list of signing algorithms supported by this authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs. 
+ type: array + items: + type: string + enum: + - ES256 + - ES384 + - ES512 + - RS256 + - RS384 + - RS512 + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + end_session_endpoint: + description: URL of the authorization server's logout endpoint. + type: string + grant_types_supported: + description: A list of the grant type values that this authorization server supports. + type: array + items: + $ref: '#/components/schemas/GrantType' + introspection_endpoint: + description: URL of the authorization server's introspection endpoint. + type: string + introspection_endpoint_auth_methods_supported: + description: A list of client authentication methods supported by this introspection endpoint. + type: array + items: + $ref: '#/components/schemas/EndpointAuthMethod' + issuer: + type: string + description: The authorization server's issuer identifier. In the context of this document, this is your authorization server's base URL. This becomes the `iss` claim in an access token. + jwks_uri: + description: URL of the authorization server's JSON Web Key Set document. + type: string + pushed_authorization_request_endpoint: + type: string + registration_endpoint: + description: URL of the authorization server's JSON Web Key Set document. + type: string + request_object_signing_alg_values_supported: + description: A list of signing algorithms that this authorization server supports for signed requests. + type: array + items: + $ref: '#/components/schemas/SigningAlgorithm' + request_parameter_supported: + description: Indicates if Request Parameters are supported by this authorization server. + type: boolean + response_modes_supported: + description: A list of the `response_mode` values that this authorization server supports. More information here. + type: array + items: + $ref: '#/components/schemas/ResponseMode' + response_types_supported: + description: A list of the `response_type` values that this authorization server supports. 
Can be a combination of `code`, `token`, and `id_token`. + type: array + items: + $ref: '#/components/schemas/ResponseTypesSupported' + revocation_endpoint: + description: URL of the authorization server's revocation endpoint. + type: string + revocation_endpoint_auth_methods_supported: + description: A list of client authentication methods supported by this revocation endpoint. + type: array + items: + $ref: '#/components/schemas/EndpointAuthMethod' + scopes_supported: + description: A list of the scope values that this authorization server supports. + type: array + items: + $ref: '#/components/schemas/Scope' + subject_types_supported: + description: A list of the Subject Identifier types that this authorization server supports. Valid types include `pairwise` and `public`, but only `public` is currently supported. See the [Subject Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification. + type: array + items: + $ref: '#/components/schemas/SubjectType' + token_endpoint: + description: URL of the authorization server's token endpoint. + type: string + token_endpoint_auth_methods_supported: + description: A list of client authentication methods supported by this token endpoint. 
+ type: array + items: + $ref: '#/components/schemas/EndpointAuthMethod' + OAuthProvisioningEnabledApp: + description: Application name for the provisioning connection + type: string + enum: + - google + - office365 + - slack + - zoomus OAuthResponseType: + description: Array of OAuth 2.0 response type strings type: string enum: - code - id_token - token + OAuthTokenEndpoint: + description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) token endpoint + example: https://idp.example.com/token + OINApplication: + type: object + properties: + accessibility: + $ref: '#/components/schemas/ApplicationAccessibility' + credentials: + $ref: '#/components/schemas/SchemeApplicationCredentials' + label: + $ref: '#/components/schemas/ApplicationLabel' + licensing: + $ref: '#/components/schemas/ApplicationLicensing' + name: + type: string + description: The key name for the OIN app definition + profile: + type: object + description: Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps) + additionalProperties: + type: object + properties: {} + signOnMode: + type: string + description: Authentication mode for the app + status: + $ref: '#/components/schemas/ApplicationLifecycleStatus' + visibility: + $ref: '#/components/schemas/ApplicationVisibility' + OINSaml11ApplicationSettingsSignOn: + title: SAML 1.1 settings + description: Contains SAML 1.1 sign-on mode attributes + type: object + properties: + audienceOverride: + type: string + description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). 
+ defaultRelayState: + type: string + description: Identifies a specific application resource in an IdP-initiated SSO scenario + recipientOverride: + type: string + description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + ssoAcsUrlOverride: + type: string + description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + OINSaml20ApplicationSettingsSignOn: + title: SAML 2.0 settings + description: |- + Contains SAML 2.0 sign-on mode attributes. + > **Note:** Set `destinationOverride` to configure any other SAML 2.0 attributes in this section. + type: object + properties: + audienceOverride: + type: string + description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + configuredAttributeStatements: + type: array + items: + $ref: '#/components/schemas/SamlAttributeStatement' + defaultRelayState: + type: string + description: Identifies a specific application resource in an IdP-initiated SSO scenario + destinationOverride: + type: string + description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + recipientOverride: + type: string + description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). + samlAssertionLifetimeSeconds: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: integer + description: Determines the SAML app session lifetimes with Okta + example: 3600 + ssoAcsUrlOverride: + type: string + description: Assertion Consumer Service (ACS) URL override for CASB configuration. 
See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). OSVersion: - description: Current version of the operating system + description: | + Specifies the OS requirement for the policy. + + There are two types of OS requirements: + + * **Static**: A specific OS version requirement that doesn't change until you update the policy. A static OS requirement is specified with the `osVersion.minimum` property. + * **Dynamic**: An OS version requirement that is relative to the latest major OS release and security patch. A dynamic OS requirement is specified with the `osVersion.dynamicVersionRequirement` property. + > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. You can't specify both `osVersion.minimum` and `osVersion.dynamicVersionRequirement` properties at the same time. + type: object + properties: + dynamicVersionRequirement: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>Contains the necessary properties for a dynamic version requirement + type: object + properties: + type: + type: string + description: Indicates the type of the dynamic OS version requirement + enum: + - MINIMUM + - EXACT + - EXACT_ANY_SUPPORTED + x-enumDescriptions: + MINIMUM: The device version must be equal to or newer than the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. + EXACT: The device version must be on the same major version as the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. + EXACT_ANY_SUPPORTED: The device version must be on a major version which is supported. You can't specify `distanceFromLatestMajor` for this type. 
+ distanceFromLatestMajor: + description: Indicates the distance from the latest major version + type: integer + minimum: 0 + maximum: 1 + latestSecurityPatch: + description: Indicates whether the device needs to be on the latest security patch + type: boolean + minimum: + description: The device version must be equal to or newer than the specified version string (maximum of three components for iOS and macOS, and maximum of four components for Android) + type: string + example: 12.4.5 + OSVersionConstraint: + type: object + properties: + dynamicVersionRequirement: + type: object + description: Contains the necessary properties for a dynamic Windows version requirement + properties: + type: + type: string + description: Indicates the type of the dynamic Windows version requirement + enum: + - MINIMUM + - EXACT + - EXACT_ANY_SUPPORTED + - NOT_ALLOWED + x-enumDescriptions: + MINIMUM: The device version must be equal to or newer than the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. + EXACT: The device version must be on the same major version as the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. + EXACT_ANY_SUPPORTED: The device version must be on a Windows major version which is supported. You can't specify `distanceFromLatestMajor` for this type. + NOT_ALLOWED: The device version isn't allowed. You can't specify `distanceFromLatestMajor` or `latestSecurityPatch` for this type. 
+ distanceFromLatestMajor: + description: Indicates the distance from the latest Windows major version + type: integer + minimum: 0 + maximum: 1 + latestSecurityPatch: + description: Indicates whether the policy requires Windows devices to be on the latest security patch + type: boolean + majorVersionConstraint: + type: string + description: Indicates the Windows major version + enum: + - WINDOWS_11 + - WINDOWS_10 + x-enumDescriptions: + WINDOWS_11: The device is on Windows 11 + WINDOWS_10: The device is on Windows 10 or an older Windows version + minimum: + description: The Windows device version must be equal to or newer than the specified version + type: string + example: 12.4.5.9 + required: + - majorVersionConstraint + OSVersionFourComponents: + description: Current version of the operating system (maximum of four components in the versioning scheme) + type: object + properties: + minimum: + type: string + example: 12.4.5.9 + OSVersionThreeComponents: + description: Current version of the operating system (maximum of three components in the versioning scheme) type: object properties: minimum: type: string + example: 12.4.5 + Office365Application: + title: Microsoft Office 365 + x-tags: + - Application + x-okta-defined-as: + name: office365 + description: | + Schema for the Microsoft Office 365 app (key name: `office365`) + + To create a Microsoft Office 365 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Office 365 app only supports `BROWSER_PLUGIN` and `SAML_1_1` sign-on modes. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - office365 + example: office365 + signOnMode: + enum: + - BROWSER_PLUGIN + - SAML_1_1 + example: BROWSER_PLUGIN + settings: + $ref: '#/components/schemas/Office365ApplicationSettings' + example: + name: office365 + label: Sample Office365 App + signOnMode: SAML_1_1 + settings: + app: + domain: myintegration.okta365test.net + msftTenant: mycompanyinc + Office365ApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/Office365ApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml11ApplicationSettingsSignOn' + Office365ApplicationSettingsApplication: + description: Office365 app instance properties + type: object + properties: + domain: + type: string + description: The domain for your Office 365 account + msftTenant: + type: string + description: Microsoft tenant name + required: + - msftTenant + - domain + Office365ProvisioningSettings: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + title: Microsoft Office 365 provisioning settings + description: Settings required for the Microsoft Office 365 Provisioning Connection + type: object + properties: + adminPassword: + type: string + description: Microsoft Office 365 global administrator password + adminUsername: + type: string + description: Microsoft Office 365 global administrator username + required: + - adminUsername + - adminPassword + OfflineAccessScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: + type: string + description: Link name + example: offline_access + Oidc: + description: OIDC configuration details + type: 
object + properties: + doc: + type: string + format: uri + description: The URL to your customer-facing instructions for configuring your OIDC integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). + example: https://example.com/strawberry/help/oidcSetup + initiateLoginUri: + type: string + format: uri + description: The URL to redirect users when they click on your app from their Okta End-User Dashboard + example: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: + type: array + description: The sign-out redirect URIs for your app. You can send a request to `/v1/logout` to sign the user out and redirect them to one of these URIs. + items: + type: string + format: uri + description: 'A sign-out redirect URI. You can use the org properties you defined in the `config` array as variables in your URI. For example: `https://${org.subdomain}.example.com/strawberry/oidc/logged-out`' + example: https://${org.subdomain}.example.com/strawberry/oidc/logged-out + redirectUris: + type: array + minItems: 1 + description: List of sign-in redirect URIs + items: + type: string + format: uri + description: Sign-in redirect URI + example: https://${org.subdomain}.example.com/strawberry/oidc/login + required: + - redirectUris + - doc + OidcAlgorithms: + type: object + properties: + request: + $ref: '#/components/schemas/OidcRequestAlgorithm' + OidcJwksEndpoint: + description: Endpoint for the JSON Web Key Set (JWKS) document. This document contains signing keys that are used to validate the signatures from the provider. For more information on JWKS, see [JSON Web Key](https://tools.ietf.org/html/rfc7517). 
+ type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the endpoint to the JWK Set + example: https://idp.example.com/keys + OidcRequestAlgorithm: + description: Algorithm settings used to sign an authorization request + type: object + properties: + signature: + $ref: '#/components/schemas/OidcRequestSignatureAlgorithm' + OidcRequestSignatureAlgorithm: + description: |- + Signature Algorithm settings for signing authorization requests sent to the IdP + > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`). + type: object + properties: + algorithm: + $ref: '#/components/schemas/OidcSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + OidcSigningAlgorithm: + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + OidcUserInfoEndpoint: + description: Endpoint for getting identity information about the User. For more information on the `/userinfo` endpoint, see [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the resource server's `/userinfo` endpoint + example: https://idp.example.com/userinfo + OktaActiveDirectoryGroupProfile: + description: |- + Profile for a Group that is imported from Active Directory. + + The `objectClass` for such groups is `okta:windows_security_principal`. 
+ type: object + properties: + description: + type: string + example: example.com/West Coast/West Coast Users + description: Description of the Windows Group + dn: + type: string + example: CN=West Coast Users,OU=West Coast,DC=example,DC=com + description: The distinguished name of the Windows Group + externalId: + type: string + example: VKzYZ1C+IkSZxIWlrW5ITg== + description: Base-64 encoded GUID (`objectGUID`) of the Windows Group + name: + type: string + example: West Coast Users + description: Name of the Windows Group + samAccountName: + type: string + example: West Coast Users + description: Pre-Windows 2000 name of the Windows Group + windowsDomainQualifiedName: + type: string + example: EXAMPLE\\West Coast Users + description: Fully qualified name of the Windows Group + OktaDeviceRiskChangeEvent: + description: The device risk level changed + type: object + properties: + current_level: + type: string + description: Current risk level of the device + enum: + - low + - medium + - high + - secure + - none + example: low + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + previous_level: + type: string + description: Previous risk level of the device + enum: + - low + - medium + - high + - secure + - none + example: medium + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. 
+ subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + - current_level + - previous_level + OktaIpChangeEvent: + description: IP changed for the subject's session + type: object + properties: + current_ip_address: + type: string + description: Current IP address of the subject + example: 123.4.5.6 + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + previous_ip_address: + type: string + description: Previous IP address of the subject + example: 123.45.67.8 + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + - current_ip_address + - previous_ip_address + OktaPersonalAdminFeatureSettings: + description: Defines a list of Okta Personal settings that can be enabled or disabled for the org + type: object + properties: + enableEnduserEntryPoints: + type: boolean + description: Allow entry points for an Okta Personal account in a Workforce org + enableExportApps: + type: boolean + description: Allow users to migrate apps from a Workforce account to an Okta Personal account OktaSignOnPolicy: allOf: - $ref: '#/components/schemas/Policy' 
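Review bot: `Office365ProvisioningSettings.adminPassword` is a plain `type: string` with neither `writeOnly: true` nor `format: password`, so generated clients and rendered docs treat a Microsoft global administrator password as an ordinary readable property that may appear in responses; mark it `writeOnly: true` and `format: password`, as `OrgCreationAdmin.credentials.password.value` later in this patch already does. In the same block, `OktaDeviceRiskChangeEvent` and `OktaIpChangeEvent` say "Either `reason_admin` or `reason_user` is required" only in description text; neither field is in `required`, so no validator enforces it. An `anyOf` with `required: [reason_admin]` and `required: [reason_user]` expresses the rule in the schema itself.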
@@ -27989,12 +58178,26 @@ components: $ref: '#/components/schemas/OktaSignOnPolicyConditions' OktaSignOnPolicyConditions: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - type: object properties: people: - $ref: '#/components/schemas/PolicyPeopleCondition' + type: object + description: Identifies Users and Groups that are used together + properties: + groups: + type: object + description: Specifies a set of Groups whose Users are to be included or excluded + properties: + include: + type: array + description: Groups to be included + items: + type: string OktaSignOnPolicyFactorPromptMode: + description: | + Indicates if the User should be challenged for a second factor (MFA) based on the device being used, a Factor session lifetime, or on every sign-in attempt + + **Note:** Required only if `requireFactor` is set to `true`. type: string enum: - ALWAYS @@ -28018,7 +58221,6 @@ components: $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' OktaSignOnPolicyRuleConditions: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - type: object properties: authContext: 
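Review bot: `OktaSignOnPolicyConditions.people` no longer references `PolicyPeopleCondition` (or the inherited `PolicyRuleConditions`) and instead inlines a `people` object that exposes only `groups.include`; `PolicyPeopleCondition` is still used for `people` in `OktaSignOnPolicyRuleConditions` in the next hunk, so the two `people` conditions now diverge. If the service still accepts whatever else the referenced schema defines for this policy type, clients generated from this spec will silently drop it. Confirm the narrowing to `groups.include` is intentional, or keep the `$ref`.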
@@ -28027,33 +58229,132 @@ components: $ref: '#/components/schemas/PolicyNetworkCondition' people: $ref: '#/components/schemas/PolicyPeopleCondition' + identityProvider: + $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' OktaSignOnPolicyRuleSignonActions: type: object properties: access: - $ref: '#/components/schemas/PolicyAccess' + type: string + enum: + - ALLOW + - DENY factorLifetime: type: integer + description: | + Interval of time that must elapse before the User is challenged for MFA, if the Factor prompt mode is set to `SESSION` + + **Note:** Required only if `requireFactor` is `true`. factorPromptMode: $ref: '#/components/schemas/OktaSignOnPolicyFactorPromptMode' + primaryFactor: + $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonPrimaryFactor' rememberDeviceByDefault: type: boolean + description: Indicates if Okta should automatically remember the device default: false requireFactor: type: boolean default: false + description: Indicates if multifactor authentication is required session: $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions' + OktaSignOnPolicyRuleSignonPrimaryFactor: + description: |- + <x-lifecycle class="oie"></x-lifecycle> Indicates the primary factor used to establish a session for the org. Supported values: `PASSWORD_IDP_ANY_FACTOR` (users can use any factor required by the app authentication policy to establish a session), `PASSWORD_IDP` (users must always use a password to establish a session). + + **Note:** Required only if `access` is set to `ALLOW`. 
+ type: string + enum: + - PASSWORD_IDP + - PASSWORD_IDP_ANY_FACTOR OktaSignOnPolicyRuleSignonSessionActions: + description: Properties governing the User's session lifetime type: object properties: maxSessionIdleMinutes: + description: Maximum number of minutes that a User session can be idle before the session is ended type: integer + default: 120 maxSessionLifetimeMinutes: + description: Maximum number of minutes from User sign in that a user's session is active. Set this to force Users to sign in again after the number of specified minutes. Disable by setting to `0`. This property is read-only for the default rule of the default global session policy. type: integer + default: 0 usePersistentCookie: + description: If set to `false`, user session cookies only last the length of a browser session. If set to `true`, user session cookies last across browser sessions. This setting doesn't impact administrators who can never have persistent session cookies. This property is read-only for the default rule of the default global session policy. type: boolean default: false + OktaUserGroupProfile: + description: |- + Profile for any Group that is not imported from Active Directory. Specifies the standard + and custom profile properties for a Group. + + The `objectClass` for these groups is `okta:user_group`. 
+ type: object + properties: + description: + type: string + example: All Users West of The Rockies + description: Description of the Group + name: + type: string + example: West Coast Users + description: Name of the Group + x-okta-extensible: true + OktaUserRiskChangeEvent: + description: The user risk level changed + type: object + properties: + current_level: + type: string + description: Current risk level of the user + enum: + - low + - medium + - high + - secure + - none + example: low + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + initiating_entity: + type: string + description: The entity that initiated the event + enum: + - admin + - user + - policy + - system + previous_level: + type: string + description: Previous risk level of the user + enum: + - low + - medium + - high + - secure + - none + example: medium + reason_admin: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. + reason_user: + allOf: + - $ref: '#/components/schemas/SecurityEventReason' + - type: object + description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + - current_level + - previous_level OpenIdConnectApplication: x-okta-defined-as: name: oidc_client 
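Review bot: the new description for `factorLifetime` in `OktaSignOnPolicyRuleSignonActions` ("Interval of time that must elapse before the User is challenged for MFA") states no unit, while the sibling session fields are explicitly `...Minutes`; name the unit and add `minimum: 0` so the field is not ambiguous. Related: `maxSessionLifetimeMinutes` gets `default: 0` and the text says "Disable by setting to `0`", which means the default is an unbounded session lifetime; say that plainly in the description so the default is not mistaken for "not set".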
@@ -28065,29 +58366,80 @@ components: $ref: '#/components/schemas/OAuthApplicationCredentials' name: type: string - default: oidc_client + description: '`oidc_client` is the key name for an OAuth 2.0 client app instance' + enum: + - oidc_client settings: $ref: '#/components/schemas/OpenIdConnectApplicationSettings' + required: + - name + - settings + - credentials OpenIdConnectApplicationConsentMethod: + description: | + Indicates whether user consent is required or implicit. + A consent dialog appears for the end user depending on the values of three elements: + + * [prompt](/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/authorize!in=query&path=prompt&t=request): A query parameter that is used in requests to `/authorize` + * `consent_method` (this property) + * [consent](/openapi/okta-management/management/tag/AuthorizationServerScopes/#tag/AuthorizationServerScopes/operation/createOAuth2Scope!path=consent&t=request): A [Scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServerScopes/) property that allows you to enable or disable user consent for an individual scope + + | `prompt` | `consent_method` | `consent` | Result + | ---------- | ----------- | ---------- | ----------- | + | CONSENT | TRUSTED or REQUIRED | REQUIRED | Prompted | + | CONSENT | TRUSTED or REQUIRED | FLEXIBLE | Prompted | + | CONSENT | TRUSTED | IMPLICIT | Not prompted | + | NONE | TRUSTED | FLEXIBLE, IMPLICIT, or REQUIRED | Not prompted | + | NONE | REQUIRED | FLEXIBLE or REQUIRED | Prompted | + | NONE | REQUIRED | IMPLICIT | Not prompted | + + > **Notes:** + > * If you request a scope that requires consent while using the `client_credentials` flow, an error is returned because the flow doesn't support user consent. + > * If the `prompt` value is set to `NONE`, but the `consent_method` and the consent values are set to `REQUIRED`, then an error occurs. 
+ > * When a scope is requested during a Client Credentials grant flow and `consent` is set to `FLEXIBLE`, the scope is granted in the access token with no consent prompt. This occurs because there is no user involved in a two-legged OAuth 2.0 [Client Credentials](https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/) grant flow. + default: TRUSTED type: string enum: - REQUIRED - TRUSTED + x-enumDescriptions: + TRUSTED: The client is fully trusted (for example, a first-party app). The default consent method for app instances created with a [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request + REQUIRED: The client requires consent (for example, a third-party app). The default consent method for app instances created with a [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient) request OpenIdConnectApplicationIdpInitiatedLogin: + description: The type of IdP-initiated sign-in flow that the client supports type: object properties: default_scope: type: array + description: The scopes to use for the request when `mode` is `OKTA` items: type: string mode: type: string + description: | + The mode to use for the IdP-initiated sign-in flow. For `OKTA` or `SPEC` modes, the client must have an `initiate_login_uri` registered. + > **Note:** For web and SPA apps, if the mode is `SPEC` or `OKTA`, you must set `grant_types` to `authorization_code`, `implicit`, or `interaction_code`. + enum: + - DISABLED + - SPEC + - OKTA + x-enumDescriptions: + DISABLED: The client doesn't support the IdP-initiated sign-in flow. + SPEC: The client is redirected to the Relying Party's `initiate_login_uri`. + OKTA: Tokens are directly sent to the Relying Party. This corresponds to the **Okta Simplified** option in the Admin Console. 
+ required: + - mode OpenIdConnectApplicationIssuerMode: + description: Indicates whether the Okta authorization server uses the original Okta org domain URL or a custom domain URL as the issuer of the ID token for this client type: string enum: - CUSTOM_URL - DYNAMIC - ORG_URL + x-enumDescriptions: + CUSTOM_URL: The issuer is returned in the appropriate OIDC token response. This is the default `issuer_mode` when you configured a custom domain for your org. + DYNAMIC: A request for the ID token made from the custom domain has the custom URL as the issuer. A request for the ID token made from an Okta org has the Org URL as the issuer. You can only set `issuer_mode` as DYNAMIC if the Dynamic Issuer Mode feature is enabled. Contact Okta Support to enable this feature. + ORG_URL: The issuer is returned based on the URL of your Okta organization. This is useful when you are using Okta’s default domain and do not have a custom domain configured. OpenIdConnectApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' 
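Review bot: the consent table and the note under it disagree for `prompt=NONE`, `consent_method=REQUIRED`, `consent=REQUIRED`: the row `| NONE | REQUIRED | FLEXIBLE or REQUIRED | Prompted |` says the user is prompted, but the note says "If the `prompt` value is set to `NONE`, but the `consent_method` and the consent values are set to `REQUIRED`, then an error occurs". Split the row into FLEXIBLE (Prompted) and REQUIRED (Error), or correct the note. Minor: the header row `| `prompt` | `consent_method` | `consent` | Result` is missing its closing `|`, which some Markdown renderers require for the table to render.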
@@ -28100,23 +58452,69 @@ components: properties: application_type: $ref: '#/components/schemas/OpenIdConnectApplicationType' + backchannel_authentication_request_signing_alg: + description: | + The signing algorithm for Client-Initiated Backchannel Authentication (CIBA) signed requests using JWT. If this value isn't set and a JWT-signed request is sent, the request fails. + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + - ES256 + - ES384 + - ES512 + backchannel_custom_authenticator_id: + description: | + The ID of the custom authenticator that authenticates the user + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + type: string + maxLength: 20 + minLength: 20 + backchannel_token_delivery_mode: + description: | + The delivery mode for Client-Initiated Backchannel Authentication (CIBA). Currently, only `poll` is supported. + > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. + enum: + - poll + - ping + - push + type: string client_uri: type: string + description: URL string of a web page providing information about the client + maxLength: 1024 consent_method: $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod' dpop_bound_access_tokens: type: boolean - description: Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. + description: | + Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. 
+ > **Note:** If `dpop_bound_access_tokens` is true, then `client_credentials` and `implicit` aren't allowed in `grant_types`. default: false x-okta-lifecycle: - features: - - OAUTH2_DPOP + lifecycle: GA + isGenerallyAvailable: true frontchannel_logout_session_required: - description: Include user session details. + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>Determines whether Okta sends `sid` and `iss` in the logout request type: boolean + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine frontchannel_logout_uri: - description: URL where Okta sends the logout request. + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>URL where Okta sends the logout request type: string + maxLength: 1024 + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine grant_types: type: array items: 
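Review bot: `backchannel_token_delivery_mode` enumerates `poll`, `ping` and `push` while its description says "Currently, only `poll` is supported", so schema-driven clients and request validators will accept two values the server rejects. Either restrict the enum to `poll` or add `x-enumDescriptions` entries (as `OpenIdConnectApplicationIdpInitiatedLogin.mode` does) that mark `ping` and `push` as unsupported. Minor: `client_uri` and `frontchannel_logout_uri` gain `maxLength: 1024` but not `format: uri`, unlike the `Oidc` schema earlier in this patch.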
@@ -28125,64 +58523,215 @@ components: $ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin' initiate_login_uri: type: string + description: URL string that a third party can use to initiate the sign-in flow by the client issuer_mode: $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode' jwks: $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys' jwks_uri: - description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta. + description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta type: string logo_uri: type: string + description: The URL string that references a logo for the client. This logo appears on the client tile in the End-User Dashboard. It also appears on the client consent dialog during the client consent flow. + maxLength: 1024 participate_slo: - description: Allows the app to participate in front-channel single logout. + description: | + <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></div>Allows the app to participate in front-channel Single Logout + + > **Note:** You can only enable `participate_slo` for `web` and `browser` application types (`application_type`). type: boolean + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine policy_uri: type: string + description: URL string of a web page providing the client's policy document post_logout_redirect_uris: type: array + description: Array of redirection URI strings for relying party-initiated logouts items: type: string redirect_uris: type: array + description: |- + Array of redirection URI strings for use in redirect-based flows. 
+ > **Note:** At least one `redirect_uris` and `response_types` are required for all client types, with exceptions: if the client uses the [Resource Owner Password ](https://tools.ietf.org/html/rfc6749#section-4.3)flow (`grant_types` contains `password`) or [Client Credentials](https://tools.ietf.org/html/rfc6749#section-4.4)flow (`grant_types` contains `client_credentials`), then no `redirect_uris` or `response_types` is necessary. In these cases, you can pass either null or an empty array for these attributes. items: type: string refresh_token: $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken' + request_object_signing_alg: + description: The type of JSON Web Key Set (JWKS) algorithm that must be used for signing request objects + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + - ES256 + - ES384 + - ES512 response_types: type: array + description: Array of OAuth 2.0 response type strings items: $ref: '#/components/schemas/OAuthResponseType' + sector_identifier_uri: + type: string + description: The sector identifier used for pairwise `subject_type`. See [OIDC Pairwise Identifier Algorithm](https://openid.net/specs/openid-connect-messages-1_0-20.html#idtype.pairwise.alg) + maxLength: 1024 + subject_type: + description: Type of the subject + type: string + enum: + - public + - pairwise tos_uri: type: string + description: URL string of a web page providing the client's terms of service document wildcard_redirect: type: string + description: Indicates if the client is allowed to use wildcard matching of `redirect_uris` + enum: + - DISABLED + - SUBDOMAIN + x-enumDescriptions: + DISABLED: All redirect URIs must be absolute URIs and not include a fragment component. + SUBDOMAIN: | + Any configured redirect URIs may contain a single `*` character in the lowest-level domain (for example, `https://redirect-*-domain.example.com/oidc/redirect`) to act as a wildcard. 
+ The wildcard subdomain must have at least one subdomain between it and the top level domain. + The wildcard can match any valid hostname characters, but can't span more than one domain. + For example, if `https://redirect-*-domain.example.com/oidc/redirect` is configured as a redirect URI, then `https://redirect-1-domain.example.com/oidc/redirect` and `https://redirect-sub-domain.example.com/oidc/redirect` match, but `https://redirect-1.sub-domain.example.com/oidc/redirect` doesn't match. + Only the `https` URI scheme can use wildcard redirect URIs. + > **Note:** The use of wildcard subdomains is discouraged as an insecure practice, since it may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages. Exercise caution if you decide to include a wildcard redirect URI in your configuration. + required: + - grant_types OpenIdConnectApplicationSettingsClientKeys: + description: A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta type: object properties: keys: type: array items: - $ref: '#/components/schemas/JsonWebKey' + $ref: '#/components/schemas/schemas-JsonWebKey' OpenIdConnectApplicationSettingsRefreshToken: + description: | + Refresh token configuration for an OAuth 2.0 client + + When you create or update an OAuth 2.0 client, you can configure refresh token rotation by setting the `rotation_type` and `leeway` properties. If you don't set these properties when you create an app integration, the default values are used. + When you update an app integration, your previously configured values are used. type: object properties: leeway: type: integer + minimum: 0 + maximum: 60 + description: | + The leeway, in seconds, allowed for the OAuth 2.0 client. + After the refresh token is rotated, the previous token remains valid for the specified period of time so clients can get the new token. 
+ + > **Note:** A leeway of 0 doesn't necessarily mean that the previous token is immediately invalidated. The previous token is invalidated after the new token is generated and returned in the response. + default: 30 + example: 20 rotation_type: $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType' + required: + - rotation_type OpenIdConnectApplicationType: + description: |- + The type of client app + Specific `grant_types` are valid for each `application_type`. See [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient). type: string enum: - browser - native - service - web + x-enumDescriptions: + browser: Single-Page app (SPA) + native: Native app + service: API service app + web: Web app OpenIdConnectRefreshTokenRotationType: + description: The refresh token rotation mode for the OAuth 2.0 client + example: STATIC type: string enum: - ROTATE - STATIC + x-enumDescriptions: + ROTATE: The default rotation type for single-page apps (SPAs) + STATIC: The default rotation type for all clients, except SPAs + OperationRequest: + type: object + properties: + assignmentId: + type: string + OperationResponse: + type: object + properties: + assignmentOperation: + type: object + properties: + configuration: + type: object + properties: + actions: + type: object + properties: + assignUserToRealm: + type: object + properties: + realmId: + type: string + conditions: + $ref: '#/components/schemas/Conditions' + id: + type: string + name: + type: string + completed: + type: string + format: date-time + readOnly: true + created: + type: string + format: date-time + readOnly: true + id: + type: string + readOnly: true + numUserMoved: + type: number + readOnly: true + realmId: + type: string + readOnly: true + realmName: + type: string + readOnly: true + started: + type: string + format: date-time + readOnly: true + status: + type: string + readOnly: true + enum: + - COMPLETED + - SCHEDULED + - IN_PROGRESS + - FAILED + type: 
+ type: string + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' OperationalStatus: description: Operational status of a given agent type: string 
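Review bot: the `redirect_uris` note says "you can pass either null or an empty array for these attributes", but neither `redirect_uris` nor `response_types` is marked `nullable: true`, so a null value fails validation against this OpenAPI 3.0 schema. Add `nullable: true` to both or change the note to recommend only the empty array. Also `jwks_uri`, the `redirect_uris` items and the `post_logout_redirect_uris` items remain bare `type: string`; `format: uri` would let tooling reject malformed values, and for `jwks_uri`, which is the key set used to validate JWTs presented to Okta, it is worth stating whether `https` is required, as the `wildcard_redirect` text already does for wildcard redirects.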
@@ -28191,6 +58740,152 @@ components: - DISRUPTED - INACTIVE - OPERATIONAL + OptInStatusResponse: + type: object + properties: + optInStatus: + type: string + enum: + - OPTING_IN + - OPTED_IN + - OPTING_OUT + - OPTED_OUT + _links: + allOf: + - properties: + optInStatus: + $ref: '#/components/schemas/HrefObject' + Org2OrgApplication: + title: Org2Org + x-tags: + - Application + x-okta-defined-as: + name: okta_org2org + example: + name: okta_org2org + label: Okta Org2Org + signOnMode: SAML_2_0 + settings: + app: + acsUrl: https://example.okta.com/sso/saml2/exampleid + audRestriction: https://www.okta.com/saml2/service-provider/exampleid + baseUrl: https://example.okta.com + description: | + Schema for the Okta Org2Org app (key name: `okta_org2org`) + + To create an Org2Org app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Notes:** + > * The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team. + > * The Okta Org2Org app supports `SAML_2_0` and `AUTO_LOGIN` sign-on modes. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - okta_org2org + example: okta_org2org + signOnMode: + default: SAML_2_0 + enum: + - SAML_2_0 + - AUTO_LOGIN + x-enumDescriptions: + SAML_2_0: Federated Authentication with SAML 2.0 WebSSO + AUTO_LOGIN: Secure Web Authentication (SWA) + settings: + $ref: '#/components/schemas/Org2OrgApplicationSettings' + Org2OrgApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/Org2OrgApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + Org2OrgApplicationSettingsApplication: + description: Org2Org app instance properties + type: object + properties: + acsUrl: + type: string + description: The Assertion Consumer Service (ACS) URL of the source org (for `SAML_2_0` sign-on mode) + audRestriction: + type: string + description: The entity ID of the SP (for `SAML_2_0` sign-on mode) + example: https://www.okta.com/saml2/service-provider/exampleid + baseUrl: + type: string + description: The base URL of the target Okta org (for `SAML_2_0` sign-on mode) + creationState: + type: string + description: Used to track and manage the state of the app's creation or the provisioning process between two Okta orgs + preferUsernameOverEmail: + type: boolean + description: Indicates that you don't want to use an email address as the username + token: + type: string + description: An API token from the target org that's used to secure the connection between the orgs + tokenEncrypted: + type: string + description: Encrypted token to enhance security + required: + - baseUrl + OrgAerialConsent: + type: object + properties: + accountId: + description: The unique ID of the Aerial account + type: string + required: + - accountId + OrgAerialConsentDetails: + type: 
object + properties: + accountId: + description: The unique ID of the Aerial account + type: string + grantedBy: + type: string + description: Principal ID of the user who granted the permission + example: 00u23ej02I2RLFxS5406 + grantedDate: + type: string + description: Date when grant was created + example: '2024-07-24T16:01:13.000Z' + _links: + $ref: '#/components/schemas/LinksAerialConsentGranted' + required: + - accountId + OrgAerialConsentRevoked: + type: object + properties: + _links: + $ref: '#/components/schemas/LinksAerialConsentRevoked' + OrgAerialGrantNotFound: + type: object + properties: + accountId: + description: The unique ID of the Aerial account + type: string + grantedBy: + type: string + description: Principal ID of the user who granted the permission + example: 00u23ej02I2RLFxS5406 + grantedDate: + type: string + description: Date when grant was created + example: '2024-07-24T16:01:13.000Z' + _links: + $ref: '#/components/schemas/LinksAerialConsentGranted' OrgCAPTCHASettings: title: OrgCAPTCHASettings description: '' 
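Review bot: `Org2OrgApplicationSettingsApplication.token` is described as "An API token from the target org that's used to secure the connection between the orgs" but is a plain `type: string` with no `writeOnly: true` or `format: password`; as written the schema implies the token is returned on reads, and generated docs render it as a readable property. Mark `token` `writeOnly: true`, and clarify whether `tokenEncrypted` ("Encrypted token to enhance security") is the read-side representation, since its description does not say. Minor: `OptInStatusResponse._links` is an `allOf` whose only item has `properties` but no `type: object`.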
@@ -28212,33 +58907,121 @@ components: $ref: '#/components/schemas/HrefObject' readOnly: true OrgContactType: + description: Type of contact type: string enum: - BILLING - TECHNICAL OrgContactTypeObj: + anyOf: + - $ref: '#/components/schemas/orgBillingContactType' + - $ref: '#/components/schemas/orgTechnicalContactType' type: object properties: contactType: $ref: '#/components/schemas/OrgContactType' - _links: - $ref: '#/components/schemas/LinksSelf' + discriminator: + propertyName: contactType + mapping: + BILLING: '#/components/schemas/orgBillingContactType' + TECHNICAL: '#/components/schemas/orgTechnicalContactType' OrgContactUser: type: object properties: userId: type: string + description: Contact user ID _links: - $ref: '#/components/schemas/LinksSelf' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Contact Type User object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + OrgCreationAdmin: + description: |- + Profile and credential information for the first super admin user of the child org. + If you plan to configure and manage the org programmatically, create a system user with a dedicated email address and a strong password. + > **Note:** If you don't provide `credentials`, the super admin user is prompted to set up their credentials when they sign in to the org for the first time. + writeOnly: true + type: object + properties: + credentials: + type: object + description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. 
+ properties: + password: + type: object + description: |- + Specifies a password for a user + > **Note:** For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation. + properties: + value: + type: string + writeOnly: true + description: Password value (which is validated by the password policy) + format: password + example: pa$$word + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + profile: + type: object + description: |- + Specifies the profile attributes for the first super admin user. The minimal set of required attributes are `email`, `firstName`, `lastName`, and `login`. + See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) for additional profile attributes. + properties: + firstName: + type: string + description: Given name of the User (`givenName`) + minLength: 1 + maxLength: 50 + nullable: true + lastName: + type: string + description: The family name of the User (`familyName`) + minLength: 1 + maxLength: 50 + nullable: true + email: + type: string + description: The primary email address of the User. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
+ format: email + minLength: 5 + maxLength: 100 + login: + type: string + description: The unique identifier for the User (`username`) + maxLength: 100 + additionalProperties: true + required: + - email + - login + - firstName + - lastName + required: + - profile OrgOktaCommunicationSetting: type: object properties: optOutEmailUsers: type: boolean + description: Indicates whether org users receive Okta communication emails readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + optIn: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to opt users in to communication emails + optOut: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to opt users out of communication emails OrgOktaSupportSetting: + description: Status of Okta Support Settings type: string enum: - DISABLED 
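Review bot: In OrgCreationAdmin, `firstName` and `lastName` are declared `nullable: true` with `minLength: 1` while also being listed under `required` and described as part of the minimal required set; a `null` value satisfies the schema but not the documented requirement. Drop `nullable: true` from both, and give `login` a `minLength` to match `email`. In the same hunk, the discriminator targets `orgBillingContactType` and `orgTechnicalContactType` use a lowercase-initial naming unlike every other schema in this file; align them with the file's convention so generated class names stay consistent.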
@@ -28249,68 +59032,118 @@ components: expiration: format: date-time type: string + description: Expiration of Okta Support readOnly: true + nullable: true support: $ref: '#/components/schemas/OrgOktaSupportSetting' _links: - $ref: '#/components/schemas/LinksSelf' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Okta Support Settings object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + extend: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [extend Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/extendOktaSupport) + revoke: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [revoke Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/revokeOktaSupport) + grant: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to [grant Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/grantOktaSupport) OrgPreferences: type: object properties: showEndUserFooter: type: boolean + description: Indicates if the footer is shown on the End-User Dashboard readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + hideEndUserFooter: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to hide the footer in the End-User Dashboard + showEndUserFooter: + allOf: + - $ref: '#/components/schemas/HrefObject' + - 
description: Link to show the footer on the End-User Dashboard OrgSetting: type: object properties: address1: type: string + description: Primary address of the organization associated with the org address2: type: string + description: Secondary address of the organization associated with the org city: type: string + description: City of the organization associated with the org companyName: type: string + description: Name of org country: type: string + description: County of the organization associated with the org created: format: date-time readOnly: true type: string + description: When org was created endUserSupportHelpURL: type: string + description: Support link of org expiresAt: format: date-time readOnly: true type: string + description: Expiration of org id: readOnly: true type: string + description: Org ID lastUpdated: format: date-time readOnly: true type: string + description: When org was last updated phoneNumber: type: string + description: Phone number of the organization associated with the org postalCode: type: string + description: Postal code of the organization associated with the org state: type: string + description: State of the organization associated with the org status: readOnly: true type: string + description: Status of org + enum: + - ACTIVE + - INACTIVE subdomain: readOnly: true type: string + description: Subdomain of org supportPhoneNumber: type: string + description: Support help phone of the organization associated with the org website: type: string + description: Website of the organization associated with the org _links: - $ref: '#/components/schemas/LinksSelf' + $ref: '#/components/schemas/orgGeneralSettingLinks' OtpProtocol: + description: The protocol used type: string enum: - SYMANTEC 
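Review bot: In OrgSetting, the new `country` description reads "County of the organization associated with the org"; it should read "Country". While here, the `supportPhoneNumber` description "Support help phone of the organization" and `endUserSupportHelpURL` "Support link of org" are terser than the sibling descriptions; align them (for example "Support phone number of the organization" and "End-user support help URL of the org").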
@@ -28324,11 +59157,21 @@ components: - HMacSHA256 - HMacSHA512 OtpTotpEncoding: + description: The shared secret encoding type: string enum: - base32 - base64 - hexadecimal + OtpTotpPassCodeLength: + description: Number of digits in an OTP value + minimum: 6 + maximum: 10 + multipleOf: 2 + type: integer + OtpTotpTimeIntervalInSeconds: + description: Time interval for TOTP in seconds + type: integer PageRoot: type: object properties: 
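Review bot: OtpTotpTimeIntervalInSeconds is an unconstrained integer; a zero or negative interval is meaningless for TOTP, so add a `minimum` (at least 1, or whatever the server actually accepts), the way OtpTotpPassCodeLength in the same hunk constrains its range with `minimum`, `maximum` and `multipleOf`.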
@@ -28358,7 +59201,36 @@ components: $ref: '#/components/schemas/HrefObject' preview: $ref: '#/components/schemas/HrefObject' + Parameters: + description: Attributes used for processing AD Group membership update + type: object + properties: + action: + type: string + description: The update action to take + enum: + - ADD + - REMOVE + x-enumDescriptions: + ADD: Add to the membership of the group + REMOVE: Remove from the membership of the group + attribute: + type: string + description: The attribute that tracks group memberships in AD. This should be `member` for AD. + values: + type: array + description: List of user IDs whose group memberships to update + items: + type: string + description: ID of an existing user PasswordCredential: + description: |- + Specifies a password for a user. + + When a user has a valid password, imported hashed password, or password hook, and a response object contains + a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**). + + For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation. type: object properties: hash: 
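Review bot: `Parameters` is too generic a name for a shared components schema that is specific to AD group membership updates; a more specific name (something like `AdGroupMembershipParameters`, a placeholder suggestion) avoids collisions and misleading model names in generated clients. Its `attribute` description says the value "should be `member` for AD"; if that is the only accepted value, express it as an `enum` or a `default` rather than prose.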
@@ -28367,8 +59239,16 @@ components: $ref: '#/components/schemas/PasswordCredentialHook' value: type: string + writeOnly: true + description: Specifies the password for a user. The password policy validates this password. format: password + example: pa$$word PasswordCredentialHash: + description: |- + Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly + from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. + A hashed password may be specified in a password object when creating or updating a user, but not for other operations. + See the **Create user with imported hashed password** section in the [Users API](https://developer.okta.com/docs/reference/api/users/#create-user-with-imported-hashed-password) description. When updating a user with a hashed password, the usermust be in the `STAGED` status. type: object properties: algorithm: 
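Review bot: Typo in the PasswordCredentialHash description: "the usermust be in the `STAGED` status" should read "the user must be". Also, `example: pa$$word` is now attached to the `value` property here and on OrgCreationAdmin in the earlier hunk; an obviously placeholder value is preferable so readers do not copy a weak example password into scripts.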
@@ -28377,17 +59257,33 @@ components: $ref: '#/components/schemas/DigestAlgorithm' iterationCount: type: integer + description: The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for PBKDF2 algorithm. keySize: type: integer + description: Size of the derived key in bytes. Only required for PBKDF2 algorithm. salt: + description: |- + Only required for salted hashes. For BCRYPT, this specifies Radix-64 as the encoded salt used to generate the hash, + which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to + generate the hash. type: string saltOrder: type: string + description: Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms. value: + description: |- + For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual base64-encoded hash of the password (and salt, if used). + This is the Base64-encoded `value` of the SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either pre-fixing or post-fixing + the `salt` to the `password`, depending on the `saltOrder`. If a `salt` was not used in the `source` system, then this should just be + the Base64-encoded `value` of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the actual Radix-64 encoded hashed password. type: string workFactor: type: integer + description: Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm. + minimum: 1 + maximum: 20 PasswordCredentialHashAlgorithm: + description: The algorithm used to generate the hash using the password (and salt, when applicable). type: string enum: - BCRYPT 
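Review bot: The `iterationCount` description says "Must be >= 4096" but the schema carries no `minimum`; add `minimum: 4096` so validators and generated clients enforce it (`keySize` likewise has no lower bound). `saltOrder` is documented as pre- or postfix but typed as a free string; if the accepted values are a fixed set, declare them as an `enum` like the other fixed-choice fields in this file. The "22 characters long" rule for the BCRYPT `salt` is also prose only, though it applies to a single algorithm so a constraint would need a conditional.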
@@ -28397,20 +59293,25 @@ components: - SHA-256 - SHA-512 PasswordCredentialHook: + description: Specify a [password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) to trigger verification of the user's password the first time the user signs in. This allows an existing password to be imported into Okta directly from some other store. type: object properties: type: type: string + description: The type of password inline hook. Currently, must be set to default. PasswordDictionary: + description: Weak password dictionary lookup settings type: object properties: common: $ref: '#/components/schemas/PasswordDictionaryCommon' PasswordDictionaryCommon: + description: Lookup settings for commonly used passwords type: object properties: exclude: type: boolean + description: Indicates whether to check passwords against the common password dictionary default: false PasswordExpirationPolicyRuleCondition: type: object 
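Review bot: The PasswordCredentialHook `type` description says it "must be set to default"; write the value as `default` in code formatting and, if it is the only accepted value, declare it as `enum: [default]`. In PasswordDictionaryCommon, the property is named `exclude` with `default: false` but the description "Indicates whether to check passwords against the common password dictionary" does not say what `true` does; state that `true` rejects passwords found in the dictionary.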
@@ -28419,6 +59320,72 @@ components: type: integer unit: type: string + PasswordImportRequest: + type: object + properties: + data: + $ref: '#/components/schemas/PasswordImportRequestData' + eventType: + type: string + description: The type of inline hook. The password import inline hook type is `com.okta.user.credential.password.import`. + source: + description: The ID and URL of the password import inline hook + type: string + PasswordImportRequestData: + type: object + properties: + action: + type: object + description: This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take. + properties: + credential: + description: The status of the user credential, either `UNVERIFIED` or `VERIFIED` + default: UNVERIFIED + type: string + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + credential: + type: object + properties: + username: + description: The `username` that the user supplied when attempting to sign in to Okta. + type: string + password: + description: The `password` that the user supplied when attempting to sign in to Okta. + type: string + PasswordImportRequestExecute: + description: Password import inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/PasswordImportRequest' + PasswordImportResponse: + description: Password import inline hook response + type: object + properties: + commands: + description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the password import inline hook, you typically only return one `commands` object with one array element in it. + type: array + items: + type: object + properties: + type: + description: The location where you specify the command. 
For the password import inline hook, there's only one command, `com.okta.action.update`. + value: + description: |- + The parameter value of the command. + * To indicate that the supplied credentials are valid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "VERIFIED"}`. + * To indicate that the supplied credentials are invalid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "UNVERIFIED"}`. + Alternatively, you can send an empty response (`204`). By default, the `data.action.credential` is always set to `UNVERIFIED`. + type: object + properties: + credential: + type: string + enum: + - UNVERIFIED + - VERIFIED PasswordPolicy: allOf: - $ref: '#/components/schemas/Policy' @@ -28446,13 +59413,23 @@ components: - OKTA PasswordPolicyConditions: allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - type: object properties: authProvider: $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' people: - $ref: '#/components/schemas/PolicyPeopleCondition' + type: object + description: Identifies Users and Groups that are used together + properties: + groups: + type: object + description: Specifies a set of Groups whose Users are to be included or excluded + properties: + include: + type: array + description: Groups to be included + items: + type: string PasswordPolicyDelegationSettings: type: object properties: @@ -28463,6 +59440,8 @@ components: properties: skipUnlock: type: boolean + description: Indicates if, when performing an unlock operation on an Active Directory sourced User who is locked out of Okta, the system should also attempt to unlock the User's Windows account + default: false PasswordPolicyPasswordSettings: type: object properties: 
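Review bot: In PasswordImportRequest (hunk @@ -28419), `source` is typed `string` but described as "The ID and URL of the password import inline hook"; a single string cannot be both, so either say which one it is or model it as an object. `eventType` documents a single fixed value (`com.okta.user.credential.password.import`) but is a free string; an `enum` would let validators catch mismatches. In PasswordImportResponse, the `value` description repeats the two allowed payloads as prose while `credential` already carries the `UNVERIFIED`/`VERIFIED` enum; keep the enum authoritative and trim the prose so the two cannot drift apart.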
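Review bot: PasswordPolicyConditions (hunk @@ -28446) drops `$ref: PolicyRuleConditions` from `allOf` and replaces `PolicyPeopleCondition` with an inline object that only allows `groups.include`. That silently removes `users`, `groups.exclude` and every inherited rule condition from the generated model; if the API still returns or accepts them for password policies, clients built from this spec will drop or reject those fields. Confirm the narrowing is intended and, if so, say so in the description.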
@@ -28473,49 +59452,81 @@ components: lockout: $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout' PasswordPolicyPasswordSettingsAge: + description: Age settings type: object properties: expireWarnDays: type: integer + description: 'Specifies the number of days prior to password expiration when a User is warned to reset their password: `0` indicates no warning' + default: 0 historyCount: type: integer + description: 'Specifies the number of distinct passwords that a User must create before they can reuse a previous password: `0` indicates none' + default: 0 maxAgeDays: type: integer + description: 'Specifies how long (in days) a password remains valid before it expires: `0` indicates no limit' + default: 0 minAgeMinutes: type: integer + description: 'Specifies the minimum time interval (in minutes) between password changes: `0` indicates no limit' + default: 0 PasswordPolicyPasswordSettingsComplexity: + description: Complexity settings type: object properties: dictionary: $ref: '#/components/schemas/PasswordDictionary' excludeAttributes: type: array + description: 'The User profile attributes whose values must be excluded from the password: currently only supports `firstName` and `lastName`' + default: [] items: type: string excludeUsername: type: boolean + description: Indicates if the Username must be excluded from the password default: true minLength: type: integer + description: Minimum password length + default: 8 minLowerCase: type: integer + description: 'Indicates if a password must contain at least one lower case letter: `0` indicates no, `1` indicates yes' + default: 1 minNumber: type: integer + description: 'Indicates if a password must contain at least one number: `0` indicates no, `1` indicates yes' + default: 1 minSymbol: type: integer + description: 'Indicates if a password must contain at least one symbol (For example: !@#$%^&*): `0` indicates no, `1` indicates yes' + default: 1 minUpperCase: type: integer + description: 'Indicates if 
a password must contain at least one upper case letter: `0` indicates no, `1` indicates yes' + default: 1 PasswordPolicyPasswordSettingsLockout: + description: Lockout settings type: object properties: autoUnlockMinutes: type: integer + description: 'Specifies the time interval (in minutes) a locked account remains locked before it is automatically unlocked: `0` indicates no limit' + default: 0 maxAttempts: type: integer + description: 'Specifies the number of times Users can attempt to sign in to their accounts with an invalid password before their accounts are locked: `0` indicates no limit' + default: 10 showLockoutFailures: type: boolean + description: Indicates if the User should be informed when their account is locked + default: false userLockoutNotificationChannels: type: array + description: How the user is notified when their account becomes locked. The only acceptable values are `[]` and `['EMAIL']`. + default: [] items: type: string PasswordPolicyRecoveryEmail: @@ -28534,13 +59545,16 @@ components: type: object properties: tokenLifetimeMinutes: + description: Lifetime (in minutes) of the recovery token type: integer + default: 10080 PasswordPolicyRecoveryFactorSettings: type: object properties: status: $ref: '#/components/schemas/LifecycleStatus' PasswordPolicyRecoveryFactors: + description: Settings for the Factors that can be used for recovery type: object properties: okta_call: @@ -28562,8 +59576,10 @@ components: type: object properties: minLength: + description: Minimum length of the password recovery question answer type: integer readOnly: true + default: 4 PasswordPolicyRecoveryQuestionProperties: type: object properties: 
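Review bot: Several new descriptions in hunk @@ -28473 state constraints the schema does not enforce: `minLowerCase`, `minNumber`, `minSymbol` and `minUpperCase` are integers documented as 0-or-1 flags (add `minimum: 0` and `maximum: 1`); `excludeAttributes` "currently only supports `firstName` and `lastName`" (add an `enum` on `items`); `userLockoutNotificationChannels` accepts only `[]` or `['EMAIL']` (add `enum: [EMAIL]` on `items` and `maxItems: 1`). Encoding these in the schema lets validators reject malformed policy payloads instead of relying on prose.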
@@ -28600,14 +59616,12 @@ components: selfServiceUnlock: $ref: '#/components/schemas/PasswordPolicyRuleAction' PasswordPolicyRuleConditions: - allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - - type: object - properties: - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' + type: object + properties: + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' PasswordPolicySettings: type: object properties: @@ -28630,7 +59644,7 @@ components: PASSWORD_REUSE: Password protection warning is triggered by password reuse PHISHING_REUSE: Password protection warning is triggered by password reuse on a phishing page PasswordSettingObject: - description: Determines whether Okta creates and pushes a password in the application for each assigned user + description: Determines whether Okta creates and pushes a password in the app for each assigned user type: object properties: change: @@ -28642,6 +59656,15 @@ components: - $ref: '#/components/schemas/EnabledStatus' - default: DISABLED - example: ENABLED + PatchAction: + description: The operation (PATCH action) + type: string + enum: + - remove + - replace + x-enumDescriptions: + remove: Removes the attribute in `path` + replace: Replaces the attribute in content `path` with the content in `value` PerClientRateLimitMode: type: string enum: 
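Review bot: PasswordPolicyRuleConditions (hunk @@ -28600), like PasswordPolicyConditions earlier in this patch, loses the `$ref: PolicyRuleConditions` composition and keeps only `network` and `people`. Every other rule condition previously inherited disappears from generated models, which is a breaking change for clients; confirm it is intended or keep the `allOf`.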
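Review bot: The PatchAction `x-enumDescriptions` entry for `replace` (hunk @@ -28642) reads "Replaces the attribute in content `path` with the content in `value`", which is garbled; "Replaces the attribute at `path` with the content in `value`" is what is meant, and `remove` should read "Removes the attribute at `path`" for consistency.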
@@ -28695,11 +59718,26 @@ components: $ref: '#/components/schemas/HrefObject' PermissionConditions: x-okta-lifecycle: - features: - - CUSTOM_ADMIN_ROLES_CONDITIONS + lifecycle: GA + isGenerallyAvailable: true description: Conditions for further restricting a permission nullable: true type: object + properties: + exclude: + type: object + description: Exclude attributes with specific values for the permission + additionalProperties: + type: object + properties: {} + nullable: true + include: + type: object + description: Include attributes with specific values for the permission + additionalProperties: + type: object + properties: {} + nullable: true Permissions: type: object properties: @@ -28707,12 +59745,37 @@ components: type: array items: $ref: '#/components/schemas/Permission' + PersonalAppsBlockList: + description: Defines a list of email domains with a subset of the properties for each domain + type: object + properties: + domains: + type: array + description: List of blocked email domains + PinRequest: + description: Pin Request + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string PipelineType: - description: The authentication pipeline of the org. `idx` means the org is using the Identity Engine, while `v1` means the org is using the Classic authentication pipeline. + description: The authentication pipeline of the org type: string enum: - idx - v1 + x-enumDescriptions: + idx: Identity Engine + v1: Classic Engine Platform: type: string enum: 
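Review bot: PersonalAppsBlockList `domains` (hunk @@ -28707) is `type: array` without an `items` schema; OpenAPI 3.0.3 requires `items` for arrays, so this fails spec validation and generators will have to guess an element type. Add `items: type: string`, which the description "List of blocked email domains" already implies. The schema description also promises "a subset of the properties for each domain", but the only property is a plain list; either drop that wording or model the per-domain properties.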
@@ -28760,6 +59823,17 @@ components: type: array items: $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' + PlayProtectVerdict: + description: Indicates if Google Play Protect is enabled on the device and whether it has found known malware + type: string + enum: + - HIGH + - LOW + - MEDIUM + x-enumDescriptions: + LOW: Play Protect is turned on and didn't find any app issues on the device + MEDIUM: Play Protect is turned on and either hasn't performed a scan yet or has found potentially harmful apps installed on the device + HIGH: Play Protect is turned on and has either found dangerous apps installed on the device or its verdict wasn't evaluated. That is, the device isn't trustworthy enough. Policy: type: object properties: @@ -28768,29 +59842,35 @@ components: type: string format: date-time readOnly: true + default: Assigned description: - description: Policy description + description: Description of the Policy type: string + default: null id: - description: Policy ID + description: Identifier of the Policy type: string readOnly: true + default: Assigned lastUpdated: - description: Timestamp when the Policy was last updated + description: Timestamp when the Policy was last modified type: string format: date-time readOnly: true + default: Assigned name: - description: Policy name + description: Name of the Policy type: string priority: description: Specifies the order in which this Policy is evaluated in relation to the other policies type: integer + default: Last / Lowest Priority, for example `1` status: $ref: '#/components/schemas/LifecycleStatus' system: description: Specifies whether Okta created the Policy type: boolean + default: false type: $ref: '#/components/schemas/PolicyType' _embedded: 
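Review bot: The new `default` values on Policy (hunk @@ -28768) are not valid instances of their schemas: `default: Assigned` on `created`, `id` and `lastUpdated` (date-time and ID strings), `default: null` on `description` without `nullable: true`, and `default: Last / Lowest Priority, for example `1`` on the integer `priority`. The OpenAPI spec requires `default` to conform to the property's type, and code generators will emit these literals as real defaults. Remove them from the read-only server-assigned fields and move the priority explanation into its `description`.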
@@ -28801,34 +59881,27 @@ components: readOnly: true _links: $ref: '#/components/schemas/PolicyLinks' + required: + - name + - type discriminator: propertyName: type mapping: ACCESS_POLICY: '#/components/schemas/AccessPolicy' IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy' - MFA_ENROLL: '#/components/schemas/MultifactorEnrollmentPolicy' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy' OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' PASSWORD: '#/components/schemas/PasswordPolicy' PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' - PolicyLinks: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObjectSelfLink' - activate: - $ref: '#/components/schemas/HrefObjectActivateLink' - deactivate: - $ref: '#/components/schemas/HrefObjectDeactivateLink' - rules: - $ref: '#/components/schemas/HrefObjectRulesLink' - mappings: - $ref: '#/components/schemas/HrefObjectMappingsLink' + POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicy' + ENTITY_RISK: '#/components/schemas/EntityRiskPolicy' PolicyAccess: type: string enum: - ALLOW - DENY PolicyAccountLink: + description: Specifies the behavior for linking an IdP User to an existing Okta User type: object properties: action: 
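Review bot: The discriminator mapping for `MFA_ENROLL` changes from `MultifactorEnrollmentPolicy` to `AuthenticatorEnrollmentPolicy`, and `PolicyLinks` is deleted here (it reappears later in this patch under @@ -28885 with `readOnly: true`). The mapping rename changes the generated class name for every client, so it belongs in the changelog; also verify that `MultifactorEnrollmentPolicy` is removed or renamed everywhere so no dangling `$ref` remains.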
@@ -28836,34 +59909,48 @@ components: filter: $ref: '#/components/schemas/PolicyAccountLinkFilter' PolicyAccountLinkAction: + description: Specifies the account linking action for an IdP User type: string enum: - AUTO - DISABLED + x-enumDescriptions: + AUTO: The IdP User is automatically linked to an Okta User when the transformed IdP User matches an existing Okta User according to [subject match rules](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject&t=request). + DISABLED: Okta never attempts to link the IdP User to an existing Okta User, but may still attempt to provision a new Okta User according to the [provisioning action type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/provisioning/action&t=request). PolicyAccountLinkFilter: + description: Specifies Group memberships to restrict which Users are available for account linking by an IdP type: object properties: groups: $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' PolicyAccountLinkFilterGroups: + description: Group memberships used to determine link candidates type: object properties: include: type: array + description: Specifies the allowlist of Group identifiers to match against. Group memberships are restricted to type `OKTA_GROUP`. items: type: string + example: 00gjg5lzfBpn62wuF0g3 PolicyContext: type: object properties: - user: + device: type: object - description: The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both. properties: - id: + platform: type: string - description: The unique ID number for the user. - required: - - id + description: The platform of the device, for example, IOS. 
+ registered: + type: boolean + description: If the device is registered + managed: + type: boolean + description: If the device is managed + assuranceId: + type: string + description: The device assurance policy ID for the simulation groups: type: object description: An array of Group IDs for the simulate operation. Only user IDs or Group IDs are allowed, not both. @@ -28874,7 +59961,10 @@ components: type: string uniqueItems: true required: - - ids + - ids + ip: + type: string + description: The network rule condition, zone, or IP address risk: type: object description: The risk rule condition level @@ -28885,31 +59975,40 @@ components: - LOW - MEDIUM - HIGH - ip: - type: string - description: The network rule condition, zone, or IP address + user: + type: object + description: The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both. + properties: + id: + type: string + description: The unique ID number for the user. + required: + - id zones: type: object + description: The zone ID under the network rule condition. properties: ids: type: array items: type: string - device: - type: object - properties: - platform: - type: string - description: The platform of the device, for example, IOS. - registered: - type: boolean - description: If the device is registered - managed: - type: boolean - description: If the device is managed required: - user - groups + PolicyLinks: + type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + mappings: + $ref: '#/components/schemas/HrefObjectMappingsLink' + rules: + $ref: '#/components/schemas/HrefObjectRulesLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true PolicyMapping: type: object properties: 
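Review bot: PolicyContext still ends with `required: - user - groups` (unchanged context in hunk @@ -28885) while the `user` and `groups` descriptions both say "Only user IDs or Group IDs are allowed, not both". Requiring both properties contradicts that rule and would make every valid simulation request fail schema validation; model the two as alternatives (for example with `oneOf`) or drop the `required` entry.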
@@ -28923,10 +60022,6 @@ components: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the mapped application - authenticator: - allOf: - - $ref: '#/components/schemas/HrefObject' - - description: Link to the mapped authenticator policy: allOf: - $ref: '#/components/schemas/HrefObject' @@ -28949,24 +60044,31 @@ components: $ref: '#/components/schemas/PolicyNetworkConnection' exclude: type: array + description: The zones to exclude. Required only if connection data type is `ZONE` items: type: string include: type: array + description: The zones to include. Required only if connection data type is `ZONE` items: type: string PolicyNetworkConnection: + description: Network selection mode type: string enum: - ANYWHERE - ZONE PolicyPeopleCondition: + description: Identifies Users and Groups that are used together type: object properties: groups: $ref: '#/components/schemas/GroupCondition' users: $ref: '#/components/schemas/UserCondition' + required: + - groups + - users PolicyPlatformOperatingSystemType: type: string enum: @@ -29015,6 +60117,8 @@ components: default: false type: $ref: '#/components/schemas/PolicyRuleType' + _links: + $ref: '#/components/schemas/PolicyLinks' discriminator: propertyName: type mapping: @@ -29024,6 +60128,9 @@ components: RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule' SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule' + POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicyRule' + ENTITY_RISK: '#/components/schemas/EntityRiskPolicyRule' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicyRule' PolicyRuleActions: type: object PolicyRuleActionsEnroll: @@ -29046,6 +60153,7 @@ components: type: string enum: - ANY + - LDAP_INTERFACE - RADIUS PolicyRuleConditions: type: object 
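Review bot: PolicyPeopleCondition (hunk @@ -28949) now declares `required: - groups - users`. A people condition that restricts only by group would no longer validate, and responses that omit one of the two objects would be rejected by strict generated clients; unless the API always returns both, this should not be required. In the same region (hunk @@ -28923) the `authenticator` link is removed from PolicyMapping links, which is another breaking removal to call out in the changelog.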
@@ -29093,31 +60201,52 @@ components: userStatus: $ref: '#/components/schemas/UserStatusPolicyRuleCondition' PolicyRuleType: + description: Rule type type: string enum: - ACCESS_POLICY + - ENTITY_RISK - IDP_DISCOVERY - MFA_ENROLL - PASSWORD + - POST_AUTH_SESSION - PROFILE_ENROLLMENT - RESOURCE_ACCESS - SIGN_ON + PolicyRuleVerificationMethodType: + description: Verification method type + type: string + enum: + - ASSURANCE + - AUTH_METHOD_CHAIN PolicySubject: + description: Specifies the behavior for establishing, validating, and matching a username for an IdP User type: object properties: filter: type: string - format: - type: array - items: - type: string + description: |- + Optional [regular expression pattern](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions) used to filter untrusted IdP usernames. + * As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any User, including partners or directory Users in your Okta org. + * For example, the filter pattern `(\S+@example\.com)` allows only Users that have an `@example.com` username suffix. It rejects assertions that have any other suffix such as `@corp.example.com` or `@partner.com`. + * Only `SAML2` and `OIDC` IdP providers support the `filter` property. + maxLength: 1024 + example: (\S+@example\.com) matchAttribute: type: string + description: |- + Okta User profile attribute for matching a transformed IdP username. Only for matchType `CUSTOM_ATTRIBUTE`. 
+ The `matchAttribute` must be a valid Okta User profile attribute of one of the following types: + * String (with no format or 'email' format only) + * Integer + * Number + example: login matchType: $ref: '#/components/schemas/PolicySubjectMatchType' userNameTemplate: $ref: '#/components/schemas/PolicyUserNameTemplate' PolicySubjectMatchType: + description: Determines the Okta User profile attribute match conditions for account linking and authentication of the transformed IdP username type: string enum: - CUSTOM_ATTRIBUTE 
@@ -29125,19 +60254,40 @@ components: - USERNAME - USERNAME_OR_EMAIL PolicyType: + description: |- + All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page. + Creating or replacing a policy with the `IDP_DISCOVERY` type isn't supported. The following policy types are available with + Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`. type: string enum: - ACCESS_POLICY + - ENTITY_RISK - IDP_DISCOVERY - MFA_ENROLL - OKTA_SIGN_ON - PASSWORD + - POST_AUTH_SESSION + - PROFILE_ENROLLMENT + - RESOURCE_ACCESS + PolicyTypeSimulation: + type: string + enum: + - ACCESS_POLICY + - MFA_ENROLL + - OKTA_SIGN_ON - PROFILE_ENROLLMENT PolicyUserNameTemplate: + description: |- + [Okta Expression Language (EL) expression](https://developer.okta.com/docs/reference/okta-expression-language/) to generate or transform a unique username for the IdP User. + * IdP User profile attributes can be referenced with the `idpuser` prefix such as `idpuser.subjectNameId`. + * You must define an IdP User profile attribute before it can be referenced in an Okta EL expression. To define an IdP User attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP User profile to update the IdP instance with an expression that references the IdP User profile attribute that you just created. type: object properties: template: type: string + minLength: 9 + maxLength: 1024 + example: idpuser.subjectNameId PolicyUserStatus: type: string enum: 
@@ -29189,6 +60339,89 @@ components: - OPTIONAL - REQUIRED default: OPTIONAL + PostAuthKeepMeSignedInPrompt: + type: object + properties: + acceptButtonText: + type: string + description: The label on the accept button when prompting for Stay signed in + rejectButtonText: + type: string + description: The label on the reject button when prompting for Stay signed in + subtitle: + type: string + description: The subtitle on the Sign-In Widget when prompting for Stay signed in + title: + type: string + description: The title on the Sign-In Widget when prompting for Stay signed in + PostAuthSessionFailureActionsObject: + type: object + properties: + action: + type: string + enum: + - RUN_WORKFLOW + - TERMINATE_SESSION + discriminator: + propertyName: action + mapping: + RUN_WORKFLOW: '#/components/schemas/PostAuthSessionPolicyRuleRunWorkflow' + TERMINATE_SESSION: '#/components/schemas/PostAuthSessionPolicyRuleTerminateSession' + PostAuthSessionPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + type: string + description: Policy conditions aren't supported for this policy type. + default: null + nullable: true + PostAuthSessionPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + type: object + description: The action to take in response to a failure of the reevaluated global session policy or authentication polices. + properties: + postAuthSession: + type: object + description: This object contains a `failureActions` array that defines the specific action to take when post auth session evaluation detects a failure. + properties: + failureActions: + type: array + description: An array of objects that define the action. It can be empty or contain two `action` value pairs. 
+ items: + $ref: '#/components/schemas/PostAuthSessionFailureActionsObject' + conditions: + type: object + properties: + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + PostAuthSessionPolicyRuleRunWorkflow: + type: object + properties: + action: + type: string + enum: + - RUN_WORKFLOW + workflow: + type: object + description: This action runs a workflow + properties: + id: + type: integer + description: The `id` of the workflow that runs. + PostAuthSessionPolicyRuleTerminateSession: + type: object + properties: + action: + type: string + description: The action to take when post auth session evaluation detects a failure. + enum: + - TERMINATE_SESSION PreRegistrationInlineHook: type: object properties: 
@@ -29236,13 +60469,373 @@ components: type: string enum: - SSWS_TOKEN + PrivilegedAccount: + type: object + properties: + accountType: + $ref: '#/components/schemas/PrivilegedAccountType' + created: + type: string + format: date-time + description: Timestamp when the Privileged Account was created + readOnly: true + description: + description: The description of the Privileged Account + format: regex + maxLength: 255 + minLength: 0 + type: string + example: This is for accessing AWS Prod-5 + id: + description: The UUID of the Privileged Account + format: regex + pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ + readOnly: true + type: string + example: a747a818-a4c4-4446-8a87-704216495a08 + lastUpdated: + type: string + format: date-time + description: Timestamp when the Privileged Account was last updated + readOnly: true + name: + description: The human-readable name for the Privileged Account + format: regex + maxLength: 50 + minLength: 1 + pattern: ^[\w\-_. 
]+$ + type: string + example: AWS Prod-5 account + ownerGroupIds: + description: A list of IDs of the Okta groups that own the Privileged Account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + description: A list of IDs of the Okta users that own the Privileged Account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00u11s48P9zGW8yqm0g5 + status: + $ref: '#/components/schemas/PrivilegedAccountStatus' + statusDetail: + $ref: '#/components/schemas/PrivilegedAccountStatusDetail' + required: + - name + - accountType + discriminator: + propertyName: accountType + mapping: + APP_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsAppAccount' + OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccount' + PrivilegedAccountCredentials: + description: Credentials for a Privileged Account + type: object + properties: + password: + type: string + writeOnly: true + description: The password associated with the Privileged Account + format: password + username: + type: string + description: The username associated with the Privileged Account + minLength: 1 + maxLength: 100 + example: testuser@example.com + required: + - username + PrivilegedAccountDetailsAppAccount: + description: Details for a SaaS Application Account, which will be managed as a Privileged Account + allOf: + - $ref: '#/components/schemas/PrivilegedAccount' + - type: object + properties: + details: + $ref: '#/components/schemas/PrivilegedAccountDetailsAppAccountSub' + required: + - details + PrivilegedAccountDetailsAppAccountSub: + description: Details for a SaaS Application Account, which will be managed as a Privileged Account + type: object + properties: + appGlobalName: + description: The name of the SaaS Application in the Okta Integration Network catalog + type: string + example: Salesforce + appInstanceName: + description: The instance name of the SaaS Application + type: 
string + example: Salesforce Prod + credentials: + $ref: '#/components/schemas/PrivilegedAccountCredentials' + oktaApplicationId: + description: The Okta app instance ID of the SaaS Application + type: string + example: aln1aqcs055ZRoizW0g8 + required: + - oktaApplicationId + - credentials + PrivilegedAccountDetailsOktaUserAccount: + description: Details for managing an Okta Universal Directory Account as a Privileged Account + allOf: + - $ref: '#/components/schemas/PrivilegedAccount' + - type: object + properties: + details: + $ref: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccountSub' + required: + - details + PrivilegedAccountDetailsOktaUserAccountSub: + description: Details for managing an Okta Universal Directory Account as a Privileged Account + type: object + properties: + credentials: + $ref: '#/components/schemas/PrivilegedAccountCredentials' + email: + description: The email address for the Okta Universal Directory Account + type: string + example: foo@bar.com + minLength: 5 + maxLength: 100 + oktaUserId: + description: An optional Okta user ID. If supplied, converts the matching Okta Universal Directory Account to a Privileged Account and updates the account with the provided details. + type: string + example: 00u11s48P9zGW8yqm0g5 + required: + - email + - credentials + PrivilegedAccountForUpdate: + type: object + properties: + description: + description: The description of the Privileged Account + format: regex + maxLength: 255 + minLength: 0 + type: string + example: This is for accessing AWS Prod-5 + email: + description: The email address for the Okta Universal Directory Account + type: string + example: foo@bar.com + minLength: 5 + maxLength: 100 + name: + description: The human-readable name for the Privileged Account + format: regex + maxLength: 50 + minLength: 1 + pattern: ^[\w\-_. 
]+$ + type: string + example: AWS Prod-5 account + ownerGroupIds: + description: A list of IDs of the Okta groups who own the Privileged Account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + description: A list of IDs of the Okta users who own the Privileged Account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00u11s48P9zGW8yqm0g5 + username: + type: string + description: The username associated with the Privileged Account + minLength: 1 + maxLength: 100 + example: testuser@example.com + PrivilegedAccountStatus: + description: Describes the current status of a Privileged Account + type: string + enum: + - ALERT + - ERROR + - INFO + - NO_ISSUES + - UNSECURED + x-enumDescriptions: + NO_ISSUES: The Account is ready for use in Okta Privileged Access + UNSECURED: The Account needs to be assigned to a Resource Group and a Project in Okta Privileged Access + INFO: An action involving the Account is currently in progress in Okta Privileged Access + ALERT: The Account requires attention from an Administrator + ERROR: An error is preventing the Account from being used in Okta Privileged Access + PrivilegedAccountStatusDetail: + description: Describes the detailed status of a Privileged Account + type: string + enum: + - CREATION_FAILED + - MISSING_PASSWORD + - PENDING + - ROTATED + - ROTATING + - ROTATION_FAILED + - STAGED + - VAULTED + x-enumDescriptions: + PENDING: The Account is in the process of being created + CREATION_FAILED: The Account could not be created + STAGED: The Account is in the Okta Privileged Access resource assignment area + ROTATING: The Account is assigned to a Project in Okta Privileged Access. Credentials are currently being synced using Okta Lifecycle Management. + ROTATED: The Account is assigned to a Project in Okta Privileged Access. Password rotations are fulfilled by Okta Lifecycle Management. 
+ ROTATION_FAILED: The Account is assigned to a Project in Okta Privileged Access. An error occurred while using Okta Lifecycle Management to rotate the password. + VAULTED: The Account is assigned to a Project in Okta Privileged Access. A manually managed password is assigned to the Account. + MISSING_PASSWORD: The Account is assigned to a Project in Okta Privileged Access. A password is not assigned to the Account. + PrivilegedAccountType: + description: The type of Privileged Account + type: string + enum: + - APP_ACCOUNT + - OKTA_USER_ACCOUNT + x-enumDescriptions: + APP_ACCOUNT: SaaS Application Account + OKTA_USER_ACCOUNT: Okta Universal Directory Account + PrivilegedResource: + default: + resourceType: OKTA_USER_ACCOUNT + type: object + properties: + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + example: '2024-06-10T11:11:01.000Z' + credentialSyncInfo: + $ref: '#/components/schemas/CredentialSyncInfo' + readOnly: true + example: + secretVersionId: 9f8400-e29b-41d4-a716-926655440034 + syncTime: '2024-06-10T11:13:01.000Z' + syncState: NOT_SYNCED + errorCode: UNKNOWN_ERROR + errorReason: Unknown error + id: + type: string + description: ID of the privileged resource + readOnly: true + example: opa100xTfFs4MasRf0g4 + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + example: '2024-06-10T11:13:01.000Z' + resourceType: + $ref: '#/components/schemas/PrivilegedResourceType' + example: APP_ACCOUNT + status: + $ref: '#/components/schemas/PrivilegedResourceStatus' + example: ACTIVE + discriminator: + propertyName: resourceType + mapping: + APP_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountApp' + OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountOkta' + PrivilegedResourceAccountApp: + allOf: + - type: object + properties: + containerDetails: + $ref: '#/components/schemas/AppAccountContainerDetails' + 
credentials: + $ref: '#/components/schemas/PrivilegedResourceCredentials' + - $ref: '#/components/schemas/PrivilegedResource' + required: + - containerId + PrivilegedResourceAccountOkta: + allOf: + - type: object + properties: + resourceId: + type: string + description: The user ID associated with the Okta privileged resource + example: 00u100xTfFs4MasRf0g4 + credentials: + $ref: '#/components/schemas/PrivilegedResourceCredentials' + profile: + $ref: '#/components/schemas/profile' + example: + email: testuser@example.com + - $ref: '#/components/schemas/PrivilegedResource' + PrivilegedResourceCredentials: + description: Credentials for the privileged account + type: object + properties: + password: + type: string + description: The password associated with the privileged resource + format: password + writeOnly: true + example: xf1bs9am2 + userName: + type: string + description: The username associated with the privileged resource + minLength: 1 + maxLength: 100 + example: testuser@example.com + required: + - userName + PrivilegedResourceStatus: + description: Current status of the privileged resource + type: string + enum: + - ACTIVE + - CREATED + - CREATION_FAILED + - INACTIVE + - PENDING + x-enumDescriptions: + CREATED: The privileged resource is created but not yet managed by OPA + ACTIVE: The privileged resource is currently managed by OPA + INACTIVE: The privileged resource is `INACTIVE` and not currently managed by OPA + readOnly: true + PrivilegedResourceType: + description: The type of the resource + type: string + enum: + - APP_ACCOUNT + - OKTA_USER_ACCOUNT + PrivilegedResourceUpdateRequest: + description: Update request for a privileged resource + type: object + properties: + profile: + $ref: '#/components/schemas/profile' + example: + email: testuser@example.com + userName: + type: string + description: The username associated with the privileged resource + minLength: 1 + maxLength: 100 + example: testuser@example.com ProfileEnrollmentPolicy: allOf: - 
$ref: '#/components/schemas/Policy' - type: object properties: conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + type: string + description: Policy conditions aren't supported for this policy type + default: null + nullable: true ProfileEnrollmentPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' 
@@ -29251,36 +60844,63 @@ components: actions: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActions' conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + type: string + description: Policy Rule conditions aren't supported for this policy type + default: null + nullable: true ProfileEnrollmentPolicyRuleAction: type: object properties: access: type: string + enum: + - ALLOW + - DENY + description: '**Note:** The Profile Enrollment Action object can''t be modified to set the `access` property to `DENY` after the policy is created.' activationRequirements: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActivationRequirement' + allowedIdentifiers: + items: + type: string + type: array + description: <x-lifecycle class="ea"></x-lifecycle> A list of attributes to identify an end user. Can be used across Okta sign-in, unlock, and recovery flows. + default: + - login + enrollAuthenticatorTypes: + items: + type: string + type: array + description: Additional authenticator fields that can be used on the first page of user registration. Valid values only includes `'password'`. preRegistrationInlineHooks: items: $ref: '#/components/schemas/PreRegistrationInlineHook' type: array + description: (Optional) The `id` of at most one registration inline hook profileAttributes: items: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute' type: array + description: A list of attributes to prompt the user during registration or progressive profiling. Where defined on the User schema, these attributes are persisted in the User profile. Non-schema attributes can also be added, which aren't persisted to the User's profile, but are included in requests to the registration inline hook. A maximum of 10 Profile properties is supported. + progressiveProfilingAction: + type: string + enum: + - ENABLED + - DISABLED + description: Progressive profile enrollment helps evaluate the profile enrollment policy at every user login. 
Users can be prompted to provide input for newly required attributes. targetGroupIds: items: type: string type: array + description: (Optional, max 1 entry) The `id` of a Group that this User should be added to + uiSchemaId: + type: string + description: Value created by the backend. If present, all policy updates must include this attribute/value. unknownUserAction: type: string enum: - DENY - REGISTER - progressiveProfilingAction: - type: string - enum: - - ENABLED - - DISABLED + description: Which action should be taken if this User is new ProfileEnrollmentPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' 
@@ -29289,40 +60909,24 @@ components: profileEnrollment: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleAction' ProfileEnrollmentPolicyRuleActivationRequirement: + description: Contains a single Boolean property that indicates whether `emailVerification` should occur (`true`) or not (`false`, default) type: object properties: emailVerification: - type: boolean + type: boolean ProfileEnrollmentPolicyRuleProfileAttribute: type: object properties: label: type: string + description: A display-friendly label for this property name: type: string + description: The name of a User Profile property. Can be an existing property. required: type: boolean - IdpDiscoveryPolicyRule: - allOf: - - $ref: '#/components/schemas/PolicyRule' - - type: object - properties: - actions: - $ref: '#/components/schemas/IdpPolicyRuleAction' - conditions: - $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition' - IdpDiscoveryPolicyRuleCondition: - allOf: - - type: object - properties: - app: - $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - userIdentifier: - $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' - platform: - $ref: '#/components/schemas/PlatformPolicyRuleCondition' + description: (Optional, default `FALSE`) Indicates if this property is required for enrollment + default: false ProfileMapping: description: |- The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). @@ -29340,10 +60944,8 @@ components: $ref: '#/components/schemas/ProfileMappingProperty' readOnly: false source: - type: object $ref: '#/components/schemas/ProfileMappingSource' target: - type: object $ref: '#/components/schemas/ProfileMappingTarget' _links: $ref: '#/components/schemas/LinksSelf' 
@@ -29422,10 +61024,10 @@ components: $ref: '#/components/schemas/SourceLinks' ProfileSettingObject: description: | - This setting determines whether a user in the application gets updated when they're updated in Okta. + This setting determines whether a user in the app gets updated when they're updated in Okta. - If enabled, Okta updates a user's attributes in the application when the application is assigned. - Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the application. + If enabled, Okta updates a user's attributes in the app when the app is assigned. + Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the app. type: object properties: status: 
@@ -29433,122 +61035,117 @@ components: - $ref: '#/components/schemas/EnabledStatus' - example: DISABLED - default: DISABLED - Protocol: - type: object - properties: - algorithms: - $ref: '#/components/schemas/ProtocolAlgorithms' - credentials: - $ref: '#/components/schemas/IdentityProviderCredentials' - endpoints: - $ref: '#/components/schemas/ProtocolEndpoints' - issuer: - $ref: '#/components/schemas/ProtocolEndpoint' - relayState: - $ref: '#/components/schemas/ProtocolRelayState' - scopes: - type: array - items: - type: string - settings: - $ref: '#/components/schemas/ProtocolSettings' - type: - $ref: '#/components/schemas/ProtocolType' - ProtocolAlgorithmType: - type: object - properties: - signature: - $ref: '#/components/schemas/ProtocolAlgorithmTypeSignature' - ProtocolAlgorithmTypeSignature: - type: object - properties: - algorithm: - type: string - scope: - $ref: '#/components/schemas/ProtocolAlgorithmTypeSignatureScope' - ProtocolAlgorithmTypeSignatureScope: + ProtocolAlgorithmRequestScope: + description: Specifies whether to digitally sign authorization requests to the IdP + example: REQUEST type: string enum: - - ANY - NONE - REQUEST + ProtocolAlgorithmResponseScope: + description: Specifies whether to verify responses from the IdP + example: ANY + type: string + enum: + - ANY - RESPONSE - TOKEN - ProtocolAlgorithms: - type: object - properties: - request: - $ref: '#/components/schemas/ProtocolAlgorithmType' - response: - $ref: '#/components/schemas/ProtocolAlgorithmType' - ProtocolEndpoint: - type: object - properties: - binding: - $ref: '#/components/schemas/ProtocolEndpointBinding' - destination: - type: string - type: - $ref: '#/components/schemas/ProtocolEndpointType' - url: - type: string + ProtocolCredentialsKeyId: + description: IdP Key Credential reference to the Okta X.509 signature certificate + example: your-key-id + type: string ProtocolEndpointBinding: type: string enum: - HTTP-POST - HTTP-REDIRECT - ProtocolEndpointType: - type: string - 
enum: - - INSTANCE - - ORG - ProtocolEndpoints: + ProtocolMtls: + title: Mutual TLS Protocol + description: Protocol settings for the [MTLS Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4) type: object properties: - acs: - $ref: '#/components/schemas/ProtocolEndpoint' - authorization: - $ref: '#/components/schemas/ProtocolEndpoint' - jwks: - $ref: '#/components/schemas/ProtocolEndpoint' - metadata: - $ref: '#/components/schemas/ProtocolEndpoint' - slo: - $ref: '#/components/schemas/ProtocolEndpoint' - sso: - $ref: '#/components/schemas/ProtocolEndpoint' - token: - $ref: '#/components/schemas/ProtocolEndpoint' - userInfo: - $ref: '#/components/schemas/ProtocolEndpoint' - ProtocolRelayState: + credentials: + $ref: '#/components/schemas/MtlsCredentials' + endpoints: + $ref: '#/components/schemas/MtlsEndpoints' + type: + type: string + description: Mutual TLS + enum: + - MTLS + ProtocolOAuth: + title: OAuth 2.0 Protocol + description: Protocol settings for authentication using the [OAuth 2.0 Authorization Code flow](https://tools.ietf.org/html/rfc6749#section-4.1) type: object properties: - format: - $ref: '#/components/schemas/ProtocolRelayStateFormat' - ProtocolRelayStateFormat: - type: string - enum: - - FROM_URL - - OPAQUE - ProtocolSettings: + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + type: array + description: |- + IdP-defined permission bundles to request delegated access from the User + > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. 
+ items: + type: string + example: public_profile + type: + type: string + description: OAuth 2.0 Authorization Code flow + enum: + - OAUTH2 + ProtocolOidc: + title: OpenID Connect Protocol + description: Protocol settings for authentication using the [OpenID Connect Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) type: object properties: - nameFormat: + algorithms: + $ref: '#/components/schemas/OidcAlgorithms' + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + type: array + description: |- + OpenID Connect and IdP-defined permission bundles to request delegated access from the User + > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. + items: + type: string + example: openid + type: type: string - ProtocolType: - type: string - enum: - - MTLS - - OAUTH2 - - OIDC - - SAML2 + description: OpenID Connect Authorization Code flow + enum: + - OIDC + ProtocolSaml: + title: SAML 2.0 Protocol + description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) + type: object + properties: + algorithms: + $ref: '#/components/schemas/SamlAlgorithms' + credentials: + $ref: '#/components/schemas/SamlCredentials' + endpoints: + $ref: '#/components/schemas/SamlEndpoints' + relayState: + $ref: '#/components/schemas/SamlRelayState' + settings: + $ref: '#/components/schemas/SamlSettings' + type: + type: string + description: SAML 2.0 protocol + enum: + - SAML2 ProviderType: type: string enum: - APNS - FCM Provisioning: + description: Specifies the behavior for just-in-time (JIT) provisioning of an IdP User as a new Okta User and their Group memberships type: object 
properties: action: @@ -29559,33 +61156,28 @@ components: $ref: '#/components/schemas/ProvisioningGroups' profileMaster: type: boolean + description: Determines if the IdP should act as a source of truth for User profile attributes ProvisioningAction: + description: |- + Specifies the User provisioning action during authentication when an IdP User isn't linked to an existing Okta User. + * To successfully provision a new Okta User, you must enable just-in-time (JIT) provisioning in your org security settings. + * If the target username isn't unique or the resulting Okta User profile is missing a required profile attribute, JIT provisioning may fail. + * New Okta Users are provisioned with either a `FEDERATION` or `SOCIAL` authentication provider depending on the IdP type. type: string enum: - AUTO - - CALLOUT - DISABLED + x-enumDescriptions: + AUTO: The IdP User profile is transformed through defined universal directory profile mappings to an Okta User profile and automatically provisioned as an Okta User. + DISABLED: Okta rejects the authentication request and skips provisioning of a new Okta User if the IdP User isn't linked to an existing Okta User. ProvisioningConditions: + description: Conditional behaviors for an IdP User during authentication type: object properties: deprovisioned: $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' suspended: $ref: '#/components/schemas/ProvisioningSuspendedCondition' - ProvisioningConnection: - type: object - properties: - authScheme: - $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' - profile: - $ref: '#/components/schemas/ProvisioningConnectionProfile' - status: - $ref: '#/components/schemas/ProvisioningConnectionStatus' - _links: - $ref: '#/components/schemas/LinksSelfAndLifecycle' - required: - - authScheme - - status ProvisioningConnectionAuthScheme: description: Defines the method of authentication type: string 
@@ -29597,62 +61189,75 @@ components: TOKEN: A token is used to authenticate with the app. OAUTH2: OAuth 2.0 is used to authenticate with the app. UNKNOWN: The authentication scheme used by the app isn't supported, or the app doesn't support provisioning. - ProvisioningConnectionProfile: - description: | - The profile used to configure the connection method of authentication and the credentials. - Currently, token-based and OAuth 2.0-based authentication are supported. - type: object - properties: - authScheme: - $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' - discriminator: - propertyName: authScheme - mapping: - TOKEN: '#/components/schemas/ProvisioningConnectionProfileToken' - OAUTH2: '#/components/schemas/ProvisioningConnectionProfileOauth' - UNKNOWN: '#/components/schemas/ProvisioningConnectionProfileUnknown' - ProvisioningConnectionProfileOauth: - description: | - The app provisioning connection profile used to configure the method of authentication and the credentials. - Currently, token-based and OAuth 2.0-based authentication are supported. + ProvisioningConnectionOauthAuthScheme: + description: OAuth 2.0 is used to authenticate with the app. 
+ type: string + enum: + - OAUTH2 + ProvisioningConnectionOauthRequest: + title: OAuth 2.0-based connection allOf: - - $ref: '#/components/schemas/ProvisioningConnectionProfile' - - type: object + - $ref: '#/components/schemas/ProvisioningConnectionRequest' + - description: OAuth 2.0-based Provisioning Connection request properties: - clientId: - type: string - description: Unique client identifier for the OAuth 2.0 service app from the target org + profile: + $ref: '#/components/schemas/ProvisioningConnectionOauthRequestProfile' required: - - authScheme - - clientId - ProvisioningConnectionProfileToken: + - profile + ProvisioningConnectionOauthRequestProfile: + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme' + clientId: + type: string + description: Only used for the Okta Org2Org (`okta_org2org`) app. The unique client identifier for the OAuth 2.0 service app from the target org. + settings: + $ref: '#/components/schemas/Office365ProvisioningSettings' + required: + - authScheme + ProvisioningConnectionProfileOauth: description: | The app provisioning connection profile used to configure the method of authentication and the credentials. Currently, token-based and OAuth 2.0-based authentication are supported. 
- allOf: - - $ref: '#/components/schemas/ProvisioningConnectionProfile' - - type: object - properties: - token: - type: string - description: Token used to authenticate with the app - required: - - authScheme - - token - ProvisioningConnectionProfileUnknown: - description: Unknown provisioning connection - allOf: - - $ref: '#/components/schemas/ProvisioningConnectionProfile' - - type: object + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme' + clientId: + type: string + required: + - authScheme ProvisioningConnectionRequest: type: object + ProvisioningConnectionRequestAuthScheme: + type: string + enum: + - OAUTH2 + - TOKEN + ProvisioningConnectionResponse: + type: object properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme' + baseUrl: + type: string + description: Base URL profile: - $ref: '#/components/schemas/ProvisioningConnectionProfile' + $ref: '#/components/schemas/ProvisioningConnectionResponseProfile' + status: + $ref: '#/components/schemas/ProvisioningConnectionStatus' + _links: + $ref: '#/components/schemas/LinksSelfLifecycleAndAuthorize' required: - profile + - status + ProvisioningConnectionResponseProfile: + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' + required: + - authScheme ProvisioningConnectionStatus: - description: Provisioning connection status + description: Provisioning Connection status default: DISABLED type: string enum: 
@@ -29660,35 +61265,89 @@ components: - ENABLED - UNKNOWN x-enumDescriptions: - DISABLED: The provisioning connection is disabled. - ENABLED: The provisioning connection is enabled. + DISABLED: The Provisioning Connection is disabled. + ENABLED: The Provisioning Connection is enabled. UNKNOWN: Provisioning isn't supported by the app, or the authentication method is unknown. + ProvisioningConnectionTokenAuthScheme: + description: A token is used to authenticate with the app. This property is only returned for the `TOKEN` authentication scheme. + type: string + enum: + - TOKEN + ProvisioningConnectionTokenRequest: + title: Token-based connection + allOf: + - $ref: '#/components/schemas/ProvisioningConnectionRequest' + - description: Token-based Provisioning Connection request + properties: + baseUrl: + type: string + description: Only used for the Zscaler 2.0 (`zscalerbyz`) app. The base URL for the Zscaler 2.0 target app, which also contains the Zscaler ID. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + profile: + $ref: '#/components/schemas/ProvisioningConnectionTokenRequestProfile' + required: + - profile + ProvisioningConnectionTokenRequestProfile: + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme' + token: + type: string + description: Token used to authenticate with the app + required: + - authScheme ProvisioningDeprovisionedAction: + description: Specifies the action during authentication when an IdP User is linked to a previously deprovisioned Okta User type: string enum: - NONE - REACTIVATE + x-enumDescriptions: + NONE: Take no action. If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, authentication fails. + REACTIVATE: If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, reactivate the matching User in Okta and allow the authentication attempt to proceed. 
ProvisioningDeprovisionedCondition: + description: Behavior for a previously deprovisioned IdP User during authentication. Not supported with OIDC IdPs. type: object properties: action: $ref: '#/components/schemas/ProvisioningDeprovisionedAction' ProvisioningGroups: + description: Provisioning settings for a User's Group memberships type: object properties: action: $ref: '#/components/schemas/ProvisioningGroupsAction' assignments: type: array + description: List of `OKTA_GROUP` Group identifiers to add an IdP User as a member with the `ASSIGN` action items: type: string + example: 00gak46y5hydV6NdM0g4 filter: type: array + description: Allowlist of `OKTA_GROUP` Group identifiers for the `APPEND` or `SYNC` provisioning action items: type: string + example: 00gak46y5hydV6NdM0g4 sourceAttributeName: type: string + description: IdP User profile attribute name (case-insensitive) for an array value that contains Group memberships + maxLength: 1024 + example: Groups ProvisioningGroupsAction: + description: |- + Provisioning action for the IdP User's Group memberships + + | Enum | Description | Existing OKTA_GROUP Memberships | Existing APP_GROUP Memberships | Existing BUILT_IN Memberships | + | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------ | ----------------------------- | + | `APPEND` | Adds a User to any Group defined by the IdP as a value of the `sourceAttributeName` array that matches the name of the allow listed Group defined in the `filter` | Unchanged | Unchanged | Unchanged | + | `ASSIGN` | Assigns a User to Groups defined in the `assignments` array | Unchanged | Unchanged | Unchanged | + | `NONE` | Skips processing of Group memberships | Unchanged | Unchanged | Unchanged | + | `SYNC` | Group memberships 
are sourced by the IdP as a value of the `sourceAttributeName` array that matches the name of the Group defined in the `filter` | Removed if not defined by the IdP in `sourceAttributeName` and matching name of the Group in `filter` | Unchanged | Unchanged | + + > **Note:** Group provisioning action is processed independently from profile sourcing. You can sync Group memberships through SAML with profile sourcing disabled. type: string enum: - APPEND @@ -29696,16 +61355,22 @@ components: - NONE - SYNC ProvisioningSuspendedAction: + description: Specifies the action during authentication when an IdP User is linked to a previously suspended Okta User type: string enum: - NONE - UNSUSPEND + x-enumDescriptions: + NONE: Take no action. If an IdP User that matches a previously suspended Okta User attempts to authenticate, authentication fails. + UNSUSPEND: If an IdP User that matches a previously suspended Okta User attempts to authenticate, unsuspend the matching User in Okta and allow the authentication attempt to proceed. ProvisioningSuspendedCondition: + description: Behavior for a previously suspended IdP User during authentication. Not supported with OIDC IdPs. type: object properties: action: $ref: '#/components/schemas/ProvisioningSuspendedAction' PushMethodKeyProtection: + description: Indicates whether you must use a hardware key store type: string enum: - ANY @@ -29717,9 +61382,11 @@ components: id: type: string readOnly: true + description: Unique key for the Push Provider lastUpdatedDate: type: string readOnly: true + description: Timestamp when the Push Provider was last modified name: type: string description: Display name of the push provider 
@@ -29732,33 +61399,6 @@ components: mapping: APNS: '#/components/schemas/APNSPushProvider' FCM: '#/components/schemas/FCMPushProvider' - PushUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - expiresAt: - type: string - format: date-time - factorResult: - $ref: '#/components/schemas/FactorResultType' - profile: - $ref: '#/components/schemas/PushUserFactorProfile' - PushUserFactorProfile: - type: object - properties: - credentialId: - type: string - deviceToken: - type: string - deviceType: - type: string - name: - type: string - platform: - type: string - version: - type: string RateLimitAdminNotifications: title: RateLimitAdminNotifications description: '' 
@@ -29815,19 +61455,264 @@ components: $ref: '#/components/schemas/RealmProfile' _links: $ref: '#/components/schemas/LinksSelf' + RealmAssignment: + type: object + properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + created: + type: string + format: date-time + readOnly: true + id: + type: string + readOnly: true + isDefault: + type: boolean + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + priority: + type: integer + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/LinksSelf' RealmProfile: type: object properties: name: type: string description: Name of a Realm + realmType: + type: string + description: Used to store partner users. This must be set to Partner to access Okta's external partner portal. + enum: + - PARTNER + - DEFAULT + x-enumDescriptions: + PARTNER: Realm with external partner portal + DEFAULT: Default + required: + - name RecoveryQuestionCredential: + description: |- + Specifies a secret question and answer that's validated (case insensitive) when a user forgets their + password or unlocks their account. The answer property is write-only. type: object properties: answer: type: string + description: The answer to the recovery question + minimum: 1 + maximum: 100 + writeOnly: true + example: se7en question: type: string + description: The recovery question + minimum: 1 + maximum: 100 + example: what is your favourite movie? 
+ RefreshToken: + description: The refresh token + type: object + properties: + jti: + description: The refresh token ID + type: string + RegistrationInlineHook: + allOf: + - $ref: '#/components/schemas/InlineHook' + - type: object + RegistrationInlineHookCommand: + type: object + properties: + type: + type: string + enum: + - com.okta.user.profile.update + - com.okta.action.update + - com.okta.user.progressive.profile.update + RegistrationInlineHookPPData: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - type: object + properties: + data: + type: object + properties: + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + user: + type: object + properties: + passwordChanged: + type: string + format: date-time + description: The last time the user's password was updated + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled. + type: object + properties: + groups: + description: URL to retrieve the individual user's group memberships + allOf: + - $ref: '#/components/schemas/HrefObject' + factors: + description: URL to retrieve individual user's factor enrollments + allOf: + - $ref: '#/components/schemas/HrefObject' + profile: + additionalProperties: true + type: object + description: The user to update's current attributes + id: + type: string + action: + description: The default action the system takes. Set to `ALLOW`. 
`DENY` is never sent to your external service + type: string + userProfileUpdate: + additionalProperties: true + type: object + description: Name-value pairs for each new attribute supplied by the user in the Progressive Profile form + RegistrationInlineHookRequest: + description: Registration inline hook request + type: object + properties: + eventType: + type: string + description: The type of inline hook. The registration inline hook type is `com.okta.user.pre-registration`. + requestType: + $ref: '#/components/schemas/RegistrationInlineHookRequestType' + discriminator: + propertyName: requestType + mapping: + self.service.registration: '#/components/schemas/RegistrationInlineHookSSRData' + progressive.profile: '#/components/schemas/RegistrationInlineHookPPData' + RegistrationInlineHookRequestType: + description: The type of registration hook. Use either `self.service.registration` or `progressive.profile`. + type: string + enum: + - progressive.profile + - self.service.registration + RegistrationInlineHookResponse: + description: Registration inline hook response + type: object + properties: + commands: + type: array + RegistrationInlineHookSSRData: + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - type: object + properties: + data: + type: object + properties: + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + action: + description: The default action the system will take. Will be `ALLOW`. `DENY` will never be sent to your external service. + type: string + userProfile: + additionalProperties: true + type: object + description: The name-value pairs for each registration-related attribute supplied by the user in the Profile Enrollment form. 
+ RegistrationResponse: + type: object + properties: + commands: + description: |- + The `commands` object lets you invoke commands to modify or add values to the attributes in the Okta user profile that are created for this user. The object also lets you control whether or not the registration attempt is allowed to proceed. + + This object is an array, allowing you to send multiple commands in your response. Each array element requires a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you wish to execute, and `value` is where you supply parameters for that command. + + The registration inline hook supports these three commands: + * `com.okta.user.profile.update`: Change attribute values in the user's Okta user profile. For SSR only. Invalid if used with a Progressive Profile response. + * `com.okta.action.update`: Allow or deny the user's registration. + * `com.okta.user.progressive.profile.update`: Change attribute values in the user's Okta Progressive Profile. + type: array + items: + type: object + properties: + type: + description: |- + The location where you specify the command. To set attributes in the user's Okta profile, supply a `type` property set to `com.okta.user.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Okta user profile attributes you want to set. The attributes must already exist in your user profile schema. + + To explicitly allow or deny registration to the user, supply a type property set to `com.okta.action.update`, together with a value property set to `{"registration": "ALLOW"}` or `{"registration": "DENY"}`. The default is to allow registration. 
+ + In Okta Identity Engine, to set attributes in the user's profile, supply a `type` property set to `com.okta.user.progressive.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Progressive Enrollment attributes that you want to set. See [Registration inline hook - Send response](https://developer.okta.com/docs/guides/registration-inline-hook/nodejs/main/#send-response). + + Commands are applied in the order that they appear in the array. Within a single `com.okta.user.profile.update` or `com.okta.user.progressive.profile.update command`, attributes are updated in the order that they appear in the `value` object. + + You can never use a command to update the user's password, but you are allowed to set the values of attributes other than password that are designated sensitive in your Okta user schema. However, the values of those sensitive attributes, if included as fields in the Profile Enrollment form, aren't included in the `data.userProfile` object sent to your external service by Okta. See [data.userProfile](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook!path=0/data/userProfile&t=request). + type: string + value: + additionalProperties: true + description: |- + The `value` object is the parameter to pass to the command. + + For `com.okta.user.profile.update` commands, `value` should be an object containing one or more name-value pairs for the attributes you wish to update. + + For `com.okta.action.update` commands, the value should be an object containing the attribute `action` set to a value of either `ALLOW` or `DENY`, indicating whether the registration should be permitted or not. + + Registrations are allowed by default, so setting a value of `ALLOW` for the action field is valid but superfluous. 
+ type: object + Error: + description: |- + For the registration inline hook, the `error` object provides a way of displaying an error message to the end user who is trying to register or update their profile. + + * If you're using the Okta Sign-In Widget for Profile Enrollment, only the `errorSummary` messages of the `errorCauses` objects that your external service returns appear as inline errors, given the following: + * You don't customize the error handling behavior of the widget. + * The `location` of `errorSummary` in the `errorCauses` object specifies the request object's user profile attribute. + * If you don't return a value for the `errorCauses` object, and deny the user's registration attempt through the `commands` object in your response to Okta, one of the following generic messages appears to the end user: + * "Registration cannot be completed at this time." (SSR) + * "We found some errors. Please review the form and make corrections." (Progressive Enrollment) + * If you don't return an `error` object at all and the registration is denied, the following generic message appears to the end user: + * "Registration denied." (SSR) + * "Profile update denied." (Progressive Enrollment) + + >**Note:** If you include an error object in your response, no commands are executed and the registration fails. This holds true even if the top-level `errorSummary` and the `errorCauses` objects are omitted. + type: object + properties: + errorSummary: + type: string + description: Human-readable summary of one or more errors + errorCauses: + type: array + items: + type: object + properties: + errorSummary: + type: string + description: Human-readable summary of the error. + reason: + type: string + description: A brief, enum-like string that indicates the nature of the error. For example, `UNIQUE_CONSTRAINT` for a property uniqueness violation. + locationType: + type: string + description: Where in the request the error was found (`body`, `header`, `url`, or `query`). 
+ location: + description: The valid JSON path to the location of the error. For example, if there was an error in the user's `login` field, the `location` might be `data.userProfile.login`. + type: string + domain: + type: string + description: Indicates the source of the error. If the error was in the user's profile, for example, you might use `end-user`. If the error occurred in the external service, you might use `external-service`. ReleaseChannel: description: Release channel for auto-update type: string 
@@ -29842,12 +61727,106 @@ components: - ALWAYS - HIGH_RISK_ONLY - NEVER + ResendUserFactor: + type: object + properties: + factorType: + description: Type of the Factor + type: string + enum: + - call + - email + - sms + discriminator: + propertyName: factorType + mapping: + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + sms: '#/components/schemas/UserFactorSMS' ResetPasswordToken: type: object properties: resetPasswordUrl: type: string readOnly: true + example: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO + ResourceSelectorCreateRequestSchema: + type: object + properties: + description: + type: string + description: Description of the Resource Selector + filter: + type: string + description: SCIM filter of the Resource Selector + name: + type: string + description: Name of the Resource Selector + schema: + type: string + description: Schema of the Resource Selector + ResourceSelectorPatchRequestSchema: + type: object + properties: + description: + type: string + description: Description of the Resource Selector + filter: + type: string + description: SCIM filter of the Resource Selector + name: + type: string + description: Name of the Resource Selector + ResourceSelectorResponseSchema: + type: object + properties: + description: + type: string + description: Description of the Resource Selector + id: + type: string + description: Unique key for the Resource Selector + name: + type: string + description: Name of the Resource Selector + orn: + type: string + description: An Okta resource name + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + resources: + $ref: '#/components/schemas/HrefObject' + ResourceSelectorResponseWithoutSelfLinkSchema: + type: object + properties: + description: + type: string + description: Description of the Resource Selector + id: + type: string + description: Unique key for the Resource Selector + name: + type: string + description: Name 
of the Resource Selector + orn: + type: string + description: An Okta resource name + _links: + allOf: + - properties: + resources: + $ref: '#/components/schemas/HrefObject' + ResourceSelectorsSchema: + type: object + properties: + resourceSelectors: + type: array + items: + $ref: '#/components/schemas/ResourceSelectorResponseWithoutSelfLinkSchema' + _links: + $ref: '#/components/schemas/LinksNext' ResourceSet: type: object properties: @@ -29861,7 +61840,7 @@ components: description: Description of the Resource Set id: type: string - description: Unique key for the role + description: Unique ID for the Resource Set object readOnly: true label: type: string 
@@ -29974,29 +61953,60 @@ components: created: type: string format: date-time - description: Timestamp when the role was created + description: Timestamp when the Resource Set Resource object was created readOnly: true - description: - type: string - description: Description of the Resource Set id: type: string - description: Unique key for the role + description: Unique ID of the Resource Set Resource object readOnly: true lastUpdated: type: string format: date-time - description: Timestamp when the role was last updated + description: Timestamp when this object was last updated readOnly: true + orn: + type: string + description: The Okta Resource Name (ORN) of the resource _links: - $ref: '#/components/schemas/LinksSelf' + description: Related discoverable resources + readOnly: true + properties: + self: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The REST API URL of the related resource + resource: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to this Resource Set Resource object (self) + groups: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: If applicable, the REST API URL of the related Groups resource + users: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: If applicable, the REST API URL of the related Users resource ResourceSetResourcePatchRequest: type: object properties: additions: type: array + description: A list of resources to add to the Resource Set items: type: string + description: Resource in ORN or REST API URL format + ResourceSetResourcePostRequest: + type: object + properties: + resourceOrnOrUrl: + type: string + description: Resource in ORN or REST API URL format + required: + - resourceOrnOrUrl + - conditions + ResourceSetResourcePutRequest: + type: object ResourceSetResources: type: object properties: 
@@ -30020,7 +62030,86 @@ components: _links: $ref: '#/components/schemas/LinksNext' ResponseLinks: + description: Link objects + type: object + properties: + _links: + $ref: '#/components/schemas/LinksSelf' + ResponseMode: + type: string + enum: + - form_post + - fragment + - okta_post_message + - query + x-enumDescriptions: + fragment: Parameters are encoded in the URL fragment added to the `redirect_uri` when redirecting back to the client. + query: Parameters are encoded in the query string added to the `redirect_uri` when redirecting back to the client. + form_post: Parameters are encoded as HTML form values (`application/x-www-form-urlencoded` format) and are transmitted through the HTTP POST method to the client. + okta_post_message: |- + Uses [HTML5 Web Messaging](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) (for example, `window.postMessage()`) instead of the redirect for the authorization response from the `/authorize` endpoint. + + `okta_post_message` is an adaptation of the [Web Message Response Mode](https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00#section-4.1). + This value provides a secure way for a single-page application to perform a sign-in flow in a pop-up window or an iFrame and receive the ID token, access token, and/or authorization code back in the parent page without leaving the context of that page. The data object for the `postMessage` call is in the next section. 
+ ResponseType: + type: string + enum: + - code + - id_token + - none + - token + ResponseTypesSupported: + type: string + enum: + - code + - code id_token + - code id_token token + - code token + - id_token + - id_token token + - token + RevokeRefreshTokenHrefObject: type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + RiscIdentifierChangedEvent: + description: The subject's identifier has changed, which is either an email address or a phone number change + type: object + properties: + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + new-value: + type: string + description: The new identifier value + example: new.email@okta.example.com + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + RiskDetectionTypesPolicyRuleCondition: + description: <x-lifecycle class="oie"></x-lifecycle> An object that references detected risk events. This object can have an `include` parameter or an `exclude` parameter, but not both. + type: object + properties: + exclude: + type: array + description: An array of detected risk events to exclude in the entity policy rule + items: + $ref: '#/components/schemas/DetectedRiskEvents' + include: + type: array + description: An array of detected risk events to include in the entity policy rule + items: + $ref: '#/components/schemas/DetectedRiskEvents' + required: + - exclude + - include RiskEvent: type: object properties: 
@@ -30122,10 +62211,19 @@ components: none: No action enforce_and_log: Use risk event information to evaluate risks during authentication attempts and include risk event information in the System Log RiskScorePolicyRuleCondition: + description: Specifies a particular level of risk to match on type: object properties: level: type: string + description: The level to match + enum: + - ANY + - LOW + - MEDIUM + - HIGH + required: + - level Role: type: object properties: @@ -30165,9 +62263,11 @@ components: id: type: string readOnly: true + description: The ID of the User orn: type: string readOnly: true + description: ORN representing the assignee _links: $ref: '#/components/schemas/LinksSelfAndRoles' RoleAssignedUsers: 
@@ -30178,13 +62278,79 @@ components: items: $ref: '#/components/schemas/RoleAssignedUser' _links: - $ref: '#/components/schemas/LinksNext' + $ref: '#/components/schemas/LinksNextForRoleAssignments' RoleAssignmentType: + description: Role assignment type type: string enum: + - CLIENT - GROUP - USER + x-enumDescriptions: + USER: The Role is assigned to a User + GROUP: The Role is assigned to a Group + CLIENT: The Role is assigned to a Client Application + RoleGovernance: + description: List of all User Role Governance Sources + type: object + properties: + grants: + type: array + items: + $ref: '#/components/schemas/RoleGovernanceSource' + _links: + $ref: '#/components/schemas/LinksGovernanceSources' + RoleGovernanceResource: + description: The resource of a grant + type: object + properties: + label: + type: string + description: The resource name + resource: + type: string + description: The resources id + RoleGovernanceResources: + description: The resources of a grant + type: object + properties: + resources: + type: array + items: + $ref: '#/components/schemas/RoleGovernanceResource' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + RoleGovernanceSource: + description: User Role Governance Source + type: object + properties: + bundleId: + type: string + readOnly: true + description: '`id` of the entitlement bundle' + expirationDate: + type: string + format: date-time + readOnly: true + description: The expiration date of the entitlement bundle + grantId: + type: string + readOnly: true + description: '`id` of the grant' + type: + $ref: '#/components/schemas/GovernanceSourceType' + _links: + allOf: + - $ref: '#/components/schemas/LinksGovernanceResources' + - $ref: '#/components/schemas/LinksSelf' + required: + - type + - grantId + - resources RolePermissionType: + description: Permission type type: string enum: - okta.apps.assignment.manage 
@@ -30195,6 +62361,14 @@ components: - okta.authzServers.read - okta.customizations.manage - okta.customizations.read + - okta.devices.lifecycle.activate + - okta.devices.lifecycle.deactivate + - okta.devices.lifecycle.delete + - okta.devices.lifecycle.manage + - okta.devices.lifecycle.suspend + - okta.devices.lifecycle.unsuspend + - okta.devices.manage + - okta.devices.read - okta.governance.accessCertifications.manage - okta.governance.accessRequests.manage - okta.groups.appAssignment.manage @@ -30205,6 +62379,7 @@ components: - okta.identityProviders.manage - okta.identityProviders.read - okta.profilesources.import.run + - okta.support.cases.manage - okta.users.appAssignment.manage - okta.users.create - okta.users.credentials.expirePassword @@ -30224,8 +62399,11 @@ components: - okta.users.read - okta.users.userprofile.manage RoleType: + description: Standard role type type: string enum: + - ACCESS_CERTIFICATIONS_ADMIN + - ACCESS_REQUESTS_ADMIN - API_ACCESS_MANAGEMENT_ADMIN - API_ADMIN - APP_ADMIN 
@@ -30239,18 +62417,246 @@ components: - SUPER_ADMIN - USER_ADMIN x-enumDescriptions: - - API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator - - API_ADMIN: Access Management Administrator - - APP_ADMIN: Application Administrator - - CUSTOM: Custom Label specified by the client - - GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator - - HELP_DESK_ADMIN: Help Desk Administrator - - MOBILE_ADMIN: Mobile Administrator - - ORG_ADMIN: Organizational Administrator - - READ_ONLY_ADMIN: Read-Only Administrator - - REPORT_ADMIN: Report Administrator - - SUPER_ADMIN: Super Administrator - - USER_ADMIN: Group Administrator + API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator + API_ADMIN: Access Management Administrator + APP_ADMIN: Application Administrator + CUSTOM: Custom label specified by the client + GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator + HELP_DESK_ADMIN: Help Desk Administrator + MOBILE_ADMIN: Mobile Administrator + ORG_ADMIN: Organizational Administrator + READ_ONLY_ADMIN: Read-Only Administrator + REPORT_ADMIN: Report Administrator + SUPER_ADMIN: Super Administrator + USER_ADMIN: Group Administrator + ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined Resource Sets) + ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined Resource Sets) <x-lifecycle class="ea"></x-lifecycle> + RotatePasswordRequest: + description: Rotate password request for the privileged account + type: object + properties: + password: + type: string + description: The password associated with the privileged resource + format: password + writeOnly: true + example: xf1bs9am2 + secretVersionId: + type: string + description: The version ID of the password secret from the OPA vault + minLength: 1 + maxLength: 36 + example: 9f8400-e29b-41d4-a716-926655440034 + required: + - password + - secretVersionId + SAMLHookResponse: + type: object + properties: + commands: + description: |- + The `commands` object is where you tell Okta to 
add additional claims to the assertion or to modify the existing assertion statements. + + `commands` is an array, allowing you to send multiple commands. In each array element, include a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command. + In the case of the SAML assertion inline hook, the `value` property is itself a nested object, in which you specify a particular operation, a path to act on, and a value. + type: array + items: + type: object + properties: + type: + type: string + description: One of the supported commands `com.okta.assertion.patch` + value: + type: array + items: + type: object + properties: + op: + type: string + description: |- + The name of one of the supported ops: + `add`: Add a new claim to the assertion + `replace`: Modify any element of the assertion + > **Note:** If a response to the SAML assertion inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta process flow continues with the original SAML assertion returned. + path: + type: string + description: Location, within the assertion, to apply the operation + value: + oneOf: + - type: string + - type: integer + - type: object + description: |- + The value of the claim that you add or replace, and can also include other attributes. If adding to a claim, add another `value` attribute residing within an array called `attributeValues`. 
+ + See the following examples: + + #### Simple value (integer or string) + + `"value": 300` or `"value": "replacementString"` + + #### Attribute value (object) + + ` "value": { + "authContextClassRef": "replacementValue" + }` + + #### AttributeValues array value (object) + + ` "value": { + "attributes": { + "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" + }, + "attributeValues": [ + {"attributes": { + "xsi:type": "xs:string" + }, + "value": "4321"} + ] + }` + error: + description: |- + An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log. + The string supplied in the `errorSummary` property is recorded in the System Log event. + > **Note:** If the error object doesn't include the defined `errorSummary` property, the following common default message + is returned to the end user: `The callback service returned an error`. + + > **Note:** If a response to a SAML inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta SAML inline hook process continues, and the user is created. 
+ type: object + properties: + errorSummary: + description: A human-readable summary of the error + type: string + SAMLPayLoad: + type: object + properties: + data: + type: object + properties: + context: + allOf: + - $ref: '#/components/schemas/BaseContext' + - type: object + properties: + protocol: + description: Details of the assertion protocol being used + type: object + properties: + type: + description: The type of authentication protocol being used for the assertion + type: string + example: SAML2.0 + issuer: + type: object + properties: + id: + description: The unique identifier of the issuer that provided the SAML assertion + type: string + example: 0oath92zlO60urQOP0g3 + name: + description: The name of the issuer that provided the SAML assertion + type: string + example: SAML 2.0 App + uri: + description: The base URI of the SAML endpoint that's used to assert the authorization + type: string + example: http://www.okta.com/exkth8lMzFm0HZOTU0g3 + assertion: + description: Details of the SAML assertion that was generated + type: object + properties: + subject: + description: Provides a JSON representation of the `<saml:Subject>` element of the SAML assertion + type: object + properties: + nameId: + description: The unique identifier of the user + type: string + example: user@example.com + nameFormat: + description: Indicates how to interpret the attribute name + type: string + example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + confirmation: + type: object + properties: + method: + description: Used to indicate how the authorization server confirmed the SAML assertion + type: string + example: urn:oasis:names:tc:SAML:2.0:cm:bearer + data: + type: object + properties: + recipient: + description: The token endpoint URL of the authorization server + type: string + example: http://www.example.com:7070/saml/sso + authentication: + description: Provides a JSON representation of the `<saml:AuthnStatement>` element of the SAML assertion + type: 
object + properties: + sessionIndex: + description: The unique identifier describing the assertion statement + type: string + example: id1553800523546.312669168 + authnContext: + description: Details of the authentication methods used for the SAML assertion + type: object + properties: + authnContextClassRef: + description: Describes the identity provider's supported authentication context classes + type: string + example: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + conditions: + description: Provides a JSON representation of the `<saml:Conditions>` element of the SAML assertion + type: object + properties: + audienceRestriction: + description: Describes which service providers the assertion is valid for + type: array + items: + type: string + example: + - urn:example:sp + claims: + description: Provides a JSON representation of the `<saml:AttributeStatement>` element contained in the generated SAML assertion. Contains any optional SAML attribute statements that you have defined for the app using the Admin Console's **SAML Settings**. 
+ type: object + additionalProperties: + type: object + properties: + attributes: + type: object + properties: + NameFormat: + type: string + description: Indicates how to interpret the attribute name + attributeValues: + type: array + items: + type: object + properties: + attributes: + type: object + properties: + xsi:type: + type: string + description: Used to derive the type of the attribute + value: + type: string + description: The actual value of the attribute + lifetime: + description: Specifies the expiration time, in seconds, of the SAML assertion + type: object + properties: + expiration: + description: The expiration time in seconds + type: integer + example: 300 + SAMLPayloadExecute: + description: SAML assertion inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/SAMLPayLoad' SafeBrowsingProtectionLevel: description: Represents the current value of the Safe Browsing protection level example: ENHANCED_PROTECTION 
@@ -30263,7 +62669,144 @@ components: NO_SAFE_BROWSING: Safe Browsing is never active STANDARD_PROTECTION: Safe Browsing is active in the standard mode ENHANCED_PROTECTION: Safe Browsing is active in the enhanced mode - SamlApplication: + SalesforceApplication: + title: Salesforce + x-tags: + - Application + x-okta-defined-as: + name: salesforce + example: + name: salesforce + label: Sample Salesforce App + signOnMode: SAML_2_0 + settings: + app: + instanceType: SANDBOX + integrationType: STANDARD + description: | + Schema for the Salesforce app (key name: `salesforce`) + + To create a Salesforce app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Salesforce app only supports `BROWSER_PLUGIN`, `BOOKMARK`, and `SAML_2_0` sign-on modes. + allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - salesforce + example: salesforce + signOnMode: + enum: + - BROWSER_PLUGIN + - BOOKMARK + - SAML_2_0 + example: BROWSER_PLUGIN + settings: + $ref: '#/components/schemas/SalesforceApplicationSettings' + SalesforceApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/SalesforceApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + SalesforceApplicationSettingsApplication: + description: Salesforce app instance properties + type: object + properties: + instanceType: + type: string + description: Salesforce instance that you want to connect to + enum: + - SANDBOX + - PRODUCTION + - GOVERNMENT + integrationType: + type: string + description: Salesforce integration type + enum: + - STANDARD + - PORTAL + - COMMUNITY + loginUrl: + type: string + 
description: The Login URL specified in your Salesforce Single Sign-On settings + logoutUrl: + type: string + description: Salesforce Logout URL + required: + - integrationType + - instanceType + Saml: + description: SAML configuration details + type: object + properties: + acs: + type: array + minItems: 1 + description: 'List of Assertion Consumer Service (ACS) URLs. The default ACS URL is required and is indicated by a null `index` value. You can use the org-level variables you defined in the `config` array in the URL. For example: `https://${org.subdomain}.example.com/saml/login`' + items: + type: object + properties: + index: + type: number + minimum: 0 + maximum: 65535 + description: Index of ACS URL. You can't reuse the same index in the ACS URL array. + example: 0 + url: + type: string + format: uri + maxLength: 1024 + description: Assertion Consumer Service (ACS) URL + example: https://${org.subdomain}.example.com/saml/login + claims: + type: array + description: Attribute statements to appear in the Okta SAML assertion + items: + type: object + properties: + name: + type: string + description: The attribute name + example: Address + values: + type: array + description: The Okta values inserted in the attribute statement + items: + type: string + example: ${user.homeAddress} + doc: + type: string + format: uri + description: The URL to your customer-facing instructions for configuring your SAML integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). + example: https://example.com/strawberry/help/samlSetup + entityId: + type: string + description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP) URL. + example: https://${org.subdomain}.example.com + groups: + type: array + description: Defines the group attribute names for the SAML assertion statement. 
Okta inserts the list of Okta user groups into the attribute names in the statement. + items: + type: string + description: A group attribute name in your SAML app + example: groups + required: + - acs + - entityId + - doc + Saml11Application: allOf: - $ref: '#/components/schemas/Application' - type: object 
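Review bot: in `Saml.acs.items.index` the description says the default ACS URL "is indicated by a null `index` value", but the property is declared `type: number` with no `nullable: true`; under OpenAPI 3.0.3 a null `index` fails validation, so add `nullable: true`. Since the value is bounded 0..65535 it should also be `type: integer` rather than `number`. Style: in `SalesforceApplication` and `SalesforceApplicationSettings` the `allOf` splits `- type: object` and `- required: ... properties: ...` into two separate list items; fold them into one object item so `type`, `required` and `properties` describe the same schema.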
@@ -30272,111 +62815,462 @@ components: $ref: '#/components/schemas/ApplicationCredentials' name: type: string + description: The key name for the SAML 1.1 app definition. You can't create a custom SAML 1.1 app integration instance. Only existing OIN SAML 1.1 app integrations are supported. settings: - $ref: '#/components/schemas/SamlApplicationSettings' - SamlApplicationSettings: + $ref: '#/components/schemas/Saml11ApplicationSettings' + required: + - name + Saml11ApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: app: - $ref: '#/components/schemas/SamlApplicationSettingsApplication' + type: object + additionalProperties: true signOn: - $ref: '#/components/schemas/SamlApplicationSettingsSignOn' - SamlApplicationSettingsApplication: + $ref: '#/components/schemas/Saml11ApplicationSettingsSignOn' + Saml11ApplicationSettingsSignOn: + title: SAML 1.1 settings + description: SAML 1.1 sign-on mode attributes type: object - additionalProperties: true properties: - acsUrl: + audienceOverride: type: string - audRestriction: + description: The intended audience of the SAML assertion. This is usually the Entity ID of your application. + defaultRelayState: type: string - baseUrl: + description: The URL of the resource to direct users after they successfully sign in to the SP using SAML. See the SP documentation to check if you need to specify a RelayState. In most instances, you can leave this field blank. + recipientOverride: + type: string + description: The location where the application can present the SAML assertion. This is usually the Single Sign-On (SSO) URL. + ssoAcsUrlOverride: type: string + description: Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests. 
+ SamlAcsEndpoint: + description: Okta's `SPSSODescriptor` endpoint where the IdP sends a `<SAMLResponse>` message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + type: + $ref: '#/components/schemas/SamlEndpointType' + SamlAlgorithms: + description: Settings for signing and verifying SAML messages + type: object + properties: + request: + $ref: '#/components/schemas/SamlRequestAlgorithm' + response: + $ref: '#/components/schemas/SamlResponseAlgorithm' + SamlApplication: + allOf: + - $ref: '#/components/schemas/Application' + - type: object + properties: + credentials: + $ref: '#/components/schemas/ApplicationCredentials' + name: + type: string + description: A unique key is generated for the custom app instance when you use SAML_2_0 `signOnMode`. + readOnly: true + settings: + $ref: '#/components/schemas/SamlApplicationSettings' + SamlApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + signOn: + $ref: '#/components/schemas/SamlApplicationSettingsSignOn' SamlApplicationSettingsSignOn: + description: |- + SAML 2.0 sign-on attributes. + > **Note:** Set either `destinationOverride` or `ssoAcsUrl` to configure any other SAML 2.0 attributes in this section. type: object properties: acsEndpoints: type: array + description: An array of ACS endpoints. You can configure a maximum of 100 endpoints. items: $ref: '#/components/schemas/AcsEndpoint' allowMultipleAcsEndpoints: + description: Determines whether the app allows you to configure multiple ACS URIs type: boolean assertionSigned: type: boolean + description: Determines whether the SAML assertion is digitally signed attributeStatements: type: array + description: | + A list of custom attribute statements for the app's SAML assertion. See [SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html). 
+ + There are two types of attribute statements: + | Type | Description | + | ---- | ----------- | + | EXPRESSION | Generic attribute statement that can be dynamic and supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/) | + | GROUP | Group attribute statement | items: $ref: '#/components/schemas/SamlAttributeStatement' audience: type: string + description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP. audienceOverride: type: string + description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). authnContextClassRef: type: string + description: Identifies the SAML authentication context class for the assertion's authentication statement + enum: + - urn:federation:authentication:windows + - oasis:names:tc:SAML:2.0:ac:classes:Kerberos + - urn:oasis:names:tc:SAML:2.0:ac:classes:Password + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + - urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient + - urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + - urn:oasis:names:tc:SAML:2.0:ac:classes:X509 + x-enumDescriptions: + urn:federation:authentication:windows: Integrated Windows Authentication + oasis:names:tc:SAML:2.0:ac:classes:Kerberos: Kerberos + urn:oasis:names:tc:SAML:2.0:ac:classes:Password: Password + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport: PasswordProtectedTransport + urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient: TLS Client + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified: Unspecified + urn:oasis:names:tc:SAML:2.0:ac:classes:X509: X509 Certificate configuredAttributeStatements: type: array + description: | + The list of dynamic attribute statements for the SAML assertion inherited from app metadata (apps from the OIN) during app creation. + + There are two types of attribute statements: `EXPRESSION` and `GROUP`. 
items: $ref: '#/components/schemas/SamlAttributeStatement' defaultRelayState: type: string + description: Identifies a specific application resource in an IdP-initiated SSO scenario destination: type: string + description: Identifies the location inside the SAML assertion where the SAML response should be sent destinationOverride: type: string + description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). digestAlgorithm: type: string + description: Determines the digest algorithm used to digitally sign the SAML assertion and response + enum: + - SHA1 + - SHA256 honorForceAuthn: type: boolean + description: Set to `true` to prompt users for their credentials when a SAML request has the `ForceAuthn` attribute set to `true` idpIssuer: type: string + description: SAML Issuer ID inlineHooks: + description: Associates the app with SAML inline hooks. See [the SAML assertion inline hook reference](https://developer.okta.com/docs/reference/saml-hook/). items: $ref: '#/components/schemas/SignOnInlineHook' type: array participateSlo: $ref: '#/components/schemas/SloParticipate' recipient: + description: The location where the app may present the SAML assertion type: string recipientOverride: type: string + description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). requestCompressed: type: boolean + description: Determines whether the SAML request is expected to be compressed responseSigned: type: boolean + description: |- + Determines whether the SAML authentication response message is digitally signed by the IdP + > **Note:** Either (or both) `responseSigned` or `assertionSigned` must be `TRUE`. 
+ samlAssertionLifetimeSeconds: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: integer + description: Determines the SAML app session lifetimes with Okta + example: 3600 signatureAlgorithm: type: string + description: Determines the signing algorithm used to digitally sign the SAML assertion and response + enum: + - RSA_SHA1 + - RSA_SHA256 slo: $ref: '#/components/schemas/SingleLogout' spCertificate: - $ref: '#/components/schemas/SpCertificate' + $ref: '#/components/schemas/SamlSpCertificate' spIssuer: type: string + description: The issuer ID for the Service Provider. This property appears when SLO is enabled. ssoAcsUrl: type: string + description: Single Sign-On Assertion Consumer Service (ACS) URL ssoAcsUrlOverride: type: string + description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). subjectNameIdFormat: type: string + description: 'Identifies the SAML processing rules. 
Supported values:' + enum: + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName + x-enumDescriptions: + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Email Address + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Persistent + urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Transient + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: Unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName: x509SubjectName subjectNameIdTemplate: type: string + description: Template for app user's username when a user is assigned to the app + required: + - allowMultipleAcsEndpoints + - assertionSigned + - audience + - authnContextClassRef + - destination + - digestAlgorithm + - honorForceAuthn + - idpIssuer + - recipient + - requestCompressed + - responseSigned + - signatureAlgorithm + - ssoAcsUrl + - subjectNameIdFormat + - subjectNameIdTemplate SamlAttributeStatement: + anyOf: + - $ref: '#/components/schemas/SamlAttributeStatementExpression' + - $ref: '#/components/schemas/SamlAttributeStatementGroup' + type: object + properties: + type: + type: string + description: The type of attribute statements object + enum: + - EXPRESSION + - GROUP + discriminator: + propertyName: type + mapping: + EXPRESSION: '#/components/schemas/SamlAttributeStatementExpression' + GROUP: '#/components/schemas/SamlAttributeStatementGroup' + SamlAttributeStatementExpression: + description: Generic `EXPRESSION` attribute statements + type: object + properties: + name: + type: string + description: The name of the attribute in your app. The attribute name must be unique across all user and group attribute statements. + example: attributeOne + namespace: + type: string + description: 'The name format of the attribute. 
Supported values:' + enum: + - urn:oasis:names:tc:SAML:2.0:attrname-format:basic + - urn:oasis:names:tc:SAML:2.0:attrname-format:uri + - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + x-enumDescriptions: + urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic + urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference + urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified + example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + type: + type: string + description: The type of attribute statements object + example: EXPRESSION + values: + type: array + description: The attribute values (supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/)) + items: + type: string + example: ValueOne + SamlAttributeStatementGroup: + description: '`GROUP` attribute statements' type: object properties: filterType: type: string + description: The operation to filter groups based on `filterValue` + enum: + - STARTS_WITH + - EQUALS + - CONTAINS + - REGEX filterValue: type: string + description: Filter the groups based on a specific value. + example: Team name: type: string + description: The name of the group attribute in your app. The attribute name must be unique across all user and group attribute statements. namespace: type: string + description: 'The name format of the group attribute. 
Supported values:' + enum: + - urn:oasis:names:tc:SAML:2.0:attrname-format:basic + - urn:oasis:names:tc:SAML:2.0:attrname-format:uri + - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + x-enumDescriptions: + urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic + urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference + urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified + example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic type: type: string - values: + description: The type of attribute statements object + example: GROUP + SamlCredentials: + description: Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP + type: object + properties: + signing: + $ref: '#/components/schemas/SamlSigningCredentials' + trust: + $ref: '#/components/schemas/SamlTrustCredentials' + SamlEndpointType: + description: Determines whether to publish an instance-specific (trust) or organization (shared) ACS endpoint in the SAML metadata + default: INSTANCE + type: string + enum: + - INSTANCE + - ORG + SamlEndpoints: + description: SAML 2.0 HTTP binding settings for IdP and SP (Okta) + type: object + properties: + acs: + $ref: '#/components/schemas/SamlAcsEndpoint' + sso: + $ref: '#/components/schemas/SamlSsoEndpoint' + SamlNameIdFormat: + description: SAML 2.0 Name Identifier formats + default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + type: string + enum: + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + SamlRelayState: + description: Relay state settings for IdP + type: object + properties: + format: + $ref: '#/components/schemas/SamlRelayStateFormat' + SamlRelayStateFormat: + description: The format used to generate the `relayState` in the SAML request. The `FROM_URL` format is used if this value is null. 
+ type: string + enum: + - FROM_URL + - OPAQUE + SamlRequestAlgorithm: + description: Algorithm settings used to secure an `<AuthnRequest>` message + type: object + properties: + signature: + $ref: '#/components/schemas/SamlRequestSignatureAlgorithm' + SamlRequestSignatureAlgorithm: + description: |- + XML digital Signature Algorithm settings for signing `<AuthnRequest>` messages sent to the IdP + > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`). + type: object + properties: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + SamlResponseAlgorithm: + description: Algorithm settings for verifying `<SAMLResponse>` messages and `<Assertion>` elements from the IdP + type: object + properties: + signature: + $ref: '#/components/schemas/SamlResponseSignatureAlgorithm' + SamlResponseSignatureAlgorithm: + description: XML digital Signature Algorithm settings for verifying `<SAMLResponse>` messages and `<Assertion>` elements from the IdP + type: object + properties: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmResponseScope' + SamlSettings: + description: Advanced settings for the SAML 2.0 protocol + type: object + properties: + honorPersistentNameId: + type: boolean + description: Determines if the IdP should persist account linking when the incoming assertion NameID format is `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` + default: true + nameFormat: + $ref: '#/components/schemas/SamlNameIdFormat' + SamlSigningAlgorithm: + example: SHA-256 + type: string + enum: + - SHA-1 + - SHA-256 + SamlSigningCredentials: + description: Key used for signing requests to the IdP + type: object + properties: + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + SamlSpCertificate: + description: The certificate that Okta uses to validate Single Logout 
(SLO) requests and responses + type: object + properties: + x5c: type: array + description: A list that contains exactly one x509 encoded certificate items: type: string + SamlSsoEndpoint: + description: IdP's `SingleSignOnService` endpoint where Okta sends an `<AuthnRequest>` message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + destination: + type: string + description: |- + URI reference that indicates the address to which the `<AuthnRequest>` message is sent. + The `destination` property is required if request signatures are specified. See [SAML 2.0 Request Algorithm object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=protocol/0/algorithms/request&t=request). + maxLength: 512 + example: https://idp.example.com/saml2/sso + url: + type: string + description: |- + URL of the binding-specific endpoint to send an `<AuthnRequest>` message to the IdP. + The value of `url` defaults to the same value as the `sso` endpoint if omitted during creation of a new IdP instance. + The `url` should be the same value as the `Location` attribute for a published binding in the IdP's SAML Metadata `IDPSSODescriptor`. + maxLength: 1014 + example: https://idp.example.com/saml2/sso + SamlTrustCredentials: + description: Federation Trust Credentials for verifying assertions from the IdP + type: object + properties: + audience: + type: string + description: URI that identifies the target Okta IdP instance (SP) for an `<Assertion>` + maxLength: 1024 + example: https://www.okta.com/saml2/service-provider/spgv32vOnpdyeGSaiUpL + issuer: + type: string + description: URI that identifies the issuer (IdP) of a `<SAMLResponse>` message `<Assertion>` element + maxLength: 1024 + example: urn:example:idp + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' ScheduledUserLifecycleAction: type: object properties: 
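Review bot: the new `required` list on `SamlApplicationSettingsSignOn` makes fifteen sign-on properties mandatory, including `ssoAcsUrl`, `destination`, `recipient` and `authnContextClassRef`. That undercuts the schema note added in the same hunk ("Set either `destinationOverride` or `ssoAcsUrl` ..."), which implies `ssoAcsUrl` may be omitted, and it will break generated clients that send a subset of settings. Please confirm the server actually rejects requests missing each of these, or trim the list. Further points in this hunk: `oasis:names:tc:SAML:2.0:ac:classes:Kerberos` in the `authnContextClassRef` enum (and its `x-enumDescriptions` key) lacks the `urn:` prefix every other value carries; `SamlSsoEndpoint.url` has `maxLength: 1014` where the other URI fields use 1024, which looks like a typo; `acsEndpoints` says "maximum of 100 endpoints" but has no `maxItems: 100`; and `SamlSpCertificate.x5c` says "exactly one" certificate but has no `minItems: 1` / `maxItems: 1`. Since `digestAlgorithm`, `signatureAlgorithm` and `SamlSigningAlgorithm` still list `SHA1` / `RSA_SHA1` / `SHA-1`, consider stating in their descriptions whether SHA-1 is retained only for legacy SPs so that integrators default to SHA256.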
@@ -30391,16 +63285,48 @@ components: $ref: '#/components/schemas/PasswordCredential' revealPassword: type: boolean + description: Allow users to securely see their password scheme: $ref: '#/components/schemas/ApplicationCredentialsScheme' signing: $ref: '#/components/schemas/ApplicationCredentialsSigning' userName: type: string + description: Shared username for the app + minLength: 1 + maxLength: 100 + Scope: + type: string + ScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scpCmCCV1DpxVkCaye2X + title: + type: string + description: Link name + example: My phone + ScreenLockComplexity: + description: | + Indicates whether a device has a screen lock set, and the type or complexity of the screen lock + + **Note:** This option requires a `screenLockType.include` value. + type: string + enum: + - HIGH + - LOW + - MEDIUM + x-enumDescriptions: + LOW: A pattern or PIN is set + MEDIUM: A complex PIN, or alphabetic or alphanumeric screen lock with at least 4 digits is set + HIGH: A complex 8-digit PIN, or 6-character alphabetic or alphanumeric screen lock is set ScreenLockType: type: string enum: - BIOMETRIC + - NONE - PASSCODE SecurePasswordStoreApplication: x-okta-defined-as: @@ -30413,9 +63339,14 @@ components: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string - default: template_sps + description: '`template_sps` is the key name for a SWA app instance that uses HTTP POST and doesn''t require a browser plugin' + enum: + - template_sps settings: $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings' + required: + - name + - settings SecurePasswordStoreApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' 
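Review bot: `ScreenLockComplexity` lists its enum as HIGH, LOW, MEDIUM while `x-enumDescriptions` is ordered LOW, MEDIUM, HIGH; order both the same way (LOW, MEDIUM, HIGH reads naturally). `Scope` is introduced as a bare `type: string` with no `description`, and `ScopeResourceHrefObject.title` carries `example: My phone`, which looks copied from a factor link rather than an authorization-server scope link. In the `SecurePasswordStoreApplication` hunk, replacing `default: template_sps` with a single-value `enum` plus `required: [name, settings]` changes the contract: clients that previously omitted `name` must now send it, so call that out in the changelog.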
@@ -30428,47 +63359,272 @@ components: properties: optionalField1: type: string + description: Name of the optional parameter in the sign-in form optionalField1Value: type: string + description: Name of the optional value in the sign-in form optionalField2: type: string + description: Name of the optional parameter in the sign-in form optionalField2Value: type: string + description: Name of the optional value in the sign-in form optionalField3: type: string + description: Name of the optional parameter in the sign-in form optionalField3Value: type: string + description: Name of the optional value in the sign-in form passwordField: type: string + description: CSS selector for the **Password** field in the sign-in form url: type: string + description: The URL of the sign-in page for this app usernameField: type: string - SecurityQuestion: + description: CSS selector for the **Username** field in the sign-in form + required: + - passwordField + - url + - usernameField + SecurityEvent: type: object properties: - answer: + event_timestamp: + type: integer + format: int64 + description: The time of the event (UNIX timestamp) + example: 1702448550 + subject: + $ref: '#/components/schemas/SecurityEventSubject' + required: + - event_timestamp + - subject + SecurityEventReason: + type: object + properties: + en: type: string - question: + description: The event reason in English + example: Event message example + required: + - en + SecurityEventSubject: + description: The event subjects + properties: + device: + type: object + description: The device involved with the event + tenant: + type: object + description: The tenant involved with the event + user: + type: object + description: The user involved with the event + SecurityEventTokenError: + title: Security Event Token Error + description: Error object thrown when parsing the Security Event Token + type: object + properties: + description: type: string - questionText: + description: | + Describes the error + > **Note:** 
SET claim fields with underscores (snake case) are presented in camelcase. For example, `previous_status` appears as `previousStatus`. + example: 'Failed claim validation in security event token. ''events.mediationDeviceComplianceChangeEvent.previousStatus'': The field cannot be left blank' + err: type: string - SecurityQuestionUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/SecurityQuestionUserFactorProfile' - SecurityQuestionUserFactorProfile: + description: A code that describes the category of the error + example: invalid_request + enum: + - authentication_failed + - invalid_audience + - invalid_issuer + - invalid_key + - invalid_request + SecurityEventTokenRequestJwtBody: + title: Security Event Token JWT body payload + x-tags: + - SSFSecurityEventToken + description: JSON Web Token body payload for a Security Event Token type: object properties: - answer: + aud: type: string - question: + description: Audience + example: https://receiverexample.okta.com/ + events: + $ref: '#/components/schemas/SecurityEventTokenRequestJwtEvents' + iat: + type: integer + format: int64 + description: Token issue time (UNIX timestamp) + example: 1702448550 + iss: type: string - questionText: + description: Token issuer + example: https://transmitter.example.com + jti: + type: string + description: Token ID + example: 24c63fb56f ... 
a9fa24 + required: + - iss + - aud + - jti + - iat + - events + SecurityEventTokenRequestJwtEvents: + description: A non-empty collection of events + type: object + properties: + https://schemas.okta.com/secevent/okta/event-type/device-risk-change: + $ref: '#/components/schemas/OktaDeviceRiskChangeEvent' + https://schemas.okta.com/secevent/okta/event-type/ip-change: + $ref: '#/components/schemas/OktaIpChangeEvent' + https://schemas.okta.com/secevent/okta/event-type/user-risk-change: + $ref: '#/components/schemas/OktaUserRiskChangeEvent' + https://schemas.openid.net/secevent/caep/event-type/device-compliance-change: + $ref: '#/components/schemas/CaepDeviceComplianceChangeEvent' + https://schemas.openid.net/secevent/caep/event-type/session-revoked: + $ref: '#/components/schemas/CaepSessionRevokedEvent' + https://schemas.openid.net/secevent/risc/event-type/identifier-changed: + $ref: '#/components/schemas/RiscIdentifierChangedEvent' + SecurityEventTokenRequestJwtHeader: + title: Security Event Token JWT header + x-tags: + - SSFSecurityEventToken + description: JSON Web Token header for a Security Event Token + type: object + properties: + alg: + type: string + description: Algorithm used to sign or encrypt the JWT + example: RS256 + kid: + type: string + description: Key ID used to sign or encrypt the JWT + typ: + type: string + description: The type of content being signed or encrypted + example: secevent+jwt + required: + - kid + - typ + - alg + SecurityEventsProviderRequest: + title: Security Events Provider Request + description: The request schema for creating or updating a Security Events Provider. The `settings` must match one of the schemas. 
+ type: object + properties: + name: + description: The name of the Security Events Provider instance + type: string + maxLength: 100 + example: Target SSF Provider + settings: + type: object + description: Information about the Security Events Provider for signal ingestion + oneOf: + - $ref: '#/components/schemas/SecurityEventsProviderSettingsSSFCompliant' + - $ref: '#/components/schemas/SecurityEventsProviderSettingsNonSSFCompliant' + type: + description: The application type of the Security Events Provider + maxLength: 255 + type: string + example: okta + required: + - name + - settings + - type + SecurityEventsProviderResponse: + title: Security Events Provider Response + description: The Security Events Provider response + type: object + properties: + id: + description: The unique identifier of this instance + type: string + readOnly: true + example: sse1qg25RpusjUP6m0g5 + name: + description: The name of the Security Events Provider instance + type: string + maxLength: 100 + example: Target SSF Provider + settings: + description: Information about the Security Events Provider for signal ingestion + $ref: '#/components/schemas/SecurityEventsProviderSettingsResponse' + status: + description: Indicates whether the Security Events Provider is active or not + type: string + enum: + - ACTIVE + - INACTIVE + readOnly: true + type: + description: The application type of the Security Events Provider + maxLength: 255 + type: string + example: okta + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + SecurityEventsProviderSettingsNonSSFCompliant: + title: Provider with issuer and JWKS settings + description: Security Events Provider with issuer and JWKS settings for signal ingestion + type: object + properties: + issuer: + type: string + description: Issuer URL + maxLength: 700 + example: example.okta.com + jwks_url: + type: string + format: url + description: The public URL where the JWKS public key is uploaded + maxLength: 1000 + example: 
https://example.okta.com/oauth2/v1/keys + required: + - jwks_url + - issuer + SecurityEventsProviderSettingsResponse: + title: Security Events Provider settings + description: Security Events Provider settings + type: object + properties: + issuer: + type: string + description: Issuer URL + maxLength: 700 + example: example.okta.com + jwks_url: + type: string + format: url + description: The public URL where the JWKS public key is uploaded + maxLength: 1000 + example: https://example.okta.com/oauth2/v1/keys + well_known_url: + type: string + format: url + description: The well-known URL of the Security Events Provider (the SSF transmitter) + nullable: true + maxLength: 1000 + example: https://example.okta.com/.well-known/ssf-configuration + SecurityEventsProviderSettingsSSFCompliant: + title: Provider with well-known URL setting + description: Security Events Provider with well-known URL setting + type: object + properties: + well_known_url: type: string + format: url + description: The published well-known URL of the Security Events Provider (the SSF transmitter) + maxLength: 1000 + example: https://example.okta.com/.well-known/ssf-configuration + required: + - well_known_url SeedEnum: description: Determines whether the generated password is the user's Okta password or a randomly generated password default: RANDOM 
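Review bot: `SecurityEventsProviderResponse.settings` places `description` beside `$ref`; in OpenAPI 3.0.3 sibling keys of `$ref` are ignored, so that text is lost. Wrap it the way `SourceLinks.schema` does later in this patch (`allOf` with the `$ref` and a separate `description`). In the same hunk, `SecurityEventSubject` has `description` and `properties` but no `type: object`, unlike its siblings `SecurityEvent` and `SecurityEventReason`; `jwks_url` uses `format: url`, which is not a registered OAS format, while the rest of the patch uses `format: uri` (`StreamConfiguration`, `SubmissionResponse.logo`), and if the service only accepts `https` JWKS URLs the description should say so, since this URL is where SET signing keys are fetched from. The `issuer` example `example.okta.com` has no scheme, whereas the SET body example uses `iss: https://transmitter.example.com`; issuer comparison is an exact string match, so the example should be a full URL that would actually match a received `iss` claim. Finally, the `jti` example `24c63fb56f ... a9fa24` contains a literal ellipsis and would be emitted verbatim by doc and SDK generators; use a complete placeholder value.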
@@ -30478,19 +63634,18 @@ components: - OKTA - RANDOM SelfServicePasswordResetAction: - allOf: - - $ref: '#/components/schemas/PasswordPolicyRuleAction' - - type: object - - description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset - properties: - type: - type: string - readOnly: true - description: The type of rule action - enum: - - selfServicePasswordReset - requirement: - $ref: '#/components/schemas/SsprRequirement' + description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset + type: object + properties: + access: + $ref: '#/components/schemas/PolicyAccess' + requirement: + $ref: '#/components/schemas/SsprRequirement' + type: + type: string + description: <x-lifecycle class="oie"></x-lifecycle> The type of rule action + enum: + - selfServicePasswordReset Session: type: object properties: @@ -30594,6 +63749,7 @@ components: MFA_REQUIRED: The Session is established, but requires second factor verification. MFA_ENROLL: The Session is established, but the user needs to enroll a second factor. ShowSignInWithOV: + description: Controls whether to show the Sign in with Okta Verify button on the Sign-In Widget type: string enum: - ALWAYS 
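Review bot: `SelfServicePasswordResetAction.type` loses `readOnly: true` in this rewrite without a note explaining whether clients may now set it; if it is still server-controlled, keep the flag, and if the change is intentional the commit message should call out the removal of the `allOf` with `PasswordPolicyRuleAction` as a breaking shape change for generated SDKs. The new `access` property (`$ref: PolicyAccess`) has no description. The description also embeds a raw `<x-lifecycle class="oie"></x-lifecycle>` tag, which renders as literal markup in tools that don't know the extension; the `x-okta-lifecycle` vendor extension used on `SsprPrimaryRequirement.methodConstraints` later in this patch is the structured way to express the same thing.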
@@ -30610,443 +63766,2064 @@ components: properties: signInLabel: type: string + description: The label for the sign in widget usernameLabel: type: string + description: The label for the username field usernameInfoTip: type: string + description: The label for the username information tip passwordLabel: type: string + description: The label for the password field passwordInfoTip: type: string + description: The label for the password information tip showPasswordVisibilityToggle: type: boolean + description: Allows users to see their passwords as they type showUserIdentifier: type: boolean + description: Allows the user's identifier to appear on authentication and enrollment pages forgotPasswordLabel: type: string + description: The label for the forgot password page forgotPasswordUrl: type: string + description: The forgot password URL unlockAccountLabel: type: string + description: The label for the unlock account link unlockAccountUrl: type: string + description: The unlock account URL helpLabel: type: string + description: The label for the help link helpUrl: type: string + description: The help link URL customLink1Label: type: string + description: The label for the first custom link customLink1Url: type: string + description: The URL for the first custom link customLink2Label: type: string + description: The label for the second custom link customLink2Url: type: string + description: The URL for the second custom link authenticatorPageCustomLinkLabel: type: string + description: The label for the authenticator page custom link authenticatorPageCustomLinkUrl: type: string + description: The URL for the authenticator page custom link classicRecoveryFlowEmailOrUsernameLabel: type: string + description: The label for the username field in the classic recovery flow + widgetGeneration: + $ref: '#/components/schemas/WidgetGeneration' widgetVersion: $ref: '#/components/schemas/Version' SignInPageTouchPointVariant: + description: | + Variant for the Okta sign-in page. 
You can publish a theme for sign-in page with different combinations of assets. Variants are preset combinations of those assets. + > **Note:** For a non-`OKTA_DEFAULT` variant, `primaryColorHex` is used for button background color and `primaryColorContrastHex` is used to optimize the opacity for button text. + type: string + enum: + - BACKGROUND_IMAGE + - BACKGROUND_SECONDARY_COLOR + - OKTA_DEFAULT + x-enumDescriptions: + BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme + BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the Okta sign-in page. + OKTA_DEFAULT: Uses the Okta logo and favicon with no background image. Uses the Okta colors on the Okta sign-in page. + SignOnInlineHook: + properties: + id: + type: string + readOnly: false + SigningAlgorithm: + type: string + enum: + - ES256 + - ES384 + - ES512 + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + SimulatePolicyBody: + description: The request body required for a simulate policy operation + type: object + properties: + appInstance: + type: string + description: The application instance ID for a simulate operation + policyContext: + $ref: '#/components/schemas/PolicyContext' + policyTypes: + type: array + description: Supported policy types for a simulate operation. The default value, `null`, returns all types. 
+ items: + $ref: '#/components/schemas/PolicyTypeSimulation' + required: + - appInstance + SimulatePolicyEvaluations: + type: object + properties: + evaluated: + type: object + description: A list of evaluated but not matched policies and rules + properties: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + policyType: + type: array + description: The policy type of the simulate operation + items: + $ref: '#/components/schemas/PolicyTypeSimulation' + result: + $ref: '#/components/schemas/SimulatePolicyResult' + status: + $ref: '#/components/schemas/SimulateResultStatus' + undefined: + type: object + description: A list of undefined but not matched policies and rules + properties: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + SimulatePolicyResponse: + description: The response body returned for a simulate policy operation. An array of `evaluations`. + items: + $ref: '#/components/schemas/SimulatePolicyEvaluations' + type: array + SimulatePolicyResult: + description: The result of the policy evaluation + type: object + properties: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + SimulateResultConditions: + type: object + properties: + status: + $ref: '#/components/schemas/SimulateResultStatus' + type: + type: string + description: The type of condition + SimulateResultPolicies: + items: + $ref: '#/components/schemas/SimulateResultPoliciesItems' + type: array + SimulateResultPoliciesItems: + type: object + properties: + conditions: + type: array + description: List of all conditions involved for this policy evaluation + items: + $ref: '#/components/schemas/SimulateResultConditions' + id: + type: string + description: ID of the specified policy type + name: + type: string + description: Policy name + rules: + type: array + items: + $ref: '#/components/schemas/SimulateResultRules' + status: + $ref: '#/components/schemas/SimulateResultStatus' + SimulateResultRules: + type: object + properties: + conditions: + 
type: array + description: List of all conditions involved for this rule evaluation + items: + $ref: '#/components/schemas/SimulateResultConditions' + id: + type: string + description: The unique ID number of the policy rule + name: + type: string + description: The name of the policy rule + status: + $ref: '#/components/schemas/SimulateResultStatus' + SimulateResultStatus: + description: The result of this entity evaluation + type: string + enum: + - MATCH + - NOT_MATCH + - UNDEFINED + SingleLogout: + description: Determines if the app supports Single Logout (SLO) + type: object + properties: + enabled: + type: boolean + description: Whether the application supports SLO + issuer: + type: string + description: The issuer of the Service Provider that generates the SLO request + logoutUrl: + type: string + description: The location where the logout response is sent + SlackApplication: + title: Slack + x-tags: + - Application + x-okta-defined-as: + name: slack + example: + name: slack + label: Sample Slack App + signOnMode: SAML_2_0 + settings: + app: + domain: my-company-domain + description: | + Schema for the Slack app (key name: `slack`) + + To create a Slack app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Slack app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - slack + example: slack + signOnMode: + enum: + - BROWSER_PLUGIN + - SAML_2_0 + settings: + $ref: '#/components/schemas/SlackApplicationSettings' + SlackApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/SlackApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + SlackApplicationSettingsApplication: + description: Slack app instance properties + type: object + properties: + domain: + type: string + description: The Slack app domain name + userEmailValue: + type: string + description: The `User.Email` attribute value + required: + - domain + SloParticipate: + description: Determines if the app participates in Single Logout (SLO) + type: object + properties: + bindingType: + type: string + description: Request binding type + enum: + - POST + - REDIRECT + enabled: + type: boolean + description: Indicates whether the app is allowed to participate in front-channel SLO + logoutRequestUrl: + type: string + description: URL where Okta sends the logout request + sessionIndexRequired: + type: boolean + description: Determines whether Okta sends the `SessionIndex` elements in the logout request + SmsTemplate: + type: object + properties: + created: + type: string + format: date-time + readOnly: true + id: + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + description: Human-readable name of the Template + maxLength: 50 + minLength: 1 + template: + type: string + description: Text of the Template, including any [macros](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/) + maxLength: 161 + minLength: 1 + translations: + $ref: 
'#/components/schemas/SmsTemplateTranslations' + type: + $ref: '#/components/schemas/SmsTemplateType' + SmsTemplateTranslations: + description: | + - Template translations are optionally provided when you want to localize the SMS messages. Translations are provided as an object that contains `key:value` pairs: the language and the translated Template text. The key portion is a two-letter country code that conforms to [ISO 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The value is the translated SMS Template. + - Just like with regular SMS Templates, the length of the SMS message can't exceed 160 characters. + type: object + x-okta-extensible: true + SmsTemplateType: + description: Type of the Template + maxLength: 50 + minLength: 1 + type: string + enum: + - SMS_VERIFY_CODE + SocialAuthToken: + description: The Social Authentication Token object provides the tokens and associated metadata provided by social providers during social authentication. + type: object + properties: + expiresAt: + $ref: '#/components/schemas/ExpiresAt' + id: + type: string + description: Unique identifier for the token + readOnly: true + example: NXp9GaX1eOA-XVF_H9fn2Q + scopes: + type: array + description: The scopes that the token is good for + readOnly: true + items: + type: string + example: + - openid + - foo + token: + type: string + description: The raw token + readOnly: true + example: JBTWGV22G4ZGKV3N + tokenAuthScheme: + type: string + readOnly: true + description: The token authentication scheme as defined by the social provider + example: Bearer + tokenType: + type: string + readOnly: true + description: The type of token defined by the [OAuth Token Exchange Spec](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07#section-3) + example: urn:ietf:params:oauth:token-type:access_token + SourceLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + schema: + allOf: + - $ref: '#/components/schemas/HrefObject' + - 
description: The associated schema + SplunkEdition: + description: Edition of the Splunk Cloud instance + example: aws + type: string + enum: + - aws + - aws_govcloud + - gcp + SplunkHost: + description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. For example: `acme.splunkcloud.com`' + minLength: 17 + maxLength: 116 + example: acme.splunkcloud.com + type: string + SplunkToken: + description: The HEC token for your Splunk Cloud HTTP Event Collector. The token value is set at object creation, but isn't returned. + example: 11111111-1111-2222-2222-222222222222 + writeOnly: true + type: string + pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ + Sso: + description: 'Supported SSO protocol configurations. You must configure at least one protocol: `oidc` or `saml`' + type: object + properties: + oidc: + $ref: '#/components/schemas/Oidc' + saml: + $ref: '#/components/schemas/Saml' + SsprPrimaryRequirement: + description: Defines the authenticators permitted for the initial authentication step of password recovery + type: object + properties: + methodConstraints: + description: Constraints on the values specified in the `methods` array. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodConstraint' + methods: + type: array + description: Authenticator methods allowed for the initial authentication step of password recovery. Method `otp` requires a constraint limiting it to a Google authenticator. 
+ items: + type: string + enum: + - push + - sms + - voice + - email + - otp + SsprRequirement: + description: <x-lifecycle class="oie"></x-lifecycle> Describes the initial and secondary authenticator requirements a user needs to reset their password + type: object + properties: + accessControl: + description: Determines which authentication requirements a user needs to perform self-service operations. `AUTH_POLICY` defers conditions and authentication requirements to the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). `LEGACY` refers to the requirements described by this rule. + type: string + enum: + - AUTH_POLICY + - LEGACY + primary: + $ref: '#/components/schemas/SsprPrimaryRequirement' + stepUp: + $ref: '#/components/schemas/SsprStepUpRequirement' + SsprStepUpRequirement: + description: |- + Defines the secondary authenticators needed for password reset if `required` is true. The following are three valid configurations: + * `required`=false + * `required`=true with no methods to use any SSO authenticator + * `required`=true with `security_question` as the method + type: object + properties: + methods: + description: Authenticator methods required for secondary authentication step of password recovery. Specify this value only when `required` is true and `security_question` is permitted for the secondary authentication. 
+ type: array + items: + type: string + enum: + - security_question + required: + type: boolean + StandardRole: + title: Standard Role Assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Role Assignment ID + readOnly: true + label: + type: string + description: Label for the Role Assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the Role Assignment + type: + $ref: '#/components/schemas/RoleType' + _embedded: + type: object + description: Optional embedded resources for the Role Assignment + properties: + targets: + type: object + description: Targets configured for the Role Assignment + properties: + groups: + type: array + description: Group targets + items: + $ref: '#/components/schemas/Group' + catalog: + description: App targets + properties: + apps: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + _links: + $ref: '#/components/schemas/LinksAssignee' + StandardRoleAssignmentSchema: + title: Standard Role + type: object + properties: + type: + type: string + description: Specify the standard or IAM-based role type. See [standard roles](/openapi/okta-management/guides/roles/#standard-roles). + StreamConfiguration: + title: Stream Configuration + type: object + properties: + aud: + oneOf: + - type: string + format: uri + example: https://example.com + - type: array + items: + type: string + format: uri + example: https://example.com + description: |- + The audience used in the SET. This value is set as `aud` in the claim. + + A read-only parameter that is set by the transmitter. 
If this parameter is included in the request, the value must match the expected value from the transmitter. + example: https://example.com + delivery: + $ref: '#/components/schemas/StreamConfigurationDelivery' + events_delivered: + type: array + items: + type: string + format: uri + description: |- + The events (mapped by the array of event type URIs) that the transmitter actually delivers to the SSF Stream. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. + example: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + type: array + maxItems: 50 + items: + type: string + format: uri + maxLength: 256 + description: The events (mapped by the array of event type URIs) that the receiver wants to receive + example: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + type: array + items: + type: string + format: uri + description: |- + An array of event type URIs that the transmitter supports. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. + example: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + format: + type: string + description: The Subject Identifier format expected for any SET transmitted. + enum: + - iss_sub + iss: + type: string + description: |- + The issuer used in Security Event Tokens (SETs). This value is set as `iss` in the claim. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. 
+ example: https://{yourOktaDomain} + min_verification_interval: + type: integer + nullable: true + example: 60 + description: |- + The minimum amount of time, in seconds, between two verification requests. + + A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. + stream_id: + type: string + description: The ID of the SSF Stream configuration + example: esc1k235GIIztAuGK0g5 + required: + - events_requested + - delivery + StreamConfigurationCreateRequest: + title: Stream Configuration Create Request + type: object + properties: + delivery: + $ref: '#/components/schemas/StreamConfigurationDelivery' + events_requested: + type: array + maxItems: 50 + items: + type: string + format: uri + maxLength: 256 + description: The events (mapped by the array of event type URIs) that the receiver wants to receive + example: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - https://schemas.openid.net/secevent/caep/event-type/credential-change + format: + type: string + description: The Subject Identifier format expected for any SET transmitted. 
+ enum: + - iss_sub + required: + - events_requested + - delivery + StreamConfigurationDelivery: + title: Stream Configuration Delivery + description: Contains information about the intended SET delivery method by the receiver + type: object + properties: + authorization_header: + type: string + description: The HTTP Authorization header that is included for each HTTP POST request + example: '{authorizationHeaderValue}' + nullable: true + maxLength: 8192 + endpoint_url: + type: string + format: uri + description: The target endpoint URL where the transmitter delivers the SET using HTTP POST requests + example: https://example.com/ + maxLength: 2048 + method: + type: string + description: The delivery method that the transmitter uses for delivering a SET + enum: + - https://schemas.openid.net/secevent/risc/delivery-method/push + - urn:ietf:rfc:8935 + required: + - method + - endpoint_url + SubjectType: + type: string + enum: + - pairwise + - public + SubmissionRequest: + allOf: + - $ref: '#/components/schemas/SubmissionResponse' + required: + - name + - description + - logo + SubmissionResponse: + type: object + properties: + config: + type: array + description: 'List of org-level variables for the customer per-tenant configuration. For example, a `subdomain` variable can be used in the ACS URL: `https://${org.subdomain}.example.com/saml/login`' + items: + type: object + properties: + label: + type: string + description: Display name of the variable in the Admin Console + example: Subdomain + name: + type: string + maxLength: 1024 + minLength: 1 + description: Name of the variable + example: subdomain + description: + type: string + maxLength: 1024 + minLength: 1 + description: A general description of your application and the benefits provided to your customers + example: Your one source for in-season strawberry deals. Okta's Strawberry Central integration allow users to securely access those sweet deals. 
+ id: + type: string + description: OIN Integration ID + readOnly: true + example: acme_submissionapp_1 + lastPublished: + type: string + description: Timestamp when the OIN Integration was last published + readOnly: true + example: '2023-08-24T14:15:22.000Z' + lastUpdated: + type: string + description: Timestamp when the OIN Integration instance was last updated + readOnly: true + example: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: + type: string + description: ID of the user who made the last update + readOnly: true + example: 00ub0oNGTSWTBKOLGLNR + logo: + type: string + format: uri + description: URL to an uploaded application logo. This logo appears next to your app integration name in the OIN catalog. You must first [Upload an OIN Integration logo](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/uploadSubmissionLogo) to obtain the logo URL before you can specify this value. + example: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + name: + type: string + maxLength: 64 + minLength: 1 + description: The app integration name. This is the main title used for your integration in the OIN catalog. + example: Strawberry Central + sso: + $ref: '#/components/schemas/Sso' + status: + type: string + description: Status of the OIN Integration submission + readOnly: true + example: New + Subscription: + type: object + properties: + channels: + description: |- + An array of sources send notifications to users. + > **Note**: Currently, Okta only allows `email` channels. 
+ items: + type: string + type: array + notificationType: + $ref: '#/components/schemas/NotificationType' + status: + $ref: '#/components/schemas/SubscriptionStatus' + _links: + type: object + description: Discoverable resources related to the subscription + properties: + self: + $ref: '#/components/schemas/HrefObject' + readOnly: true + SubscriptionStatus: + description: The status of the subscription type: string enum: - - BACKGROUND_IMAGE - - BACKGROUND_SECONDARY_COLOR - - OKTA_DEFAULT - SignOnInlineHook: + - subscribed + - unsubscribed + SupportedMethods: + description: The supported methods of an Authenticator + type: object properties: - id: + settings: + type: object + properties: + keyProtection: + $ref: '#/components/schemas/PushMethodKeyProtection' + algorithms: + description: The encryption algorithm for this authenticator method + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' + transactionTypes: + type: array + description: The transaction type for this authenticator method + items: + $ref: '#/components/schemas/AuthenticatorMethodTransactionType' + status: + description: The status of the authenticator method + $ref: '#/components/schemas/LifecycleStatus' + type: type: string - readOnly: false - SimulatePolicyBody: + description: The type of authenticator method + enum: + - push + SwaApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + app: + $ref: '#/components/schemas/SwaApplicationSettingsApplication' + SwaApplicationSettingsApplication: type: object - description: The request body required for a simulate policy operation. properties: - policyTypes: - type: array - description: Supported policy types for a simulate operation. The default value, `null`, returns all types. 
- items: - $ref: '#/components/schemas/PolicyType' - appInstance: + buttonField: type: string - description: The application instance ID for a simulate operation - policyContext: - $ref: '#/components/schemas/PolicyContext' + description: CSS selector for the **Sign-In** button in the sign-in form (for SWA apps with the `template_swa` app name definition) + buttonSelector: + type: string + description: CSS selector for the **Sign-In** button in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) + extraFieldSelector: + type: string + description: Enter the CSS selector for the extra field (for three-field SWA apps with the `template_swa3field` app name definition). + extraFieldValue: + type: string + description: Enter the value for the extra field in the form (for three-field SWA apps with the `template_swa3field` app name definition). + loginUrlRegex: + type: string + description: A regular expression that further restricts targetURL to the specified regular expression + passwordField: + type: string + description: CSS selector for the **Password** field in the sign-in form (for SWA apps with the `template_swa` app name definition) + passwordSelector: + type: string + description: CSS selector for the **Password** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) + targetURL: + type: string + description: The URL of the sign-in page for this app (for three-field SWA apps with the `template_swa3field` app name definition) + url: + type: string + description: The URL of the sign-in page for this app (for SWA apps with the `template_swa` app name definition) + usernameField: + type: string + description: CSS selector for the **Username** field in the sign-in form (for SWA apps with the `template_swa` app name definition) + userNameSelector: + type: string + description: CSS selector for the **Username** field in the sign-in form (for three-field SWA apps with the 
`template_swa3field` app name definition) required: - - appInstance - SimulatePolicyEvaluations: + - buttonField + - passwordField + - usernameField + - url + TelephonyRequest: type: object properties: - status: + data: + $ref: '#/components/schemas/TelephonyRequestData' + eventType: type: string - description: The result of this entity evaluation - enum: - - MATCH - - NOT_MATCH - - UNDEFINED - policyType: - type: array - description: The policy type of the simulate operation - items: - $ref: '#/components/schemas/PolicyType' - result: - $ref: "#/components/schemas/SimulatePolicyResult" - undefined: + description: The type of inline hook. The Telephony inline hook type is `com.okta.telephony.provider`. + requestType: + type: string + description: The type of inline hook request. For example, `com.okta.user.telephony.pre-enrollment`. + source: + description: The ID and URL of the Telephony inline hook + type: string + TelephonyRequestData: + type: object + properties: + context: type: object - description: A list of undefined but not matched policies and rules properties: - policies: - $ref: "#/components/schemas/SimulateResultPolicies" - evaluated: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + messageProfile: type: object - description: A list of evaluated but not matched policies and rules + description: Message profile specifies information about the telephony (sms/voice) message to be sent to the Okta user properties: - policies: - $ref: "#/components/schemas/SimulateResultPolicies" - SimulatePolicyResponse: - description: The response body returned for a simulate policy operation. An array of `evaluations`. 
- items: - $ref: '#/components/schemas/SimulatePolicyEvaluations' - type: array - SimulatePolicyResult: - description: The result of the policy evaluation + msgTemplate: + description: Default or Okta org configured sms or voice message template + type: string + phoneNumber: + description: The Okta's user's phone number + type: string + otpExpires: + description: The time when OTP expires + type: string + deliveryChannel: + description: The channel for OTP delivery - SMS or voice + type: string + otpCode: + description: The OTP code requested by the Okta user + type: string + locale: + description: The locale associated with the Okta user + type: string + userProfile: + type: object + description: User profile specifies information about the Okta user + properties: + firstName: + description: The user's first name + type: string + lastName: + description: The user's last name + type: string + login: + description: The user's Okta login + type: string + userId: + description: The user's Okta user ID + type: string + TelephonyRequestExecute: + description: Telephony inline hook request body + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TelephonyRequest' + TelephonyResponse: + description: Telephony inline hook response type: object properties: - policies: - $ref: '#/components/schemas/SimulateResultPolicies' - SimulateResultConditions: + commands: + description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the Telephony inline hook, you typically only return one `commands` object with one array element in it. + type: array + items: + type: object + properties: + type: + description: The location where you specify the command. For the Telephony inline hook, there's only one command, `com.okta.telephony.action`. 
+ type: string + value: + description: The status of the telephony operation along with optional additional information about the provider, transaction ID and any other transaction metadata. + type: array + items: + type: object + properties: + status: + type: string + description: Status of telephony callout + enum: + - SUCCESSFUL + - PENDING + - FAILED + x-enumDescriptions: + SUCCESSFUL: External web service was able to deliver the OTP to the Requester. + PENDING: External web service wasn't able to confirm delivery of the OTP to the Requester. + FAILED: External web service was unable to deliver the OTP to the Requester. + provider: + type: string + description: Telephony provider for sms/voice + transactionId: + type: string + description: Transaction ID for sms/voice + transactionMetadata: + type: string + description: Any relevant metadata for the telephony transaction + TempPassword: type: object properties: - status: + tempPassword: type: string - description: The result of the entity evaluation - enum: - - MATCH - - UNMATCHED - - UNDEFINED - type: + readOnly: true + TestInfo: + description: Integration Testing Information + type: object + properties: + escalationSupportContact: type: string - description: The type of condition - SimulateResultPolicies: - items: - $ref: '#/components/schemas/SimulateResultPoliciesItems' - type: array - SimulateResultPoliciesItems: + maxLength: 255 + description: An email for Okta to contact your company about your integration. This email isn't shared with customers. + example: strawberry.support@example.com + oidcTestConfiguration: + type: object + description: OIDC test details + properties: + idp: + type: boolean + description: Read only.<br>Indicates if your integration supports IdP-initiated sign-in flows. 
If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) is specified, this property is set to `true`. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) isn't set for the integration submission, this property is set to `false` + readOnly: true + sp: + type: boolean + description: Read only.<br>Indicates if your integration supports SP-initiated sign-in flows and is always set to `true` for OIDC SSO + readOnly: true + jit: + type: boolean + description: Indicates if your integration supports Just-In-Time (JIT) provisioning + spInitiateUrl: + type: string + format: uri + maxLength: 512 + description: URL for SP-initiated sign-in flows (required if `sp = true`) + example: https://test.example.com/strawberry/oidc/sp-init + required: + - spInitiateUrl + samlTestConfiguration: + type: object + description: SAML test details + properties: + idp: + type: boolean + description: Indicates if your integration supports IdP-initiated sign-in + sp: + type: boolean + description: Indicates if your integration supports SP-initiated sign-in + jit: + type: boolean + description: Indicates if your integration supports Just-In-Time (JIT) provisioning + spInitiateUrl: + type: string + format: uri + maxLength: 512 + description: URL for SP-initiated sign-in flows (required if `sp = true`) + example: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: + type: string + maxLength: 2048 + description: Instructions on how to sign in to your app using the SP-initiated flow (required if `sp = true`) + example: Go to your app URL from a browser and enter your username + required: + - spInitiateUrl + testAccount: + type: object + description: An account on a test instance of your app with admin privileges. 
A test admin account is required by Okta for integration testing. During OIN QA testing, an Okta analyst uses this admin account to configure your app for the various test case flows. + properties: + url: + type: string + format: uri + maxLength: 512 + description: The sign-in URL to a test instance of your app + example: https://example.com/strawberry/login + username: + type: string + maxLength: 255 + description: The username for your app admin account + example: test@example.com + password: + type: string + maxLength: 255 + description: The password for your app admin account + example: sUperP@ssw0rd + instructions: + type: string + maxLength: 2048 + description: Additional instructions to test the app integration, including instructions for obtaining test accounts + example: Go to your app URL from a browser and enter your credentials + required: + - url + - username + - password + required: + - escalationSupportContact + ThemeResponse: type: object properties: + backgroundImage: + readOnly: true + type: string + emailTemplateTouchPointVariant: + $ref: '#/components/schemas/EmailTemplateTouchPointVariant' + endUserDashboardTouchPointVariant: + $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' + errorPageTouchPointVariant: + $ref: '#/components/schemas/ErrorPageTouchPointVariant' + favicon: + readOnly: true + type: string id: + readOnly: true type: string - name: + loadingPageTouchPointVariant: + $ref: '#/components/schemas/LoadingPageTouchPointVariant' + logo: + readOnly: true type: string - status: + primaryColorContrastHex: type: string - conditions: - type: array - $ref: "#/components/schemas/SimulateResultConditions" - rules: - type: array - $ref: "#/components/schemas/SimulateResultRules" - SimulateResultRules: - type: object - properties: - id: + description: Primary color contrast hex code + primaryColorHex: type: string - description: The unique ID number of the policy rule - name: + description: Primary color hex code + 
secondaryColorContrastHex: type: string - description: The name of the policy rule - status: + description: Secondary color contrast hex code + secondaryColorHex: type: string - description: The result of the entity evaluation - enum: - - MATCH - - UNMATCHED - - UNDEFINED - conditions: - type: array - $ref: "#/components/schemas/SimulateResultConditions" - SingleLogout: + description: Secondary color hex code + signInPageTouchPointVariant: + $ref: '#/components/schemas/SignInPageTouchPointVariant' + _links: + $ref: '#/components/schemas/LinksSelf' + ThirdPartyAdminSetting: + description: The third-party admin setting type: object properties: - enabled: + thirdPartyAdmin: type: boolean - issuer: - type: string - logoutUrl: - type: string - SloParticipate: + description: Indicates if third-party admin is enabled + example: false + ThreatInsightConfiguration: type: object properties: - bindingType: + action: type: string - description: Request binding type + description: Specifies how Okta responds to authentication requests from suspicious IP addresses enum: - - POST - - REDIRECT - enabled: - type: boolean - description: Allows the app to participate in front-channel single logout. - logoutRequestUrl: - type: string - description: URL where Okta sends the logout request. - sessionIndexRequired: - type: boolean - description: Include user session details. 
- SmsTemplate: - type: object - properties: + - none + - audit + - block + x-enumDescriptions: + none: Indicates that ThreatInsight is disabled + audit: Indicates that Okta logs suspicious requests to the System Log + block: Indicates that Okta logs suspicious requests to the System Log and blocks the requests + example: none created: type: string format: date-time + description: Timestamp when the ThreatInsight Configuration object was created + example: '2020-08-05T22:18:30.629Z' readOnly: true - id: - type: string - readOnly: true + excludeZones: + type: array + description: |- + Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs. + IPs in the excluded network zones aren't logged or blocked. + This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked. + items: + type: string + example: [] lastUpdated: type: string format: date-time + description: Timestamp when the ThreatInsight Configuration object was last updated readOnly: true - name: - type: string - template: - type: string - translations: - $ref: '#/components/schemas/SmsTemplateTranslations' - type: - $ref: '#/components/schemas/SmsTemplateType' - SmsTemplateTranslations: + example: '2020-09-08T20:53:20.882Z' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - action + TimeDuration: + description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). + type: string + pattern: ^P(?:$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?:\d)(\d+H)?(\d+M)?(\d+S)?)?$ + TokenAuthorizationServerPolicyRuleAction: type: object - x-okta-extensible: true - SmsTemplateType: + properties: + accessTokenLifetimeMinutes: + type: integer + description: Lifetime of the access token in minutes. The minimum is five minutes. The maximum is one day. 
+ inlineHook: + $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' + refreshTokenLifetimeMinutes: + type: integer + description: Lifetime of the refresh token is the minimum access token lifetime. + refreshTokenWindowMinutes: + type: integer + description: Timeframe when the refresh token is valid. The minimum is 10 minutes. The maximum is five years (2,628,000 minutes). + TokenAuthorizationServerPolicyRuleActionInlineHook: + type: object + properties: + id: + type: string + readOnly: false + TokenDeliveryMode: type: string enum: - - SMS_VERIFY_CODE - SmsUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object + - poll + TokenHookResponse: + description: |- + For the token inline hook, the `commands` and `error` objects that you can return in the JSON payload of your response are defined in the following sections. + > **Note:** The size of your response payload must be less than 256 KB. + type: object + properties: + commands: + description: |- + You can use the `commands` object to provide commands to Okta. It's where you can tell Okta to add more claims to the token. + The `commands` object is an array, allowing you to send multiple commands. In each array element, there needs to be a `type` property and `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command. + In the case of the token hook type, the `value` property is itself a nested object in which you specify a particular operation, a path to act on, and a value. + type: array + items: + type: object + properties: + type: + description: |- + One of the supported commands: + `com.okta.identity.patch`: Modify an ID token + `com.okta.access.patch`: Modify an access token + > **Note:** The `commands` array should only contain commands that can be applied to the requested tokens. 
For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`. + type: string + value: + description: The `value` object is where you specify the operation to perform. It's an array, which allows you to request more than one operation. + type: array + items: + type: object + properties: + op: + description: |- + The name of one of the supported ops: `add`: Add a claim. `replace`: Modify an existing claim and update the token lifetime. `remove`: Remove an existing claim. + #### `op: add` notes + + <details> + <summary>Add a claim</summary> + + Add a claim + + **Existing JSON** + + ``` + { + "employeeId": "00u12345678" + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.assertion.patch", + "value": [ + { + "op": "add", + "path": "/claims/extPatientId", + "value": "1234" + } + ] + }, + { + "type": "com.okta.assertion.patch", + "value": [ + { + "op": "add", + "path": "/claims/external_guid", + "value": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 1234, + "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ``` + + > **Note:** If you use the `add` operation and include an existing claim in your response with a different value, that value is replaced. Use the `replace` operation instead. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. See `op: replace` notes. + </details> + + <details> + <summary>Add new members to existing JSON objects</summary> + + If you have a JSON object in a claim called `employee_profile`, and you want to add the `department_id` member to the claim, the existing JSON is updated by specifying the claim in the path, followed by the name of the object member. 
+ + **Existing JSON** + + ``` + { + "employee_profile": { + "employee_id": "1234", + "name": "Anna" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "add", + "path": "/claims/employee_profile/department_id", + "value": "4947" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employee_profile": { + "employee_id": "1234", + "name": "Anna", + "department_id": "4947" + } + } + ``` + + > **Note:** If you attempt to add a member within a JSON object that doesn't exist or using an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + </details> + + <details> + <summary>Add new elements to existing arrays</summary> + + Append an element to an array by specifying the name of the array, followed by the index where you want to insert the element in the path. Alternatively, you can specify the array name followed by a hyphen (-) in the path to append an element at the end of the array. For example, you have an array that contains the user's preferred airports, and you want to add a new airport to the array. The existing target JSON object is updated by specifying the claim in the path, followed by the index of where to insert the claim. + + **Existing JSON** + + ``` + { + "preferred_airports":[ + "sjc", + "sfo", + "oak" + ] + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "add", + "path": "/claims/preferred_airports/3", + "value": "lax" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "preferred_airports":[ + "sjc", + "sfo", + "oak", + "lax" + ] + } + ``` + + > **Note:** If you attempt to add an element within an array that doesn't exist or specify an invalid index, the entire PATCH fails and errors are logged in the token hooks events. 
+ </details> + + #### `op: replace` notes + + <details> + <summary>Modify an existing claim</summary> + + You can modify (`replace`) existing custom claims or OIDC standard profile claims, such as `birthdate` and `locale`. You can't, however, modify any system-specific claims, such as `iss` or `ver`. Also, you can't modify a claim that isn't currently part of the token in the request payload. Attempting to modify a system-specific claim or using an invalid operation results in the entire PATCH failing and errors logged in the token hooks events. + + See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. + + > **Note:** Although the `aud` and `sub` claims are listed as reserved claims, you can modify those claims in access tokens. You can't modify these claims in ID tokens. + + See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. + + **Existing target JSON object** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 1234, + "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/claims/extPatientId", + "value": "12345" + }, + { + "op": "replace", + "path": "/claims/external_guid", + "value": "D1495796-G98E-585C-959E-1269CD6766B8" + } + ] + } + ] + } + ``` + + **Updated JSON*** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 12345, + "external_guid": "D1495796-G98E-585C-959E-1269CD6766B8" + } + ``` + + </details> + + <details> + <summary>Modify members within existing JSON objects and arrays</summary> + + Use the `replace` operation to modify members within JSON objects and elements within arrays. 
For example, you have a JSON object in a claim called `employee_profile`, and you want to update the email address of the employee. The existing target JSON object is updated by specifying the claim in the path, followed by the name of the object member that you want to modify. + + **Existing target JSON object** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna.v@company.com" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/claims/employee_profile/email", + "value": "anna@company.com" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna@company.com" + } + } + ``` + + > **Note:** If you attempt to modify a member within a JSON object that doesn't exist or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + + Similarly, you can replace elements in an array by specifying the array name and the valid index of the element that you want to replace in the path. + </details> + + <details> + <summary>Modify token lifetimes</summary> + You can modify how long the access and ID tokens are valid by specifying the `lifetime` in seconds. The `lifetime` value must be a minimum of five minutes (300 seconds) and a maximum of 24 hours (86,400 seconds). + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/token/lifetime/expiration", + "value": 36000 + } + ] + }, + { + "type": "com.okta.access.patch", + "value": [ + { + "op": "replace", + "path": "/token/lifetime/expiration", + "value": 36000 + } + ] + } + ] + } + ``` + + </details> + + #### `op: remove` notes + + <details> + <summary>Remove a claim</summary> + + You can remove existing custom claims or OIDC standard profile claims, such as `birthdate` or `locale`. 
You can't, however, remove any system-specific claims, such as `iss` or `ver`. You also can't remove a claim that isn't currently part of the token in the request payload. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + + See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. + + See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/birthdate", + "value": null + } + ] + }, + { + "type": "com.okta.access.patch", + "value": [ + { + "op": "remove", + "path": "/claims/external_guid" + } + ] + } + ] + } + ``` + + > **Note:** The `value` property for the `remove` operation isn't required. If you provide it in the response, it should be set to `null`. Providing any other value fails the entire PATCH response. + + </details> + + <details> + <summary>Remove members from existing arrays</summary> + + Use the `remove` operation to remove members from existing arrays. For example, you have an array that contains the user's preferred airports, and you want to remove an airport from the array. The existing target JSON object is updated by specifying the array name followed by the index of the element that you want to remove. You don't need to specify a value for the remove operation, but you can specify `null` as the value if you want. 
+ + **Existing target JSON object** + + ``` + { + "preferred_airports": [ + "sjc", + "lax", + "sfo", + "oak" + ] + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/preferred_airports/1" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "preferred_airports": [ + "sjc", + "sfo", + "oak" + ] + } + ``` + + </details> + + <details> + <summary>Remove members from existing JSON objects</summary> + + Use the `remove` operation to remove members from existing JSON objects. Do this by specifying the JSON object in the path, followed by the claim member that you would like to remove. For example, you have an `employee_profile` claim, and you want to remove `email` from it. + + **Existing target JSON object** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna.v@company.com" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/employee_profile/email" + } + ] + } + ] + } + ``` + + **Updated JSON** + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + } + } + ``` + + </details> + type: string + path: + description: Location within the token to apply the operation, specified as a slash-delimited path. When you add, replace, or remove a claim, this path always begins with `/claims/` and is followed by the name of the new claim that you're adding. When you replace a token lifetime, the path should always be `/token/lifetime/expiration`. + type: string + value: + description: Value to set the claim to. + oneOf: + - type: string + - type: integer + - type: object + error: + description: When an error object is returned, it causes Okta to return an OAuth 2.0 error to the requester of the token. 
In the error response, the value of `error` is `server_error`, and the value of `error_description` is the string that you supplied in the `errorSummary` property of the `error` object that you returned. + type: object properties: - profile: - $ref: '#/components/schemas/SmsUserFactorProfile' - SmsUserFactorProfile: + errorSummary: + description: 'Human-readable summary of the error. If the error object doesn''t include the `errorSummary` property defined, the following common default message is returned to the end user: `The callback service returned an error`.' + type: string + TokenPayLoad: type: object properties: - phoneNumber: - type: string - SocialAuthToken: + data: + type: object + properties: + context: + allOf: + - $ref: '#/components/schemas/BaseContext' + - type: object + properties: + protocol: + description: Details of the authentication protocol + type: object + properties: + type: + description: The type of authentication protocol used + type: string + example: OAUTH2.0 + request: + $ref: '#/components/schemas/TokenProtocolRequest' + OriginalGrant: + description: Information about the original token request used to get the refresh token being used, when in a refresh token request + type: object + properties: + request: + $ref: '#/components/schemas/TokenProtocolRequest' + refresh_token: + $ref: '#/components/schemas/RefreshToken' + issuer: + description: The authorization server's issuer identifier + type: object + properties: + uri: + description: The authorization server's issuer identifier + type: string + format: uri + client: + description: The client making the token request + type: object + properties: + id: + description: The unique identifier of the client + type: string + name: + description: The name of the client + type: string + type: + description: The type of client + type: string + example: PUBLIC + policy: + description: The authorization server policy used to mint the token + type: object + properties: + id: + description: The 
unique identifier for the policy + type: string + example: 00p4ktaq2ryOYtsHC0g7 + rule: + description: The authorization server policy rule used to mint the token + type: object + properties: + id: + description: The unique identifier for the policy rule + type: string + example: 0pr4ktb7elD3ZvrMy0g7 + identity: + allOf: + - description: Provides information on the properties of the ID token that Okta has generated, including the existing claims that it contains + - $ref: '#/components/schemas/BaseToken' + access: + allOf: + - description: Provides information on the properties of the access token that Okta has generated, including the existing claims that it contains + - $ref: '#/components/schemas/BaseToken' + - type: object + properties: + scopes: + description: The scopes contained in the token. For descriptions of the scopes that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#scopes). + type: object + refresh_token: + $ref: '#/components/schemas/RefreshToken' + TokenProtocolRequest: + description: Details of the token request type: object properties: - expiresAt: + client_id: + description: The ID of the client associated with the token type: string - format: date-time - readOnly: true - id: + grant_type: + $ref: '#/components/schemas/GrantType' + redirect_uri: + description: Specifies the callback location where the authorization was sent type: string - readOnly: true - scopes: - type: array - items: - type: string - token: + format: uri + response_mode: + description: The authorization response mode type: string - tokenAuthScheme: + enum: + - form_post + - fragment + - okta_post_message + - query + response_type: + description: The authorization response type type: string - tokenType: + enum: + - code + - id_token + - token + - none + scope: + description: The scopes requested type: string - SourceLinks: + state: + type: string + TokenRequest: + description: Token inline hook request allOf: - - 
$ref: '#/components/schemas/LinksSelf' - - type: object - properties: - schema: - allOf: - - $ref: '#/components/schemas/HrefObject' - - description: The associated schema - SpCertificate: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TokenPayLoad' + TokenResourcesHrefObject: type: object properties: - x5c: - type: array - items: - type: string - SplunkEdition: - description: Edition of the Splunk Cloud instance - example: aws + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens + TokenResponse: + type: object + properties: + access_token: + type: string + description: An access token. + device_secret: + type: string + description: An opaque device secret. This is returned if the `device_sso` scope is granted. + expires_in: + type: integer + description: The expiration time of the access token in seconds. + id_token: + type: string + description: An ID token. This is returned if the `openid` scope is granted. + issued_token_type: + $ref: '#/components/schemas/TokenType' + refresh_token: + type: string + description: An opaque refresh token. This is returned if the `offline_access` scope is granted. + scope: + type: string + description: The scopes contained in the access token. + token_type: + $ref: '#/components/schemas/TokenResponseTokenType' + TokenResponseTokenType: + description: The token type in a `/token` response. The value is generally `Bearer` except for a few instances of token exchange. type: string enum: - - aws - - aws_govcloud - - gcp - SplunkHost: - description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. For example: `acme.splunkcloud.com`' - minLength: 17 - maxLength: 116 - example: acme.splunkcloud.com - type: string - SplunkToken: - description: The HEC token for your Splunk Cloud HTTP Event Collector. 
The token value is set at object creation, but isn't returned. - example: 11111111-1111-2222-2222-222222222222 - writeOnly: true + - Bearer + - N_A + TokenType: + description: The type of token for token exchange. type: string - pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ - SsprPrimaryRequirement: - type: object - description: Defines the authenticators permitted for the initial authentication step of password recovery - properties: - methods: - type: array - description: Authenticator methods allowed for the initial authentication step of password recovery - items: - type: string - enum: - - push - - sms - - voice - - email - x-okta-feature-flag-amends: - IDX_SSPR_EXTENDED_PRIMARY_FACTORS: - description: Authenticator methods allowed for the initial authentication step of password recovery. Method `otp` requires a constraint limiting it to a Google authenticator. - items: - type: string - enum: - - push - - sms - - voice - - email - - otp - methodConstraints: - description: Constraints on the values specified in the `methods` array. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint. 
- x-okta-lifecycle: - features: - - IDX_SSPR_EXTENDED_PRIMARY_FACTORS - type: array - items: - $ref: '#/components/schemas/AuthenticatorMethodConstraint' - SsprRequirement: - description: Describes the initial and secondary authenticator requirements a user needs to reset their password + enum: + - urn:ietf:params:oauth:token-type:access_token + - urn:ietf:params:oauth:token-type:id_token + - urn:ietf:params:oauth:token-type:jwt + - urn:ietf:params:oauth:token-type:refresh_token + - urn:ietf:params:oauth:token-type:saml1 + - urn:ietf:params:oauth:token-type:saml2 + - urn:okta:oauth:token-type:web_sso_token + - urn:x-oath:params:oauth:token-type:device-secret + TrendMicroApexOneServiceApplication: + title: Trend Micro Apex One Service + x-tags: + - Application + x-okta-defined-as: + name: trendmicroapexoneservice + example: + name: trendmicroapexoneservice + label: Sample Trend Micro Apex One as a Service App + signOnMode: SAML_2_0 + settings: + app: + baseURL: https://acme.trendmicro.com + description: | + Schema for Trend Micro Apex One as a Service app (key name: `trendmicroapexoneservice`) + + To create a Trend Micro Apex One as a Service app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Trend Micro Apex One as a Service app only supports `SAML_2_0` sign-on mode. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - trendmicroapexoneservice + example: trendmicroapexoneservice + signOnMode: + enum: + - SAML_2_0 + settings: + $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettings' + TrendMicroApexOneServiceApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + TrendMicroApexOneServiceApplicationSettingsApplication: + description: Trend Micro Apex One as a Service app instance properties type: object properties: - primary: - $ref: '#/components/schemas/SsprPrimaryRequirement' - stepUp: - $ref: '#/components/schemas/SsprStepUpRequirement' - SsprStepUpRequirement: - description: |- - Defines the secondary authenticators needed for password reset if `required` is true. The following are three valid configurations: - * `required`=false - * `required`=true with no methods to use any SSO authenticator - * `required`=true with `security_question` as the method + baseURL: + type: string + description: Base Trend Micro Apex One Service URL + required: + - baseURL + TrustedOrigin: type: object properties: - methods: - description: Authenticator methods required for secondary authentication step of password recovery. Specify this value only when `required` is true and `security_question` is permitted for the secondary authentication. 
- type: array - items: - type: string - enum: - - security_question - required: - type: boolean - Subscription: + created: + description: Timestamp when the Trusted Origin was created + type: string + format: date-time + readOnly: true + createdBy: + description: The ID of the user who created the Trusted Origin + type: string + id: + description: Unique identifier for the Trusted Origin + type: string + readOnly: true + lastUpdated: + description: Timestamp when the Trusted Origin was last updated + type: string + format: date-time + readOnly: true + lastUpdatedBy: + description: The ID of the user who last updated the Trusted Origin + type: string + name: + $ref: '#/components/schemas/TrustedOriginName' + origin: + $ref: '#/components/schemas/TrustedOriginOrigin' + scopes: + $ref: '#/components/schemas/TrustedOriginScopes' + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + TrustedOriginName: + maximum: 255 + description: Unique name for the Trusted Origin + type: string + TrustedOriginOrigin: + maximum: 255 + description: Unique origin URL for the Trusted Origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor. + type: string + TrustedOriginScope: type: object properties: - channels: - description: |- - An array of sources send notifications to users. - > **Note**: Currently, Okta only allows `email` channels. 
- items: - type: string + allowedOktaApps: type: array - notificationType: - $ref: '#/components/schemas/NotificationType' - status: - $ref: '#/components/schemas/SubscriptionStatus' - _links: - type: object - description: Discoverable resources related to the subscription - properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true - SubscriptionStatus: - description: The status of the subscription + description: The allowed Okta apps for the Trusted Origin scope + items: + $ref: '#/components/schemas/IframeEmbedScopeAllowedApps' + type: + $ref: '#/components/schemas/TrustedOriginScopeType' + TrustedOriginScopeType: + description: | + The scope type. Supported values: When you use `IFRAME_EMBED` as the scope type, leave the allowedOktaApps property + empty to allow iFrame embedding of only Okta sign-in pages. Include `OKTA_ENDUSER` as a value for the allowedOktaApps + property to allow iFrame embedding of both Okta sign-in pages and the Okta End-User Dashboard. type: string enum: - - subscribed - - unsubscribed - SupportedMethods: + - CORS + - IFRAME_EMBED + - REDIRECT + TrustedOriginScopes: + maximum: 3 + description: Array of Scope types that this Trusted Origin is used for + items: + $ref: '#/components/schemas/TrustedOriginScope' + type: array + TrustedOriginWrite: type: object properties: - settings: + name: + $ref: '#/components/schemas/TrustedOriginName' + origin: + $ref: '#/components/schemas/TrustedOriginOrigin' + scopes: + $ref: '#/components/schemas/TrustedOriginScopes' + UIElement: + description: Specifies the configuration of an input field on an enrollment form + type: object + properties: + label: + type: string + description: Label name for the UI element + options: type: object + description: UI Schema element options object properties: - keyProtection: + format: type: string - algorithms: - type: array - items: - $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' - transactionTypes: - type: array - items: - $ref: 
'#/components/schemas/AuthenticatorMethodTransactionType' - status: + description: Specifies how the input appears + enum: + - text + - radio + - select + - checkbox + - radio_yes_no + - radio_true_false + x-enumDescriptions: + text: The default format for the majority of property types + radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint. + select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint. + checkbox: Displays input as a checkbox. This option is only available for Boolean data types. + radio_yes_no: Displays input as two radio buttons, one with the option `yes` and the other `no`. This option is only available for Boolean data types. + radio_true_false: Displays input as two radio buttons, one with the option `true` and the other `false`. This option is only available for Boolean data types. + scope: type: string + description: Specifies the property bound to the input field. It must follow the format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a variable name for an attribute in `profile editor`. type: type: string - enum: - - push - SwaApplicationSettings: - allOf: - - $ref: '#/components/schemas/ApplicationSettings' - - type: object - properties: - app: - $ref: '#/components/schemas/SwaApplicationSettingsApplication' - SwaApplicationSettingsApplication: + description: Specifies the relationship between this input element and `scope`. The `Control` value specifies that this input controls the value represented by `scope`. 
+ UISchemaObject: + description: Properties of the UI schema type: object properties: - buttonField: - type: string - buttonSelector: - type: string - checkbox: - type: string - extraFieldSelector: - type: string - extraFieldValue: + buttonLabel: type: string - loginUrlRegex: + description: Specifies the button label for the `Submit` button at the bottom of the enrollment form + default: Submit + elements: + $ref: '#/components/schemas/UIElement' + label: type: string - passwordField: + description: Specifies the label at the top of the enrollment form under the logo + default: Sign in + type: type: string - passwordSelector: + description: Specifies the type of layout + UISchemasResponseObject: + type: object + properties: + created: type: string - redirectUrl: + format: date-time + description: Timestamp when the UI Schema was created (ISO-86001) + readOnly: true + id: type: string - targetURL: + description: Unique identifier for the UI Schema + readOnly: true + lastUpdated: type: string - url: + format: date-time + description: Timestamp when the UI Schema was last modified (ISO-86001) + readOnly: true + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - id + - uiSchema + - created + - lastUpdated + - _links + UpdateDomain: + type: object + properties: + brandId: + description: The `id` of the brand used to replace the existing brand. 
type: string - usernameField: + example: bndul904tTZ6kWVhP0g3 + required: + - brandId + UpdateEmailDomain: + allOf: + - $ref: '#/components/schemas/BaseEmailDomain' + UpdateIamRoleRequest: + type: object + properties: + description: type: string - userNameSelector: + description: Description of the role + label: type: string - TempPassword: + description: Unique label for the role + required: + - label + - description + UpdateRealmAssignmentRequest: type: object properties: - tempPassword: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + name: type: string - readOnly: true - Theme: + priority: + type: integer + UpdateRealmRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/RealmProfile' + UpdateThemeRequest: type: object properties: - backgroundImage: - readOnly: true - type: string emailTemplateTouchPointVariant: $ref: '#/components/schemas/EmailTemplateTouchPointVariant' endUserDashboardTouchPointVariant: 
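Review bot: `maximum: 255` on `TrustedOriginName` and `TrustedOriginOrigin` (both `type: string`) and `maximum: 3` on `TrustedOriginScopes` (`type: array`) are the numeric keyword and are silently ignored for these types, so the length limits in this hunk are not enforced by validators or generated clients; use `maxLength: 255` and `maxItems: 3` respectively. Two documentation nits in the same hunk: the `TrustedOriginScopeType` description opens with "Supported values:" and then lists none before jumping to the `IFRAME_EMBED` guidance, and `UISchemasResponseObject` writes "ISO-86001" where "ISO-8601" is meant (twice). Also worth confirming that `UISchemaObject.elements` is intentionally a single `$ref` to `UIElement` rather than `type: array` with `items`, since the property name is plural and an enrollment form normally carries several inputs.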
@@ -31057,370 +65834,995 @@ components: $ref: '#/components/schemas/LoadingPageTouchPointVariant' primaryColorContrastHex: type: string + description: Primary color contrast hex code + default: null primaryColorHex: type: string + description: Primary color hex code + default: null secondaryColorContrastHex: type: string + description: Secondary color contrast hex code + default: null secondaryColorHex: type: string + description: Secondary color hex code + default: null signInPageTouchPointVariant: $ref: '#/components/schemas/SignInPageTouchPointVariant' _links: $ref: '#/components/schemas/LinksSelf' - ThemeResponse: + required: + - primaryColorHex + - secondaryColorHex + - signInPageTouchPointVariant + - endUserDashboardTouchPointVariant + - errorPageTouchPointVariant + - emailTemplateTouchPointVariant + UpdateUISchema: + description: The updated request body properties type: object properties: - backgroundImage: - readOnly: true + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + UpdateUserRequest: + type: object + properties: + credentials: + $ref: '#/components/schemas/UserCredentials' + profile: + $ref: '#/components/schemas/UserProfile' + realmId: type: string - emailTemplateTouchPointVariant: - $ref: '#/components/schemas/EmailTemplateTouchPointVariant' - endUserDashboardTouchPointVariant: - $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' - errorPageTouchPointVariant: - $ref: '#/components/schemas/ErrorPageTouchPointVariant' - favicon: + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the realm in which the user is residing + example: guo1bfiNtSnZYILxO0g4 + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + User: + type: object + properties: + activated: + type: string + description: The timestamp when the user status transitioned to `ACTIVE` + format: date-time readOnly: true + nullable: true + created: type: string + description: The timestamp when the 
user was created + format: date-time + readOnly: true + credentials: + $ref: '#/components/schemas/UserCredentials' id: + type: string + description: The unique key for the user readOnly: true + lastLogin: type: string - loadingPageTouchPointVariant: - $ref: '#/components/schemas/LoadingPageTouchPointVariant' - logo: + description: The timestamp of the last login + format: date-time readOnly: true + nullable: true + lastUpdated: type: string - primaryColorContrastHex: + description: The timestamp when the user was last updated + format: date-time + readOnly: true + passwordChanged: type: string - primaryColorHex: + description: The timestamp when the user's password was last updated + format: date-time + readOnly: true + nullable: true + profile: + $ref: '#/components/schemas/UserProfile' + realmId: type: string - secondaryColorContrastHex: + description: <div class="x-lifecycle-container"><x-lifecycle class="ea"></x-lifecycle></div>The ID of the realm in which the user is residing + example: guo1bfiNtSnZYILxO0g4 + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + readOnly: true + status: + $ref: '#/components/schemas/UserStatus' + statusChanged: type: string - secondaryColorHex: + description: The timestamp when the status of the user last changed + format: date-time + readOnly: true + nullable: true + transitioningToStatus: type: string - signInPageTouchPointVariant: - $ref: '#/components/schemas/SignInPageTouchPointVariant' + description: The target status of an in-progress asynchronous status transition. This property is only returned if the user's state is transitioning. + readOnly: true + nullable: true + enum: + - ACTIVE + - DEPROVISIONED + - PROVISIONED + type: + type: object + description: |- + The user type that determines the schema for the user's profile. The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). 
+ + Currently it contains a single element, `id`. It can be specified when creating a new user, and ca be updated by an admin on a full replace of an existing user (but not a partial update). + properties: + id: + type: string + description: The ID of the user type + _embedded: + type: object + description: Embedded resources related to the user using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + additionalProperties: + type: object + properties: {} + readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' - ThreatInsightConfiguration: + description: |- + Specifies link relations (see [Web Linking](https://datatracker.ietf.org/doc/html/rfc8288) available for the current status of a user. + The links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The links object is read-only. + + For an individual user result, the links object contains a full set of link relations available for that user as determined by your policies. + For a collection of users, the links object contains only the `self` link. Operations that return a collection of users include List users and List group Members. 
+ allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + self: + description: URL to the individual user + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: URL to activate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + resetPassword: + description: URL to reset the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + resetFactors: + description: URL to reset the user's factors + allOf: + - $ref: '#/components/schemas/HrefObject' + expirePassword: + description: URL to expire the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + forgotPassword: + description: URL to initiate a forgot password operation + allOf: + - $ref: '#/components/schemas/HrefObject' + changeRecoveryQuestion: + description: URL to change the user's recovery question + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate a user + allOf: + - $ref: '#/components/schemas/HrefObject' + reactivate: + description: URL to reactivate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + changePassword: + description: URL to change the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + schema: + description: URL to the user's profile schema + allOf: + - $ref: '#/components/schemas/HrefObject' + suspend: + description: URL to suspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unsuspend: + description: URL to unsuspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unlock: + description: URL to unlock the locked-out user + allOf: + - $ref: '#/components/schemas/HrefObject' + type: + description: URL to the user type + allOf: + - $ref: '#/components/schemas/HrefObject' + - readOnly: true + UserActivationToken: type: object properties: - action: + activationToken: type: string - description: Specifies how Okta responds to authentication requests from suspicious IP addresses + readOnly: 
true + example: XE6wE17zmphl3KqAPFxO + description: |- + Token received as part of an activation user request. If a password was set before the user was activated, then user must sign in with their password or the `activationToken` and not the activation link. More information about using the `activationToken` + to login can be found in the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-activation-token). + activationUrl: + type: string + readOnly: true + example: https://{yourOktaDomain}/welcome/XE6wE17zmphl3KqAPFxO + description: If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. + UserBlock: + description: Describes how the account is blocked from access. If `appliesTo` is `ANY_DEVICES`, then the account is blocked for all devices. If `appliesTo` is `UNKNOWN_DEVICES`, then the account is only blocked for unknown devices. + type: object + properties: + appliesTo: + type: string + readOnly: true + description: The devices that the block applies to enum: - - none - - audit - - block + - ANY_DEVICES + - UNKNOWN_DEVICES x-enumDescriptions: - none: Indicates that ThreatInsight is disabled - audit: Indicates that Okta logs suspicious requests to the System Log - block: Indicates that Okta logs suspicious requests to the System Log and blocks the requests - example: none - created: + ANY_DEVICES: The account is blocked for all devices + UNKNOWN_DEVICES: The account is only blocked for unknown devices + type: type: string - format: date-time - description: Timestamp when the ThreatInsight Configuration object was created - example: '2020-08-05T22:18:30.629Z' readOnly: true - excludeZones: + description: Type of access block + enum: + - DEVICE_BASED + UserCondition: + description: Specifies a set of Users to be included or excluded + type: object + properties: + exclude: + description: Users to be excluded 
type: array - description: |- - Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs. - IPs in the excluded network zones aren't logged or blocked. - This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked. items: type: string - example: [] + include: + description: Users to be included + type: array + items: + type: string + required: + - exclude + - include + UserCredentials: + description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. + type: object + properties: + password: + $ref: '#/components/schemas/PasswordCredential' + provider: + $ref: '#/components/schemas/AuthenticationProvider' + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + UserFactor: + type: object + properties: + created: + description: Timestamp when the Factor was enrolled + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + factorType: + $ref: '#/components/schemas/UserFactorType' + id: + description: ID of the Factor + type: string + example: caf8m6jbcvUH8mAep1d7 + readOnly: true lastUpdated: + description: Timestamp when the Factor was last updated type: string format: date-time - description: Timestamp when the ThreatInsight Configuration object was last updated + example: '2022-08-25T00:31:00.000Z' + readOnly: true + profile: + type: object + description: Specific attributes related to the Factor + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings. 
+ type: string + example: OKTA + readOnly: true + _embedded: + type: object + additionalProperties: + type: object + properties: {} readOnly: true - example: '2020-09-08T20:53:20.882Z' _links: - $ref: '#/components/schemas/LinksSelf' - required: - - action - TimeDuration: - description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). + $ref: '#/components/schemas/UserFactorLinks' + discriminator: + propertyName: factorType + mapping: + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + push: '#/components/schemas/UserFactorPush' + question: '#/components/schemas/UserFactorSecurityQuestion' + sms: '#/components/schemas/UserFactorSMS' + token: '#/components/schemas/UserFactorToken' + token:hardware: '#/components/schemas/UserFactorTokenHardware' + token:hotp: '#/components/schemas/UserFactorTokenHOTP' + token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' + u2f: '#/components/schemas/UserFactorU2F' + web: '#/components/schemas/UserFactorWeb' + webauthn: '#/components/schemas/UserFactorWebAuthn' + hotp: '#/components/schemas/UserFactorTokenHOTP' + UserFactorActivatePush: + description: Activation requests have a short lifetime and expire if the activation isn't completed before the indicated timestamp. If the activation expires, use the returned `activate` link to restart the process. 
+ type: object + properties: + expiresAt: + description: Timestamp when the Factor verification attempt expires + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + factorResult: + $ref: '#/components/schemas/UserFactorActivatePushResult' + readOnly: true + UserFactorActivatePushResult: + description: Result of a Factor activation type: string - pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$ - TokenAuthorizationServerPolicyRuleAction: + enum: + - CANCELLED + - ERROR + - TIMEOUT + - WAITING + UserFactorActivateRequest: + oneOf: + - title: call + description: Attempts to activate a `call` Factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: email + description: Attempts to activate an `email` Factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: push + type: object + nullable: true + description: |- + Sends an asynchronous push notification to the device for approval by the user. You must poll the transaction to determine the state of the activation. See [Retrieve a Factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus). + + No request body is required for `push` Factors. + + Activations have a short lifetime of several minutes and return a `TIMEOUT` if not completed before the timestamp specified in the `expiresAt` param. Use the published activate link to restart the activation process if the activation expires. 
+ - title: sms + description: Attempts to activate an `sms` Factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: token:software:totp + description: Attempts to activate a `token:software:totp` Factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: u2f + description: Activates a `u2f` Factor with the specified client and registration information from the U2F token + properties: + clientData: + type: string + description: Base64-encoded client data from the U2F token + example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + registrationData: + type: string + description: Base64-encoded registration data from the U2F token + example: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew + - title: webauthn + description: Activates a `webauthn` Factor with the specified attestation and registration information from the WebAuthn authenticator + properties: + attestation: + type: string + description: Base64-encoded attestation from the WebAuthn authenticator + example: 
o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== + clientData: + type: string + description: Base64-encoded client data from the WebAuthn authenticator + example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0 + type: object + UserFactorActivateResponse: type: object properties: - accessTokenLifetimeMinutes: - type: integer - inlineHook: - $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' - refreshTokenLifetimeMinutes: - type: integer - refreshTokenWindowMinutes: - type: integer - TokenAuthorizationServerPolicyRuleActionInlineHook: + factorType: + description: Type of the Factor + type: string + enum: + - call + - email + - sms + - push + - token:software:totp + - u2f + - webauthn + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUser' + - $ref: '#/components/schemas/LinksVerify' + discriminator: + propertyName: factorType + mapping: + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + sms: '#/components/schemas/UserFactorSMS' + push: '#/components/schemas/UserFactorPush' + token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' + u2f: '#/components/schemas/UserFactorU2F' + webauthn: '#/components/schemas/UserFactorWebAuthn' + UserFactorCall: + title: call + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: call + profile: + $ref: '#/components/schemas/UserFactorCallProfile' + provider: + enum: + - OKTA + UserFactorCallProfile: 
type: object properties: - id: + phoneExtension: + description: Extension of the associated `phoneNumber` type: string - readOnly: false - TokenUserFactor: + example: 1234 + nullable: true + maxLength: 15 + phoneNumber: + description: Phone number of the Factor. Format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). + example: '+15554151337' + type: string + pattern: ^\+[1-9]\d{1,14}$ + maxLength: 15 + UserFactorEmail: + title: email allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: + factorType: + example: email profile: - $ref: '#/components/schemas/TokenUserFactorProfile' - TokenUserFactorProfile: + $ref: '#/components/schemas/UserFactorEmailProfile' + provider: + enum: + - OKTA + UserFactorEmailProfile: type: object properties: - credentialId: + email: + description: Email address of the user. This must be either the primary or secondary email address associated with the Okta user account. + maxLength: 100 + example: z.cool@example.com type: string - TotpUserFactor: + UserFactorLinks: + allOf: + - $ref: '#/components/schemas/LinksActivate' + - $ref: '#/components/schemas/LinksCancel' + - $ref: '#/components/schemas/LinksDeactivate' + - $ref: '#/components/schemas/LinksEnroll' + - $ref: '#/components/schemas/LinksFactor' + - $ref: '#/components/schemas/LinksPoll' + - $ref: '#/components/schemas/LinksQrcode' + - $ref: '#/components/schemas/LinksQuestions' + - $ref: '#/components/schemas/LinksResend' + - $ref: '#/components/schemas/LinksSend' + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUser' + - $ref: '#/components/schemas/LinksVerify' + readOnly: true + UserFactorPassCode: + description: OTP for the current time window + example: 1234567890 + type: string + UserFactorProvider: + description: Provider for the Factor + type: string + enum: + - CUSTOM + - DUO + - FIDO + - GOOGLE + - OKTA + - RSA + - SYMANTEC + - YUBICO + UserFactorPush: + title: push allOf: - $ref: 
'#/components/schemas/UserFactor' - type: object properties: profile: - $ref: '#/components/schemas/TotpUserFactorProfile' - TotpUserFactorProfile: + $ref: '#/components/schemas/UserFactorPushProfile' + provider: + enum: + - OKTA + UserFactorPushProfile: type: object properties: credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - TrustedOrigin: - type: object - properties: - created: - type: string - format: date-time - readOnly: true - createdBy: - type: string - id: - type: string - readOnly: true - lastUpdated: + deviceToken: + description: Token used to identify the device + example: fwf7ku6bsiSCieh6y1d7 type: string - format: date-time - readOnly: true - lastUpdatedBy: + deviceType: + description: Type of device + example: SmartPhone_IPhone type: string name: + description: Name of the device + example: My Phone type: string - origin: + platform: + description: OS version of the associated device + example: IOS type: string - scopes: - type: array - items: - $ref: '#/components/schemas/TrustedOriginScope' - status: + version: + description: Installed version of Okta Verify + example: '9.0' type: string - _links: - $ref: '#/components/schemas/LinksSelf' - TrustedOriginScope: + UserFactorPushTransaction: type: object properties: - allowedOktaApps: - type: array - items: - $ref: '#/components/schemas/IframeEmbedScopeAllowedApps' - type: - $ref: '#/components/schemas/TrustedOriginScopeType' - TrustedOriginScopeType: + factorResult: + description: Result of the verification transaction + type: string + enum: + - WAITING + - SUCCESS + - REJECTED + - TIMEOUT + discriminator: + propertyName: factorResult + mapping: + WAITING: '#/components/schemas/UserFactorPushTransactionWaiting' + SUCCESS: '#/components/schemas/UserFactorPushTransaction' + REJECTED: '#/components/schemas/UserFactorPushTransactionRejected' + TIMEOUT: '#/components/schemas/UserFactorPushTransactionTimeout' + UserFactorPushTransactionRejected: + 
allOf: + - $ref: '#/components/schemas/UserFactorPushTransaction' + - type: object + properties: + profile: + type: object + properties: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksVerify' + - type: object + properties: + factor: + $ref: '#/components/schemas/UserFactor' + UserFactorPushTransactionSuccess: + $ref: '#/components/schemas/UserFactorPushTransaction' + UserFactorPushTransactionTimeout: + allOf: + - $ref: '#/components/schemas/UserFactorPushTransaction' + - type: object + properties: + profile: + type: object + properties: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksVerify' + - type: object + properties: + factor: + $ref: '#/components/schemas/UserFactor' + UserFactorPushTransactionWaiting: + allOf: + - $ref: '#/components/schemas/UserFactorPushTransaction' + - type: object + properties: + profile: + type: object + properties: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksPoll' + - $ref: '#/components/schemas/LinksCancel' + UserFactorResultType: + description: Result of a Factor verification attempt type: string enum: - - CORS - - IFRAME_EMBED - - REDIRECT - U2fUserFactor: + - CANCELLED + - CHALLENGE + - ERROR + - FAILED + - PASSCODE_REPLAYED + - REJECTED + - SUCCESS + - TIMEOUT + - TIME_WINDOW_EXCEEDED + - WAITING + readOnly: true + UserFactorSMS: + title: sms allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: + factorType: + example: sms profile: - $ref: '#/components/schemas/U2fUserFactorProfile' - U2fUserFactorProfile: - type: object - properties: - credentialId: - type: string - UIElement: - description: Specifies the configuration of an input field on an enrollment 
form + $ref: '#/components/schemas/UserFactorSMSProfile' + provider: + enum: + - OKTA + UserFactorSMSProfile: type: object properties: - label: + phoneNumber: + description: Phone number of the Factor. You should format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). + example: '+15554151337' type: string - description: Label name for the UI element - options: - type: object - description: UI Schema element options object + pattern: ^\+[1-9]\d{1,14}$ + maxLength: 15 + UserFactorSecurityQuestion: + title: question + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object properties: - format: - type: string - description: Specifies how the input appears + factorType: + example: question + profile: + $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' + provider: enum: - - text - - radio - - select - - checkbox - - radio_yes_no - - radio_true_false - x-enumDescriptions: - text: The default format for the majority of property types. - radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint. - select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint. - checkbox: Displays input as a checkbox. This option is only available for Boolean data types. - radio_yes_no: Displays input as two radio buttons, one with the option `yes` and the other `no`. This option is only available for Boolean data types. - radio_true_false: Displays input as two radio buttons, one with the option `true` and the other `false`. This option is only available for Boolean data types. - scope: - type: string - description: Specifies the property bound to the input field. It must follow the format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a variable name for an attribute in `profile editor`. 
- type: - type: string - description: Specifies the relationship between this input element and `scope`. The `Control` value specifies that this input controls the value represented by `scope`. - UISchemaObject: - description: Properties of the UI schema + - OKTA + UserFactorSecurityQuestionProfile: type: object properties: - buttonLabel: + answer: + description: Answer to the question + minLength: 4 type: string - description: Specifies the button label for the `Submit` button at the bottom of the enrollment form. - default: Submit - elements: - allOf: - $ref: '#/components/schemas/UIElement' - label: + writeOnly: true + question: + description: Unique key for the question + example: disliked_food + enum: + - disliked_food + - name_of_first_plush_toy + - first_award + - favorite_security_question + - favorite_toy + - first_computer_game + - favorite_movie_quote + - first_sports_team_mascot + - first_music_purchase + - favorite_art_piece + - grandmother_favorite_desert + - first_thing_cooked + - childhood_dream_job + - first_kiss_location + - place_where_significant_other_was_met + - favorite_vacation_location + - new_years_two_thousand + - favorite_speaker_actor + - favorite_book_movie_character + - favorite_sports_player type: string - description: Specifies the label at the top of the enrollment form under the logo. - default: Sign in - type: + questionText: + description: Human-readable text that's displayed to the user + example: What is the food you least liked as a child? 
type: string - description: Specifies the type of layout - UISchemasResponseObject: + readOnly: true + UserFactorSignatureData: + description: Base64-encoded signature data from the WebAuthn authenticator + type: string + UserFactorStatus: + example: ACTIVE + description: Status of the Factor + type: string + enum: + - ACTIVE + - DISABLED + - ENROLLED + - EXPIRED + - INACTIVE + - NOT_SETUP + - PENDING_ACTIVATION + readOnly: true + UserFactorSupported: type: object properties: - created: + enrollment: type: string - format: date-time - description: Timestamp when the UI Schema was created (ISO-86001) - readOnly: true - id: + description: Indicates if the Factor is required for the specified user + example: OPTIONAL + enum: + - OPTIONAL + - REQUIRED + factorType: + $ref: '#/components/schemas/UserFactorType' + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings. 
type: string - description: Unique identifier for the UI Schema + example: OKTA readOnly: true - lastUpdated: - type: string - format: date-time - description: Timestamp when the UI Schema was last modified (ISO-86001) + _embedded: + type: object + description: Embedded resources related to the Factor + additionalProperties: + type: object + properties: {} readOnly: true - uiSchema: - $ref: '#/components/schemas/UISchemaObject' _links: - $ref: '#/components/schemas/LinksSelf' - required: - - id - - uiSchema - - created - - lastUpdated - - _links - UpdateDomain: + $ref: '#/components/schemas/UserFactorLinks' + UserFactorToken: + title: token + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: token + profile: + $ref: '#/components/schemas/UserFactorTokenProfile' + provider: + enum: + - RSA + - SYMANTEC + verify: + oneOf: + - $ref: '#/components/schemas/UserFactorTokenVerifyRSA' + - $ref: '#/components/schemas/UserFactorTokenVerifySymantec' + UserFactorTokenFactorVerificationObject: type: object properties: - brandId: - description: The `id` of the brand used to replace the existing brand. + nextPassCode: + description: OTP for the next time window type: string - example: bndul904tTZ6kWVhP0g3 - required: - - brandId - UpdateEmailDomain: + example: 678195 + passCode: + description: OTP for the current time window + type: string + example: 875498 + UserFactorTokenHOTP: + title: token:hotp allOf: - - $ref: '#/components/schemas/BaseEmailDomain' - UpdateIamRoleRequest: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorProfileId: + description: ID of an existing Custom TOTP Factor profile. To create this, see [Custom TOTP Factor](https://help.okta.com/okta_help.htm?id=ext-mfa-totp). 
+ type: string + factorType: + example: token:hotp + profile: + $ref: '#/components/schemas/UserFactorTokenHOTPProfile' + provider: + enum: + - CUSTOM + UserFactorTokenHOTPProfile: type: object properties: - description: - type: string - description: Description of the role - label: + sharedSecret: + description: Unique secret key used to generate the OTP type: string - description: Unique label for the role - required: - - label - - description - UpdateUISchema: - description: The updated request body properties + example: 484f97be3213b117e3a20438e291540a + UserFactorTokenHardware: + title: token:hardware + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: token:hardware + profile: + $ref: '#/components/schemas/UserFactorTokenProfile' + provider: + enum: + - YUBICO + verify: + type: object + properties: + passCode: + description: OTP for the current time window + type: string + example: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji + UserFactorTokenProfile: type: object properties: - uiSchema: - type: object - description: Updated schema property expressions (Okta object or App Instance object) - $ref: '#/components/schemas/UISchemaObject' - UpdateUserRequest: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + UserFactorTokenSoftwareTOTP: + title: token:software:totp + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: token:software:totp + profile: + $ref: '#/components/schemas/UserFactorTokenProfile' + provider: + enum: + - OKTA + - GOOGLE + UserFactorTokenVerifyRSA: + title: RSA SecurID type: object properties: - credentials: - $ref: '#/components/schemas/UserCredentials' - profile: - $ref: '#/components/schemas/UserProfile' - realmId: + passCode: + description: OTP for the current time window type: string - description: The ID of the realm in which the user is residing - example: 
guo1bfiNtSnZYILxO0g4 - x-okta-lifecycle: - features: - - UD_REALMS - User: + example: 5275875498 + UserFactorTokenVerifySymantec: + title: Symantec VIP type: object properties: - activated: - type: string - format: date-time - readOnly: true - nullable: true - created: - type: string - format: date-time - readOnly: true - credentials: - $ref: '#/components/schemas/UserCredentials' - id: + nextPassCode: + description: OTP for the next time window + type: integer + example: 3956685498 + passCode: + description: OTP for the current time window type: string - readOnly: true - lastLogin: + example: 5275875498 + UserFactorType: + description: Type of Factor + type: string + enum: + - call + - email + - push + - question + - signed_nonce + - sms + - token + - token:hardware + - token:hotp + - token:software:totp + - u2f + - web + - webauthn + UserFactorU2F: + title: u2f + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: u2f + profile: + $ref: '#/components/schemas/UserFactorU2FProfile' + provider: + enum: + - FIDO + UserFactorU2FProfile: + type: object + properties: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - format: date-time - readOnly: true + UserFactorVerifyRequest: + oneOf: + - title: call + description: Verifies an OTP sent by a `call` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone. + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: sms + description: Verifies an OTP sent by an `sms` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone. + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: push + type: object nullable: true - lastUpdated: + description: Sends an asynchronous push notification to the device for approval by the user. 
You must poll the transaction to determine the state of the verification. See [Retrieve a Factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus). + - title: email + description: Verifies an OTP sent by an `email` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone. + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: question + description: Verifies an answer to a `question` Factor + properties: + answer: + description: Answer to the question + minLength: 4 + type: string + writeOnly: true + - title: token:software:totp + description: Verifies an OTP for a `token:software:totp` Factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: token:hotp + description: Verifies an OTP for a `token:hotp` Factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: token:hardware + description: Verifies an OTP for a `token:hardware` Factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: token + description: Verifies an OTP for a `token` Factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + - title: u2f + description: Verifies a `u2f` Factor challenge by posting a signed assertion using the challenge `nonce` + properties: + clientData: + type: string + description: Base64-encoded client data from the U2F token + example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + signatureData: + description: Base64-encoded signature data from the U2F token + - title: webauthn + description: Verifies a `webauthn` Factor challenge by posting a signed assertion using the challenge `nonce` + properties: + authenticatorData: + description: Base64-encoded authenticator data from the WebAuthn authenticator + type: string + clientData: 
+ type: string + description: Base64-encoded client data from the WebAuthn authenticator + example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0 + signatureData: + type: string + description: Base64-encoded signature data from the WebAuthn authenticator + UserFactorVerifyResponse: + type: object + properties: + expiresAt: + description: Timestamp when the verification expires type: string format: date-time + example: '2022-08-25T00:31:00.000Z' readOnly: true - passwordChanged: + factorMessage: + description: Optional display message for Factor verification type: string - format: date-time readOnly: true nullable: true - profile: - $ref: '#/components/schemas/UserProfile' - realmId: - type: string - description: The ID of the realm in which the user is residing - example: guo1bfiNtSnZYILxO0g4 - x-okta-lifecycle: - features: - - UD_REALMS - readOnly: true - status: - $ref: '#/components/schemas/UserStatus' - statusChanged: - type: string - format: date-time + factorResult: + $ref: '#/components/schemas/UserFactorVerifyResult' readOnly: true - nullable: true - transitioningToStatus: - $ref: '#/components/schemas/UserStatus' - type: - $ref: '#/components/schemas/UserType' _embedded: type: object additionalProperties: 
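Review bot: `UserFactorVerifyRequest` uses `oneOf` over alternatives that are structurally identical (`call`, `sms`, `email`, `token`, `token:hotp`, `token:hardware` and `token:software:totp` each declare only `passCode` via `UserFactorPassCode`, none with `required`), so a body carrying `passCode` matches several alternatives and fails strict `oneOf` validation; the same applies to `UserFactorToken.verify`, where an RSA body with only `passCode` also satisfies `UserFactorTokenVerifySymantec` because `nextPassCode` is optional. Use `anyOf`, or collapse the identical alternatives into one schema. In the same hunk, `UserFactorTokenHOTPProfile.sharedSecret` is the seed from which the OTP is derived but is not marked `writeOnly: true` (compare `answer` in `UserFactorSecurityQuestionProfile`), so generated docs and clients will treat it as a value returned in responses. Several `type: string` OTP fields also carry unquoted numeric examples (`UserFactorPassCode` `example: 1234567890`, `UserFactorTokenVerifyRSA` `example: 5275875498`, `phoneExtension` `example: 1234`), which YAML parses as integers, and `UserFactorTokenVerifySymantec.nextPassCode` is typed `integer` while its sibling `passCode` is `string`, which would drop leading zeros from a code; quote the examples and type `nextPassCode` as string. Finally, the `email` variant says a new OTP "is sent to the phone" (should be the email address), and the `phoneNumber` pattern `^\+[1-9]\d{1,14}$` admits 16 characters while `maxLength: 15` caps a full 15-digit E.164 number one short.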
@@ -31428,109 +66830,155 @@ components: properties: {} readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' - UserActivationToken: + $ref: '#/components/schemas/UserFactorLinks' + UserFactorVerifyResult: + description: Result of a Factor verification + type: string + enum: + - CHALLENGE + - ERROR + - EXPIRED + - FAILED + - PASSCODE_REPLAYED + - REJECTED + - SUCCESS + - TIMEOUT + - TIME_WINDOW_EXCEEDED + - WAITING + x-enumDescriptions: + CANCELED: User cancelled the verification + CHALLENGE: Okta issued a verification challenge + ERROR: Verification encountered an unexpected server error + EXPIRED: User didn't complete the verification within the allowed time window + FAILED: Verification failed + PASSCODE_REPLAYED: User previously verified the Factor within the same time window. Another verification is required during another time window. + REJECTED: User rejected the verification + SUCCESS: User completed the verification + TIMEOUT: Okta didn't complete the verification within the allowed time window + TIME_WINDOW_EXCEEDED: User completed the verification outside of the allowed time window. Another verification is required. 
+ WAITING: Verification is in progress + UserFactorWeb: + title: web + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: web + profile: + $ref: '#/components/schemas/UserFactorWebProfile' + provider: + enum: + - DUO + UserFactorWebAuthn: + title: webauthn + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorType: + example: webauthn + profile: + $ref: '#/components/schemas/UserFactorWebAuthnProfile' + provider: + enum: + - FIDO + UserFactorWebAuthnProfile: type: object properties: - activationToken: + authenticatorName: + description: Human-readable name of the authenticator + example: MacBook Touch ID type: string - readOnly: true - activationUrl: + credentialId: + description: ID for the Factor credential + example: AHoOEhwvYiMv6SSwLp7KYRNttXtg_kYgQoQiEIWPFH_T3Ztp5Vj3bQ5H0LypIFR8ka8kfiCJ3I5qVpxrsd6JTMWKcE3xNh_U2QVF0Kwlan8Fiw type: string - readOnly: true - UserBlock: + UserFactorWebProfile: type: object properties: - appliesTo: - type: string - readOnly: true - type: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - readOnly: true - UserCondition: - description: Specifies a set of Users to be included or excluded - type: object - properties: - exclude: - description: Users to be excluded - type: array - items: - type: string - include: - description: Users to be included - type: array - items: - type: string - UserCredentials: - type: object - properties: - password: - $ref: '#/components/schemas/PasswordCredential' - provider: - $ref: '#/components/schemas/AuthenticationProvider' - recovery_question: - $ref: '#/components/schemas/RecoveryQuestionCredential' - UserFactor: + UserFactorYubikeyOtpToken: type: object properties: created: + description: Timestamp when the Token was created type: string format: date-time + example: '2022-08-25T00:31:00.000Z' readOnly: true - factorType: - $ref: 
'#/components/schemas/FactorType' id: + description: ID of the Token type: string + example: ykkwcx13nrDq8g4oy0g3 readOnly: true lastUpdated: + description: Timestamp when the Token was last updated + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + lastVerified: + description: Timestamp when the Token was last verified type: string format: date-time + example: '2022-08-25T00:31:00.000Z' readOnly: true profile: type: object - description: Factor-specific attributes - provider: - $ref: '#/components/schemas/FactorProvider' + description: Specified profile information for token + additionalProperties: + type: object + properties: {} status: - $ref: '#/components/schemas/FactorStatus' - verify: - $ref: '#/components/schemas/VerifyFactorRequest' + description: Token status + type: string + enum: + - BLOCKED + - UNASSIGNED + - ACTIVE + - REVOKED + - DELETED + - INACTIVE _embedded: type: object additionalProperties: type: object properties: {} - readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' - discriminator: - propertyName: factorType - mapping: - call: '#/components/schemas/CallUserFactor' - email: '#/components/schemas/EmailUserFactor' - push: '#/components/schemas/PushUserFactor' - question: '#/components/schemas/SecurityQuestionUserFactor' - sms: '#/components/schemas/SmsUserFactor' - token: '#/components/schemas/TokenUserFactor' - token:hardware: '#/components/schemas/HardwareUserFactor' - token:hotp: '#/components/schemas/CustomHotpUserFactor' - token:software:totp: '#/components/schemas/TotpUserFactor' - u2f: '#/components/schemas/U2fUserFactor' - web: '#/components/schemas/WebUserFactor' - webauthn: '#/components/schemas/WebAuthnUserFactor' - hotp: '#/components/schemas/CustomHotpUserFactor' + $ref: '#/components/schemas/UserFactorLinks' + UserGetSingleton: + allOf: + - $ref: '#/components/schemas/User' + - type: object + properties: + _embedded: + type: object + description: The embedded resources related 
to the object if the `expand` query parameter is specified + properties: + blocks: + type: array + description: A list of access block details for the user account + items: + $ref: '#/components/schemas/UserBlock' UserIdentifierConditionEvaluatorPattern: - type: object description: Used in the User Identifier Condition object. Specifies the details of the patterns to match against. + type: object properties: matchType: $ref: '#/components/schemas/UserIdentifierMatchType' value: type: string - description: The regex expression of a simple match string + description: The regular expression or simple match string + required: + - matchType + - value UserIdentifierMatchType: - type: string description: The type of pattern. For regex, use `EXPRESSION`. + type: string enum: - CONTAINS - EQUALS 
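Review bot: `UserFactorVerifyResult` lists `CANCELED` under `x-enumDescriptions` but the `enum` directly above has no such value, and the sibling `UserFactorResultType` from the previous hunk spells the same state `CANCELLED` and omits `EXPIRED`, which this enum includes; reconcile the two lists to one spelling and one value set, otherwise SDK generators emit two incompatible result types for the same transaction outcome. Minor: the new `UserFactorYubikeyOtpToken._embedded` has no `readOnly: true`, although the removed block it replaces carried it and `_links` keeps it through `UserFactorLinks`.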
@@ -31538,26 +66986,190 @@ components: - STARTS_WITH - SUFFIX UserIdentifierPolicyRuleCondition: + description: Specifies a user identifier condition to match on + type: object + properties: + attribute: + type: string + description: The name of the profile attribute to match against. Only used when type is `ATTRIBUTE`. + patterns: + type: array + items: + $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' + type: + $ref: '#/components/schemas/UserIdentifierType' + required: + - patterns + - type + UserIdentifierType: + description: What to match against, either user ID or an attribute in the user's Okta profile. + type: string + enum: + - ATTRIBUTE + - IDENTIFIER + UserIdentityProviderLinkRequest: + type: object + properties: + externalId: + type: string + description: Unique IdP-specific identifier for a User + example: '121749775026145' + UserImportRequest: + type: object + properties: + data: + $ref: '#/components/schemas/UserImportRequestData' + eventType: + type: string + description: The type of inline hook. The user import inline hook type is `com.okta.import.transform`. + source: + description: The ID of the user import inline hook + type: string + UserImportRequestData: + type: object + properties: + action: + type: object + description: The object that specifies the default action Okta is set to take + properties: + result: + description: |- + The current default action that results when Okta imports a user. The two possible values are `CREATE_USER` and `LINK_USER`. You + can change the action that is taken by means of the commands object you return. 
+ type: string + enum: + - CREATE_USER + - LINK_USER + x-enumDescriptions: + CREATE_USER: A new Okta user profile is created for the user + LINK_USER: The user is treated as a match for the existing Okta user identified by the value of `data.user.id` + appUser: + type: object + description: The app user profile being imported + properties: + profile: + type: object + description: |- + Provides the name-value pairs of the attributes contained in the app user profile of the user who is being imported. You can change + the values of attributes in the user's app profile by means of the `commands` object you return. If you change attributes in the app + profile, they then flow through to the Okta user profile, based on matching and mapping rules. + additionalProperties: + type: string + context: + type: object + properties: + conflicts: + description: An array of user profile attributes that are in conflict + type: array + items: + additionalProperties: true + type: string + application: + type: object + description: Details of the app from which the user is being imported + properties: + name: + type: string + description: The app name + id: + type: string + description: The app ID + label: + type: string + description: The user-defined display name for the app + status: + type: string + description: The status of the app + enum: + - ACTIVE + - INACTIVE + job: + type: object + description: The details of the running import job + properties: + id: + type: string + description: The ID number of the import job + type: + type: string + description: The type of import job + matches: + type: array + description: The list of Okta users currently matched to the app user based on import matching. There can be more than one match. 
+ items: + additionalProperties: true + type: string + policy: + type: array + description: The list of any policies that apply to the import matching + items: + additionalProperties: true + type: string + user: + type: object + description: |- + Provides information on the Okta user profile currently set to be used for the user who is being imported, based on the matching + rules and attribute mappings that were applied. + properties: + profile: + description: |- + The `data.user.profile` contains the name-value pairs of the attributes in the user profile. If the user has been matched to an existing + Okta user, a `data.user.id` object is included, containing the unique identifier of the Okta user profile. + + You can change the values of the attributes by means of the `commands` object you return. + type: object + additionalProperties: + type: string + UserImportRequestExecute: + description: User import inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/UserImportRequest' + UserImportResponse: type: object properties: - attribute: - type: string - patterns: + commands: + description: |- + The `commands` object is where you can provide commands to Okta. It is an array that allows you to send multiple commands. + Each array element needs to consist of a type-value pair. type: array items: - $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' - type: - $ref: '#/components/schemas/UserIdentifierType' - UserIdentifierType: - type: string - enum: - - ATTRIBUTE - - IDENTIFIER - UserIdentityProviderLinkRequest: - type: object - properties: - externalId: - type: string + type: object + properties: + type: + description: |- + The command types supported for the import inline hook. + When using the `com.okta.action.update` command to specify that the user should be treated as a match, you need to also provide a `com.okta.user.update` command that sets the ID of the Okta user. 
+ type: string + enum: + - com.okta.appUser.profile.update + - com.okta.user.profile.update + - com.okta.action.update + - com.okta.user.update + x-enumDescriptions: + com.okta.appUser.profile.update: Change values of attributes in the user's app user profile + com.okta.user.profile.update: Change values of attributes in the user's Okta user profile + com.okta.action.update: Specify whether to create a new Okta user for the user being imported or treat them as a match of an existing Okta user + com.okta.user.update: Specify the existing Okta user that the imported user should be treated as a match of. + value: + description: |- + The `value` object is the parameter to pass to the command. In the case of the `com.okta.appUser.profile.update` and `com.okta.user.profile.update` commands, + the parameter should be a list of one or more profile attributes and the values you wish to set them to. In the case of the `com.okta.action.update` command, + the parameter should be a `result` property set to either `CREATE_USER` or `LINK_USER`. + type: object + additionalProperties: + type: string + error: + description: |- + An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log. + The string supplied in the `errorSummary` property is recorded in the System Log event. + + >**Note:** If a response to an import inline hook request is not received from your external service within three seconds, a timeout occurs. In this scenario, the Okta import process continues and the user is created. + type: object + properties: + errorSummary: + description: A human-readable summary of the error + type: string UserLifecycleAttributePolicyRuleCondition: type: object properties: 
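Review bot: In `UserImportRequestData`, `context.conflicts.items`, `context.matches.items` and `context.policy.items` are declared `type: string` together with `additionalProperties: true`; `additionalProperties` only applies to objects, and the descriptions ("list of Okta users currently matched", "policies that apply to the import matching") describe objects, so these should be `type: object` with `additionalProperties: true`, or the keyword should go. Also `UserImportRequest.eventType` is a free string although the description fixes it to `com.okta.import.transform`; an `enum` with that single value lets validators reject mis-routed hook payloads, which matters for a hook whose `commands` can direct Okta to `LINK_USER` an imported account to an existing Okta user.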
@@ -31571,21 +67183,25 @@ components: preventBruteForceLockoutFromUnknownDevices: type: boolean description: Prevents brute-force lockout from unknown devices for the password authenticator. + default: false UserNextLogin: type: string enum: - changePassword UserPolicyRuleCondition: + description: Specifies a set of Users to be included or excluded type: object properties: exclude: type: array + description: Users to be excluded items: type: string inactivity: $ref: '#/components/schemas/InactivityPolicyRuleCondition' include: type: array + description: Users to be included items: type: string lifecycleExpiration: 
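Review bot: `preventBruteForceLockoutFromUnknownDevices` now documents `default: false`, so the unchanged description should say that the protection is off unless explicitly enabled, for example "Prevents brute-force lockout from unknown devices for the password authenticator. Disabled by default." Minor: `UserNextLogin` still has no `description`, unlike the other schemas touched in this change.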
@@ -31595,128 +67211,293 @@ components: userLifecycleAttribute: $ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition' UserProfile: - additionalProperties: true # TODO: revisit + additionalProperties: true + description: |- + Specifies the default and custom profile properties for a user. + + The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). + + The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. + + You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. + You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. + + Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. type: object properties: city: type: string + description: The city or locality of the user's address (`locality`) maxLength: 128 nullable: true costCenter: type: string + description: Name of the cost center assigned to a user + nullable: true countryCode: + description: The country name component of the user's address (`country`). 
For validation, see [ISO 3166-1 alpha 2 "short" code format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166). type: string maxLength: 2 nullable: true department: type: string + description: Name of the user's department displayName: type: string + description: Name of the user suitable for display to end users + nullable: true division: type: string + description: Name of the user's division + nullable: true email: type: string + description: The primary email address of the user. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). format: email minLength: 5 maxLength: 100 employeeNumber: + description: The organization or company assigned unique identifier for the user type: string firstName: type: string + description: Given name of the user (`givenName`) minLength: 1 maxLength: 50 nullable: true honorificPrefix: type: string + description: Honorific prefix(es) of the user, or title in most Western languages + nullable: true honorificSuffix: type: string + description: Honorific suffix(es) of the user + nullable: true lastName: type: string + description: The family name of the user (`familyName`) minLength: 1 maxLength: 50 nullable: true locale: - $ref: '#/components/schemas/Language' + type: string + description: |- + The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. + A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example, en_US specifies the language English and country US. This value is `en_US` by default. login: type: string - maxLength: 100 + description: |- + The unique identifier for the user (`username`). For validation, see [Login pattern validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). 
+ + Every user within your Okta org must have a unique identifier for a login. This constraint applies to all users you import from other systems or applications such as Active Directory. Your organization is the top-level namespace to mix and match logins from all your connected applications or directories. Careful consideration of naming conventions for your login identifier will make it easier to onboard new applications in the future. + + Logins are not considered unique if they differ only in case and/or diacritical marks. If one of your users has a login of Isaac.Brock@example.com, there cannot be another user whose login is isaac.brock@example.com, nor isáàc.bröck@example.com. + + Okta has a default ambiguous name resolution policy for usernames that include @-signs. (By default, usernames must be formatted as email addresses and thus always include @-signs. You can remove that restriction using either the Admin Console or the Schemas API (opens new window).) Users can sign in with their non-qualified short name (for example: isaac.brock with username isaac.brock@example.com) as long as the short name is still unique within the organization. 
+ maxLength: 100 + minLength: 5 manager: type: string + description: The `displayName` of the user's manager + nullable: true managerId: type: string + description: The `id` of the user's manager + nullable: true middleName: type: string + description: The middle name of the user + nullable: true mobilePhone: type: string + description: The mobile phone number of the user maxLength: 100 + minLength: 0 nullable: true nickName: type: string + description: The casual way to address the user in real life + nullable: true organization: type: string + description: Name of the the user's organization + nullable: true postalAddress: type: string + description: Mailing address component of the user's address maxLength: 4096 nullable: true preferredLanguage: type: string + description: The user's preferred written or spoken language. For validation, see [RFC 7231 Section 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5). + nullable: true primaryPhone: type: string + description: The primary phone number of the user such as a home number maxLength: 100 + minLength: 0 nullable: true profileUrl: type: string + description: The URL of the user's online profile. For example, a web page. See [URL](https://datatracker.ietf.org/doc/html/rfc1808). + nullable: true secondEmail: type: string format: email + description: The secondary email address of the user typically used for account recovery. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
minLength: 5 maxLength: 100 nullable: true state: type: string + description: The state or region component of the user's address (`region`) maxLength: 128 nullable: true streetAddress: type: string + description: The full street address component of the user's address maxLength: 1024 nullable: true timezone: type: string + description: The user's time zone + nullable: true title: type: string + description: The user's title, such as Vice President + nullable: true userType: type: string + description: The property used to describe the organization-to-user relationship, such as employee or contractor + nullable: true zipCode: type: string + description: The ZIP code or postal code component of the user's address (`postalCode`) maxLength: 50 nullable: true + UserProvisioningApplicationFeature: + allOf: + - $ref: '#/components/schemas/ApplicationFeature' + - type: object + - properties: + capabilities: + $ref: '#/components/schemas/CapabilitiesObject' + UserResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + title: + type: string + description: Link name + example: SAML Jackson + UserRiskGetResponse: + type: object + properties: + riskLevel: + $ref: '#/components/schemas/UserRiskLevelAll' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUserRef' + discriminator: + propertyName: riskLevel + mapping: + HIGH: '#/components/schemas/UserRiskLevelExists' + MEDIUM: '#/components/schemas/UserRiskLevelExists' + LOW: '#/components/schemas/UserRiskLevelExists' + NONE: '#/components/schemas/UserRiskLevelNone' + UserRiskLevelAll: + description: The risk level associated with the user + type: string + enum: + - HIGH + - LOW + - MEDIUM + - NONE + UserRiskLevelExists: + allOf: + - $ref: '#/components/schemas/UserRiskGetResponse' + - type: object + properties: + reason: + $ref: '#/components/schemas/UserRiskReason' + 
UserRiskLevelNone: + allOf: + - $ref: '#/components/schemas/UserRiskGetResponse' + UserRiskLevelPut: + description: The risk level associated with the user + type: string + enum: + - HIGH + - LOW + UserRiskPutResponse: + type: object + properties: + reason: + $ref: '#/components/schemas/UserRiskReason' + riskLevel: + $ref: '#/components/schemas/UserRiskLevelPut' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUserRef' + UserRiskReason: + description: Describes the risk level for the user + example: Admin override risk + type: string + UserRiskRequest: + type: object + properties: + riskLevel: + type: string + description: The risk level associated with the user + enum: + - HIGH + - LOW UserSchema: type: object properties: $schema: type: string readOnly: true + description: JSON Schema version identifier created: type: string readOnly: true + description: Timestamp when the Schema was created definitions: - $ref: '#/components/schemas/UserSchemaDefinitions' + allOf: + - $ref: '#/components/schemas/UserSchemaDefinitions' + description: |- + User Profile subschemas + + The Profile object for a User is defined by a composite Schema of base and custom properties using a JSON path to reference subschemas. The `#base` properties are defined and versioned by Okta, while `#custom` properties are extensible. Custom property names for the Profile object must be unique and can't conflict with a property name defined in the `#base` subschema. 
id: type: string readOnly: true + description: URI of User Schema lastUpdated: type: string readOnly: true + description: Timestamp when the Schema was last updated name: type: string readOnly: true + description: Name of the Schema properties: - $ref: '#/components/schemas/UserSchemaProperties' + allOf: + - $ref: '#/components/schemas/UserSchemaProperties' + description: User Object Properties title: type: string + description: User-defined display name for the Schema type: type: string readOnly: true + description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) _links: $ref: '#/components/schemas/LinksSelf' UserSchemaAttribute: 
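Review bot: the new `minLength: 5` on `UserProfile.login` contradicts the login-pattern text this same patch adds to `UserSchemaBase.login`, which says that with a pattern of `".+"` "the minimum length of five isn't enforced"; either drop the hard-coded minimum or qualify the description, otherwise generated clients will reject short logins that an org's configured pattern permits. Two smaller points in the same hunk: `locale` moves from `$ref: '#/components/schemas/Language'` to a bare `type: string` and the description says it is `en_US` by default without a `default:` key, so the previous validation is lost with nothing replacing it; and the descriptions carry a doubled word ("Name of the the user's organization") and rendered-docs residue ("Schemas API (opens new window)") that should be a proper link. The `minLength: 0` added to `mobilePhone` and `primaryPhone` is a no-op for strings and can go.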
@@ -31724,48 +67505,107 @@ components: properties: description: type: string + description: Description of the property enum: type: array + nullable: true + description: |- + Enumerated value of the property. + + The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. items: - type: string + anyOf: + - type: string + - type: integer externalName: type: string + description: |- + Name of the property as it exists in an external application + + **NOTE**: When you add a custom property, only Identity Provider app user schemas require `externalName` to be + included in the request body. If an existing custom Identity Provider app user schema property has an empty + `externalName`, requests aren't allowed to update other properties until the `externalName` is defined. externalNamespace: type: string - items: - $ref: '#/components/schemas/UserSchemaAttributeItems' + description: Namespace from the external application + format: + description: Identifies the type of data represented by the string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeFormat' master: - $ref: '#/components/schemas/UserSchemaAttributeMaster' + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMaster' + description: Identifies where the property is mastered maxLength: type: integer + description: Maximum character length of a string property nullable: true minLength: type: integer + description: Minimum character length of a string property nullable: true mutability: - type: string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' + description: Defines the mutability of the property oneOf: type: array + nullable: true + description: |- + Non-empty array of valid JSON schemas. + + Okta only supports `oneOf` for specifying display names for an `enum`. 
Each schema has the following format: + + ``` + { + "const": "enumValue", + "title": "display name" + } + ```json + + When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order. + + ``` + {"enum": ["S","M","L","XL"], + "oneOf": [ + {"const": "S", "title": "Small"}, + {"const": "M", "title": "Medium"}, + {"const": "L", "title": "Large"}, + {"const": "XL", "title": "Extra Large"} + ] + } + ```json + + The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value. items: $ref: '#/components/schemas/UserSchemaAttributeEnum' pattern: type: string + description: For `string` property types, specifies the regular expression used to validate the property permissions: type: array + nullable: true + description: Access control permissions for the property items: $ref: '#/components/schemas/UserSchemaAttributePermission' required: type: boolean + nullable: true + description: Determines whether the property is required scope: $ref: '#/components/schemas/UserSchemaAttributeScope' title: type: string + minLength: 1 + description: User-defined display name for the property type: - $ref: '#/components/schemas/UserSchemaAttributeType' - union: - $ref: '#/components/schemas/UserSchemaAttributeUnion' + description: Type of property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' unique: - type: string + description: Determines whether property values must be unique + type: boolean + nullable: true x-okta-allow-null-property-value-for-updates: true UserSchemaAttributeEnum: type: object @@ -31774,6 +67614,19 @@ components: type: string title: type: string + UserSchemaAttributeFormat: + type: string + enum: + - country-code + - date-time + - email + - encrypted + - hashed + - language-code + - locale + - ref-id + - timezone + - uri UserSchemaAttributeItems: type: object properties: 
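Review bot: the `oneOf` description puts the language tag on the closing fence (an opening ``` followed by a closing ```json, twice), so neither snippet renders as a JSON block; move `json` to the opening fence. Also, removing `items: $ref: '#/components/schemas/UserSchemaAttributeItems'` from `UserSchemaAttribute` leaves no way for an array-typed property to declare its element type (if `UserSchemaAttributeType` still allows arrays), while the `UserSchemaAttributeItems` schema is kept at the end of the hunk; either restore the property or remove the now-orphaned schema. Changing `unique` from `type: string` to `type: boolean` and dropping `union` are breaking for generated clients and belong in the changelog.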
@@ -31788,6 +67641,7 @@ components: type: type: string UserSchemaAttributeMaster: + nullable: true type: object properties: priority: @@ -31809,13 +67663,22 @@ components: - OKTA - OVERRIDE - PROFILE_MASTER + UserSchemaAttributeMutabilityString: + type: string + enum: + - IMMUTABLE + - READ_ONLY + - READ_WRITE + - WRITE_ONLY UserSchemaAttributePermission: type: object properties: action: type: string + description: Determines whether the principal can view or modify the property principal: type: string + description: Security principal UserSchemaAttributeScope: type: string enum: 
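Review bot: `action` and `principal` on `UserSchemaAttributePermission` remain free-form strings with one-line descriptions ("Security principal"), whereas the same hunk enumerates `UserSchemaAttributeMutabilityString`; if the accepted permission values are a fixed set, enumerate them the same way so a client can't send an unknown action that is silently ignored rather than rejected. Marking `UserSchemaAttributeMaster` `nullable: true` is fine, but the description should state what a null master means for the property.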
@@ -31829,89 +67692,169 @@ components: - integer - number - string - UserSchemaAttributeUnion: - type: string - enum: - - DISABLE - - ENABLE UserSchemaBase: + description: |- + All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. You can't modify these properties, except to update permissions, to change the nullability of `firstName` and `lastName`, or to specify a pattern for `login`. They can't be removed. + + The base User Profile is based on the [System for Cross-domain Identity Management: Core Schema](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#section-4.1.1) and has the standard properties detailed below. type: object properties: id: type: string + description: The subschema name + readOnly: true properties: - $ref: '#/components/schemas/UserSchemaBaseProperties' + description: The `#base` object properties + allOf: + - $ref: '#/components/schemas/UserSchemaBaseProperties' required: type: array + description: A collection indicating required property names + readOnly: true items: type: string type: type: string + description: The object type + readOnly: true UserSchemaBaseProperties: type: object properties: city: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: City or locality component of the User's address (`locality`) costCenter: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of a cost center assigned to the User countryCode: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Country name component of the User's address (`country`.) This property uses [ISO 3166-1 alpha 2 "short" code format](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). 
department: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's department displayName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User, suitable for display to end Users division: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's division email: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Primary email address of the User. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). employeeNumber: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Organization or company assigned unique identifier for the User firstName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Given name of the User (`givenName`) honorificPrefix: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Honorific prefix(es) of the User or title in most Western languages honorificSuffix: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Honorific suffix(es) of the User lastName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Family name of the User (`familyName`) locale: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + User's default location for purposes of localizing items such as currency, date 
time format, numerical representations, and so on. + + A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example: `en_US` specifies the language English and country US. This value is `en_US` by default. login: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + Unique identifier for the User (`username`) + + The login property is validated according to its pattern attribute, which is a string. By default, the attribute is null. When the attribute is null, the username is required to be formatted as an email address as defined by [RFC 6531 Section 3.3](http://tools.ietf.org/html/rfc6531#section-3.3). The pattern can be set through the API to one of the following forms. (The Admin Console provides access to the same forms.) + * A login pattern of `".+"` indicates that there is no restriction on usernames. Any non-empty, unique value is permitted, and the minimum length of five isn't enforced. In this case, usernames don't need to include the `@` character. If a name does include `@`, the portion ahead of the `@` can be used for logging in, provided it identifies a unique User within the org. + * A login pattern of the form `"[...]+"` indicates that usernames must only contain characters from the set given between the brackets. The enclosing brackets and final `+` are required for this form. Character ranges can be indicated using hyphens. To include the hyphen itself in the allowed set, the hyphen must appear first. Any characters in the set except the hyphen, a-z, A-Z, and 0-9 must be preceded by a backslash (`\`). For example, `"[a-z13579\.]+"` would restrict usernames to lowercase letters, odd digits, and periods, while `"[-a-zA-Z0-9]+"` would allow basic alphanumeric characters and hyphens. 
manager: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: The `displayName` of the User's manager managerId: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: The `id` of the User's manager middleName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Middle name(s) of the User mobilePhone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Mobile phone number of the User nickName: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Casual way to address the User in real life organization: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the User's organization postalAddress: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Mailing address component of the User's address preferredLanguage: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's preferred written or spoken languages. This property is formatted according to [RFC 7231 Section 5.3.5](https://tools.ietf.org/html/rfc7231#section-5.3.5). primaryPhone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Primary phone number of the User, such as home number profileUrl: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: URL of the User's online Profile (for example, a web page.) 
This property is formatted according to the [Relative Uniform Resource Locators specification](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). secondEmail: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Secondary email address of the User typically used for account recovery. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). state: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: State or region component of the User's address (`region`) streetAddress: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Full street address component of the User's address timezone: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's time zone. This property is formatted according to the [IANA Time Zone database format](https://tools.ietf.org/html/rfc6557). title: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's title, such as "Vice President" userType: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: |- + Used to describe the organization to the User relationship such as "Employee" or "Contractor". + + **Note:** The `userType` field is an arbitrary string value and isn't related to the newer [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature. 
zipCode: - $ref: '#/components/schemas/UserSchemaAttribute' + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: ZIP code or postal code component of the User's address (`postalCode`) UserSchemaDefinitions: type: object properties: @@ -31937,21 +67880,33 @@ components: $ref: type: string UserSchemaPublic: + description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom` type: object properties: id: type: string + description: The subschema name + readOnly: true properties: type: object + description: The `#custom` object properties additionalProperties: $ref: '#/components/schemas/UserSchemaAttribute' required: type: array + description: A collection indicating required property names + readOnly: true items: type: string type: type: string + description: The object type + readOnly: true UserStatus: + description: |- + The current status of the user. + + The status of a user changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the user to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user. type: string enum: - ACTIVE @@ -31962,6 +67917,7 @@ components: - RECOVERY - STAGED - SUSPENDED + readOnly: true UserStatusPolicyRuleCondition: type: object properties: @@ -31992,7 +67948,7 @@ components: id: type: string description: The unique key for the User Type - readOnly: false # This should be editable since it's being used by other models that updates the user type + readOnly: true lastUpdated: type: string format: date-time 
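Review bot: flipping `UserType.id` from `readOnly: false` to `readOnly: true` discards the justification in the removed line ("This should be editable since it's being used by other models that updates the user type"); if other request models still embed a `UserType` whose `id` must be sent, read-only will make generated clients omit it. Please confirm those consumers before merging, or flag the change as breaking. In the `UserSchemaBase` hunk, `profileUrl` says it follows the Relative Uniform Resource Locators specification but links to the ISO 3166 anchor of the SCIM draft; `UserProfile.profileUrl` in this same patch links to RFC 1808, which is the intended target. Minor: "(`country`.)" should be "(`country`)." and the RFC 6531 link uses plain `http`.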
@@ -32004,24 +67960,28 @@ components: readOnly: true name: type: string - description: |- - The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. - This value becomes read-only after creation and can't be updated. + description: The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. This value becomes read-only after creation and can't be updated. _links: $ref: '#/components/schemas/UserTypeLinks' required: - name - displayName UserTypeCondition: + description: <x-lifecycle class="oie"></x-lifecycle> Specifies which User Types to include and/or exclude properties: exclude: items: type: string type: array + description: The User Types to exclude include: items: type: string type: array + description: The User Types to include + required: + - exclude + - include UserTypeLinks: allOf: - $ref: '#/components/schemas/LinksSelf' 
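Review bot: `UserTypeCondition` now declares `required: - exclude - include` but still has no `type: object`; add it, and confirm that callers really must send both arrays, since a rule that only includes types now has to send `exclude: []`. The `<x-lifecycle class="oie"></x-lifecycle>` marker at the start of the description is raw HTML that any renderer unaware of the vendor tag will show verbatim; an `x-` vendor extension next to the description would be safer.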
@@ -32057,159 +68017,136 @@ components: - displayName - description UserVerificationEnum: - description: User verification setting + description: User verification setting. Possible values `DISCOURAGED` (the authenticator isn't asked to perform user verification, but may do so at its discretion), `PREFERRED` (the client uses an authenticator capable of user verification if possible), or `REQUIRED`(the client uses only an authenticator capable of user verification) type: string enum: - DISCOURAGED - PREFERRED - REQUIRED + UsersLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Application Users](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) resource VerificationMethod: + description: |- + Describes the method for verifying the user. The supported method types are `ASSURANCE` and `AUTH_METHOD_CHAIN`. + + <x-lifecycle class="ea"></x-lifecycle> The method type `AUTH_METHOD_CHAIN` is an [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) (Self-Service) feature. You can + enable the feature for your org from the **Settings** > **Features** page in the Admin Console. 
type: object properties: - constraints: - items: - $ref: '#/components/schemas/AccessPolicyConstraints' - type: array - factorMode: - type: string - reauthenticateIn: - type: string type: - type: string - VerifyFactorRequest: - type: object - properties: - activationToken: - type: string - answer: - type: string - attestation: - type: string - clientData: - type: string - nextPassCode: - type: string - passCode: - type: string - registrationData: - type: string - stateToken: - type: string - authenticatorData: - type: string - signatureData: - type: string - VerifyUserFactorResponseLinks: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObjectSelfLink' - poll: - $ref: '#/components/schemas/HrefObject' - cancel: - $ref: '#/components/schemas/HrefObject' - VerifyUserFactorResponse: - type: object - additionalProperties: true - properties: - expiresAt: - type: string - format: date-time - readOnly: true - factorResult: - $ref: '#/components/schemas/VerifyUserFactorResult' - factorResultMessage: - type: string - _embedded: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - _links: - $ref: '#/components/schemas/VerifyUserFactorResponseLinks' - VerifyUserFactorResult: - type: string - enum: - - CHALLENGE - - ERROR - - EXPIRED - - FAILED - - PASSCODE_REPLAYED - - REJECTED - - SUCCESS - - TIMEOUT - - TIME_WINDOW_EXCEEDED - - WAITING + $ref: '#/components/schemas/PolicyRuleVerificationMethodType' + discriminator: + propertyName: type + mapping: + ASSURANCE: '#/components/schemas/AssuranceMethod' + AUTH_METHOD_CHAIN: '#/components/schemas/AuthenticationMethodChainMethod' Version: description: The version specified as a [Semantic Version](https://semver.org/). 
type: string pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ WebAuthnAttachment: + description: Method attachment type: string enum: - ANY - BUILT_IN - ROAMING - WebAuthnUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/WebAuthnUserFactorProfile' - WebAuthnUserFactorProfile: + WebAuthnCredRequest: + description: Credential request object for the initialized credential, along with the enrollment and key identifiers to associate with the credential type: object properties: - authenticatorName: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta type: string - credentialId: + credRequestJwe: + description: Encrypted JWE of credential request for the fulfillment provider type: string - WebUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/WebUserFactorProfile' - WebUserFactorProfile: + keyId: + description: ID for the Okta response key-pair used to encrypt and decrypt credential requests and responses + type: string + WebAuthnCredResponse: + description: Credential response object for enrolled credential details, along with enrollment and key identifiers to associate the credential type: object properties: - credentialId: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta + type: string + credResponseJWE: + description: Encrypted JWE of credential response from the fulfillment provider + type: string + WebAuthnPreregistrationFactor: + description: User Factor variant used for WebAuthn Preregistration Factors + type: object + properties: + created: + description: Timestamp indicating when the Factor was enrolled + type: string + format: date-time + readOnly: true + factorType: + 
$ref: '#/components/schemas/UserFactorType' + id: + description: ID of the Factor + type: string + readOnly: true + lastUpdated: + description: Timestamp indicating when the Factor was last updated + type: string + format: date-time + readOnly: true + profile: + type: object + description: Specific attributes related to the Factor + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider. type: string + example: OKTA + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' WellKnownAppAuthenticatorConfiguration: type: object properties: appAuthenticatorEnrollEndpoint: type: string + description: The authenticator enrollment endpoint authenticatorId: type: string description: The unique identifier of the app authenticator createdDate: type: string + description: Timestamp when the Authenticator was created format: date-time key: - type: string + $ref: '#/components/schemas/AuthenticatorKeyEnum' lastUpdated: type: string + description: Timestamp when the Authenticator was last modified format: date-time name: type: string description: The authenticator display name orgId: type: string + description: The `id` of the Okta Org settings: type: object properties: userVerification: - type: string - $ref: '#/components/schemas/UserVerificationEnum' + $ref: '#/components/schemas/CustomAppUserVerificationEnum' supportedMethods: type: array items: $ref: '#/components/schemas/SupportedMethods' type: type: string + description: The type of Authenticator enum: - app WellKnownOrgMetadata: 
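Review bot: `VerificationMethod` gains a `discriminator` on `type`, but `type` is not listed under `required`; OpenAPI 3.0 requires the discriminator property to be required, and generated deserializers can fail on payloads that omit it. Add `required: - type`. The property names `credRequestJwe` (WebAuthnCredRequest) and `credResponseJWE` (WebAuthnCredResponse) differ in casing; if both are the real wire names that is fine, otherwise one is a typo that will ship in every SDK. The removal of `VerifyFactorRequest`, `VerifyUserFactorResponse`, `VerifyUserFactorResponseLinks` and `VerifyUserFactorResult` is a large breaking deletion with no replacement visible in this hunk; the changelog should point to where factor verification now lives.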
@@ -32239,6 +68176,40 @@ components: omEnabled: type: boolean description: Whether the legacy Okta Mobile application is enabled for the org + WellKnownSSFMetadata: + title: Shared Signals Framework Metadata + description: Metadata about Okta as a transmitter and relevant information for configuration. + type: object + properties: + configuration_endpoint: + type: string + format: uri + description: The URL of the SSF Stream configuration endpoint + example: https://{yourOktaDomain}/api/v1/ssf/stream + delivery_methods_supported: + type: array + items: + type: string + format: uri + description: An array of supported SET delivery methods + example: + - https://schemas.openid.net/secevent/risc/delivery-method/push + - urn:ietf:rfc:8935 + issuer: + type: string + description: The issuer used in Security Event Tokens. This value is set as `iss` in the claim. + example: https://{yourOktaDomain} + jwks_uri: + type: string + description: The URL of the JSON Web Key Set (JWKS) that contains the signing keys for validating the signatures of Security Event Tokens (SETs) + format: uri + example: https://{yourOktaDomain}/oauth2/v1/keys + WidgetGeneration: + description: The generation of the Sign-in Widget + type: string + enum: + - G2 + - G3 WsFederationApplication: x-okta-defined-as: name: template_wsfed @@ -32250,9 +68221,14 @@ components: $ref: '#/components/schemas/ApplicationCredentials' name: type: string - default: template_wsfed + description: '`template_wsfed` is the key name for a WS-Federated app instance with a SAML 2.0 token' + enum: + - template_wsfed settings: $ref: '#/components/schemas/WsFederationApplicationSettings' + required: + - name + - settings WsFederationApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' 
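Review bot: `WellKnownSSFMetadata` has no `required` list. A receiver that validates Security Event Tokens needs `issuer` (to check `iss`) and `jwks_uri` (to fetch the signing keys) to be guaranteed present, so mark at least those two, and preferably `configuration_endpoint` and `delivery_methods_supported` as well, as required. `delivery_methods_supported` items carry `format: uri` while the example lists `urn:ietf:rfc:8935`; a URN is a valid URI, but the description should say that both URL and URN forms are returned so clients don't assume a fetchable URL. In the WsFederationApplication hunk, replacing `default: template_wsfed` with `enum: - template_wsfed` plus `required: - name - settings` is a good tightening.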
@@ -32265,28 +68241,221 @@ components: properties: attributeStatements: type: string + description: You can federate user attributes such as Okta profile fields, LDAP, Active Directory, and Workday values. The SP uses the federated WS-Fed attribute values accordingly. audienceRestriction: type: string + description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP. authnContextClassRef: type: string + description: Identifies the SAML authentication context class for the assertion's authentication statement groupFilter: type: string + description: A regular expression that filters for the User Groups you want included with the `groupName` attribute. If the matching User Group has a corresponding AD group, then the attribute statement includes the value of the attribute specified by `groupValueFormat`. If the matching User Group doesn't contain a corresponding AD group, then the `groupName` is used in the attribute statement. groupName: type: string + description: The group name to include in the WS-Fed response attribute statement. This property is used in conjunction with the `groupFilter` property. Groups that are filtered through the `groupFilter` expression are included with the `groupName` in the attribute statement. Any users that belong to the group you've filtered are included in the WS-Fed response attribute statement. groupValueFormat: type: string + description: Specifies the WS-Fed assertion attribute value for filtered groups. This attribute is only applied to Active Directory groups. + enum: + - windowsDomainQualifiedName + - samAccountName + - dn nameIDFormat: type: string + description: The username format that you send in the WS-Fed response realm: type: string + description: The uniform resource identifier (URI) of the WS-Fed app that's used to share resources securely within a domain. It's the identity that's sent to the Okta IdP when signing in. 
See [Realm name](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_Configure_Okta_Template_WS_Federation#Realm). siteURL: type: string + description: Launch URL for the web app usernameAttribute: type: string + description: Specifies additional username attribute statements to include in the WS-Fed assertion + enum: + - username + - upn + - upnAndUsername + - none wReplyOverride: type: boolean + description: Enables a web app to override the `wReplyURL` URL with a reply parameter. wReplyURL: type: string + description: The WS-Fed SP endpoint where your users sign in + example: http://test.acme.com/example-post-sign/ + required: + - audienceRestriction + - groupValueFormat + - wReplyURL + - nameIDFormat + - authnContextClassRef + - siteURL + - usernameAttribute + X5c: + description: Base64-encoded X.509 certificate chain with DER encoding + items: + type: string + example: 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 + type: array + ZoomUsApplication: + title: Zoom + x-tags: + - Application + x-okta-defined-as: + name: zoomus + example: + name: zoomus + label: Sample Zoom App + signOnMode: SAML_2_0 + settings: + app: + subDomain: my-zoom-subdomain + description: | + Schema for the Zoom app (key name: `zoomus`) + + To create a Zoom app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Zoom app only supports `SAML_2_0` sign-on mode. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - zoomus + example: zoomus + signOnMode: + enum: + - SAML_2_0 + settings: + $ref: '#/components/schemas/ZoomUsApplicationSettings' + ZoomUsApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/ZoomUsApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + ZoomUsApplicationSettingsApplication: + description: Zoom app instance properties + type: object + properties: + subDomain: + type: string + description: Your Zoom subdomain + required: + - subDomain + ZscalerbyzApplication: + title: Zscaler 2.0 + x-tags: + - Application + x-okta-defined-as: + name: zscalerbyz + example: + name: zscalerbyz + label: Sample Zscaler 2.0 App + signOnMode: SAML_2_0 + description: | + Schema for the Zscaler 2.0 app (key name: `zscalerbyz`) + + To create a Zscaler 2.0 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. + > **Note:** The Zscaler 2.0 app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. 
+ allOf: + - $ref: '#/components/schemas/OINApplication' + - type: object + - required: + - name + - label + - settings + properties: + name: + type: string + enum: + - zscalerbyz + example: zscalerbyz + signOnMode: + enum: + - BROWSER_PLUGIN + - SAML_2_0 + settings: + $ref: '#/components/schemas/ZscalerbyzApplicationSettings' + ZscalerbyzApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/ZscalerbyzApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' + ZscalerbyzApplicationSettingsApplication: + description: Zscaler app instance properties + type: object + properties: + siteDomain: + type: string + description: Your Zscaler domain + _embedded: + description: The Public Key Details are defined in the `_embedded` property of the Key object. + type: object + properties: + alg: + description: Algorithm used in the key + type: string + nullable: false + readOnly: true + e: + description: RSA key value (exponent) for key binding + type: string + nullable: false + readOnly: true + kid: + description: Unique identifier for the certificate + type: string + uniqueItems: true + nullable: false + readOnly: true + kty: + description: Cryptographic algorithm family for the certificate's keypair + type: string + nullable: false + readOnly: true + 'n': + description: RSA key value (modulus) for key binding + type: string + nullable: false + readOnly: true + use: + description: Acceptable use of the certificate + type: string + nullable: true + readOnly: true + appLink: + type: object + properties: + login: + $ref: '#/components/schemas/HrefObjectAppLink' + logo: + $ref: '#/components/schemas/HrefObjectLogoLink' + readOnly: true + createdProperty: + description: Timestamp when the object was created + format: date-time + example: '2017-03-28T01:11:10.000Z' + type: string + readOnly: true enabledPagesType: 
title: enabledPages type: string 
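Review bot: In `WsFederationApplicationSettings`, the `wReplyOverride` description ("Enables a web app to override the `wReplyURL` URL with a reply parameter") leaves out the security consequence: with the override on, the `wreply` parameter of the sign-in request decides where the signed token is posted, so the description should say what, if anything, the override value is checked against before the token is sent, and warn that enabling it widens where tokens can land. Related, the `wReplyURL` example `http://test.acme.com/example-post-sign/` is a plaintext endpoint for the token; make it `https://`. Further down, `kid` carries `uniqueItems: true` on a `type: string`; that keyword only applies to arrays and should be removed, and the `_embedded` key properties (`kty`, `kid`, `use`, `n`, `e`) are JWK members yet are described as certificate attributes ("Unique identifier for the certificate", "Cryptographic algorithm family for the certificate's keypair"); align the wording with RFC 7517 (key ID, key type, public key use) so readers do not expect certificate fields. Finally, `ZoomUsApplicationSettingsApplication` requires `subDomain` but `ZscalerbyzApplicationSettingsApplication` does not require `siteDomain`; confirm that asymmetry is intended.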
@@ -32298,6 +68467,70 @@ components: SIGN_IN: User sign-in page SSPR: Self-service Password Recovery page SSR: Self-service Registration page + lastUpdatedProperty: + format: date-time + description: Timestamp when the object was last updated + type: string + readOnly: true + orgBillingContactType: + description: Org billing contact + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org billing Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + billing: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org billing [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource + orgGeneralSettingLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + type: object + properties: + contacts: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Contacts](/openapi/okta-management/management/tag/OrgSettingContact/) resource + logo: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org logo + oktaCommunication: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Communication Settings](/openapi/okta-management/management/tag/OrgSettingCommunication/) resource + oktaSupport: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Support Settings](/openapi/okta-management/management/tag/OrgSettingSupport/) resource + preferences: + allOf: 
+ - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Org Preferences](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/getOrgPreferences) resource + uploadLogo: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the [Upload Org Logo](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/uploadOrgLogo) resource + readOnly: true + orgTechnicalContactType: + description: Org technical contact + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + _links: + type: object + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org technical Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification + readOnly: true + properties: + technical: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org technical [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource postAPIServiceIntegrationInstance: allOf: - $ref: '#/components/schemas/APIServiceIntegrationInstance' 
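Review bot: The new schemas `lastUpdatedProperty`, `orgBillingContactType`, `orgGeneralSettingLinks` and `orgTechnicalContactType` (like `createdProperty`, `appLink` and `_embedded` in the hunk above) are the only lowercase keys under `components.schemas` in this file; every other schema is PascalCase, and generated SDKs derive class names from these keys, so rename them to match. `orgBillingContactType` and `orgTechnicalContactType` are identical apart from the single link key (`billing` versus `technical`); if they must stay separate, sharing the `contactType` and `_links` descriptions would keep them from drifting.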
@@ -32324,6 +68557,94 @@ components: required: - type - grantedScopes + profile: + description: Specific profile properties for the privileged account + additionalProperties: + type: object + properties: {} + type: object + readOnly: true + subject: + nullable: false + type: object + properties: + format: + type: string + description: The user identifier + nullable: false + writeOnly: true + enum: + - opaque + id: + type: string + description: ID of the user + writeOnly: true + nullable: false + userLink: + type: object + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + schemas-JsonWebKey: + description: A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta can use these keys to verify the signature of a JWT when provided for the `private_key_jwt` client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys. + type: object + properties: + alg: + $ref: '#/components/schemas/SigningAlgorithm' + kid: + type: string + description: The unique identifier of the key + kty: + $ref: '#/components/schemas/JsonWebKeyType' + status: + $ref: '#/components/schemas/JsonWebKeyStatus' + use: + $ref: '#/components/schemas/JsonWebKeyUse' + discriminator: + propertyName: kty + mapping: + EC: '#/components/schemas/JsonWebKeyEC' + RSA: '#/components/schemas/JsonWebKeyRsa' + JsonWebKeyEC: + allOf: + - $ref: '#/components/schemas/schemas-JsonWebKey' + - type: object + properties: + x: + type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + JsonWebKeyRsa: + allOf: + - $ref: '#/components/schemas/schemas-JsonWebKey' + - type: object + properties: + e: + type: string + description: The key exponent of a RSA key + 'n': + type: string + description: The modulus of the RSA key + JsonWebKeyType: + description: The type of public key + 
type: string + enum: + - EC + - RSA + JsonWebKeyStatus: + description: The status of the public key + type: string + enum: + - ACTIVE + - INACTIVE + JsonWebKeyUse: + description: The intended use of the public key + type: string + enum: + - enc + - sig securitySchemes: apiToken: description: 'Pass the API token as the Authorization header value prefixed with SSWS: `Authorization: SSWS {API Token}`' 
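Review bot: In `subject`, the `format` property is described as "The user identifier" although its enum (`opaque`) is the identifier format and `id` is the identifier; swap the two descriptions. `JsonWebKeyEC` exposes `x` and `y` but no `crv`, and RFC 7518 section 6.2.1 makes `crv` required for an EC public key, so a verifier cannot interpret the point without it; add `crv` and its allowed values to the EC branch. The `profile` schema sets `additionalProperties: {type: object, properties: {}}`, which forces every profile attribute to be an object and rejects string or number values; if profile attributes are free-form, that should be `additionalProperties: true`. The hyphenated name `schemas-JsonWebKey` looks like a generator collision with an existing `JsonWebKey`; give it a distinct PascalCase name before SDKs bake it in.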
@@ -32338,87 +68659,113 @@ components: authorizationUrl: /oauth2/v1/authorize tokenUrl: /oauth2/v1/token scopes: - okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization. - okta.agentPools.read: Allows the app to read agent pools in your Okta organization. - okta.apiTokens.manage: Allows the app to manage API Tokens in your Okta organization. - okta.apiTokens.read: Allows the app to read API Tokens in your Okta organization. - okta.appGrants.manage: Allows the app to create and manage grants in your Okta organization. - okta.appGrants.read: Allows the app to read grants in your Okta organization. - okta.apps.manage: Allows the app to create and manage Apps in your Okta organization. - okta.apps.read: Allows the app to read information about Apps in your Okta organization. - okta.authenticators.manage: Allows the app to manage all authenticators (e.g. enrollments, reset). - okta.authenticators.read: Allows the app to read org authenticators information. - okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization. - okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization. - okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization. - okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization. - okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization. - okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization. - okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization. - okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization. - okta.deviceAssurance.manage: Allows the app to manage device assurances. 
- okta.deviceAssurance.read: Allows the app to read device assurances. - okta.devices.manage: Allows the app to manage device status transitions and delete a device. - okta.devices.read: Allows the app to read the existing device's profile and search devices. - okta.domains.manage: Allows the app to manage custom Domains for your Okta organization. - okta.domains.read: Allows the app to read information about custom Domains for your Okta organization. - okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization. - okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization. - okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization. - okta.emailServers.read: Allows the app to read information about Email Servers for your Okta organization. - okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization. - okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization. - okta.features.manage: Allows the app to create and manage Features in your Okta organization. - okta.features.read: Allows the app to read information about Features in your Okta organization. - okta.groups.manage: Allows the app to manage existing groups in your Okta organization. - okta.groups.read: Allows the app to read information about groups and their members in your Okta organization. 
+ okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization + okta.agentPools.read: Allows the app to read agent pools in your Okta organization + okta.apiTokens.manage: Allows the app to manage API Tokens in your Okta organization + okta.apiTokens.read: Allows the app to read API Tokens in your Okta organization + okta.appGrants.manage: Allows the app to create and manage grants in your Okta organization + okta.appGrants.read: Allows the app to read grants in your Okta organization + okta.apps.manage: Allows the app to create and manage Apps in your Okta organization + okta.apps.read: Allows the app to read information about Apps in your Okta organization + okta.authenticators.manage: Allows the app to manage all authenticators. For example, enrollments or resets. + okta.authenticators.manage.self: Allows the app to manage a user's own authenticators. For example, enrollments or resets. + okta.authenticators.read: Allows the app to read org authenticators information + okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization + okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization + okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization + okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization + okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization + okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization + okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization + okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization + okta.deviceAssurance.manage: Allows the app to manage device assurances + okta.deviceAssurance.read: Allows the app to 
read device assurances + okta.deviceChecks.manage: Allows the app to manage device checks + okta.deviceChecks.read: Allows the app to read device checks + okta.devices.manage: Allows the app to manage device status transitions and delete a device + okta.devices.read: Allows the app to read the existing device's profile and search devices + okta.directories.groups.manage: Allows the app to manage AD/LDAP Groups for your Okta organization + okta.domains.manage: Allows the app to manage custom Domains for your Okta organization + okta.domains.read: Allows the app to read information about custom Domains for your Okta organization + okta.dr.manage: Allows the app to manage disaster recovery + okta.dr.read: Allows the app to read the disaster recovery status + okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization + okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization + okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization + okta.emailServers.read: Allows the app to read information about Email Servers for your Okta organization + okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization + okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization + okta.features.manage: Allows the app to create and manage Features in your Okta organization + okta.features.read: Allows the app to read information about Features in your Okta organization + okta.groups.manage: Allows the app to manage existing groups in your Okta organization + okta.groups.read: Allows the app to read information about groups and their members in your Okta organization okta.identitySources.manage: Allows the custom identity sources to manage user entities in your Okta organization okta.identitySources.read: Allows to read session information for custom identity sources in your Okta organization - 
okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization. - okta.idps.read: Allows the app to read information about Identity Providers in your Okta organization. - okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization. - okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization. - okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization. - okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization. - okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization. - okta.logStreams.read: Allows the app to read information about log streams in your Okta organization. - okta.logs.read: Allows the app to read information about System Log entries in your Okta organization. - okta.networkZones.manage: Allows the app to create and manage Network Zones in your Okta organization. - okta.networkZones.read: Allows the app to read Network Zones in your Okta organization. - okta.oauthIntegrations.manage: Allows the app to create and manage API service Integration instances in your Okta organization. - okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization. - okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization. - okta.orgs.read: Allows the app to read organization-specific details about your Okta organization. - okta.policies.manage: Allows the app to manage policies in your Okta organization. - okta.policies.read: Allows the app to read information about policies in your Okta organization. - okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization. 
- okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization. - okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization. - okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization. - okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM. - okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM. - okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization. - okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization. - okta.realms.manage: Allows the app to create new realms and to manage their details. - okta.realms.read: Allows the app to read the existing realms and their details. - okta.riskEvents.manage: Allows the app to publish risk events to your Okta organization. - okta.riskProviders.manage: Allows the app to create and manage risk provider integrations in your Okta organization. - okta.riskProviders.read: Allows the app to read all risk provider integrations in your Okta organization. - okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization. - okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization. - okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization. - okta.schemas.read: Allows the app to read information about Schemas in your Okta organization. - okta.sessions.manage: Allows the app to manage all sessions in your Okta organization. - okta.sessions.read: Allows the app to read all sessions in your Okta organization. - okta.templates.manage: Allows the app to manage all custom templates in your Okta organization. 
- okta.templates.read: Allows the app to read all custom templates in your Okta organization. - okta.threatInsights.manage: Allows the app to manage all ThreatInsight configurations in your Okta organization. - okta.threatInsights.read: Allows the app to read all ThreatInsight configurations in your Okta organization. - okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization. - okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization. - okta.uischemas.manage: Allows the app to manage all the UI Schemas in your Okta organization. - okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization. - okta.userTypes.manage: Allows the app to manage user types in your Okta organization. - okta.userTypes.read: Allows the app to read user types in your Okta organization. - okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information. - okta.users.read: Allows the app to read the existing users' profiles and credentials. 
+ okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization + okta.idps.read: Allows the app to read information about Identity Providers in your Okta organization + okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization + okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization + okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization + okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization + okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization + okta.logStreams.read: Allows the app to read information about log streams in your Okta organization + okta.logs.read: Allows the app to read information about System Log entries in your Okta organization + okta.manifests.manage: Allows the app to manage OIN submissions in your Okta organization + okta.manifests.read: Allows the app to read OIN submissions in your Okta organization + okta.networkZones.manage: Allows the app to create and manage Network Zones in your Okta organization + okta.networkZones.read: Allows the app to read Network Zones in your Okta organization + okta.oauthIntegrations.manage: Allows the app to create and manage API service Integration instances in your Okta organization + okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization + okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization + okta.orgs.read: Allows the app to read organization-specific details about your Okta organization + okta.personal.adminSettings.manage: Allows the app to manage the personal admin settings for the signed-in user + okta.personal.adminSettings.read: Allows the app to read the personal admin settings for the signed-in user + okta.policies.manage: Allows 
the app to manage policies in your Okta organization + okta.policies.read: Allows the app to read information about policies in your Okta organization + okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization + okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization + okta.privilegedAccounts.manage: Allows the app to create and manage Privileged Accounts in your Okta organization + okta.privilegedAccounts.read: Allows the app to read Privileged Accounts in your Okta organization + okta.privilegedResources.manage: Allows the app to create privileged resources and manage their details + okta.privilegedResources.read: Allows the app to read the details of existing privileged resources + okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization + okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization + okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM + okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM + okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization + okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization + okta.realmAssignments.manage: Allows a user to manage realm assignments + okta.realmAssignments.read: Allows a user to read realm assignments + okta.realms.manage: Allows the app to create new realms and to manage their details + okta.realms.read: Allows the app to read the existing realms and their details + okta.resourceSelectors.manage: Allows the app to manage resource selectors in your Okta org + okta.resourceSelectors.read: Allows the app to read resource selectors in your Okta org + okta.riskEvents.manage: Allows the app to publish risk events to 
your Okta organization + okta.riskProviders.manage: Allows the app to create and manage risk provider integrations in your Okta organization + okta.riskProviders.read: Allows the app to read all risk provider integrations in your Okta organization + okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. + okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. + okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization + okta.schemas.read: Allows the app to read information about Schemas in your Okta organization + okta.securityEventsProviders.manage: Allows the app to create and manage Security Events Providers in your Okta organization + okta.securityEventsProviders.read: Allows the app to read information about Security Events Providers in your Okta organization + okta.sessions.manage: Allows the app to manage all sessions in your Okta organization + okta.sessions.read: Allows the app to read all sessions in your Okta organization + okta.templates.manage: Allows the app to manage all custom templates in your Okta organization + okta.templates.read: Allows the app to read all custom templates in your Okta organization + okta.threatInsights.manage: Allows the app to manage all ThreatInsight configurations in your Okta organization + okta.threatInsights.read: Allows the app to read all ThreatInsight configurations in your Okta organization + okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization + okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization + okta.uischemas.manage: Allows the app to manage all the 
UI Schemas in your Okta organization + okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization + okta.userRisk.manage: Allows the app to manage a user's risk in your Okta org + okta.userRisk.read: Allows the app to read a user's risk in your Okta org + okta.userTypes.manage: Allows the app to manage user types in your Okta org + okta.userTypes.read: Allows the app to read user types in your Okta org + okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information + okta.users.manage.self: Allows the app to manage the signed-in user's profile and credentials + okta.users.read: Allows the app to read the existing users' profiles and credentials + okta.users.read.self: Allows the app to read the signed-in user's profile and credentials + ssf.manage: Allows the app to create and manage Shared Signals Framework (SSF) in your Okta organization + ssf.read: Allows the app to read information about Shared Signals Framework (SSF) in your Okta organization
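Review bot: `okta.roles.read` repeats the sentence "Delegated admins with this permission can only manage user credential fields and not the credential values themselves." from `okta.roles.manage`; on a read scope it is misleading, since the scope grants no management at all, so drop it there and, on `okta.roles.manage`, say what a "credential field" is. `okta.realmAssignments.manage` and `okta.realmAssignments.read` read "Allows a user to ..." where every other entry says "Allows the app to ..."; align them. Most entries lose their trailing period in this hunk, but `okta.authenticators.manage`, `okta.authenticators.manage.self` and the two `okta.roles.*` entries keep sentence punctuation; pick one style. For the new `.self` scopes (`okta.authenticators.manage.self`, `okta.users.manage.self`, `okta.users.read.self`) the descriptions rely on "the signed-in user"; state explicitly that they apply to the token's subject and so cannot be used from a client-credentials service app, which has no signed-in user. The unchanged `okta.identitySources.read` line ("Allows to read session information ...") is missing its subject; fix it while here.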