From 662d39e0d07625ad9afcca26a2a3d9220b3bc05f Mon Sep 17 00:00:00 2001 From: Tien Nguyen Date: Fri, 9 Feb 2024 10:34:01 -0500 Subject: [PATCH] prep release v4 --- .circleci/config.yml | 10 +- .generator/config.yaml | 6 +- ...anagement-APIs-oasv3-enum-inheritance.yaml | 2446 +- ...gement-APIs-oasv3-noEnums-inheritance.yaml | 25024 ++++++++++++---- .generator/templates/api_application_test.go | 17 +- .generator/templates/api_idp_test.go | 6 +- .generator/templates/api_policy_test.go | 11 +- .generator/templates/api_user_schema_test.go | 4 +- .generator/templates/api_user_test.go | 10 +- .generator/templates/test_helpers.go | 20 +- .github/workflows/prepareReleaseBranch.yml | 6 +- .travis.yml | 32 - CHANGELOG.md | 3 + MIGRATING.md | 6 +- Makefile | 8 +- 15 files changed, 21392 insertions(+), 6217 deletions(-) delete mode 100644 .travis.yml diff --git a/.circleci/config.yml b/.circleci/config.yml index 4e2f36b52..7622477c8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -20,18 +20,16 @@ jobs: name: "test stage" command: make test - test-v3: + test-v4: docker: - image: cimg/go:1.19.4 steps: - checkout - run: go version + - platform-orb/step-load-dependencies - run: name: "test stage" - command: | - cd okta/v3 - go mod download - go test -failfast -race ./ -test.v + command: make v4-test # Invoke jobs via workflows # See: https://circleci.com/docs/2.0/configuration-reference/#workflows @@ -44,7 +42,7 @@ workflows: - test-v2: requires: - cache-secrets - # - test-v3: + # - test-v4: # requires: # - cache-secrets # See OKTA-624790 diff --git a/.generator/config.yaml b/.generator/config.yaml index aba5cef74..43c3b9033 100644 --- a/.generator/config.yaml +++ b/.generator/config.yaml 
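Review bot: The `test-v4` job defined in the first `.circleci/config.yml` hunk is never run, because the workflow entry in the second hunk is still commented out (`# - test-v4:` followed by `# See OKTA-624790`). This release prep therefore produces `okta/v4` with no test suite gating the build. Either enable the entry (`- test-v4:` with `requires:` and `- cache-secrets`), or add a comment beside the job stating what in OKTA-624790 has to clear before it is switched on. The job also replaces the explicit `go test -failfast -race ./ -test.v` with `make v4-test`; the Makefile change is not visible in this part of the patch, so confirm that the target still passes `-race`.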
@@ -1,14 +1,14 @@ generatorName: go templateDir: ./.generator/templates -outputDir: ./okta/v3 +outputDir: ./okta/v4 gitUserId: okta gitRepoId: okta-sdk-golang -versionName: v3 +versionName: v4 additionalProperties: enumClassPrefix: true generateInterfaces: true packageName: okta - packageVersion: 3.0.19 + packageVersion: 4.0.0 useOneOfDiscriminatorLookup: true disallowAdditionalPropertiesIfNotPresent: false files: diff --git a/.generator/okta-management-APIs-oasv3-enum-inheritance.yaml b/.generator/okta-management-APIs-oasv3-enum-inheritance.yaml index 373b33fdf..a32e8f7e5 100644 --- a/.generator/okta-management-APIs-oasv3-enum-inheritance.yaml +++ b/.generator/okta-management-APIs-oasv3-enum-inheritance.yaml @@ -72,6 +72,9 @@ tags: |
Feature
| Apps supported | Description | | -------------------- | -------------- | ----------- | | `USER_PROVISIONING` | `org2org` | Similar to the app **Provisioning** > **To App** setting in the Admin Console, this feature configures the **Create Users**, **Update User Attributes**, **Deactivate Users**, and **Sync Password** settings. | + + > **Note:** You can't use the `USER_PROVISIONING` feature in an Okta Developer-Edition org because the `org2org` app isn't available in developer orgs. + > If you need to test this feature in your Developer-Edition org, contact your Okta account team. - name: ApplicationGrants x-displayName: Application Grants description: | @@ -85,9 +88,15 @@ tags: - name: ApplicationLogos x-displayName: Application Logos description: Provides a resource to manage the application instance logo + - name: ApplicationOktaApplicationSettings + x-displayName: Okta Application Settings + description: The Okta Application Settings API provides operations to manage settings for Okta applications. - name: ApplicationPolicies x-displayName: Application Policies description: Provides a resource to manage authentication policies associated with an application + - name: ApplicationSSO + x-displayName: Application SSO + description: Provides a Single Sign-On (SSO) resource for an application - name: ApplicationTokens x-displayName: Application Tokens description: | @@ -100,7 +109,7 @@ tags: description: Application user operations - name: AttackProtection x-displayName: Attack Protection - description: The Attack Protection API provides operations to configure the User Lockout Settings in your org to prevent brute-force attacks. + description: The Attack Protection API provides operations to configure the User Lockout Settings and the Authenticator Settings in your org to protect against password abuse. - name: Authenticator x-displayName: Authenticators description: |- 
@@ -124,7 +133,24 @@ tags: * Custom App - name: AuthorizationServer x-displayName: Authorization Servers - description: Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them. + description: |- + Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them. + + **Work with the Default Authorization Server** + + Okta provides a pre-configured Custom Authorization Server with the name `default`. This Default Authorization Server includes a basic access policy and rule, which you can edit to control access. It allows you to specify `default` instead of the `authorizationServerId` in requests to it: + + `https://${yourOktaDomain}/api/v1/authorizationServers/default` + + vs + + `https://${yourOktaDomain}/api/v1/authorizationServers/${authorizationServerId}` for other Custom Authorization Servers + - name: AuthorizationServerAssoc + x-displayName: Authorization Server Associated Servers + description: Associated authorization servers allow you to designate a trusted authorization server that you associate with another authorization server. This type of association provides a way to configure [token exchange](https://developer.okta.com/docs/guides/set-up-token-exchange/main/#trusted-servers) between other authorization servers under the same Okta tenant. 
+ - name: AuthorizationServerClaims + x-displayName: Authorization Server Claims + description: Provides operations to manage custom token claims for the given `authServerId` and `claimId` - name: Behavior x-displayName: Behavior Rules description: The Behavior Rules API provides operations to manage the behavior detection rules for your organization. @@ -173,7 +199,7 @@ tags: description: The Email Domains API provides operations to manage email domains for your organization. - name: EmailServer x-displayName: Email Servers - description: The Email Servers API provides operations to manage custom SMTP servers for your organization. This is an Early Access feature. To enable it, contact [Okta Support](https://support.okta.com/help/s/). + description: The Email Servers API allows you to configure a custom external email provider to send email notifications. By default, notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. Adding a custom email provider gives you more control over your email delivery. - name: EventHook x-displayName: Event Hooks description: |- @@ -413,7 +439,7 @@ tags: description: |- The Okta UI Schema API allows you to control how inputs appear on an enrollment form. The UI Schema API is only available as a part of Okta Identity Engine. - If you’re not sure which solution you’re using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs. + If you're not sure which solution you're using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs. - name: User x-displayName: Users description: The User API provides operations to manage users in your organization. 
@@ -423,6 +449,9 @@ tags: - name: UserType x-displayName: User Types description: The User Types API provides operations to manage User Types. + - name: WebAuthnPreregistration + x-displayName: WebAuthnPreregistration + description: The WebAuthn Preregistration API provides a flow to initiate and set up WebAuthn Preregistration authenticator enrollments through third-party providers. paths: /.well-known/app-authenticator-configuration: get: @@ -1245,7 +1274,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnection' + oneOf: + - $ref: '#/components/schemas/ProvisioningConnectionToken' + - $ref: '#/components/schemas/ProvisioningConnectionOauth' + - $ref: '#/components/schemas/ProvisioningConnectionUnknown' + discriminator: &ref_21 + propertyName: authScheme + mapping: + TOKEN: '#/components/schemas/ProvisioningConnectionToken' + OAUTH2: '#/components/schemas/ProvisioningConnectionOauth' + UNKNOWN: '#/components/schemas/ProvisioningConnectionUnknown' examples: ProvisioningConnectionResponseExample: $ref: '#/components/examples/ProvisioningConnectionTokenResponseEx' @@ -1278,7 +1316,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnectionRequest' + oneOf: + - $ref: '#/components/schemas/ProvisioningConnectionTokenRequest' + - $ref: '#/components/schemas/ProvisioningConnectionOauthRequest' examples: ProvisioningConnectionTokenExample: $ref: '#/components/examples/ProvisioningConnectionTokenRequestEx' 
@@ -2243,6 +2283,72 @@ paths: isGenerallyAvailable: false SKUs: - Okta Identity Engine + /api/v1/apps/{appId}/sso/saml/metadata: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: Preview the application SAML metadata + description: Previews the SSO SAML metadata for an application + operationId: previewSAMLmetadataForApplication + responses: + '200': + description: OK + content: + text/xml: + schema: + type: string + description: SAML metadata in XML + examples: + previewSAML: + summary: SAML metadata example + value: | + + + + + + + MIIDqDCCApCgAwIBAgIGAVGNO4qeMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU + MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJ + ARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODUwMDhaFw0xNzEyMTAxODUxMDdaMIGUMQswCQYD + VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG + A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEc + MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBALAakG48bgcTWHdwmVLHig0mkiRejxIVm3wbzrNSJcBruTq2zCYZ1rGfVxTYON8kJqvkXPmv + kzWKhpEkvhubL+mx29XpXY0AsNIfgcm5xIV56yhXSvlMdqzGo3ciRwoACaF+ClNLxmXK9UTZD89B + bVVGCG5AEvja0eCQ0GYsO5i9aSI5aTroab8Aew31PuWl/RGQWmjVy8+7P4wwkKKJNKCpxMYDlhfa + WRp0zwUSbUCO0qEyeAYdZx6CLES4FGrDi/7D6G+ewWC+kbz1tL1XpF2Dcg3+IOlHrV6VWzz3rG39 + v9zFIncjvoQJFDGWhpqGqcmXvgH0Ze3SVcVF01T+bK0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA + AHmnSZ4imjNrIf9wxfQIcqHXEBoJ+oJtd59cw1Ur/YQY9pKXxoglqCQ54ZmlIf4GghlcZhslLO+m + NdkQVwSmWMh6KLxVM18/xAkq8zyKbMbvQnTjFB7x45bgokwbjhivWqrB5LYHHCVN7k/8mKlS4eCK + Ci6RGEmErjojr4QN2xV0qAqP6CcGANgpepsQJCzlWucMFKAh0x9Kl8fmiQodfyLXyrebYsVnLrMf + jxE1b6dg4jKvv975tf5wreQSYZ7m//g3/+NnuDKkN/03HqhV7hTNi1fyctXk8I5Nwgyr+pT5LT2k + YoEdncuy+GQGzE9yLOhC4HNfHQXpqp2tMPdRlw== + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + + 
+ '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSO + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/tokens: parameters: - $ref: '#/components/parameters/pathAppId' @@ -2948,21 +3054,25 @@ paths: /api/v1/authorizationServers: get: summary: List all Authorization Servers - description: Lists all authorization servers + description: Lists all custom authorization servers in the org operationId: listAuthorizationServers parameters: - name: q in: query + description: Searches the `name` and `audiences` of authorization servers for matching values + example: customasone schema: type: string - name: limit in: query + description: 'Specifies the number of authorization server results on a page. Maximum value: 200' schema: type: integer format: int32 default: 200 - name: after in: query + description: Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship. schema: type: string responses: @@ -2974,6 +3084,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAuthServers: + $ref: '#/components/examples/ListAuthServersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -2999,6 +3112,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerBody' required: true responses: '201': @@ -3007,6 +3123,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -3038,6 +3157,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + RetrieveAuthServer: + $ref: '#/components/examples/RetrieveAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3065,6 +3187,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerBody' required: true responses: '200': @@ -3073,6 +3198,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -3121,18 +3249,19 @@ paths: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: - summary: List all Associated Authorization Servers - description: Lists all associated authorization servers by trusted type for the given `authServerId` + summary: List all associated Authorization Servers + description: Lists all associated Authorization Servers by trusted type for the given `authServerId` operationId: listAssociatedServersByTrustedType parameters: - name: trusted in: query - description: Searches trusted authorization servers when true, or searches untrusted authorization servers when false + description: Searches trusted authorization servers when `true` or searches untrusted authorization servers when `false` schema: type: boolean - name: q in: query - description: Searches the name or audience of the associated authorization servers + description: Searches for the name or audience of the associated authorization servers + example: customasone schema: type: string - name: limit 
@@ -3156,6 +3285,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAssocAuthServer: + $ref: '#/components/examples/ListAssocAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3167,15 +3299,15 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerAssoc x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management post: - summary: Create the Associated Authorization Servers - description: Creates the trusted relationships between the given authorization server and other authorization servers + summary: Create an associated Authorization Server + description: Creates trusted relationships between the given authorization server and other authorization servers operationId: createAssociatedServers x-codegen-request-body-name: associatedServerMediated requestBody: @@ -3183,6 +3315,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AssociatedServerMediated' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerBody' required: true responses: '200': @@ -3193,6 +3328,9 @@ paths: type: array items: $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -3206,7 +3344,7 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerAssoc x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false 
@@ -3217,8 +3355,8 @@ paths: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathAssociatedServerId' delete: - summary: Delete an Associated Authorization Server - description: Deletes an associated authorization server + summary: Delete an associated Authorization Server + description: Deletes an associated Authorization Server operationId: deleteAssociatedServer responses: '204': @@ -3235,7 +3373,7 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerAssoc x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false @@ -3245,8 +3383,8 @@ paths: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: - summary: List all Custom Token Claims - description: Lists all custom token claims + summary: List all custom token Claims + description: Lists all custom token Claims defined for a specified custom authorization server operationId: listOAuth2Claims responses: '200': @@ -3257,6 +3395,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2Claim' + examples: + ListCustomTokenClaims: + $ref: '#/components/examples/ListCustomTokenClaimsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3268,15 +3409,15 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management post: - summary: Create a Custom Token Claim - description: Creates a custom token claim + summary: Create a custom token Claim + description: Creates a custom token Claim for a custom authorization server operationId: createOAuth2Claim x-codegen-request-body-name: oAuth2Claim requestBody: @@ -3284,6 +3425,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimBody' required: true responses: '201': 
@@ -3292,6 +3436,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -3305,7 +3452,7 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false @@ -3316,8 +3463,8 @@ paths: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathClaimId' get: - summary: Retrieve a Custom Token Claim - description: Retrieves a custom token claim + summary: Retrieve a custom token Claim + description: Retrieves a custom token Claim by the specified `claimId` operationId: getOAuth2Claim responses: '200': @@ -3326,6 +3473,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + RetrieveCustomTokenClaim: + $ref: '#/components/examples/RetrieveCustomTokenClaimResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -3337,15 +3487,15 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management put: - summary: Replace a Custom Token Claim - description: Replaces a custom token claim + summary: Replace a custom token Claim + description: Replaces a custom token Claim specified by the `claimId` operationId: replaceOAuth2Claim x-codegen-request-body-name: oAuth2Claim requestBody: @@ -3353,6 +3503,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimBody' required: true responses: '200': 
@@ -3361,6 +3514,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -3374,15 +3530,15 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management delete: - summary: Delete a Custom Token Claim - description: Deletes a custom token claim + summary: Delete a custom token Claim + description: Deletes a custom token Claim specified by the `claimId` operationId: deleteOAuth2Claim responses: '204': @@ -3399,7 +3555,7 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false @@ -5500,7 +5656,10 @@ paths: - $ref: '#/components/parameters/pathTemplateName' get: summary: List all Email Customizations - description: Lists all customizations of an email template + description: | + Lists all customizations of an email template + + If Custom languages for Okta Email Templates is enabled, all existing customizations are retrieved, including customizations for additional languages. If disabled, only customizations for Okta-supported languages are returned. operationId: listEmailCustomizations parameters: - $ref: '#/components/parameters/queryAfter' @@ -5534,7 +5693,10 @@ paths: isGenerallyAvailable: true post: summary: Create an Email Customization - description: Creates a new email customization + description: | + Creates a new Email Customization + + If Custom languages for Okta Email Templates is enabled, you can create a customization for any BCP47 language in addition to the Okta-supported languages. operationId: createEmailCustomization x-codegen-request-body-name: instance requestBody: 
@@ -5585,7 +5747,10 @@ paths: isGenerallyAvailable: true delete: summary: Delete all Email Customizations - description: Deletes all customizations for an email template + description: | + Deletes all customizations for an email template + + If Custom languages for Okta Email Templates is enabled, all customizations are deleted, including customizations for additional languages. If disabled, only customizations in Okta-supported languages are deleted. operationId: deleteAllCustomizations responses: '204': @@ -5613,7 +5778,10 @@ paths: - $ref: '#/components/parameters/pathCustomizationId' get: summary: Retrieve an Email Customization - description: Retrieves an email customization by its unique identifier + description: | + Retrieves an email customization by its unique identifier + + If Custom languages for Okta Email Templates is disabled, requests to retrieve an additional language customization by ID result in a `404 Not Found` error response. operationId: getEmailCustomization responses: '200': @@ -5642,7 +5810,10 @@ paths: isGenerallyAvailable: true put: summary: Replace an Email Customization - description: Replaces an existing email customization using the property values provided + description: | + Replaces an email customization using property values + + If Custom languages for Okta Email Templates is disabled, requests to update a customization for an additional language return a `404 Not Found` error response. operationId: replaceEmailCustomization x-codegen-request-body-name: instance requestBody: @@ -5696,7 +5867,10 @@ paths: isGenerallyAvailable: true delete: summary: Delete an Email Customization - description: Deletes an email customization by its unique identifier + description: | + Deletes an Email Customization by its unique identifier + + If Custom languages for Okta Email Templates is disabled, deletion of an existing additional language customization by ID doesn't register. operationId: deleteEmailCustomization responses: '204': 
@@ -5733,7 +5907,10 @@ paths: - $ref: '#/components/parameters/pathCustomizationId' get: summary: Retrieve a Preview of an Email Customization - description: Retrieves a preview of an email customization. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context. + description: | + Retrieves a Preview of an Email Customization. All variable references are populated from the current user's context. For example, `${user.profile.firstName}`. + + If Custom languages for Okta Email Templates is disabled, requests for the preview of an additional language customization by ID return a `404 Not Found` error response. operationId: getCustomizationPreview responses: '200': @@ -5766,7 +5943,12 @@ paths: - $ref: '#/components/parameters/pathTemplateName' get: summary: Retrieve an Email Template Default Content - description: Retrieves an email template's default content + description: | + Retrieves an email template's default content + + Defaults to the current user's language given the following: + - Custom languages for Okta Email Templates is enabled + - An additional language is specified for the `language` parameter operationId: getEmailDefaultContent parameters: - $ref: '#/components/parameters/queryLanguage' 
@@ -5800,8 +5982,13 @@ paths: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: - summary: Retrieve a Preview of the Email Template Default Content - description: Retrieves a preview of an email template's default content. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context. + summary: Retrieve a Preview of the Email Template default content + description: | + Retrieves a preview of an Email Template's default content. All variable references are populated using the current user's context. For example, `${user.profile.firstName}`. + + Defaults to the current user's language given the following: + - Custom languages for Okta Email Templates is enabled + - An additional language is specified for the `language` parameter operationId: getEmailDefaultPreview parameters: - $ref: '#/components/parameters/queryLanguage' @@ -5910,6 +6097,7 @@ paths: description: |- Sends a test email to the current user’s primary and secondary email addresses. The email content is selected based on the following priority: 1. The email customization for the language specified in the `language` query parameter. + If Custom languages for Okta Email Templates is enabled and the `language` parameter is an additional language, the test email uses the customization corresponding to the language. 2. The email template's default customization. 3. The email template’s default content, translated to the current user's language. operationId: sendTestEmail 
@@ -6551,6 +6739,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' required: true responses: '200': 
@@ -6575,6 +6775,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -6622,6 +6834,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6665,6 +6889,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' required: true responses: '200': 
@@ -6689,6 +6925,18 @@ paths: $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' WindowsWithThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -7527,7 +7775,7 @@ paths: tags: - EmailServer x-okta-lifecycle: - lifecycle: EA + lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine @@ -7560,7 +7808,7 @@ paths: tags: - EmailServer x-okta-lifecycle: - lifecycle: EA + lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine @@ -7591,7 +7839,7 @@ paths: tags: - EmailServer x-okta-lifecycle: - lifecycle: EA + lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine @@ -7626,7 +7874,7 @@ paths: tags: - EmailServer x-okta-lifecycle: - lifecycle: EA + lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine 
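Review bot: `lifecycle: GA` now sits directly above an unchanged `isGenerallyAvailable: false` in the EmailServer `x-okta-lifecycle` blocks, so the two fields contradict each other. This applies to the hunks at -7527, -7560, -7591 and -7626 here, and to the ones at -7650 and -7684 that follow. The endpoints added elsewhere in this patch pair `lifecycle: GA` with `isGenerallyAvailable: true`, so tooling that reads one flag will classify these operations differently from tooling that reads the other. If the promotion is intended, the next line in each block should become `isGenerallyAvailable: true`; otherwise the lifecycle should stay `EA`.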
@@ -7650,7 +7898,7 @@ paths: tags: - EmailServer x-okta-lifecycle: - lifecycle: EA + lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine @@ -7684,7 +7932,7 @@ paths: tags: - EmailServer x-okta-lifecycle: - lifecycle: EA + lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine 
@@ -8169,6 +8417,81 @@ paths: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true + /api/v1/first-party-app-settings/{appName}: + parameters: + - $ref: '#/components/parameters/pathFirstPartyAppName' + get: + summary: Retrieve the Okta app settings + description: Retrieves the settings for the first party Okta app + operationId: getFirstPartyAppSettings + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationOktaApplicationSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Okta app settings + description: Replaces the settings for the first party Okta app + operationId: replaceFirstPartyAppSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationOktaApplicationSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true 
/api/v1/groups: get: summary: List all Groups @@ -13761,7 +14084,7 @@ paths: items: oneOf: &ref_12 - $ref: '#/components/schemas/AccessPolicy' - - $ref: '#/components/schemas/IdentityProviderPolicy' + - $ref: '#/components/schemas/IdpDiscoveryPolicy' - $ref: '#/components/schemas/MultifactorEnrollmentPolicy' - $ref: '#/components/schemas/OktaSignOnPolicy' - $ref: '#/components/schemas/PasswordPolicy' @@ -13770,7 +14093,7 @@ paths: propertyName: type mapping: ACCESS_POLICY: '#/components/schemas/AccessPolicy' - IDP_DISCOVERY: '#/components/schemas/IdentityProviderPolicy' + IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy' MFA_ENROLL: '#/components/schemas/MultifactorEnrollmentPolicy' OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' PASSWORD: '#/components/schemas/PasswordPolicy' @@ -14233,6 +14556,7 @@ paths: - $ref: '#/components/schemas/ProfileEnrollmentPolicyRule' - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - $ref: '#/components/schemas/OktaSignOnPolicyRule' + - $ref: '#/components/schemas/IdpDiscoveryPolicyRule' discriminator: &ref_15 propertyName: type mapping: @@ -14241,6 +14565,7 @@ paths: PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule' RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule' SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' + IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
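Review bot: The `put` on `/api/v1/first-party-app-settings/{appName}` spells out its `'403'` response inline with a schema and an `Access Denied` example, while the `get` just above it uses `$ref: '#/components/responses/ErrorAccessDenied403'`. Using the same `$ref` in both keeps the access-denied shape defined in one place. Neither operation declares a `'404'` even though the path takes an `appName` parameter. If the server can reject an unknown app name, documenting `$ref: '#/components/responses/ErrorResourceNotFound404'` would tell generated clients what to expect.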
@@ -14274,6 +14599,12 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up' + Enable2FAPreciseAuth: + $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints' required: true @@ -14292,6 +14623,12 @@ paths: $ref: '#/components/examples/sspr-enabled-sso-step-up-response' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-response' + Enable2FAPreciseAuth: + $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing-response' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' '400': @@ -17550,6 +17887,9 @@ paths: summary: List all Groups description: Lists all groups of which the user is a member operationId: listUserGroups + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success 
@@ -17803,6 +18143,13 @@ paths: summary: Reset all Factors description: Resets all factors for the specified user. All MFA factor enrollments returned to the unenrolled state. The user's status remains ACTIVE. This link is present only if the user is currently enrolled in one or more MFA factors. operationId: resetFactors + parameters: + - name: removeRecoveryEnrollment + description: 'If `true`, removes the phone number as both a recovery method and a Factor. Supported Factors: `sms` and `call`' + in: query + schema: + type: boolean + default: false responses: '200': description: OK 
@@ -19253,6 +19600,122 @@ paths: /integrations/api/v1/submissions/{submissionId}/testing: parameters: - $ref: '#/components/parameters/pathSubmissionId' + /webauthn-registration/api/v1/activate: + post: + summary: Activate a Preregistered WebAuthn Factor + description: Activates a preregistered WebAuthn Factor. As part of this operation, Okta first decrypts and verifies the Factor PIN and enrollment data sent by the fulfillment provider. + operationId: activatePreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Activation Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredResponsesProcessingFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /webauthn-registration/api/v1/enroll: + post: + summary: Enroll a Preregistered WebAuthn Factor + description: Enrolls a preregistered WebAuthn Factor. This WebAuthn Factor has a longer challenge timeout period to accommodate the fulfillment request process. As part of this operation, Okta generates EC key-pairs used to encrypt the Factor PIN and enrollment data sent by the fulfillment provider. 
+ operationId: enrollPreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Initialization Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredRequestsGenerationFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /webauthn-registration/api/v1/initiate-fulfillment-request: + post: + summary: Generate a Fulfillment Request + description: Generates a fulfillment request by sending a WebAuthn Preregistration event to start the flow. The Okta Workflows WebAuthn preregistration integration uses this to populate the fulfillment request. + operationId: generateFulfillmentRequest + x-codegen-request-body-name: body + requestBody: + description: Fulfillment Request + content: + application/json: + schema: + $ref: '#/components/schemas/FulfillmentRequest' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true components: examples: APIDevicesListAllResponse: 
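Review bot: The `'400'` response of `/webauthn-registration/api/v1/activate` is described as `PIN or Cred Requests Generation Failed`, which is the enroll failure. The example it references is `ErrorPinOrCredResponsesProcessingFailure`, so the description should read `PIN or Cred Response Processing Failed` to match that example's summary. Both the activate and enroll `'400'` examples are keyed `NoDisable`, which appears to be copied from an unrelated operation; a key naming the actual failure would be clearer. `generateFulfillmentRequest` accepts a request body but declares no `'400'`, so it is worth confirming whether validation failures are possible there.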
@@ -19469,7 +19932,9 @@ components: - GET _embedded: users: - - created: '2021-10-01T16:52:41.000Z' + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC user: id: 00u17vh0q8ov8IU881d7 realmId: 00u17vh0q8ov8IU8T0g5 
@@ -20331,6 +20796,106 @@ components: type: HEADER key: Authorization value: my-shared-secret + CreateAssocAuthServerBody: + summary: Create a trusted relationship between authorization servers + value: + - trusted: '{authorizationServerId}' + CreateAssocAuthServerResponse: + summary: Create a trusted relationship between authorization servers + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + CreateAuthServerBody: + summary: Create a custom authorization server + value: + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - api://default + CreateAuthServerResponse: + summary: Create a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + 
claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST CreateBrandRequest: value: name: My Awesome Brand @@ -20359,6 +20924,44 @@ components: hints: allow: - GET + CreateCustomTokenClaimBody: + summary: Create a custom token Claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Support + status: ACTIVE + system: false + value: Support + valueType: GROUPS + CreateCustomTokenClaimResponse: + summary: Create a custom token Claim response + value: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE CreateEmailDomainRequest: value: displayName: Admin 
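Review bot: The `value` of `CreateCustomTokenClaimBody` and `CreateCustomTokenClaimResponse` is written as a one-element sequence (`- alwaysIncludeInToken: true`, `- id: '{claimId}'`), although each describes a single claim. The same shape recurs in `ReplaceCustomTokenClaimBody`/`Response` (hunk at -23093) and `RetrieveCustomTokenClaimResponse` (hunk at -23744). Only `ListCustomTokenClaimsResponse` obviously needs a list. The claim schema is not visible in this hunk, so this should be checked against it, but if the operations take and return one object the leading `-` should be dropped so the examples validate.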
@@ -20735,6 +21338,63 @@ components: - DELETE - GET - PUT + DeviceAssuranceAndroidWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement request + value: + name: Device Assurance Android + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceAndroidWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: GA 
@@ -20837,6 +21497,53 @@ components: - DELETE - GET - PUT + DeviceAssuranceIosWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement request + value: + name: Device Assurance iOS + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceIosWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT DeviceAssuranceMacOSRequest: summary: macOS request value: 
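Review bot: The iOS examples disagree on the jailbreak field: `DeviceAssuranceIosWithDynamicVersionRequirementRequest` sends `jailbreak: false`, but the matching response shows `jailbroken: false`. The Android request and response added at -20735 both use `jailbreak`, so the response line here looks like a typo and should read `jailbreak: false`. An example with the wrong key is easy to copy into a policy payload, where the intended jailbreak check may not be applied.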
@@ -20880,6 +21587,63 @@ components: - DELETE - GET - PUT + DeviceAssuranceMacOSWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement request + value: + name: Device Assurance macOS + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceMacOSWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: GA 
@@ -21007,6 +21771,71 @@ components: - DELETE - GET - PUT + DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 and Windows 10 dynamic version requirements request + value: + name: Device Assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 and Windows 10 dynamic version requirements response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: GA 
@@ -21104,6 +21933,126 @@ components: - DELETE - GET - PUT + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version request + value: + name: Device Assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 minimum version and a Windows 10 dynamic 
version requirement request + value: + name: Device Assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 minimum version and Windows 10 dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT DeviceResponse: value: id: guo8jx5vVoxfvJeLb0w4 
@@ -21410,6 +22359,24 @@ components: errorLink: E0000028 errorId: sampleiCF-l7mr9XqM1NQ errorCauses: [] + ErrorPinOrCredRequestsGenerationFailure: + summary: PIN or Cred Requests Generation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinRequest|credRequests' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: There was a problem generating the pinRequest|credRequests. + ErrorPinOrCredResponsesProcessingFailure: + summary: PIN or Cred Response Processing Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinResponse|credResponses' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8B + errorCauses: + errorSummary: There was a problem generating the pinResponse|credResponses. ErrorPushProviderUsedByCustomAppAuthenticator: value: errorCode: E0000187 
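Review bot: In both added error examples `errorCauses` is a mapping with a single `errorSummary` key, while the neighbouring example in the context lines uses `errorCauses: []`. If the `Error` schema defines `errorCauses` as an array, as that context suggests, the entry should be a list item, `- errorSummary: ...`. The cause text of `ErrorPinOrCredResponsesProcessingFailure` also says `There was a problem generating the pinResponse|credResponses.`, which contradicts its summary `PIN or Cred Response Processing Failed`; `processing` is presumably meant.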
@@ -21662,6 +22629,95 @@ components: client: href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} title: Client name + ListAssocAuthServerResponse: + summary: List associated Authorization Servers + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: DYNAMIC + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + ListAuthServersResponse: + summary: List all custom authorization servers in your org + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST ListBrandsResponse: value: - id: bnd114iNkrcN6aR680g4 @@ -21688,6 +22744,29 @@ components: hints: allow: - GET + ListCustomTokenClaimsResponse: + summary: List all custom token Claims for an authorization server + value: + - id: '{claimId}' + name: sub + status: ACTIVE + claimType: RESOURCE + valueType: EXPRESSION + value: '(appuser != null) ? appuser.userName : app.clientId' + conditions: + scopes: + - profile + system: true + alwaysIncludeInToken: true + apiResourceId: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE ListEmailCustomizationResponse: value: - language: en @@ -21917,6 +22996,7 @@ components: isDefault: false profile: name: Car Co + realmType: PARTNER _links: self: rel: self 
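Review bot: `ListAssocAuthServerResponse` shows `rotationMode: DYNAMIC` under `credentials.signing`, while every other authorization-server example added in this patch uses `rotationMode: AUTO`. `DYNAMIC` looks like a value meant for `issuerMode`, so it is probably misplaced here. The enum is not visible in this hunk and should be checked, but if it does not include `DYNAMIC` the line should read `rotationMode: AUTO`, as in `CreateAssocAuthServerResponse`. Key-rotation settings in examples tend to be copied verbatim, so an invalid value here is worth fixing.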
@@ -23093,6 +24173,121 @@ components: type: HEADER key: Authorization value: my-shared-secret + ReplaceAuthServerBody: + summary: Replace a custom authorization server + value: + name: New Authorization Server + description: Authorization Server description + audiences: + - api://default + credentials: + signing: + rotationMode: AUTO + use: sig + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + ReplaceAuthServerResponse: + summary: Replace a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ReplaceCustomTokenClaimBody: + summary: Replace a custom token Claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Knowledge_Base + status: ACTIVE + system: false + value: Knowledge Base + valueType: GROUPS + ReplaceCustomTokenClaimResponse: + summary: Replace a custom token Claim response + value: + - id: '{claimId}' + name: Knowledge_Base + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Knowledge Base + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE ReplaceKeyResponse: summary: Replace a key response example value: 
@@ -23710,6 +24905,69 @@ components: hints: allow: - POST + RetrieveAuthServerResponse: + summary: Retrieve a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST RetrieveCurrentSessionResponse: summary: Retrieve current session value: 
@@ -23744,6 +25002,30 @@ components: - GET href: https://{yourOktaDomain}/api/v1/users/me name: User Name + RetrieveCustomTokenClaimResponse: + summary: Retrieve a custom token Claim response + value: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE RetrieveFeaturesResponse: summary: Retrieve a feature by ID value: 
@@ -24244,26 +25526,62 @@ components: lastUpdated: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR lastPublished: '2023-09-01T13:23:45.000Z' - TestInfoBase: - summary: Submission Testing Information example + TestInfoOidcRequest: + summary: OIDC SSO Submission Testing Information request + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + oidcTestConfiguration: + jit: false + spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + TestInfoOidcResponse: + summary: OIDC SSO Submission Testing Information response + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + oidcTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + TestInfoSamlRequest: + summary: SAML SSO Submission Testing Information request value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd - instructions: Just open URL and input credentials + instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com samlTestConfiguration: idp: true sp: true jit: false spInitiateUrl: https://test.example.com/strawberry/saml/sp-init - spInitiateDescription: Just open URL and provide your username - oidcTestConfiguration: + spInitiateDescription: Go to the app URL from a browser and enter your username + TestInfoSamlResponse: + summary: SAML SSO Submission Testing Information response + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: 
sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + samlTestConfiguration: idp: true sp: true jit: false - spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + spInitiateUrl: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: Go to the app URL from a browser and enter your username ThreatInsightResponseExample: summary: ThreatInsight response value: 
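Review bot: The `TestInfoOidcResponse` and `TestInfoSamlResponse` examples both include `password: sUperP@ssw0rd` under `testAccount`, which documents the test-account password as coming back in cleartext on reads. The `testAccount` schema is outside this hunk, so whether the API really returns the value cannot be confirmed from here. If it does not, drop the `password:` line from the two response examples. If it does, the schema description should say so, so that callers of the generated client keep the response struct out of logs and error messages.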
@@ -24647,6 +25965,106 @@ components: hints: allow: - POST + idp-discovery-dynamic-routing-rule: + summary: IdP discovery policy - Dynamic routing rule + description: This routing rule uses a dynamic Identity Provider. + value: + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-dynamic-routing-rule-response: + summary: IdP discovery policy - Dynamic routing rule + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-specific-routing-rule: + summary: IdP discovery policy - Specific routing rule + description: This routing rule uses a specific Identity Provider. 
+ value: + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + idp-discovery-specific-routing-rule-response: + summary: IdP discovery policy - Specific routing rule + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY inactiveAPIServiceIntegrationInstanceSecretResponse: summary: Deactivate Secret response example value: @@ -24820,8 +26238,8 @@ components: system: false type: PASSWORD sspr-enabled-sq-step-up: - summary: Password policy - SSPR with security question as step up - description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question. + summary: Password policy - SSPR with security question as step-up auth + description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are the initial authenticators, and the secondary authentication is a security question. value: name: SSPR Rule priority: 1 
@@ -25144,6 +26562,62 @@ components: access: ALLOW system: false type: PASSWORD + twofa-enabled-disallow-password-allow-phishing: + summary: Authentication policy - 2FA with granular authentication + description: This two-factor authentication policy uses a rule to disallow passwords and require phishing resistance for possession authenticators for authentication. + value: + name: Passwordless 2FA + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + type: ACCESS_POLICY + twofa-enabled-disallow-password-allow-phishing-response: + summary: Authentication policy - 2FA with granular authentication + description: The rule from a two-factor authentication policy that disallows passwords and requires phishing resistance + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: Passwordless 2FA + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: false + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + required: true + type: ACCESS_POLICY + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT parameters: UISchemaId: name: id @@ -25153,6 +26627,13 @@ components: schema: type: string example: uis4a7liocgcRgcxZ0g7 + authenticatorEnrollmentId: + name: authenticatorEnrollmentId + in: path + required: true + description: ID for a WebAuthn Preregistration Factor in Okta + schema: + type: string pathApiServiceId: name: apiServiceId in: path 
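Review bot: The possession constraint key is spelled `phishingREsistant` in both the `twofa-enabled-disallow-password-allow-phishing` example and its `-response` twin; the schema for that constraint is outside this hunk, but the property is presumably `phishingResistant`. With `disallowAdditionalPropertiesIfNotPresent: false` in `.generator/config.yaml`, a request copied from this example could carry the misspelled key as an unknown property, and the rule might then be created without the phishing-resistance requirement it documents. The same two examples write `excludedAuthenticationMethods` as a mapping, while `AccessPolicyConstraint` gives that property `items`, which means a list. I would change the lines to `phishingResistant: REQUIRED` and `- key: okta_password`.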
@@ -25252,6 +26733,14 @@ components: required: true schema: type: string + pathCredentialKeyId: + name: keyId + description: '`id` of the certificate key' + in: path + required: true + schema: + type: string + example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk pathCsrId: name: csrId description: '`id` of the CSR' @@ -25686,7 +27175,7 @@ components: example: l7FbDVqS8zHSy65uJD85 pathSubmissionId: name: submissionId - description: Submission ID + description: OIN Integration ID in: path required: true schema: @@ -25779,7 +27268,7 @@ components: in: query schema: type: string - description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information. + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination). queryAppAfter: name: after in: query @@ -26158,15 +27647,67 @@ components: AccessPolicyConstraint: type: object properties: + authenticationMethods: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + description:
This property specifies the precise authenticator and method for authentication. + type: array + items: + $ref: '#/components/schemas/AuthenticationMethodObject' + excludedAuthenticationMethods: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + description:
This property specifies the precise authenticator and method to exclude from authentication. + items: + $ref: '#/components/schemas/AuthenticationMethodObject' methods: + description: The Authenticator methods that are permitted items: type: string + enum: + - PASSWORD + - SECURITY_QUESTION + - SMS + - VOICE + - EMAIL + - PUSH + - SIGNED_NONCE + - OTP + - TOTP + - WEBAUTHN + - DUO + - IDP + - CERT type: array reauthenticateIn: + description: The duration after which the user must re-authenticate regardless of user activity. This re-authentication interval overrides the Verification Method object's `reauthenticateIn` interval. The supported values use ISO 8601 period format for recurring time intervals (for example, `PT1H`). type: string + required: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + description:
This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for`excludedAuthenticationMethods` the `required` value is false. + type: boolean types: + description: The Authenticator types that are permitted items: type: string + enum: + - SECURITY_KEY + - PHONE + - EMAIL + - PASSWORD + - SECURITY_QUESTION + - APP + - FEDERATED type: array AccessPolicyConstraints: type: object @@ -26424,9 +27965,11 @@ components: properties: id: type: string + description: ID of the app readOnly: true name: type: string + description: Name of the app type type: $ref: '#/components/schemas/AppAndInstanceType' AppAndInstancePolicyRuleCondition: @@ -26441,6 +27984,7 @@ components: items: $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' AppAndInstanceType: + description: Type of app type: string enum: - APP @@ -26750,6 +28294,9 @@ components: type: string client_secret: type: string + pkce_required: + type: boolean + description: Require Proof Key for Code Exchange (PKCE) for additional verification token_endpoint_auth_method: $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod' ApplicationCredentialsScheme: 
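Review bot: In the `AccessPolicyConstraint` hunk, `excludedAuthenticationMethods` declares `items` but no `type: array`, unlike `authenticationMethods` directly above it. Without the type, the generator may emit an untyped or differently shaped field for the exclusion list, which is the property a rule that disallows passwords depends on (inferred; the generated model is not part of this hunk). Add `type: array` before `items:`. The `required` description also needs a space in "for`excludedAuthenticationMethods`" and backticks around `false`, to match how `true` is written in the same sentence.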
@@ -27052,6 +28599,51 @@ components: description: A list of the authorization server IDs items: type: string + AttackProtectionAuthenticatorSettings: + type: object + properties: + verifyKnowledgeSecondWhen2faRequired: + type: boolean + description: If true, requires users to verify a possession factor before verifying a knowledge factor when the assurance requires two-factor authentication (2FA). + default: false + AuthServerLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + claims: + allOf: + - description: Link to the authorization server claims + - $ref: '#/components/schemas/HrefObject' + deactivate: + allOf: + - $ref: '#/components/schemas/HrefObjectDeactivateLink' + metadata: + description: Link to the authorization server metadata + type: array + items: + $ref: '#/components/schemas/HrefObject' + policies: + allOf: + - description: Link to the authorization server policies + - $ref: '#/components/schemas/HrefObject' + rotateKey: + allOf: + - description: Link to the authorization server key rotation + - $ref: '#/components/schemas/HrefObject' + scopes: + allOf: + - description: Link to the authorization server scopes + - $ref: '#/components/schemas/HrefObject' + AuthenticationMethodObject: + type: object + properties: + key: + type: string + description: A label that identifies the authenticator + method: + type: string + description: Specifies the method used for the authenticator AuthenticationProvider: description: |- Specifies the authentication provider that validates the user's password credential. The user's current provider @@ -27342,6 +28934,7 @@ components: properties: audiences: type: array + description: The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience. items: type: string created: 
@@ -27352,29 +28945,46 @@ components: $ref: '#/components/schemas/AuthorizationServerCredentials' description: type: string + description: The description of the custom authorization server id: type: string + description: The ID of the custom authorization server readOnly: true issuer: type: string + description: The complete URL for the custom authorization server. This becomes the `iss` claim in an access token. issuerMode: - $ref: '#/components/schemas/IssuerMode' + type: string + description: |- + Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL. + + `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses. + + When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`. + + When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface. + + When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain. + + After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled. 
lastUpdated: type: string format: date-time readOnly: true name: type: string + description: The name of the custom authorization server status: $ref: '#/components/schemas/LifecycleStatus' _links: - $ref: '#/components/schemas/LinksSelf' + $ref: '#/components/schemas/AuthServerLinks' AuthorizationServerCredentials: type: object properties: signing: $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' AuthorizationServerCredentialsRotationMode: + description: The Key rotation mode for the authorization server type: string enum: - AUTO @@ -27384,12 +28994,16 @@ components: properties: kid: type: string + description: The ID of the JSON Web Key used for signing tokens issued by the authorization server + readOnly: true lastRotated: type: string + description: The timestamp when the authorization server started using the `kid` for signing tokens format: date-time readOnly: true nextRotation: type: string + description: The timestamp when the authorization server changes the Key for signing tokens. This is only returned when `rotationMode` is set to `AUTO`. format: date-time readOnly: true rotationMode: @@ -27397,6 +29011,7 @@ components: use: $ref: '#/components/schemas/AuthorizationServerCredentialsUse' AuthorizationServerCredentialsUse: + description: How the key is used type: string enum: - sig @@ -27406,7 +29021,12 @@ components: - type: object properties: conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + $ref: '#/components/schemas/AuthorizationServerPolicyConditions' + AuthorizationServerPolicyConditions: + type: object + properties: + clients: + $ref: '#/components/schemas/ClientPolicyCondition' AuthorizationServerPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' 
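Review bot: In the `AuthorizationServer` hunk, `issuerMode` swaps `$ref: '#/components/schemas/IssuerMode'` for a bare `type: string`, so the three accepted values (`ORG_URL`, `CUSTOM_URL`, `DYNAMIC`) now exist only in the description. This property decides what ends up in the `iss` claim that resource servers validate, so a typo in client code would no longer be caught by the generated type or by request validation against the spec. If the `$ref` was dropped only to attach the long description, keep the constraint by adding `enum: [ORG_URL, CUSTOM_URL, DYNAMIC]` under `type: string`. The description also writes `https://${yourOktaDomain}` where the examples in this file use `https://{yourOktaDomain}`.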
@@ -27424,18 +29044,16 @@ components: token: $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction' AuthorizationServerPolicyRuleConditions: - allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - - type: object - properties: - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' + type: object + properties: + clients: + $ref: '#/components/schemas/ClientPolicyCondition' + grantTypes: + $ref: '#/components/schemas/GrantTypePolicyRuleCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + scopes: + $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' AutoLoginApplication: allOf: - $ref: '#/components/schemas/Application' @@ -28024,10 +29642,12 @@ components: minimum: type: string ClientPolicyCondition: + description: Specifies which clients are included in the Policy type: object properties: include: type: array + description: Which clients are included in the Policy items: type: string ClientPrivilegesSetting: @@ -28153,7 +29773,15 @@ components: profile: $ref: '#/components/schemas/UserProfile' type: - $ref: '#/components/schemas/UserType' + type: object + description: |- + The ID of the user type. Add this value if you want to create a user with a non-default [user type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). + The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can + only be assigned a different user type by an administrator through a full replacement (`PUT`) operation. + properties: + id: + type: string + description: The ID of the user type required: - profile Csr: 
@@ -28466,7 +30094,7 @@ components: jailbreak: type: boolean osVersion: - $ref: '#/components/schemas/OSVersionFourComponents' + $ref: '#/components/schemas/OSVersion' screenLockType: type: object properties: @@ -28499,7 +30127,7 @@ components: jailbreak: type: boolean osVersion: - $ref: '#/components/schemas/OSVersionThreeComponents' + $ref: '#/components/schemas/OSVersion' screenLockType: type: object properties: @@ -28520,7 +30148,7 @@ components: items: $ref: '#/components/schemas/DiskEncryptionTypeDesktop' osVersion: - $ref: '#/components/schemas/OSVersionThreeComponents' + $ref: '#/components/schemas/OSVersion' screenLockType: type: object properties: @@ -28554,6 +30182,24 @@ components: $ref: '#/components/schemas/DiskEncryptionTypeDesktop' osVersion: $ref: '#/components/schemas/OSVersionFourComponents' + osVersionConstraints: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + type: array + description: | +
Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition. + + There are two types of OS requirements: + * **Static**: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with `majorVersionConstraint` and `minimum`. + * **Dynamic**: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with `majorVersionConstraint` and `dynamicVersionRequirement`. + + > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. The `osVersionConstraints` property is only supported for the Windows platform. You can't specify both `osVersion.minimum` and `osVersionConstraints` properties at the same time. + items: + $ref: '#/components/schemas/OSVersionConstraint' + minItems: 1 + maxItems: 2 screenLockType: type: object properties: 
@@ -28912,15 +30558,65 @@ components: type: integer unit: type: string + ECKeyJWK: + description: Elliptic Curve Key in JWK format, currently used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS objects in fulfillment responses. The currently agreed protocol uses P-384. + type: object + properties: + crv: + type: string + enum: + - P-384 + kid: + type: string + description: The unique identifier of the key + kty: + type: string + enum: + - EC + description: The type of public key + use: + type: string + description: The intended use for the key. The ECKeyJWK is always `enc` because Okta uses it to encrypt requests to Yubico. + enum: + - enc + x: + type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + required: + - x + - 'y' + - kty + - crv + - use + - kid EmailContent: type: object properties: body: type: string - description: The email's HTML body. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + description: | + The HTML body of the email. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + Not required if Custom languages for Okta Email Templates is enabled. A `null` body is replaced with a default value from one of the following in priority order: + + 1. An existing default email customization, if one exists + 2. Okta-provided translated content for the specified language, if one exists + 3. Okta-provided translated content for the brand locale, if it's set + 4. Okta-provided content in English subject: type: string - description: The email's subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + description: | + The email subject. 
May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + Not required if Custom languages for Okta Email Templates is enabled. A `null` subject is replaced with a default value from one of the following in priority order: + + 1. An existing default email customization, if one exists + 2. Okta-provided translated content for the specified language, if one exists + 3. Okta-provided translated content for the brand locale, if it's set + 4. Okta-provided content in English required: - subject - body 
@@ -29183,6 +30879,93 @@ components: - LOGO_ON_FULL_WHITE_BACKGROUND - OKTA_DEFAULT - WHITE_LOGO_BACKGROUND + EnrollmentActivationRequest: + description: Enrollment Initialization Request + type: object + properties: + credResponses: + description: List of credential responses from the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredResponse' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + pinResponseJwe: + description: Encrypted JWE of PIN response from the fulfillment provider + type: string + serial: + description: Serial number of the YubiKey + type: string + userId: + description: ID of an existing Okta user + type: string + version: + description: Firmware version of the YubiKey + type: string + yubicoSigningJwks: + description: List of usable signing keys from Yubico (in JWKS format) used to verify the JWS inside the JWE + type: array + items: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentActivationResponse: + description: Enrollment Initialization Response + type: object + properties: + authenticatorEnrollmentIds: + description: List of IDs for preregistered WebAuthn Factors in Okta + type: array + items: + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + EnrollmentInitializationRequest: + description: Enrollment Initialization Request + type: object + properties: + enrollmentRpIds: + description: List of Relying Party hostnames to register on the YubiKey. 
+ type: array + items: + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + yubicoTransportKeyJWK: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentInitializationResponse: + description: Yubico Transport Key in the form of a JWK, used to encrypt our fulfillment request to Yubico. The currently agreed protocol uses P-384. + type: object + properties: + credRequests: + description: List of credential requests for the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredRequest' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + pinRequestJwe: + description: Encrypted JWE of PIN request for the fulfillment provider + type: string + userId: + description: ID of an existing Okta user + type: string Error: title: Error type: object 
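Review bot: Three of the new enrollment schemas carry descriptions that belong to something else, and these strings become the doc comments on the generated types. `EnrollmentActivationRequest` and `EnrollmentActivationResponse` are described as `Enrollment Initialization Request` and `Enrollment Initialization Response`, and `EnrollmentInitializationResponse` carries the "Yubico Transport Key in the form of a JWK…" sentence that reads like the description for the `yubicoTransportKeyJWK` property of the request. I would rename the first two to `Enrollment Activation Request` / `Enrollment Activation Response`, give the third `Enrollment Initialization Response`, and move the transport-key sentence onto `yubicoTransportKeyJWK`. Separately, `yubicoSigningJwks` reuses `ECKeyJWK`, whose `use` is required and limited to `enc` in the `@@ -28912` hunk. Keys used to verify a JWS would normally be marked `sig`, so a strict validator may reject them; worth confirming against the provider's actual JWKS.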
@@ -29535,6 +31318,33 @@ components: resetPasswordUrl: type: string readOnly: true + FulfillmentData: + description: Fulfillment provider details + type: object + properties: + customizationId: + description: ID for the set of custom configurations of the requested Factor + type: string + inventoryProductId: + description: ID for the specific inventory bucket of the requested Factor + type: string + productId: + description: ID for the make and model of the requested Factor + type: string + FulfillmentRequest: + description: Fulfillment Request + type: object + properties: + fulfillmentData: + $ref: '#/components/schemas/FulfillmentData' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string GoogleApplicationSettings: allOf: - $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' @@ -29565,10 +31375,12 @@ components: - REVOKED readOnly: true GrantTypePolicyRuleCondition: + description: Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens. type: object properties: include: type: array + description: Array of grant types thagt this condition includes. items: type: string Group: @@ -29619,14 +31431,17 @@ components: users: $ref: '#/components/schemas/HrefObject' GroupCondition: + description: Specifies a set of Groups whose Users are to be included or excluded type: object properties: exclude: type: array + description: Groups to be excluded items: type: string include: type: array + description: Groups to be included items: type: string GroupOwner: 
@@ -29667,14 +31482,17 @@ components: - GROUP - USER GroupPolicyRuleCondition: + description: Specifies a set of Groups whose Users are to be included or excluded type: object properties: exclude: type: array + description: Groups to be excluded items: type: string include: type: array + description: Groups to be included items: type: string GroupProfile: @@ -30125,6 +31943,9 @@ components: type: string client_secret: type: string + pkce_required: + type: boolean + description: Require Proof Key for Code Exchange (PKCE) for additional verification IdentityProviderCredentialsSigning: type: object properties: @@ -30151,16 +31972,13 @@ components: - OCSP IdentityProviderPolicy: allOf: - - $ref: '#/components/schemas/Policy' - type: object properties: accountLink: $ref: '#/components/schemas/PolicyAccountLink' - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' mapAMRClaims: type: boolean - description: Enable mapping AMR from IdP to Okta to downstream apps + description:
Enable mapping AMR from IdP to Okta to downstream apps default: false x-okta-lifecycle: lifecycle: EA 
@@ -30283,21 +32101,75 @@ components: userName: type: string maxLength: 100 + IdpDiscoveryPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + IdpDiscoveryPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/IdpPolicyRuleAction' + conditions: + $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition' + IdpDiscoveryPolicyRuleCondition: + allOf: + - type: object + properties: + app: + $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + userIdentifier: + $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' + platform: + $ref: '#/components/schemas/PlatformPolicyRuleCondition' IdpPolicyRuleAction: type: object properties: - providers: - items: - $ref: '#/components/schemas/IdpPolicyRuleActionProvider' - type: array + idp: + type: object + properties: + providers: + items: + $ref: '#/components/schemas/IdpPolicyRuleActionProvider' + type: array + description: List of configured Identity Providers that a given Rule can route to. Ability to define multiple providers is a part of the Okta Identity Engine. This allows users to choose a Provider when they sign in. Contact support for information on the Identity Engine. + idpSelectionType: + description: Determines whether the rule should use expression language or a specific IdP + $ref: '#/components/schemas/IdpSelectionType' + matchCriteria: + items: + $ref: '#/components/schemas/IdpPolicyRuleActionMatchCriteria' + type: array + description: Required if `idpSelectionType` is set to `DYNAMIC` + IdpPolicyRuleActionMatchCriteria: + type: object + properties: + propertyName: + type: string + description: The IdP property that the evaluated string should match to + providerExpression: + type: string + description: | + You can provide an Okta Expression Language expression with the Login Context that's evaluated with the IdP. 
For example, the value `login.identifier` refers to the user's username. If the user is signing in with the username `john.doe@mycompany.com`, the expression `login.identifier.substringAfter(@))` is evaluated to the domain name of the user, for example: `mycompany.com`. IdpPolicyRuleActionProvider: type: object properties: id: - readOnly: true type: string - type: + description: IdP types of `OKTA`, `AgentlessDSSO`, and `IWA` don't require an ID. + name: type: string + description: Provider `name` in Okta. Optional. Supported in `IDENTITY ENGINE`. + type: + $ref: '#/components/schemas/IdentityProviderType' + IdpSelectionType: + type: string + enum: + - DYNAMIC + - SPECIFIC IframeEmbedScopeAllowedApps: type: string enum: @@ -30539,41 +32411,67 @@ components: type: object properties: alg: + description: 'The algorithm used with the Key. Valid value: `RS256`' type: string created: $ref: '#/components/schemas/createdProperty' e: + description: RSA key value (public exponent) for Key binding type: string + readOnly: true expiresAt: + description: Timestamp when the certificate expires type: string format: date-time + readOnly: true key_ops: + description: Identifies the operation(s) for which the key is intended to be used type: array items: type: string kid: + description: Unique identifier for the certificate type: string + readOnly: true kty: + description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`' type: string + readOnly: true lastUpdated: type: string format: date-time + $ref: '#/components/schemas/lastUpdatedProperty' 'n': + description: RSA modulus value that is used by both the public and private keys and provides a link between them type: string status: + description: |- + An `ACTIVE` Key is used to sign tokens issued by the authorization server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`
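Review bot: The example in the `providerExpression` description of `IdpPolicyRuleActionMatchCriteria`, `login.identifier.substringAfter(@))`, has an extra closing parenthesis and an unquoted `@`, so it is not a valid expression as written. I would write it as `login.identifier.substringAfter('@')`. This expression decides which IdP a sign-in is routed to, so a copy-pasted broken example produces a routing rule that does not match what the admin intended.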
+ A `NEXT` Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The `NEXT` Key might not be listed if it hasn't been generated yet. + An `EXPIRED` Key is the previous Key that the authorization server used to sign tokens. The `EXPIRED` Key might not be listed if no Key has expired or the expired Key was deleted. type: string use: + description: 'Acceptable use of the certificate. Valid value: `sig`' type: string + readOnly: true x5c: + description: X.509 certificate chain that contains a chain of one or more certificates type: array items: type: string + readOnly: true x5t: + description: X.509 certificate SHA-1 thumbprint, which is the base64url-encoded SHA-1 thumbprint (digest) of the DER encoding of an X.509 certificate type: string + readOnly: true x5t#S256: + description: X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate type: string + readOnly: true x5u: + description: A URI that refers to a resource for the X.509 public key certificate or certificate chain corresponding to the key used to digitally sign the JWS (JSON Web Signature) type: string + readOnly: true _links: $ref: '#/components/schemas/LinksSelf' JwkUse: @@ -31517,6 +33415,7 @@ components: properties: alwaysIncludeInToken: type: boolean + description: Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint. claimType: $ref: '#/components/schemas/OAuth2ClaimType' conditions: 
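Review bot: In the JWK schema, `lastUpdated` now carries `type: string` and `format: date-time` alongside the added `$ref: '#/components/schemas/lastUpdatedProperty'`. Under OpenAPI 3.0, conforming tools ignore keywords placed beside `$ref`, which makes the two context lines dead weight. The `openapi:` version line is outside this chunk, so confirm which version applies. I would keep only the `$ref`, as the neighbouring `created` property does. The same pattern appears where a `description` is added beside `$ref` on `idpSelectionType` in `IdpPolicyRuleAction` and on `status` and `type` in `Policy`. There the description is the part that may be dropped, and wrapping the reference as `allOf: [{$ref: ...}]` would preserve it.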
@@ -31525,20 +33424,25 @@ components: $ref: '#/components/schemas/OAuth2ClaimGroupFilterType' id: type: string + description: ID of the Claim readOnly: true name: type: string + description: Name of the Claim status: $ref: '#/components/schemas/LifecycleStatus' system: + description: When `true`, indicates that Okta created the Claim type: boolean value: + description: Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`. type: string valueType: $ref: '#/components/schemas/OAuth2ClaimValueType' _links: $ref: '#/components/schemas/LinksSelf' OAuth2ClaimConditions: + description: Specifies the scopes for the Claim type: object properties: scopes: 
@@ -31546,18 +33450,31 @@ components: items: type: string OAuth2ClaimGroupFilterType: + description: |- + Specifies the type of group filter if `valueType` is `GROUPS` + + If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`. + + If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim. type: string enum: - CONTAINS - EQUALS - REGEX - STARTS_WITH + x-enumDescriptions: + STARTS_WITH: Group names start with `value` (not case-sensitive). For example, if `value` is `group1`, then `group123` and `Group123` are included. + EQUALS: Group name is the same as `value` (not case-sensitive). For example, if `value` is `group1`, then `group1` and `Group1` are included, but `group123` isn't. + CONTAINS: Group names contain `value` (not case-sensitive). For example, if `value` is `group1`, then `MyGroup123` and `group1` are included. + REGEX: Group names match the regular expression in `value` (case-sensitive). For example if `value` is `/^[a-z0-9_-]{3,16}$/`, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match. OAuth2ClaimType: + description: Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`) type: string enum: - IDENTITY - RESOURCE OAuth2ClaimValueType: + description: Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`) type: string enum: - EXPRESSION 
@@ -31567,15 +33484,18 @@ components: type: object properties: client_id: + description: Unique key for the client application. The `client_id` is immutable type: string readOnly: true client_name: + description: Human-readable string name of the client application type: string readOnly: true client_uri: type: string readOnly: true logo_uri: + description: URL string that references a logo for the client consent dialog (not the sign-in dialog) type: string readOnly: true _links: @@ -31795,6 +33715,7 @@ components: - ALL_CLIENTS - NO_CLIENTS OAuth2ScopesMediationPolicyRuleCondition: + description: Array of scopes that the condition includes type: object properties: include: @@ -32013,6 +33934,91 @@ components: type: array items: $ref: '#/components/schemas/SamlAttributeStatement' + OSVersion: + description: | + Specifies the OS requirement for the policy. + + There are two types of OS requirements: + + * **Static**: A specific OS version requirement that doesn't change until you update the policy. A static OS requirement is specified with the `osVersion.minimum` property. + * **Dynamic**: An OS version requirement that is relative to the latest major OS release and security patch. A dynamic OS requirement is specified with the `osVersion.dynamicVersionRequirement` property. + > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. You can't specify both `osVersion.minimum` and `osVersion.dynamicVersionRequirement` properties at the same time. + type: object + properties: + dynamicVersionRequirement: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + description:
Contains the necessary properties for a dynamic version requirement + type: object + properties: + type: + type: string + description: Indicates the type of the dynamic OS version requirement + enum: + - MINIMUM + - EXACT + - EXACT_ANY_SUPPORTED + x-enumDescriptions: + MINIMUM: The device version must be equal to or newer than the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. + EXACT: The device version must be on the same major version as the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. + EXACT_ANY_SUPPORTED: The device version must be on a major version which is supported. You can't specify `distanceFromLatestMajor` for this type. + distanceFromLatestMajor: + description: Indicates the distance from the latest major version + type: integer + minimum: 0 + maximum: 1 + latestSecurityPatch: + description: Indicates whether the device needs to be on the latest security patch + type: boolean + minimum: + description: The device version must be equal to or newer than the specified version string (maximum of three components for iOS and macOS, and maximum of four components for Android) + type: string + example: 12.4.5 + OSVersionConstraint: + type: object + properties: + dynamicVersionRequirement: + type: object + description: Contains the necessary properties for a dynamic Windows version requirement + properties: + type: + type: string + description: Indicates the type of the dynamic Windows version requirement + enum: + - MINIMUM + - EXACT + - EXACT_ANY_SUPPORTED + - NOT_ALLOWED + x-enumDescriptions: + MINIMUM: The device version must be equal to or newer than the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. + EXACT: The device version must be on the same major version as the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. 
+ EXACT_ANY_SUPPORTED: The device version must be on a Windows major version which is supported. You can't specify `distanceFromLatestMajor` for this type. + NOT_ALLOWED: The device version isn't allowed. You can't specify `distanceFromLatestMajor` or `latestSecurityPatch` for this type. + distanceFromLatestMajor: + description: Indicates the distance from the latest Windows major version + type: integer + minimum: 0 + maximum: 1 + latestSecurityPatch: + description: Indicates whether the policy requires Windows devices to be on the latest security patch + type: boolean + majorVersionConstraint: + type: string + description: Indicates the Windows major version + enum: + - WINDOWS_11 + - WINDOWS_10 + x-enumDescriptions: + WINDOWS_11: The device is on Windows 11 + WINDOWS_10: The device is on Windows 10 or an older Windows version + minimum: + description: The Windows device version must be equal to or newer than the specified version + type: string + example: 12.4.5.9 + required: + - majorVersionConstraint OSVersionFourComponents: description: Current version of the operating system (maximum of four components in the versioning scheme) type: object @@ -32083,7 +34089,7 @@ components: doc: type: string format: uri - description: The URL to your customer-facing instructions for configuring your OIDC integration + description: The URL to your customer-facing instructions for configuring your OIDC integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). example: https://example.com/strawberry/help/oidcSetup initiateLoginUri: type: string 
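Review bot: The `OSVersion` description says `osVersion.minimum` and `osVersion.dynamicVersionRequirement` cannot be specified together, but the schema declares both as ordinary optional properties. Nothing in the spec, or in a client generated from it, flags a device-assurance policy that sets both. The rules stated in `x-enumDescriptions` are likewise prose only in both `OSVersion` and `OSVersionConstraint`: `distanceFromLatestMajor` is required for `MINIMUM` and `EXACT` and disallowed for `EXACT_ANY_SUPPORTED` and `NOT_ALLOWED`. If the generator copes with it, a `oneOf` over the static and dynamic shapes would encode the first constraint. Otherwise, repeat the restriction in the `minimum` and `dynamicVersionRequirement` property descriptions so it surfaces in the generated field docs.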
@@ -32957,6 +34963,21 @@ components: type: array items: $ref: '#/components/schemas/Permission' + PinRequest: + description: Pin Request + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string PipelineType: description: The authentication pipeline of the org. `idx` means the org is using the Identity Engine, while `v1` means the org is using the Classic authentication pipeline. type: string @@ -33014,27 +35035,36 @@ components: type: object properties: created: + description: Timestamp when the Policy was created type: string format: date-time readOnly: true description: + description: Policy description type: string id: + description: Policy ID type: string readOnly: true lastUpdated: + description: Timestamp when the Policy was last updated type: string format: date-time readOnly: true name: + description: Policy name type: string priority: + description: Specifies the order in which this Policy is evaluated in relation to the other policies in a custom authorization server. type: integer status: + description: Specifies whether requests have access to this Policy $ref: '#/components/schemas/LifecycleStatus' system: + description: Specifies whether Okta created the Policy type: boolean type: + description: Indicates that the Policy is an authorization server policy (`OAUTH_AUTHORIZATION_POLICY`) $ref: '#/components/schemas/PolicyType' _embedded: type: object @@ -33178,11 +35208,13 @@ components: items: type: string PolicyNetworkConnection: + description: Network selection mode type: string enum: - ANYWHERE - ZONE PolicyPeopleCondition: + description: Identifies Users and Groups that are used together type: object properties: groups: 
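Review bot: The descriptions added to the shared `Policy` schema are specific to authorization servers, which is misleading because `Policy` is a base schema for other policy kinds. `type` reads "Indicates that the Policy is an authorization server policy (`OAUTH_AUTHORIZATION_POLICY`)" and `priority` refers to "a custom authorization server". Yet this commit makes `Policy` the base of `IdpDiscoveryPolicy` via `allOf`, and `PolicyType` lists other values such as `ACCESS_POLICY`. I would use neutral wording on the base schema, for example `description: Type of the Policy` and `description: Order in which this Policy is evaluated relative to other policies of the same type`. The authorization-server wording belongs on the specific subtype.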
@@ -33210,24 +35242,30 @@ components: properties: created: type: string + description: Timestamp when the rule was created format: date-time readOnly: true nullable: true id: type: string + description: Identifier for the rule lastUpdated: type: string + description: Timestamp when the rule was last modified format: date-time readOnly: true nullable: true name: type: string + description: Name of the rule priority: type: integer + description: Priority of the rule status: $ref: '#/components/schemas/LifecycleStatus' system: type: boolean + description: Specifies whether Okta created the Policy Rule (`system=true`). You can't delete Policy Rules that have `system` set to `true`. default: false type: $ref: '#/components/schemas/PolicyRuleType' @@ -33301,6 +35339,7 @@ components: userStatus: $ref: '#/components/schemas/UserStatusPolicyRuleCondition' PolicyRuleType: + description: Rule type type: string enum: - ACCESS_POLICY @@ -33333,6 +35372,7 @@ components: - USERNAME - USERNAME_OR_EMAIL PolicyType: + description: All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page. Creating or replacing a policy with `IDP_DISCOVERY` type isn't supported. type: string enum: - ACCESS_POLICY 
@@ -33364,12 +35404,39 @@ components: properties: deviceBound: type: string + description: Indicates if device-bound Factors are required. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL hardwareProtection: type: string + description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL phishingResistant: type: string + description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL userPresence: type: string + description: Indicates if the user needs to approve an Okta Verify prompt or provide biometrics (meets NIST AAL2 requirements). This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: REQUIRED + userVerification: + type: string + description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL PreRegistrationInlineHook: type: object properties: @@ -33735,8 +35802,6 @@ components: properties: authScheme: $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' - profile: - $ref: '#/components/schemas/ProvisioningConnectionProfile' status: $ref: '#/components/schemas/ProvisioningConnectionStatus' _links: @@ -33744,6 +35809,7 @@ components: required: - authScheme - status + discriminator: *ref_21 ProvisioningConnectionAuthScheme: description: Defines the method of authentication type: string 
@@ -33755,6 +35821,20 @@ components: TOKEN: A token is used to authenticate with the app. OAUTH2: OAuth 2.0 is used to authenticate with the app. UNKNOWN: The authentication scheme used by the app isn't supported, or the app doesn't support provisioning. + ProvisioningConnectionOauth: + allOf: + - $ref: '#/components/schemas/ProvisioningConnection' + - type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileOauth' + ProvisioningConnectionOauthRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileOauth' + required: + - profile ProvisioningConnectionProfile: description: | The profile used to configure the connection method of authentication and the credentials. @@ -33763,8 +35843,8 @@ components: properties: authScheme: $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' - token: - type: string + required: + - authScheme ProvisioningConnectionProfileOauth: description: | The app provisioning connection profile used to configure the method of authentication and the credentials. @@ -33778,7 +35858,6 @@ components: description: Unique client identifier for the OAuth 2.0 service app from the target org required: - authScheme - - clientId ProvisioningConnectionProfileOauthSettings: title: Generic description: Specific settings aren't defined for generic OAuth 2.0 provisioning connections @@ -33804,13 +35883,6 @@ components: allOf: - $ref: '#/components/schemas/ProvisioningConnectionProfile' - type: object - ProvisioningConnectionRequest: - type: object - properties: - profile: - $ref: '#/components/schemas/ProvisioningConnectionProfile' - required: - - profile ProvisioningConnectionStatus: description: Provisioning connection status default: DISABLED 
@@ -33823,6 +35895,27 @@ components: DISABLED: The provisioning connection is disabled. ENABLED: The provisioning connection is enabled. UNKNOWN: Provisioning isn't supported by the app, or the authentication method is unknown. + ProvisioningConnectionToken: + allOf: + - $ref: '#/components/schemas/ProvisioningConnection' + - type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileToken' + ProvisioningConnectionTokenRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileToken' + required: + - profile + ProvisioningConnectionUnknown: + allOf: + - $ref: '#/components/schemas/ProvisioningConnection' + - type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileUnknown' ProvisioningDeprovisionedAction: type: string enum: @@ -33979,6 +36072,17 @@ components: name: type: string description: Name of a Realm + realmType: + type: string + description: An optional parameter to specify type of a Realm (Only applicable for Partner use-case) + enum: + - PARTNER + - OTHER + x-enumDescriptions: + PARTNER: Realm with external partner portal + OTHER: Other + required: + - name RecoveryQuestionCredential: description: |- Specifies a secret question and answer that's validated (case insensitive) when a user forgets their 
@@ -34559,7 +36663,7 @@ components: acs: type: array minItems: 1 - description: 'List of Assertion Consumer Service (ACS) URLs. The default ACS URL is required and is indicated by a null index value. You can use the org properties you defined in the `config` array as variables in the URL. For example: `https://${org.subdomain}.example.com/saml/login`' + description: 'List of Assertion Consumer Service (ACS) URLs. The default ACS URL is required and is indicated by a null `index` value. You can use the org-level variables you defined in the `config` array in the URL. For example: `https://${org.subdomain}.example.com/saml/login`' items: type: object properties: @@ -34567,7 +36671,7 @@ components: type: number minimum: 0 maximum: 65535 - description: Index of ACS URL + description: Index of ACS URL. You can't reuse the same index in the ACS URL array. example: 0 url: type: string @@ -34578,11 +36682,11 @@ components: doc: type: string format: uri - description: The URL to your customer-facing instructions for configuring your SAML integration + description: The URL to your customer-facing instructions for configuring your SAML integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). example: https://example.com/strawberry/help/samlSetup entityId: type: string - description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP). + description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP) URL. example: https://${org.subdomain}.example.com required: - acs 
@@ -35213,7 +37317,7 @@ components: type: string pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ Sso: - description: Supported SSO protocol configurations. You must configure at least one protocol. + description: 'Supported SSO protocol configurations. You must configure at least one protocol: `oidc` or `saml`' type: object properties: oidc: 
@@ -35280,39 +37384,39 @@ components: properties: config: type: array - description: 'List of org-level properties used to set up the per-tenant configuration for your customers. For example the `subdomain` property can be used in the ACS URL: `https://${org.subdomain}.example.com/saml/login`.' + description: 'List of org-level variables for the customer per-tenant configuration. For example, a `subdomain` variable can be used in the ACS URL: `https://${org.subdomain}.example.com/saml/login`' items: type: object properties: label: type: string - description: Display name of org property in the Admin Console. + description: Display name of the variable in the Admin Console example: Subdomain name: type: string maxLength: 1024 minLength: 1 - description: Name of the org property + description: Name of the variable example: subdomain description: type: string maxLength: 1024 minLength: 1 - description: A general description of your application and value of the Okta integration + description: A general description of your application and the benefits provided to your customers example: Your one source for in-season strawberry deals. Okta's Strawberry Central integration allow users to securely access those sweet deals. id: type: string - description: ID of a Submission + description: OIN Integration ID readOnly: true example: acme_submissionapp_1 lastPublished: type: string - description: Timestamp when the Submission was last published + description: Timestamp when the OIN Integration was last published readOnly: true example: '2023-08-24T14:15:22.000Z' lastUpdated: type: string - description: Timestamp when the Submission object was last updated + description: Timestamp when the OIN Integration instance was last updated readOnly: true example: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 
@@ -35323,7 +37427,7 @@ components: logo: type: string format: uri - description: URL to an uploaded application logo. This logo appears next to your app integration name in the OIN catalog. + description: URL to an uploaded application logo. This logo appears next to your app integration name in the OIN catalog. You must first [Upload an OIN Integration logo](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/uploadSubmissionLogo) to obtain the logo URL before you can specify this value. example: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 name: type: string @@ -35335,7 +37439,7 @@ components: $ref: '#/components/schemas/Sso' status: type: string - description: Status of the Submission + description: Status of the OIN Integration submission readOnly: true example: New Subscription: @@ -35444,11 +37548,11 @@ components: properties: idp: type: boolean - description: Indicates if your integration supports IdP-initiated sign-in flows + description: Read only.
Indicates if your integration supports IdP-initiated sign-in flows. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) is specified, this property is set to `true`. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) isn't set for the integration submission, this property is set to `false` readOnly: true sp: type: boolean - description: Indicates if your integration supports SP-initiated sign-in flows + description: Read only.
Indicates if your integration supports SP-initiated sign-in flows and is always set to `true` for OIDC SSO readOnly: true jit: type: boolean @@ -35483,8 +37587,8 @@ components: spInitiateDescription: type: string maxLength: 2048 - description: Instructions on how to sign in to your app using the SP-initiated flow - example: Just open URL and provide your username + description: Instructions on how to sign in to your app using the SP-initiated flow (required if `sp = true`) + example: Go to your app URL from a browser and enter your username required: - spInitiateUrl testAccount: @@ -35511,7 +37615,7 @@ components: type: string maxLength: 2048 description: Additional instructions to test the app integration, including instructions for obtaining test accounts - example: Just open URL and input credentials + example: Go to your app URL from a browser and enter your credentials required: - url - username @@ -35634,12 +37738,15 @@ components: properties: accessTokenLifetimeMinutes: type: integer + description: Lifetime of the access token in minutes. The minimum is five minutes. The maximum is one day. inlineHook: $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' refreshTokenLifetimeMinutes: type: integer + description: Lifetime of the refresh token is the minimum access token lifetime. refreshTokenWindowMinutes: type: integer + description: Timeframe when the refresh token is valid. The minimum is 10 minutes. The maximum is five years (2,628,000 minutes). TokenAuthorizationServerPolicyRuleActionInlineHook: type: object properties: 
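Review bot: The new descriptions in `TokenAuthorizationServerPolicyRuleAction` give the token lifetime limits only in prose, so the bounds are not machine-checkable and a generated client will accept any integer. The limits are five minutes to one day for `accessTokenLifetimeMinutes` and 10 minutes to 2,628,000 minutes for `refreshTokenWindowMinutes`. Adding `minimum: 5` and `maximum: 1440` to the first, and `minimum: 10` and `maximum: 2628000` to the second, beside `type: integer`, would encode what the text already states. The text for `refreshTokenLifetimeMinutes`, "Lifetime of the refresh token is the minimum access token lifetime.", is hard to parse. If the intent is that the refresh token must live at least as long as the access token, say that directly.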
@@ -35888,9 +37995,24 @@ components: readOnly: true nullable: true transitioningToStatus: - $ref: '#/components/schemas/UserStatus' + type: string + description: The target status of an in-progress asynchronous status transition. This property is only returned if the user's state is transitioning. + readOnly: true + nullable: true + enum: + - ACTIVE + - DEPROVISIONED + - PROVISIONED type: - $ref: '#/components/schemas/UserType' + type: object + description: |- + The user type that determines the schema for the user's profile. The `type` property is a map that identifies + the User Type (see [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType)). + Currently it contains a single element, `id`. It can be specified when creating a new user, and may be updated by an administrator on a full replace of an existing user (but not a partial update). + properties: + id: + type: string + description: The ID of the user type _embedded: type: object description: If specified, includes embedded resources related to the user @@ -36000,13 +38122,16 @@ components: enum: - DEVICE_BASED UserCondition: + description: Specifies a set of Users to be included or excluded type: object properties: exclude: + description: Users to be excluded type: array items: type: string include: + description: Users to be included type: array items: type: string @@ -36459,13 +38584,16 @@ components: items: $ref: '#/components/schemas/UserBlock' UserIdentifierConditionEvaluatorPattern: + description: Used in the User Identifier Condition object. Specifies the details of the patterns to match against. type: object properties: matchType: $ref: '#/components/schemas/UserIdentifierMatchType' value: type: string + description: The regex expression of a simple match string UserIdentifierMatchType: + description: The type of pattern. For regex, use `EXPRESSION`. type: string enum: - CONTAINS 
@@ -36507,21 +38635,25 @@ components: preventBruteForceLockoutFromUnknownDevices: type: boolean description: Prevents brute-force lockout from unknown devices for the password authenticator. + default: false UserNextLogin: type: string enum: - changePassword UserPolicyRuleCondition: + description: Specifies a set of Users to be included or excluded type: object properties: exclude: type: array + description: Users to be excluded items: type: string inactivity: $ref: '#/components/schemas/InactivityPolicyRuleCondition' include: type: array + description: Users to be included items: type: string lifecycleExpiration: @@ -36631,6 +38763,7 @@ components: nickName: type: string description: The casual way to address the user in real life + nullable: true organization: type: string description: Name of the the user's organization 
@@ -37091,6 +39224,63 @@ components: - ANY - BUILT_IN - ROAMING + WebAuthnCredRequest: + description: Credential request object for the initialized credential, along with the enrollment and key identifiers to associate with the credential + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta + type: string + credRequestJwe: + description: Encrypted JWE of credential request for the fulfillment provider + type: string + keyId: + description: ID for the Okta response key-pair used to encrypt and decrypt credential requests and responses + type: string + WebAuthnCredResponse: + description: Credential response object for enrolled credential details, along with enrollment and key identifiers to associate the credential + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta + type: string + credResponseJWE: + description: Encrypted JWE of credential response from the fulfillment provider + type: string + WebAuthnPreregistrationFactor: + description: User Factor variant used for WebAuthn Preregistration Factors + type: object + properties: + created: + description: Timestamp indicating when the Factor was enrolled + type: string + format: date-time + readOnly: true + factorType: + $ref: '#/components/schemas/UserFactorType' + id: + description: ID of the Factor + type: string + readOnly: true + lastUpdated: + description: Timestamp indicating when the Factor was last updated + type: string + format: date-time + readOnly: true + profile: + type: object + description: Specific attributes related to the Factor + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider. 
+ type: string + example: OKTA + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' WellKnownAppAuthenticatorConfiguration: type: object properties: @@ -37389,4 +39579,4 @@ components: okta.userTypes.manage: Allows the app to manage user types in your Okta organization. okta.userTypes.read: Allows the app to read user types in your Okta organization. okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information. - okta.users.read: Allows the app to read the existing users' profiles and credentials. + okta.users.read: Allows the app to read the existing users' profiles and credentials. \ No newline at end of file diff --git a/.generator/okta-management-APIs-oasv3-noEnums-inheritance.yaml b/.generator/okta-management-APIs-oasv3-noEnums-inheritance.yaml index 342175a05..4e1e7734d 100644 --- a/.generator/okta-management-APIs-oasv3-noEnums-inheritance.yaml +++ b/.generator/okta-management-APIs-oasv3-noEnums-inheritance.yaml @@ -10,14 +10,14 @@ info: license: name: Apache-2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html - version: 4.0.0 + version: 5.1.0 x-logo: url: logo.svg backgroundColor: transparent altText: Okta Developer externalDocs: description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html + url: https://developer.okta.com/docs/reference/core-okta-api/#design-principles servers: - url: https://{yourOktaDomain} variables: 
@@ -28,15 +28,88 @@ tags: - name: AgentPools x-displayName: Agent Pools description: The Agent Pools API provides operation to manage the update settings of the agents for your organization. + - name: ApiServiceIntegrations + x-displayName: API Service Integrations + description: | + This API provides operations to manage API service integration instances in your organization. + + For a current list of available API service integrations, see the [Okta Integration Network catalog](https://www.okta.com/integrations/?capability=api). + + See [Add an API Service Integration](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-api-service-integration) for corresponding admin instructions using the Admin Console. + If you want to build an API service integration, see [API service integrations in the OIN](https://developer.okta.com/docs/guides/oin-api-service-overview/). - name: ApiToken x-displayName: API Tokens description: The API Tokens API provides operations to manage SSWS API tokens for your organization. - name: Application x-displayName: Applications description: The Applications API provides operations to manage applications and/or assignments to users or groups for your organization. + - name: ApplicationConnections + x-displayName: Application Connections + description: | + The Application Connections API provides operations for configuring connections to an app. + + Currently, only the Okta Org2Org app provisioning connection is supported in this API. + - name: ApplicationCredentials + x-displayName: Application Credentials + description: | + Specifies credentials and scheme for the application's `signOnMode` + + ### Application Key Credential + The application Key Credential object defines a [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) for a signature or encryption credential for an application. 
+ + > **Notes:** + > * To update the app, you can provide just the Signing Credential object instead of the entire Application Credential object. + > * Currently only the X.509 JWK format is supported for applications with the `SAML_2_0` sign-on mode. + - name: ApplicationFeatures + x-displayName: Application Features + description: | + The Application Features API supports operations to configure app feature settings. + + You must have app provisioning enabled to configure provisioning features. See [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). + + The following available provisioning feature is supported by the indicated app: + + |
Feature
| Apps supported | Description | + | -------------------- | -------------- | ----------- | + | `USER_PROVISIONING` | `org2org` | Similar to the app **Provisioning** > **To App** setting in the Admin Console, this feature configures the **Create Users**, **Update User Attributes**, **Deactivate Users**, and **Sync Password** settings. | + + > **Note:** You can't use the `USER_PROVISIONING` feature in an Okta Developer-Edition org because the `org2org` app isn't available in developer orgs. + > If you need to test this feature in your Developer-Edition org, contact your Okta account team. + - name: ApplicationGrants + x-displayName: Application Grants + description: | + The Application Grants API provides a set of operations to manage scope consent grants for an app. + + A scope consent grant represents an app's permission to include specific Okta scopes in OAuth 2.0 Bearer tokens. + If the app doesn't have permission to grant consent for a particular Okta scope, token requests that contain the scope are denied. + - name: ApplicationGroups + x-displayName: Application Groups + description: Groups assigned to an application + - name: ApplicationLogos + x-displayName: Application Logos + description: Provides a resource to manage the application instance logo + - name: ApplicationOktaApplicationSettings + x-displayName: Okta Application Settings + description: The Okta Application Settings API provides operations to manage settings for Okta applications. 
+ - name: ApplicationPolicies + x-displayName: Application Policies + description: Provides a resource to manage authentication policies associated with an application + - name: ApplicationSSO + x-displayName: Application SSO + description: Provides a Single Sign-On (SSO) resource for an application + - name: ApplicationTokens + x-displayName: Application Tokens + description: | + Resource to manage OAuth 2.0 tokens for an app + > **Note:** To configure refresh tokens for an app, see + > [grant_types](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/grant_types&t=request) + > and [refresh_token](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/refresh_token&t=request). + - name: ApplicationUsers + x-displayName: Application Users + description: Application user operations - name: AttackProtection x-displayName: Attack Protection - description: The Attack Protection API provides operations to configure the User Lockout Settings in your org to prevent brute-force attacks. + description: The Attack Protection API provides operations to configure the User Lockout Settings and the Authenticator Settings in your org to protect against password abuse. - name: Authenticator x-displayName: Authenticators description: |- 
@@ -57,10 +130,27 @@ tags: * Email * WebAuthn * Duo - * Custom App Early Access + * Custom App - name: AuthorizationServer x-displayName: Authorization Servers - description: Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them. + description: |- + Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them. + + **Work with the Default Authorization Server** + + Okta provides a pre-configured Custom Authorization Server with the name `default`. This Default Authorization Server includes a basic access policy and rule, which you can edit to control access. It allows you to specify `default` instead of the `authorizationServerId` in requests to it: + + `https://${yourOktaDomain}/api/v1/authorizationServers/default` + + vs + + `https://${yourOktaDomain}/api/v1/authorizationServers/${authorizationServerId}` for other Custom Authorization Servers + - name: AuthorizationServerAssoc + x-displayName: Authorization Server Associated Servers + description: Associated authorization servers allow you to designate a trusted authorization server that you associate with another authorization server. This type of association provides a way to configure [token exchange](https://developer.okta.com/docs/guides/set-up-token-exchange/main/#trusted-servers) between other authorization servers under the same Okta tenant. 
+ - name: AuthorizationServerClaims + x-displayName: Authorization Server Claims + description: Provides operations to manage custom token claims for the given `authServerId` and `claimId` - name: Behavior x-displayName: Behavior Rules description: The Behavior Rules API provides operations to manage the behavior detection rules for your organization. 
@@ -72,14 +162,15 @@ tags: The vendor implementations supported by Okta are both invisible. They each run risk-analysis software in the background during user sign in to determine the likelihood that the user is a bot. This risk analysis is based on the settings that you configure with the provider that you choose. Before you configure your org to use CAPTCHA, sign in to the vendor of your choice or sign up for an account. For more details, refer to [CAPTCHA integration](https://help.okta.com/okta_help.htm?type=oie&id=csh-captcha). + - name: CustomDomain + x-displayName: Custom Domains + description: The Custom Domains API provides operations to manage custom domains for your organization. - name: Customization x-displayName: Customizations description: |- The Brands API allows you to customize the look and feel of pages and templates, such as the Okta-hosted sign-in page, error pages, email templates, and the Okta End-User Dashboard. - Each org starts off with Okta's default branding. You can upload your own assets (colors, background image, logo, and favicon) to replace Okta's default brand assets. You can then publish these assets directly to your pages and templates. - - >**Important:** Despite being called the Brands API (due to conventions around REST API naming), each org can currently contain only one brand and one theme. We will likely allow multiple brands and themes per org at some point in the future, so stay tuned! + Each new org contains Okta default branding. You can upload your own assets (colors, background image, logo, and favicon) to replace the default assets and publish these assets directly to your pages and templates. - name: Device x-displayName: Devices description: |- 
@@ -88,6 +179,7 @@ tags: The Devices API supports the following **Device Operations**: * Get, Delete Device objects. * Perform lifecycle transitions on the Device objects. + Device lifecycle is defined as transitions of the Device Status by the associated operations. The Device object follows a predefined lifecycle transition flow. Device Lifecycle operations are idempotent and its calls are synchronous. The Devices API supports the following **Authorization Schemes**: * SSWS - [API tokens](https://developer.okta.com/docs/reference/core-okta-api/#authentication) 
@@ -97,17 +189,17 @@ tags: > 1. Admins - Enable Okta FastPass. See [Enable FastPass](https://help.okta.com/okta_help.htm?type=oie&id=ext-fp-enable) > 2. End users with existing mobile Okta Verify enrollments - After you upgrade your org to Okta Identity Engine, direct end users with existing Okta Verify enrollments to use [FastPass](https://help.okta.com/okta_help.htm?type=oie&id=csh-fp-main). - > End users with a new enrollment in Okta Verify on an Okta Identity Engine org have a device record created in the device inventory by default. + > **Note:** End users with a new enrollment in Okta Verify on an Okta Identity Engine org have a device record created in the device inventory by default. See [Device Registration](https://help.okta.com/okta_help.htm?type=oie&id=csh-device-registration), [Login Using Okta Verify](https://help.okta.com/okta_help.htm?type=eu&id=ext-ov-user-overview). - name: DeviceAssurance x-displayName: Device Assurance Policies description: The Device Assurance Policies API provides operations to manage device assurance policies in your organization. - - name: Domain - x-displayName: Domains - description: The Domains API provides operations to manage custom domains for your organization. - name: EmailDomain x-displayName: Email Domains - description: The Email Domains API provides operations to manage custom domains for your organization. + description: The Email Domains API provides operations to manage email domains for your organization. + - name: EmailServer + x-displayName: Email Servers + description: The Email Servers API allows you to configure a custom external email provider to send email notifications. By default, notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. Adding a custom email provider gives you more control over your email delivery. - name: EventHook x-displayName: Event Hooks description: |- 
@@ -116,6 +208,8 @@ tags: For general information on event hooks and how to create and use them, see [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/). The following documentation is only for the management API, which provides a CRUD interface for registering event hooks. For a step-by-step guide on implementing an example event hook, see the [Event hook](https://developer.okta.com/docs/guides/event-hook-implementation/) guide. + + When you create an event hook, you need to specify which events you want to subscribe to. To see the list of event types currently eligible for use in event hooks, use the [Event Types](https://developer.okta.com/docs/reference/api/event-types/#catalog) catalog and search with the parameter `event-hook-eligible`. - name: Feature x-displayName: Features description: |- 
@@ -199,6 +293,8 @@ tags: The Okta Network Zones API provides operations to manage Zones in your organization. There are two usage Zone types: Policy Network Zones and Blocklist Network Zones. Policy Network Zones are used to guide policy decisions. Blocklist Network Zones are used to deny access from certain IP addresses, locations, proxy types, or Autonomous System Numbers (ASNs) before policy evaluation. A default system Policy Network Zone is provided in your Okta org. You can use the Network Zones API to modify the default Policy Network Zone or to create a custom Policy or Blocklist Network Zone. When you create your custom Zone, you can specify if the Zone is an IP Zone or a Dynamic Zone. An IP Zone allows you to define network perimeters around a set of IPs, whereas a Dynamic Zone allows you to define network perimeters around location, IP type, and ASNs. + + > **Note:** To create multiple network zones, including Dynamic Zones, you must enable Adaptive MFA. - name: OrgSetting x-displayName: Org Settings description: The Org Settings API provides operations to manage your org account settings such as contact information, granting Okta Support access, and more. 
@@ -213,10 +309,14 @@ tags: description: The Principal Rate Limits API provides operations to manage Principal Rate Limits for your organization. - name: ProfileMapping x-displayName: Profile Mappings - description: The Mappings API provides operations to manage the mapping of properties between an Okta User's and an App User's Profile properties using [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language). More information on Okta User and App User Profiles can be found in Okta's [User profiles](https://developer.okta.com/docs/concepts/user-profiles/#what-is-the-okta-universal-directory). + description: The Mappings API provides operations to manage the mapping of Profile properties between an Okta User and an App User using [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language). More information on Okta User and App User Profiles can be found in Okta's [User profiles](https://developer.okta.com/docs/concepts/user-profiles/#what-is-the-okta-universal-directory). - name: PushProvider x-displayName: Push Providers description: The Push Providers API provides operations to manage Push Providers for your organization. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] - name: RateLimitSettings x-displayName: Rate Limit Settings description: The Rate Limit Settings APIs provide operations to manage settings and configurations surrounding rate limiting in your Okta organization. 
@@ -225,10 +325,10 @@ tags: description: The Resource Sets API provides operations to manage Resource Sets as custom collections of resources. You can use Resource Sets to assign Custom Roles to administrators who are scoped to the designated resources. See [Supported Resources](https://developer.okta.com/docs/concepts/role-assignment/#supported-resources). - name: RiskEvent x-displayName: Risk Events - description: The Risk Events API provides the ability for third-party Risk Providers to send Risk Events to Okta. See [Third-party risk provider integration overview](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. + description: The Risk Events API provides the ability for third-party risk providers to send risk events to Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. - name: RiskProvider x-displayName: Risk Providers - description: The Risk Providers API provides the ability to manage the Risk Providers within Okta. See [Third-party risk provider integration overview](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. + description: The Risk Providers API provides the ability to manage the Risk Providers within Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta. - name: Role x-displayName: Roles description: |- 
@@ -315,9 +415,15 @@ tags: - name: ThreatInsight x-displayName: ThreatInsight description: |- - [Okta ThreatInsight](https://help.okta.com/okta_help.htm?id=ext_threatinsight) maintains a constantly evolving list of IPs that exhibit suspicious behaviors suggestive of malicious activity. Authentication requests associated with an IP in this list can be logged in [System Log](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog) and blocked. The Okta ThreatInsight Configuration API provides operations to manage your ThreatInsight configuration. + [Okta ThreatInsight](https://help.okta.com/okta_help.htm?id=ext_threatinsight) maintains a + constantly evolving list of IP addresses that consistently exhibit malicious activity. + Authentication requests that are associated with an IP in this list can be logged to the + [System Log](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog) and blocked. + ThreatInsight also covers non-authentication requests in limited capacity depending on the attack patterns of these malicious IPs. + + The ThreatInsight API provides operations to manage your org ThreatInsight configuration. - In order to prevent abuse, Okta ThreatInsight works in a limited capacity for free trial editions. Please contact Okta support if fully functional Okta ThreatInsight is required. + > **Note:** To prevent abuse, Okta ThreatInsight works in a limited capacity for free trial edition orgs. Please contact Okta support if fully functional Okta ThreatInsight is required. - name: TrustedOrigin x-displayName: Trusted Origins description: |- 
@@ -328,6 +434,12 @@ tags: You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin. This is an Early Access feature. To enable it, contact [Okta Support](https://support.okta.com/help/s/). > **Note:** This Early Access feature is supported for Okta domains only. It isn't currently supported for custom domains. + - name: UISchema + x-displayName: UI Schema + description: |- + The Okta UI Schema API allows you to control how inputs appear on an enrollment form. The UI Schema API is only available as a part of Okta Identity Engine. + + If you're not sure which solution you're using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs. - name: User x-displayName: Users description: The User API provides operations to manage users in your organization. 
@@ -337,7 +449,42 @@ tags: - name: UserType x-displayName: User Types description: The User Types API provides operations to manage User Types. + - name: WebAuthnPreregistration + x-displayName: WebAuthnPreregistration + description: The WebAuthn Preregistration API provides a flow to initiate and set up WebAuthn Preregistration authenticator enrollments through third-party providers. paths: + /.well-known/app-authenticator-configuration: + get: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Retrieve the Well-Known App Authenticator Configuration + description: Retrieves the well-known app authenticator configuration, which includes an app authenticator's settings, supported methods and various other configuration details + operationId: getWellKnownAppAuthenticatorConfiguration + parameters: + - name: oauthClientId + in: query + description: Filters app authenticator configurations by `oauthClientId` + required: true + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/WellKnownAppAuthenticatorConfiguration' + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: [] + tags: + - Authenticator /.well-known/okta-organization: get: summary: Retrieve the Well-Known Org Metadata @@ -360,6 +507,10 @@ paths: security: [] tags: - OrgSetting + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools: get: summary: List all Agent Pools 
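Review bot: The new `GET /.well-known/app-authenticator-configuration` operation is declared with `security: []`, so the generated client will call it without credentials, yet its `x-okta-lifecycle` block pairs `lifecycle: GA` with `isGenerallyAvailable: false` and an empty `SKUs` list. The other lifecycle blocks visible in this diff use `isGenerallyAvailable: true`, and the same contradictory pair is also added to the `PushProvider` tag in an earlier hunk. Please confirm against the spec source whether these two are meant to be part of the v4 surface. If they are not generally available, either filter on the flag in the generator or mark the block with a comment such as `# isGenerallyAvailable: false, confirm before exposing in v4`.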
@@ -388,13 +539,17 @@ paths: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates: + parameters: + - $ref: '#/components/parameters/pathPoolId' get: summary: List all Agent Pool updates description: Lists all agent pool updates operationId: listAgentPoolsUpdates parameters: - - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/queryScheduled' responses: '200': @@ -417,12 +572,13 @@ paths: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Agent Pool update description: Creates an Agent pool update \n For user flow 2 manual update, starts the update immediately. \n For user flow 3, schedules the update based on the configured update window and delay. operationId: createAgentPoolsUpdate - parameters: - - $ref: '#/components/parameters/pathPoolId' requestBody: content: application/json: @@ -450,6 +606,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/settings: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -476,6 +635,9 @@ paths: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update an Agent Pool update settings description: Updates an agent pool update settings @@ -507,6 +669,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -534,6 +699,9 @@ paths: - okta.agentPools.read tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update an Agent Pool update by id description: Updates Agent pool update and return latest agent pool update 
@@ -565,6 +733,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Agent Pool update description: Deletes Agent pool update @@ -584,6 +755,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/activate: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -611,6 +785,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/deactivate: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -638,6 +815,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/pause: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -665,6 +845,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/resume: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -692,6 +875,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/retry: parameters: - $ref: '#/components/parameters/pathPoolId' @@ -719,6 +905,9 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/stop: parameters: - $ref: '#/components/parameters/pathPoolId' 
@@ -746,19 +935,14 @@ paths: - okta.agentPools.manage tags: - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens: get: summary: List all API Token Metadata description: Lists all the metadata of the active API tokens operationId: listApiTokens - parameters: - - $ref: '#/components/parameters/queryAfter' - - $ref: '#/components/parameters/queryLimit' - - name: q - in: query - description: Finds a token that matches the name or clientName. - schema: - type: string responses: '200': description: OK @@ -781,6 +965,9 @@ paths: - okta.apiTokens.read tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens/current: delete: summary: Revoke the Current API Token @@ -797,6 +984,9 @@ paths: - apiToken: [] tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/api-tokens/{apiTokenId}: parameters: - $ref: '#/components/parameters/pathApiTokenId' @@ -826,6 +1016,9 @@ paths: - okta.apiTokens.read tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke an API Token description: Revokes an API token by `apiTokenId` @@ -845,6 +1038,9 @@ paths: - okta.apiTokens.manage tags: - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps: get: summary: List all Applications @@ -921,6 +1117,9 @@ paths: - okta.apps.read tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Application description: Creates a new application to your Okta organization 
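Review bot: `listApiTokens` under `/api/v1/api-tokens` loses its `after`, `limit` and `q` query parameters, so the generated request type will no longer offer pagination or name filtering for API-token metadata. Callers that walk this list to audit or rotate tokens will stop compiling against v4, and the spec does not show whether a single response still carries every active token. If the removal is intended, MIGRATING.md should record it, for example `ListApiTokens: the after, limit and q options were removed`, and the completeness of the unpaged response should be confirmed against the service before anyone relies on it for token inventory.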
@@ -964,17 +1163,17 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve an Application description: Retrieves an application from your Okta organization by `id` operationId: getApplication parameters: - - name: appId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -999,16 +1198,13 @@ paths: - okta.apps.read tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Application description: Replaces an application operationId: replaceApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string x-codegen-request-body-name: application requestBody: content: @@ -1039,16 +1235,13 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Application description: Deletes an inactive application operationId: deleteApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -1065,24 +1258,35 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve the default Provisioning Connection - description: Retrieves the default Provisioning Connection for application + description: Retrieves the default Provisioning Connection for an app operationId: getDefaultProvisioningConnectionForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnection' + oneOf: + - $ref: '#/components/schemas/ProvisioningConnectionToken' + - $ref: '#/components/schemas/ProvisioningConnectionOauth' + - $ref: '#/components/schemas/ProvisioningConnectionUnknown' + discriminator: &ref_21 + propertyName: authScheme + mapping: + TOKEN: '#/components/schemas/ProvisioningConnectionToken' + OAUTH2: '#/components/schemas/ProvisioningConnectionOauth' + UNKNOWN: '#/components/schemas/ProvisioningConnectionUnknown' + examples: + ProvisioningConnectionResponseExample: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1094,26 +1298,32 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update the default Provisioning Connection - description: Updates the default provisioning connection for application + description: Updates the default Provisioning Connection for an app operationId: updateDefaultProvisioningConnectionForApplication parameters: - - in: path - name: appId - required: true - schema: - type: string - in: query name: activate schema: type: boolean + description: Activates the Provisioning Connection requestBody: content: application/json: schema: - $ref: '#/components/schemas/ProvisioningConnectionRequest' + oneOf: + - $ref: '#/components/schemas/ProvisioningConnectionTokenRequest' + - $ref: '#/components/schemas/ProvisioningConnectionOauthRequest' + examples: + ProvisioningConnectionTokenExample: + $ref: '#/components/examples/ProvisioningConnectionTokenRequestEx' + ProvisioningConnectionOauthExample: + $ref: '#/components/examples/ProvisioningConnectionOauthRequestEx' required: true responses: '201': @@ -1122,6 +1332,11 @@ paths: application/json: schema: $ref: '#/components/schemas/ProvisioningConnection' + examples: + ProvisioningConnectionTokenExample: + $ref: '#/components/examples/ProvisioningConnectionTokenResponseEx' + ProvisioningConnectionOauthExample: + $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
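Review bot: The 201 response of `updateDefaultProvisioningConnectionForApplication` (hunk `@@ -1122,6 +1332,11 @@`) still references `#/components/schemas/ProvisioningConnection`, while the GET 200 response on the same path was changed to a `oneOf` over the Token/Oauth/Unknown schemas with an `authScheme` discriminator. A generated client would then presumably return two different types for the same resource, and the Token/Oauth response examples added here describe variants the base schema may not model. Reuse the GET shape for this response: the same three-entry `oneOf` plus `discriminator: *ref_21`. The new request-body `oneOf` in the preceding hunk also has no discriminator, so with `useOneOfDiscriminatorLookup: true` in the generator config it is worth confirming that both request variants serialise as intended.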
@@ -1135,18 +1350,17 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' post: summary: Activate the default Provisioning Connection - description: Activates the default Provisioning Connection for an application + description: Activates the default Provisioning Connection for an app operationId: activateDefaultProvisioningConnectionForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string responses: '204': description: No Content @@ -1161,18 +1375,17 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' post: - summary: Deactivate the default Provisioning Connection for an Application - description: Deactivates the default Provisioning Connection for an application + summary: Deactivate the default Provisioning Connection + description: Deactivates the default Provisioning Connection for an app operationId: deactivateDefaultProvisioningConnectionForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string responses: '204': description: No Content 
@@ -1187,18 +1400,17 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: List all Certificate Signing Requests description: Lists all Certificate Signing Requests for an application operationId: listCsrsForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -1219,17 +1431,14 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Generate a Certificate Signing Request description: Generates a new key pair and returns the Certificate Signing Request for it operationId: generateCsrForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string x-codegen-request-body-name: metadata requestBody: content: @@ -1257,23 +1466,18 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs/{csrId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathCsrId' get: summary: Retrieve a Certificate Signing Request description: Retrieves a certificate signing request for the app by `id` operationId: getCsrForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -1292,22 +1496,14 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a Certificate Signing Request description: Revokes a certificate signing request and deletes the key pair from the application operationId: revokeCsrFromApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -1323,23 +1519,18 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathCsrId' post: summary: Publish a Certificate Signing Request description: Publishes a certificate signing request for the app with a signed X.509 certificate and adds it into the application key credentials operationId: publishCsrFromApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string requestBody: required: true content: @@ -1378,18 +1569,17 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: List all Key Credentials description: Lists all key credentials for an application operationId: listApplicationKeys - parameters: - - name: appId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -1410,18 +1600,18 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/generate: + parameters: + - $ref: '#/components/parameters/pathAppId' post: summary: Generate a Key Credential description: Generates a new X.509 certificate for an application key credential operationId: generateApplicationKey parameters: - - name: appId - in: path - required: true - schema: - type: string - name: validityYears in: query schema: @@ -1444,23 +1634,18 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/{keyId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathKeyId' get: summary: Retrieve a Key Credential description: Retrieves a specific application key credential by kid operationId: getApplicationKey - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: keyId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -1479,23 +1664,19 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/{keyId}/clone: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathKeyId' post: summary: Clone a Key Credential description: Clones a X.509 certificate for an application key credential from a source application to target application. operationId: cloneApplicationKey parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: keyId - in: path - required: true - schema: - type: string - name: targetAid in: query description: Unique key of the target Application 
@@ -1520,18 +1701,20 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationCredentials + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/features: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: List all Features - description: Lists all features for an application + description: | + Lists all features for an application + > **Note:** This request returns an error if provisioning isn't enabled for the application. + > To set up provisioning, see [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). operationId: listFeaturesForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string responses: '200': description: Success @@ -1539,8 +1722,27 @@ paths: application/json: schema: items: - $ref: '#/components/schemas/ApplicationFeature' + oneOf: &ref_2 + - $ref: '#/components/schemas/UserProvisioningApplicationFeature' + - $ref: '#/components/schemas/InboundProvisioningApplicationFeature' + discriminator: &ref_3 + propertyName: name + mapping: + USER_PROVISIONING: '#/components/schemas/UserProvisioningApplicationFeature' + INBOUND_PROVISIONING: '#/components/schemas/InboundProvisioningApplicationFeature' type: array + examples: + ListAppFeatureResponse: + $ref: '#/components/examples/AppFeatureListResponseEx' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ListAppFeatureAPIValidationFailed: + $ref: '#/components/examples/ErrorAppFeatureAPIValidationFailed' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1552,30 +1754,29 @@ paths: - oauth2: - okta.apps.read tags: - - Application - /api/v1/apps/{appId}/features/{name}: + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}/features/{featureName}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathFeatureName' get: summary: Retrieve a Feature description: Retrieves a Feature object for an application operationId: getFeatureForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: name - required: true - schema: - type: string responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/ApplicationFeature' + oneOf: *ref_2 + discriminator: *ref_3 + examples: + AppFeatureResponse: + $ref: '#/components/examples/AppFeatureResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1587,27 +1788,25 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Update a Feature - description: Updates a Feature object for an application + description: | + Updates a Feature object for an application + > **Note:** This endpoint supports partial updates. operationId: updateFeatureForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: name - required: true - schema: - type: string requestBody: content: application/json: schema: - $ref: '#/components/schemas/CapabilitiesObject' + oneOf: + - $ref: '#/components/schemas/CapabilitiesObject' + examples: + UpdateAppFeatureEx: + $ref: '#/components/examples/UpdateAppFeatureRequestEx' required: true responses: '200': 
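Review bot: The `updateFeatureForApplication` request body (hunk `@@ -1587,27 +1788,25 @@`) wraps a single schema in `oneOf`, as `oneOf:` / `- $ref: '#/components/schemas/CapabilitiesObject'`. This adds nothing to validation and, depending on the generator, may produce an extra wrapper type around `CapabilitiesObject` that callers have to populate. Unless a second variant is planned, keep the direct reference under `schema:`, i.e. `$ref: '#/components/schemas/CapabilitiesObject'`.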
@@ -1615,7 +1814,11 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/ApplicationFeature' + oneOf: *ref_2 + discriminator: *ref_3 + examples: + UpdateAppFeatureEx: + $ref: '#/components/examples/UpdateAppFeatureResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -1629,22 +1832,19 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/grants: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all Scope Consent Grants - description: Lists all scope consent grants for the application + summary: List all app Grants + description: Lists all scope consent Grants for the app operationId: listScopeConsentGrants parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAppExpand' responses: '200': description: Success @@ -1654,6 +1854,9 @@ paths: type: array items: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + ListAppGrantsExample: + $ref: '#/components/examples/ListAppGrantsEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -1662,24 +1865,26 @@ paths: $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] + - oauth2: + - okta.appGrants.read tags: - - Application + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Grant Consent to Scope - description: Grants consent for the application to request an OAuth 2.0 Okta scope + summary: Grant consent to scope + description: Grants consent for the app to request an OAuth 2.0 Okta scope operationId: grantConsentToScope - parameters: - - name: appId - in: path - required: true - schema: - type: string x-codegen-request-body-name: oAuth2ScopeConsentGrant requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsPostEx' required: true responses: '201': @@ -1688,6 +1893,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -1698,28 +1906,23 @@ paths: $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] + - oauth2: + - okta.appGrants.manage tags: - - Application + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/grants/{grantId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathGrantId' get: - summary: Retrieve a Scope Consent Grant - description: Retrieves a single scope consent grant for the application + summary: Retrieve an app Grant + description: Retrieves a single scope consent Grant object for the app operationId: getScopeConsentGrant parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: grantId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAppExpand' responses: '200': description: Success @@ -1727,6 +1930,9 @@ paths: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -1735,23 +1941,17 @@ paths: $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] + - oauth2: + - okta.appGrants.read tags: - - Application + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Revoke a Scope Consent Grant - description: Revokes permission for the application to request the given scope + summary: Revoke an app Grant + description: Revokes permission for the app to grant the given scope operationId: revokeScopeConsentGrant - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: grantId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -1764,19 +1964,21 @@ paths: $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] + - oauth2: + - okta.appGrants.manage tags: - - Application + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/groups: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: List all Assigned Groups description: Lists all group assignments for an application operationId: listApplicationGroupAssignments parameters: - - name: appId - in: path - required: true - schema: - type: string - name: q in: query schema: @@ -1817,8 +2019,14 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/groups/{groupId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathGroupId' get: summary: Retrieve an Assigned Group description: Retrieves an application group assignment @@ -1856,7 +2064,10 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Assign a Group description: Assigns a group to an application @@ -1899,7 +2110,10 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign a Group description: Unassigns a group from an application 
@@ -1930,18 +2144,17 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAppId' post: summary: Activate an Application description: Activates an inactive application operationId: activateApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -1958,17 +2171,16 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAppId' post: summary: Deactivate an Application description: Deactivates an active application operationId: deactivateApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -1985,17 +2197,23 @@ paths: - okta.apps.manage tags: - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/logo: + parameters: + - $ref: '#/components/parameters/pathAppId' post: - summary: Upload a Logo - description: Uploads a logo for the application. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling. + summary: Upload an application Logo + description: | + Uploads a logo for the app instance. + If the app already has a logo, this operation replaces the previous logo. + + The logo is visible in the Admin Console as an icon for your app instance. + If you have one `appLink` object configured, this logo also appears in the End-User Dashboard as an icon for your app. + > **Note:** If you have multiple `appLink` objects, use the Admin Console to add logos for each app link. + > You can't use the API to add logos for multiple app links. operationId: uploadApplicationLogo - parameters: - - in: path - name: appId - required: true - schema: - type: string requestBody: content: multipart/form-data: @@ -2005,11 +2223,16 @@ paths: file: type: string format: binary + description: | + The image file containing the logo. + + The file must be in PNG, JPG, SVG, or GIF format, and less than one MB in size. + For best results, use an image with a transparent background and a square dimension of 200 x 200 pixels to prevent upscaling. required: - file responses: '201': - description: Created + description: Content Created '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
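Review bot: The `file` property description in `uploadApplicationLogo` (hunk `@@ -2005,11 +2223,16 @@`) now lists SVG as an accepted format, but the schema is still only `type: string` / `format: binary`, so the format and size limits exist only in prose. SVG is an active document format rather than a plain bitmap, and the new operation description says the logo is shown in the Admin Console and the End-User Dashboard. The description should therefore state whether uploaded SVGs are sanitised or served in a way that prevents script execution; nothing in this hunk shows that. An `encoding` entry next to `schema` would let validators and generated clients reject other media types before upload: `encoding:` / `file:` / `contentType: image/png, image/jpeg, image/gif, image/svg+xml`.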
@@ -2023,23 +2246,23 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationLogos + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/policies/{policyId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathPolicyId' put: - summary: Assign an Application to a Policy - description: Assigns an application to a policy identified by `policyId`. If the application was previously assigned to another policy, this removes that assignment. + summary: Assign an application to a Policy + description: |- + Assigns an application to an [authentication policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`. + If the application was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`. + + > **Note:** When you [merge duplicate authentication policies](https://help.okta.com/okta_help.htm?type=oie&id=ext-merge-auth-policies), + the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email. operationId: assignApplicationPolicy - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: policyId - required: true - schema: - type: string responses: '204': description: No Content 
@@ -2054,32 +2277,93 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationPolicies + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/apps/{appId}/sso/saml/metadata: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + summary: Preview the application SAML metadata + description: Previews the SSO SAML metadata for an application + operationId: previewSAMLmetadataForApplication + responses: + '200': + description: OK + content: + text/xml: + schema: + type: string + description: SAML metadata in XML + examples: + previewSAML: + summary: SAML metadata example + value: | + + + + + + + MIIDqDCCApCgAwIBAgIGAVGNO4qeMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU + MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJ + ARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODUwMDhaFw0xNzEyMTAxODUxMDdaMIGUMQswCQYD + VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG + A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEc + MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBALAakG48bgcTWHdwmVLHig0mkiRejxIVm3wbzrNSJcBruTq2zCYZ1rGfVxTYON8kJqvkXPmv + kzWKhpEkvhubL+mx29XpXY0AsNIfgcm5xIV56yhXSvlMdqzGo3ciRwoACaF+ClNLxmXK9UTZD89B + bVVGCG5AEvja0eCQ0GYsO5i9aSI5aTroab8Aew31PuWl/RGQWmjVy8+7P4wwkKKJNKCpxMYDlhfa + WRp0zwUSbUCO0qEyeAYdZx6CLES4FGrDi/7D6G+ewWC+kbz1tL1XpF2Dcg3+IOlHrV6VWzz3rG39 + v9zFIncjvoQJFDGWhpqGqcmXvgH0Ze3SVcVF01T+bK0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA + AHmnSZ4imjNrIf9wxfQIcqHXEBoJ+oJtd59cw1Ur/YQY9pKXxoglqCQ54ZmlIf4GghlcZhslLO+m + NdkQVwSmWMh6KLxVM18/xAkq8zyKbMbvQnTjFB7x45bgokwbjhivWqrB5LYHHCVN7k/8mKlS4eCK + Ci6RGEmErjojr4QN2xV0qAqP6CcGANgpepsQJCzlWucMFKAh0x9Kl8fmiQodfyLXyrebYsVnLrMf + jxE1b6dg4jKvv975tf5wreQSYZ7m//g3/+NnuDKkN/03HqhV7hTNi1fyctXk8I5Nwgyr+pT5LT2k + YoEdncuy+GQGzE9yLOhC4HNfHQXpqp2tMPdRlw== 
+ + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + + + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSO + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/tokens: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all OAuth 2.0 Tokens - description: Lists all tokens for the application + summary: List all application refresh Tokens + description: | + Lists all refresh tokens for an app + + > **Note:** The results are [paginated](/#pagination) according to the `limit` parameter. + > If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). operationId: listOAuth2TokensForApplication parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string - - name: after - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 20 + - $ref: '#/components/parameters/queryAppExpand' + - $ref: '#/components/parameters/queryAppAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success @@ -2088,7 +2372,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/OAuth2Token' + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + getOAuth2TokenForApplicationListExample: + $ref: '#/components/examples/OAuth2RefreshTokenResponseListEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
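Review bot: The `previewSAML` example for the new `/api/v1/apps/{appId}/sso/saml/metadata` operation (hunk `@@ -2054,32 +2277,93 @@`) embeds a complete base64 signing certificate with nothing marking it as sample data. From its encoding it appears to be a SHA-1-signed certificate valid from December 2015 to December 2017, so a reader who copies the example into a service-provider trust configuration would import an expired, weakly signed certificate. Change the example `summary` to something like `SAML metadata example (sample certificate, not for trust configuration)`, or shorten the certificate body to a labelled placeholder.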
@@ -2100,17 +2387,14 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Revoke all OAuth 2.0 Tokens - description: Revokes all tokens for the specified application + summary: Revoke all application Tokens + description: Revokes all OAuth 2.0 refresh tokens for the specified app. Any access tokens issued with these refresh tokens are also revoked, but access tokens issued without a refresh token aren't affected. operationId: revokeOAuth2TokensForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -2126,34 +2410,30 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathTokenId' get: - summary: Retrieve an OAuth 2.0 Token - description: Retrieves a token for the specified application + summary: Retrieve an application Token + description: Retrieves a refresh token for the specified app operationId: getOAuth2TokenForApplication parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string - - name: expand - in: query - schema: - type: string + - $ref: '#/components/parameters/queryAppExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Token' + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + getOAuth2TokenForApplicationExample: + $ref: '#/components/examples/OAuth2RefreshTokenResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -2165,22 +2445,14 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Revoke an OAuth 2.0 Token - description: Revokes the specified token for the specified application + summary: Revoke an application Token + description: Revokes the specified token for the specified app operationId: revokeOAuth2TokenForApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -2196,18 +2468,18 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/users: + parameters: + - $ref: '#/components/parameters/pathAppId' get: - summary: List all Assigned Users - description: Lists all assigned [application users](#application-user-model) for an application + summary: List all assigned Users + description: Lists all assigned users for an app operationId: listApplicationUsers parameters: - - name: appId - in: path - required: true - schema: - type: string - name: q in: query schema: 
@@ -2256,17 +2528,22 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Assign a User - description: Assigns an user to an application with [credentials](#application-user-credentials-object) and an app-specific [profile](#application-user-profile-object). Profile mappings defined for the application are first applied before applying any profile properties specified in the request. + description: |- + Assigns a user to an app with credentials and an app-specific [profile](/openapi/okta-management/management/tag/Application/#tag/Application/operation/assignUserToApplication!c=200&path=profile&t=response). + Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request. + + > **Notes:** + > * You need to specify the `id` and omit the `credentials` parameter in the request body only for + `signOnMode` or authentication schemes (`credentials.scheme`) that don't require credentials. + > * You can only specify profile properties that aren't defined by profile mappings when Universal Directory is enabled. + > * If your SSO app requires a profile but doesn't have provisioning enabled, you need to add a profile to the request body. operationId: assignUserToApplication - parameters: - - name: appId - in: path - required: true - schema: - type: string x-codegen-request-body-name: appUser requestBody: content: 
@@ -2294,23 +2571,19 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps/{appId}/users/{userId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathUserId' get: - summary: Retrieve an Assigned User - description: Retrieves a specific user assignment for application by `id` + summary: Retrieve an assigned User + description: Retrieves a specific user assignment for app by `id` operationId: getApplicationUser parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -2333,22 +2606,14 @@ paths: - oauth2: - okta.apps.read tags: - - Application + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Update an Application Profile for Assigned User + summary: Update an App Profile for an assigned User description: Updates a user's profile for an application operationId: updateApplicationUser - parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string x-codegen-request-body-name: appUser requestBody: content: @@ -2376,22 +2641,15 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Unassign a User + summary: Unassign an App User description: Unassigns a user from an application operationId: unassignUserFromApplication parameters: - - name: appId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string - name: sendEmail in: query schema: 
@@ -2413,12 +2671,17 @@ paths: - oauth2: - okta.apps.manage tags: - - Application + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/authenticators: get: summary: List all Authenticators description: Lists all authenticators operationId: listAuthenticators + parameters: + - $ref: '#/components/parameters/queryExpandAuthenticator' responses: '200': description: Success @@ -2429,7 +2692,7 @@ paths: $ref: '#/components/schemas/Authenticator' type: array examples: - Org Authenticators: + OrgAuthenticatorsEx: $ref: '#/components/examples/AuthenticatorsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' @@ -2441,9 +2704,14 @@ paths: - okta.authenticators.read tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create an Authenticator - description: Creates an authenticator. You can use this operation as part of the "Create a custom authenticator" flow. See the [Custom authenticator integration guide](https://developer.okta.com/docs/guides/authenticators-custom-authenticator/android/main/). + description: Creates an authenticator operationId: createAuthenticator parameters: - in: query @@ -2470,17 +2738,20 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' get: summary: Retrieve an Authenticator description: Retrieves an authenticator from your Okta organization by `authenticatorId` operationId: getAuthenticator parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string + - $ref: '#/components/parameters/queryExpandAuthenticator' responses: '200': $ref: '#/components/responses/AuthenticatorResponse' 
@@ -2496,16 +2767,15 @@ paths: - okta.authenticators.read tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: summary: Replace an Authenticator - description: Replaces an authenticator + description: Replaces the properties for an Authenticator identified by `authenticatorId` operationId: replaceAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string x-codegen-request-body-name: authenticator requestBody: $ref: '#/components/requestBodies/AuthenticatorRequestBody' @@ -2526,17 +2796,18 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' post: summary: Activate an Authenticator description: Activates an authenticator by `authenticatorId` operationId: activateAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string responses: '200': $ref: '#/components/responses/AuthenticatorResponse' @@ -2552,17 +2823,18 @@ paths: - okta.authenticators.manage tags: - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' post: summary: Deactivate an Authenticator description: Deactivates an authenticator by `authenticatorId` operationId: deactivateAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string responses: '200': $ref: '#/components/responses/AuthenticatorResponse' 
@@ -2578,26 +2850,18 @@ paths: - okta.authenticators.manage tags: - Authenticator - /api/v1/authorizationServers: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/methods: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' get: - summary: List all Authorization Servers - description: Lists all authorization servers - operationId: listAuthorizationServers - parameters: - - name: q - in: query - schema: - type: string - - name: limit - in: query - schema: - type: integer - format: int32 - default: 200 - - name: after - in: query - schema: - type: string + summary: List all Methods of an Authenticator + description: Lists all Methods of an Authenticator identified by `authenticatorId` + operationId: listAuthenticatorMethods responses: '200': description: Success 
@@ -2606,10 +2870,226 @@ paths: schema: type: array items: - $ref: '#/components/schemas/AuthorizationServer' + oneOf: &ref_4 + - $ref: '#/components/schemas/AuthenticatorMethodSimple' + - $ref: '#/components/schemas/AuthenticatorMethodPush' + - $ref: '#/components/schemas/AuthenticatorMethodSignedNonce' + - $ref: '#/components/schemas/AuthenticatorMethodTotp' + - $ref: '#/components/schemas/AuthenticatorMethodOtp' + - $ref: '#/components/schemas/AuthenticatorMethodWebAuthn' + - $ref: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + discriminator: &ref_5 + propertyName: type + mapping: + sms: '#/components/schemas/AuthenticatorMethodSimple' + voice: '#/components/schemas/AuthenticatorMethodSimple' + email: '#/components/schemas/AuthenticatorMethodSimple' + push: '#/components/schemas/AuthenticatorMethodPush' + signed_nonce: '#/components/schemas/AuthenticatorMethodSignedNonce' + totp: '#/components/schemas/AuthenticatorMethodTotp' + otp: '#/components/schemas/AuthenticatorMethodOtp' + password: '#/components/schemas/AuthenticatorMethodSimple' + webauthn: '#/components/schemas/AuthenticatorMethodWebAuthn' + security_question: '#/components/schemas/AuthenticatorMethodSimple' + idp: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + duo: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + cert: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' '403': $ref: '#/components/responses/ErrorAccessDenied403' - '429': + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/methods/{methodType}: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: 
'#/components/parameters/pathMethodType' + get: + summary: Retrieve a Method + description: Retrieves a Method identified by `methodType` of an Authenticator identified by `authenticatorId` + operationId: getAuthenticatorMethod + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: *ref_4 + discriminator: *ref_5 + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a Method + description: Replaces a Method of `methodType` for an Authenticator identified by `authenticatorId` + operationId: replaceAuthenticatorMethod + requestBody: + content: + application/json: + schema: + oneOf: *ref_4 + discriminator: *ref_5 + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: *ref_4 + discriminator: *ref_5 + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathMethodType' + post: + summary: Activate an Authenticator Method + description: Activates a Method for an Authenticator identified by `authenticatorId` and `methodType` + 
operationId: activateAuthenticatorMethod + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: *ref_4 + discriminator: *ref_5 + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathMethodType' + post: + summary: Deactivate an Authenticator Method + description: Deactivates a Method for an Authenticator identified by `authenticatorId` and `methodType` + operationId: deactivateAuthenticatorMethod + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: *ref_4 + discriminator: *ref_5 + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}/policies/{mappingId}: + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathPolicyMappingId' + /api/v1/authorizationServers: + get: + summary: List all Authorization Servers + description: Lists all custom authorization servers in the org + operationId: listAuthorizationServers + parameters: + - name: q + in: query + description: Searches the `name` and `audiences` of authorization servers 
for matching values + example: customasone + schema: + type: string + - name: limit + in: query + description: 'Specifies the number of authorization server results on a page. Maximum value: 200' + schema: + type: integer + format: int32 + default: 200 + - name: after + in: query + description: Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship. + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAuthServers: + $ref: '#/components/examples/ListAuthServersResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] @@ -2617,6 +3097,11 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: summary: Create an Authorization Server description: Creates an authorization server @@ -2627,6 +3112,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerBody' required: true responses: '201': @@ -2635,6 +3123,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
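Review bot: The `requestBody` added for `replaceAuthenticatorMethod` (PUT `/api/v1/authenticators/{authenticatorId}/methods/{methodType}`) has no `required: true`, unlike the other replace and create bodies in this file such as `replaceOAuth2Claim`. As written, the spec describes the body as optional for an operation that replaces an authenticator method's settings. Adding `required: true` under that `requestBody` would make the contract explicit, and the generated client would presumably then treat the argument as mandatory. The same hunk also adds the path item `/api/v1/authenticators/{authenticatorId}/policies/{mappingId}` with only `parameters` and no operation. If that is intentional, a short comment above it, for example `# operations for this path are not published yet`, would stop it reading as a truncated entry.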
@@ -2647,17 +3138,18 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: summary: Retrieve an Authorization Server description: Retrieves an authorization server operationId: getAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -2665,6 +3157,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + RetrieveAuthServer: + $ref: '#/components/examples/RetrieveAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2677,22 +3172,24 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: summary: Replace an Authorization Server description: Replaces an authorization server operationId: replaceAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string x-codegen-request-body-name: authorizationServer requestBody: content: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerBody' required: true responses: '200': @@ -2701,6 +3198,9 @@ paths: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -2715,16 +3215,15 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Delete an Authorization Server description: Deletes an authorization server operationId: deleteAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -2741,15 +3240,40 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/claims: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/associatedServers: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: - summary: List all Custom Token Claims - description: Lists all custom token claims - operationId: listOAuth2Claims + summary: List all associated Authorization Servers + description: Lists all associated Authorization Servers by trusted type for the given `authServerId` + operationId: listAssociatedServersByTrustedType parameters: - - name: authServerId - in: path - required: true + - name: trusted + in: query + description: Searches trusted authorization servers when `true` or searches untrusted authorization servers when `false` + schema: + type: boolean + - name: q + in: query + description: Searches for the name or audience of the associated authorization servers + example: customasone + schema: + type: string + - name: limit + in: query + description: Specifies the number of results for a page + schema: + type: integer + format: int32 + default: 200 + - name: after + in: query + description: Specifies the pagination cursor for the next page of the associated authorization servers schema: type: string responses: 
@@ -2760,7 +3284,10 @@ paths: schema: type: array items: - $ref: '#/components/schemas/OAuth2Claim' + $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAssocAuthServer: + $ref: '#/components/examples/ListAssocAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2772,31 +3299,38 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: - summary: Create a Custom Token Claim - description: Creates a custom token claim - operationId: createOAuth2Claim - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: oAuth2Claim + summary: Create an associated Authorization Server + description: Creates trusted relationships between the given authorization server and other authorization servers + operationId: createAssociatedServers + x-codegen-request-body-name: associatedServerMediated requestBody: content: application/json: schema: - $ref: '#/components/schemas/OAuth2Claim' + $ref: '#/components/schemas/AssociatedServerMediated' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerBody' required: true responses: - '201': + '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Claim' + type: array + items: + $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -2810,30 +3344,60 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/claims/{claimId}: + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/associatedServers/{associatedServerId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathAssociatedServerId' + delete: + summary: Delete an associated Authorization Server + description: Deletes an associated Authorization Server + operationId: deleteAssociatedServer + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/claims: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: - summary: Retrieve a Custom Token Claim - description: Retrieves a custom token claim - operationId: getOAuth2Claim - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: claimId - in: path - required: true - schema: - type: string + summary: List all custom token Claims + description: Lists all custom token Claims defined for a specified custom authorization server + operationId: listOAuth2Claims responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OAuth2Claim' + type: array + items: + $ref: '#/components/schemas/OAuth2Claim' + examples: + ListCustomTokenClaims: + $ref: '#/components/examples/ListCustomTokenClaimsResponse' 
'403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -2845,36 +3409,36 @@ paths: - oauth2: - okta.authorizationServers.read tags: - - AuthorizationServer - put: - summary: Replace a Custom Token Claim - description: Replaces a custom token claim - operationId: replaceOAuth2Claim - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: claimId - in: path - required: true - schema: - type: string + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create a custom token Claim + description: Creates a custom token Claim for a custom authorization server + operationId: createOAuth2Claim x-codegen-request-body-name: oAuth2Claim requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimBody' required: true responses: - '200': + '201': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -2888,22 +3452,94 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}/claims/{claimId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClaimId' + get: + summary: Retrieve a custom token Claim + description: Retrieves a custom token Claim by the specified `claimId` + operationId: getOAuth2Claim + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Claim' + examples: + RetrieveCustomTokenClaim: + $ref: '#/components/examples/RetrieveCustomTokenClaimResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + put: + summary: Replace a custom token Claim + description: Replaces a custom token Claim specified by the `claimId` + operationId: replaceOAuth2Claim + x-codegen-request-body-name: oAuth2Claim + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + 
$ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: - summary: Delete a Custom Token Claim - description: Deletes a custom token claim + summary: Delete a custom token Claim + description: Deletes a custom token Claim specified by the `claimId` operationId: deleteOAuth2Claim - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: claimId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -2919,18 +3555,19 @@ paths: - oauth2: - okta.authorizationServers.manage tags: - - AuthorizationServer + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/clients: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all Clients description: Lists all clients operationId: listOAuth2ClientsForAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -2952,22 +3589,20 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClientId' get: summary: List all Refresh Tokens for a Client description: Lists all refresh tokens for a client operationId: listRefreshTokensForAuthorizationServerAndClient parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -3003,21 +3638,15 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Revoke all Refresh Tokens for a Client description: Revokes all refresh tokens for a client operationId: revokeRefreshTokensForAuthorizationServerAndClient - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -3034,27 +3663,21 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathTokenId' get: summary: Retrieve a Refresh Token for a Client description: Retrieves a refresh token for a client operationId: getRefreshTokenForAuthorizationServerAndClient parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -3078,26 +3701,15 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Revoke a Refresh Token for a Client description: Revokes a refresh token for a client operationId: revokeRefreshTokenForAuthorizationServerAndClient - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -3114,17 +3726,18 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/credentials/keys: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all Credential Keys description: Lists all credential keys operationId: listAuthorizationServerKeys - parameters: - - name: authServerId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -3146,17 +3759,18 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' post: summary: Rotate all Credential Keys description: Rotates all credential keys operationId: rotateAuthorizationServerKeys - parameters: - - name: authServerId - in: path - required: true - schema: - type: string x-codegen-request-body-name: use requestBody: content: @@ -3187,17 +3801,18 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' post: summary: Activate an Authorization Server description: Activates an authorization server operationId: activateAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -3214,17 +3829,18 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' post: summary: Deactivate an Authorization Server description: Deactivates an authorization server operationId: deactivateAuthorizationServer - parameters: - - name: authServerId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -3241,17 +3857,18 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all Policies description: Lists all policies operationId: listAuthorizationServerPolicies - parameters: - - name: authServerId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -3273,16 +3890,15 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: summary: Create a Policy description: Creates a policy operationId: createAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string x-codegen-request-body-name: policy requestBody: content: 
@@ -3311,22 +3927,19 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' get: summary: Retrieve a Policy description: Retrieves a policy operationId: getAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -3346,21 +3959,15 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: summary: Replace a Policy description: Replaces a policy operationId: replaceAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string x-codegen-request-body-name: policy requestBody: content: @@ -3389,21 +3996,15 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Delete a Policy description: Deletes a policy operationId: deleteAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -3420,22 +4021,19 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' post: summary: Activate a Policy description: Activates an authorization server policy operationId: activateAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -3452,22 +4050,19 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' post: summary: Deactivate a Policy description: Deactivates an authorization server policy operationId: deactivateAuthorizationServerPolicy - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -3484,22 +4079,19 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' get: summary: List all Policy Rules description: Lists all policy rules for the specified Custom Authorization Server and Policy operationId: listAuthorizationServerPolicyRules - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -3521,21 +4113,15 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: summary: Create a Policy Rule description: Creates a policy rule for the specified Custom Authorization Server and Policy operationId: createAuthorizationServerPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string x-codegen-request-body-name: policyRule requestBody: content: 
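Review bot: The path-parameter order for `listAuthorizationServerPolicyRules` flips from `policyId`, `authServerId` to `authServerId`, `policyId` once the operation-level list is replaced by the path-level `$ref`s in the first hunk here. Both parameters are plain `type: string` in the removed lines, so if the generated Go methods take path parameters positionally in spec order (the templates are not visible in this hunk), a v3 caller would still compile while sending the two IDs swapped. The same reordering applies to `createAuthorizationServerPolicyRule` in the next hunk and to `getAuthorizationServerPolicyRule`, `replaceAuthorizationServerPolicyRule` and `deleteAuthorizationServerPolicyRule` in the hunks that follow. I would record it next to the path item, `# path parameter order changed in v4: authServerId, policyId (was policyId, authServerId)`, and repeat the same sentence in MIGRATING.md.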
@@ -3564,27 +4150,20 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' get: summary: Retrieve a Policy Rule description: Retrieves a policy rule by `ruleId` operationId: getAuthorizationServerPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -3604,26 +4183,15 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: summary: Replace a Policy Rule description: Replaces the configuration of the Policy Rule defined in the specified Custom Authorization Server and Policy operationId: replaceAuthorizationServerPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string x-codegen-request-body-name: policyRule requestBody: content: 
@@ -3652,26 +4220,15 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Delete a Policy Rule description: Deletes a Policy Rule defined in the specified Custom Authorization Server and Policy operationId: deleteAuthorizationServerPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: authServerId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -3688,27 +4245,20 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' post: summary: Activate a Policy Rule description: Activates an authorization server policy rule operationId: activateAuthorizationServerPolicyRule - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -3725,27 +4275,20 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' post: summary: Deactivate a Policy Rule description: Deactivates an authorization server policy rule operationId: deactivateAuthorizationServerPolicyRule - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -3762,17 +4305,19 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/scopes: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all Custom Token Scopes description: Lists all custom token scopes operationId: listOAuth2Scopes parameters: - - name: authServerId - in: path - required: true - schema: - type: string - name: q in: query schema: @@ -3812,16 +4357,15 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management post: summary: Create a Custom Token Scope description: Creates a custom token scope operationId: createOAuth2Scope - parameters: - - name: authServerId - in: path - required: true - schema: - type: string x-codegen-request-body-name: oAuth2Scope requestBody: content: 
@@ -3850,22 +4394,19 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}: + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathScopeId' get: summary: Retrieve a Custom Token Scope description: Retrieves a custom token scope operationId: getOAuth2Scope - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: scopeId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -3885,21 +4426,15 @@ paths: - okta.authorizationServers.read tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management put: summary: Replace a Custom Token Scope description: Replaces a custom token scope operationId: replaceOAuth2Scope - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: scopeId - in: path - required: true - schema: - type: string x-codegen-request-body-name: oAuth2Scope requestBody: content: @@ -3928,21 +4463,15 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management delete: summary: Delete a Custom Token Scope description: Deletes a custom token scope operationId: deleteOAuth2Scope - parameters: - - name: authServerId - in: path - required: true - schema: - type: string - - name: scopeId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -3959,6 +4488,11 @@ paths: - okta.authorizationServers.manage tags: - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management /api/v1/behaviors: get: summary: List all Behavior Detection Rules 
@@ -3972,12 +4506,12 @@ paths: schema: type: array items: - oneOf: &ref_2 + oneOf: &ref_6 - $ref: '#/components/schemas/BehaviorRuleAnomalousLocation' - $ref: '#/components/schemas/BehaviorRuleAnomalousIP' - $ref: '#/components/schemas/BehaviorRuleAnomalousDevice' - $ref: '#/components/schemas/BehaviorRuleVelocity' - discriminator: &ref_3 + discriminator: &ref_7 propertyName: type mapping: ANOMALOUS_LOCATION: '#/components/schemas/BehaviorRuleAnomalousLocation' @@ -3994,6 +4528,9 @@ paths: - okta.behaviors.read tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Behavior Detection Rule description: Creates a new behavior detection rule @@ -4003,8 +4540,8 @@ paths: content: application/json: schema: - oneOf: *ref_2 - discriminator: *ref_3 + oneOf: *ref_6 + discriminator: *ref_7 examples: BehaviorRuleRequest: $ref: '#/components/examples/BehaviorRuleRequest' @@ -4038,6 +4575,9 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}: parameters: - $ref: '#/components/parameters/pathBehaviorId' @@ -4051,8 +4591,8 @@ paths: content: application/json: schema: - oneOf: *ref_2 - discriminator: *ref_3 + oneOf: *ref_6 + discriminator: *ref_7 '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4072,6 +4612,9 @@ paths: - okta.behaviors.read tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Behavior Detection Rule description: Replaces a Behavior Detection Rule by `behaviorId` @@ -4081,8 +4624,8 @@ paths: content: application/json: schema: - oneOf: *ref_2 - discriminator: *ref_3 + oneOf: *ref_6 + discriminator: *ref_7 examples: BehaviorRuleRequest: $ref: '#/components/examples/BehaviorRuleRequest' 
@@ -4093,8 +4636,8 @@ paths: content: application/json: schema: - oneOf: *ref_2 - discriminator: *ref_3 + oneOf: *ref_6 + discriminator: *ref_7 examples: BehaviorRuleReSponse: $ref: '#/components/examples/BehaviorRuleResponse' @@ -4126,6 +4669,9 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Behavior Detection Rule description: Deletes a Behavior Detection Rule by `behaviorId` @@ -4152,21 +4698,24 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathBehaviorId' post: summary: Activate a Behavior Detection Rule description: Activates a behavior detection rule operationId: activateBehaviorDetectionRule - parameters: - - $ref: '#/components/parameters/pathBehaviorId' responses: '200': description: Success content: application/json: schema: - oneOf: *ref_2 - discriminator: *ref_3 + oneOf: *ref_6 + discriminator: *ref_7 examples: BehaviorRuleReSponse: $ref: '#/components/examples/BehaviorRuleResponse' @@ -4182,21 +4731,24 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathBehaviorId' post: summary: Deactivate a Behavior Detection Rule description: Deactivates a behavior detection rule operationId: deactivateBehaviorDetectionRule - parameters: - - $ref: '#/components/parameters/pathBehaviorId' responses: '200': description: Success content: application/json: schema: - oneOf: *ref_2 - discriminator: *ref_3 + oneOf: *ref_6 + discriminator: *ref_7 examples: BehaviorRuleReSponse: $ref: '#/components/examples/BehaviorRuleResponse' 
@@ -4212,7 +4764,15 @@ paths: - okta.behaviors.manage tags: - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands: + parameters: + - $ref: '#/components/parameters/queryExpandBrand' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryFilter' get: summary: List all Brands description: Lists all the brands in your org @@ -4225,7 +4785,7 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Brand' + $ref: '#/components/schemas/BrandWithEmbedded' examples: Get brands response: $ref: '#/components/examples/ListBrandsResponse' @@ -4239,9 +4799,12 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Brand - description: Creates new brand in your org + description: Creates a new brand in your org operationId: createBrand requestBody: content: @@ -4273,9 +4836,13 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}: parameters: - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/queryExpandBrand' get: summary: Retrieve a Brand description: Retrieves a brand by `brandId` @@ -4286,7 +4853,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Brand' + $ref: '#/components/schemas/BrandWithEmbedded' examples: Get brand response: $ref: '#/components/examples/GetBrandResponse' @@ -4302,6 +4869,9 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Brand description: Replaces a brand by `brandId` 
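Review bot: The four `$ref`s added directly under `/api/v1/brands:` sit at path-item level, so they apply to `post` (`createBrand`) as well as to `get`; `queryAfter`, `queryLimit` and `queryFilter` look like list-only parameters, although their definitions are outside this hunk. Elsewhere in this file, for example on `listEmailCustomizations`, query parameters are kept in the operation's own `parameters:` list and only path parameters are declared on the path item. The same applies to `queryExpandBrand` added under `/api/v1/brands/{brandId}:` in a later hunk, which also reaches `put` and `delete`. Moving them under `get:` keeps the generated create, replace and delete requests from advertising query options they presumably do not honour; the path item continues outside the hunk.

```yaml
  /api/v1/brands:
    get:
      summary: List all Brands
      # … unchanged: description, operationId …
      parameters:
        - $ref: '#/components/parameters/queryExpandBrand'
        - $ref: '#/components/parameters/queryAfter'
        - $ref: '#/components/parameters/queryLimit'
        - $ref: '#/components/parameters/queryFilter'
      # … unchanged: responses, security, tags …
```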
@@ -4340,9 +4910,12 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a brand - description: Deletes a brand by its unique identifier + description: Deletes a brand by `brandId` operationId: deleteBrand responses: '204': @@ -4370,6 +4943,9 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/domains: parameters: - $ref: '#/components/parameters/pathBrandId' 
@@ -4396,81 +4972,16 @@ paths: - okta.brands.read tags: - Customization - post: - summary: Link a Brand to a Domain - description: Links a brand to a domain by `domainId` - operationId: linkBrandDomain - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CreateBrandDomainRequest' - examples: - Create brand request: - $ref: '#/components/examples/CreateBrandDomainRequest' - responses: - '201': - description: Created - content: - application/json: - schema: - $ref: '#/components/schemas/BrandDomain' - examples: - Link a brand with a domain: - $ref: '#/components/examples/LinkBrandDomain' - '400': - $ref: '#/components/responses/ErrorApiValidationFailed400' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '409': - description: Conflict - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Cannot link default brand with a domain: - $ref: '#/components/examples/ErrorLinkDefaultBrand' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.brands.manage - tags: - - Customization - /api/v1/brands/{brandId}/domains/{domainId}: - parameters: - - $ref: '#/components/parameters/pathBrandId' - - $ref: '#/components/parameters/pathDomainId' - delete: - summary: Unlink a Brand from a Domain - description: Unlinks a brand and domain by their identifiers - operationId: unlinkBrandDomain - responses: - '204': - description: Successfully unlinked the domain from the brand - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.brands.manage - tags: - - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error: parameters: - $ref: 
'#/components/parameters/pathBrandId' - $ref: '#/components/parameters/queryExpandPageRoot' get: - summary: Retrieve the Error Page - description: Retrieves the error page + summary: Retrieve the Error Page Sub-Resources + description: Retrieves the error page sub-resources. The `expand` query parameter specifies which sub-resources to include in the response. operationId: getErrorPage responses: '200': @@ -4491,12 +5002,15 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/customized: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the Customized Error Page - description: Retrieves the customized error page + description: Retrieves the customized error page. The customized error page appears in your live environment. operationId: getCustomizedErrorPage responses: '200': @@ -4509,7 +5023,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4522,15 +5036,18 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Customized Error Page - description: Replaces the customized error page + description: Replaces the customized error page. The customized error page appears in your live environment. operationId: replaceCustomizedErrorPage requestBody: content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/ErrorPage' required: true responses: '200': @@ -4543,7 +5060,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/ErrorPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -4558,13 +5075,16 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Reset the Customized Error Page - description: Resets the customized error page - operationId: resetCustomizedErrorPage + summary: Delete the Customized Error Page + description: Deletes the customized error page. As a result, the default error page appears in your live environment. + operationId: deleteCustomizedErrorPage responses: '204': - description: Successfully reset the customized error page. + description: Successfully deleted the customized error page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' @@ -4578,12 +5098,15 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/default: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the Default Error Page - description: Retrieves the default error page + description: Retrieves the default error page. The default error page appears when no customized error page exists. operationId: getDefaultErrorPage responses: '200': @@ -4591,7 +5114,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -4604,12 +5127,15 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/preview: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the Preview Error Page Preview - description: Retrieves the preview error page + description: Retrieves the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. operationId: getPreviewErrorPage responses: '200': @@ -4622,7 +5148,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -4635,15 +5161,18 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Preview Error Page - description: Replaces the preview error page + description: Replaces the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. operationId: replacePreviewErrorPage requestBody: content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/ErrorPage' required: true responses: '200': @@ -4656,7 +5185,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/CustomizablePage' + $ref: '#/components/schemas/ErrorPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -4671,13 +5200,16 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Reset the Preview Error Page - description: Resets the preview error page - operationId: resetPreviewErrorPage + summary: Delete the Preview Error Page + description: Deletes the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. + operationId: deletePreviewErrorPage responses: '204': - description: Successfully reset the preview error page. + description: Successfully deleted the preview error page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' @@ -4691,13 +5223,16 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/queryExpandPageRoot' get: - summary: Retrieve the Sign-in Page - description: Retrieves the sign-in page + summary: Retrieve the Sign-in Page Sub-Resources + description: Retrieves the sign-in page sub-resources. The `expand` query parameter specifies which sub-resources to include in the response. operationId: getSignInPage responses: '200': @@ -4718,12 +5253,15 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/customized: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the Customized Sign-in Page - description: Retrieves the customized sign-in page + description: Retrieves the customized sign-in page. The customized sign-in page appears in your live environment. operationId: getCustomizedSignInPage responses: '200': 
@@ -4749,9 +5287,12 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Customized Sign-in Page - description: Replaces the customized sign-in page + description: Replaces the customized sign-in page. The customized sign-in page appears in your live environment. operationId: replaceCustomizedSignInPage requestBody: content: @@ -4785,13 +5326,16 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Reset the Customized Sign-in Page - description: Resets the customized sign-in page - operationId: resetCustomizedSignInPage + summary: Delete the Customized Sign-in Page + description: Deletes the customized sign-in page. As a result, the default sign-in page appears in your live environment. + operationId: deleteCustomizedSignInPage responses: '204': - description: Successfully reset the sign-in page. + description: Successfully deleted the sign-in page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' @@ -4805,12 +5349,15 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/default: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the Default Sign-in Page - description: Retrieves the default sign-in page + description: Retrieves the default sign-in page. The default sign-in page appears when no customized sign-in page exists. operationId: getDefaultSignInPage responses: '200': 
@@ -4831,12 +5378,15 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/preview: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the Preview Sign-in Page Preview - description: Retrieves the preview sign-in page + description: Retrieves the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. operationId: getPreviewSignInPage responses: '200': @@ -4862,9 +5412,12 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Preview Sign-in Page - description: Replaces the preview sign-in page + description: Replaces the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. operationId: replacePreviewSignInPage requestBody: content: @@ -4898,13 +5451,16 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Reset the Preview Sign-in Page - description: Resets the preview sign-in page - operationId: resetPreviewSignInPage + summary: Delete the Preview Sign-in Page + description: Deletes the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. + operationId: deletePreviewSignInPage responses: '204': - description: Successfully reset the preview sign-in page. + description: Successfully deleted the preview sign-in page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' 
@@ -4918,12 +5474,15 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/widget-versions: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: List all Sign-in Widget Versions - description: Lists all sign-in widget versions + description: Lists all sign-in widget versions supported by the current org operationId: listAllSignInWidgetVersions responses: '200': @@ -4947,6 +5506,9 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-out/customized: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -4973,6 +5535,9 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Sign-out Page Settings description: Replaces the sign-out page settings @@ -5004,6 +5569,9 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5044,6 +5612,9 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}: parameters: - $ref: '#/components/parameters/pathBrandId' 
@@ -5076,13 +5647,19 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: List all Email Customizations - description: Lists all customizations of an email template + description: | + Lists all customizations of an email template + + If Custom languages for Okta Email Templates is enabled, all existing customizations are retrieved, including customizations for additional languages. If disabled, only customizations for Okta-supported languages are returned. operationId: listEmailCustomizations parameters: - $ref: '#/components/parameters/queryAfter' @@ -5111,9 +5688,15 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Email Customization - description: Creates a new email customization + description: | + Creates a new Email Customization + + If Custom languages for Okta Email Templates is enabled, you can create a customization for any BCP47 language in addition to the Okta-supported languages. operationId: createEmailCustomization x-codegen-request-body-name: instance requestBody: @@ -5159,9 +5742,15 @@ paths: - okta.templates.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete all Email Customizations - description: Deletes all customizations for an email template + description: | + Deletes all customizations for an email template + + If Custom languages for Okta Email Templates is enabled, all customizations are deleted, including customizations for additional languages. If disabled, only customizations in Okta-supported languages are deleted. operationId: deleteAllCustomizations responses: '204': 
@@ -5179,6 +5768,9 @@ paths: - okta.templates.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5186,7 +5778,10 @@ paths: - $ref: '#/components/parameters/pathCustomizationId' get: summary: Retrieve an Email Customization - description: Retrieves an email customization by its unique identifier + description: | + Retrieves an email customization by its unique identifier + + If Custom languages for Okta Email Templates is disabled, requests to retrieve an additional language customization by ID result in a `404 Not Found` error response. operationId: getEmailCustomization responses: '200': @@ -5210,9 +5805,15 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Email Customization - description: Replaces an existing email customization using the property values provided + description: | + Replaces an email customization using property values + + If Custom languages for Okta Email Templates is disabled, requests to update a customization for an additional language return a `404 Not Found` error response. operationId: replaceEmailCustomization x-codegen-request-body-name: instance requestBody: @@ -5261,9 +5862,15 @@ paths: - okta.templates.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Email Customization - description: Deletes an email customization by its unique identifier + description: | + Deletes an Email Customization by its unique identifier + + If Custom languages for Okta Email Templates is disabled, deletion of an existing additional language customization by ID doesn't register. operationId: deleteEmailCustomization responses: '204': 
@@ -5290,6 +5897,9 @@ paths: - okta.templates.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}/preview: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5297,7 +5907,10 @@ paths: - $ref: '#/components/parameters/pathCustomizationId' get: summary: Retrieve a Preview of an Email Customization - description: Retrieves a preview of an email customization. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context. + description: | + Retrieves a Preview of an Email Customization. All variable references are populated from the current user's context. For example, `${user.profile.firstName}`. + + If Custom languages for Okta Email Templates is disabled, requests for the preview of an additional language customization by ID return a `404 Not Found` error response. operationId: getCustomizationPreview responses: '200': @@ -5321,13 +5934,21 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/default-content: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: Retrieve an Email Template Default Content - description: Retrieves an email template's default content + description: | + Retrieves an email template's default content + + Defaults to the current user's language given the following: + - Custom languages for Okta Email Templates is enabled + - An additional language is specified for the `language` parameter operationId: getEmailDefaultContent parameters: - $ref: '#/components/parameters/queryLanguage' 
@@ -5353,13 +5974,21 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/default-content/preview: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: - summary: Retrieve a Preview of the Email Template Default Content - description: Retrieves a preview of an email template's default content. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context. + summary: Retrieve a Preview of the Email Template default content + description: | + Retrieves a preview of an Email Template's default content. All variable references are populated using the current user's context. For example, `${user.profile.firstName}`. + + Defaults to the current user's language given the following: + - Custom languages for Okta Email Templates is enabled + - An additional language is specified for the `language` parameter operationId: getEmailDefaultPreview parameters: - $ref: '#/components/parameters/queryLanguage' @@ -5385,6 +6014,9 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/settings: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5415,6 +6047,9 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Email Template Settings description: Replaces an email template's settings @@ -5450,6 +6085,9 @@ paths: - okta.templates.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/test: parameters: - $ref: '#/components/parameters/pathBrandId' 
@@ -5459,6 +6097,7 @@ paths: description: |- Sends a test email to the current user’s primary and secondary email addresses. The email content is selected based on the following priority: 1. The email customization for the language specified in the `language` query parameter. + If Custom languages for Okta Email Templates is enabled and the `language` parameter is an additional language, the test email uses the customization corresponding to the language. 2. The email template's default customization. 3. The email template’s default content, translated to the current user's language. operationId: sendTestEmail @@ -5480,6 +6119,9 @@ paths: - okta.templates.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5508,6 +6150,9 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5535,6 +6180,9 @@ paths: - okta.brands.read tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Theme description: Replaces a theme for a brand @@ -5567,6 +6215,9 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/background-image: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5609,6 +6260,9 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Background Image description: Deletes a Theme background image 
@@ -5629,6 +6283,9 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/favicon: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5671,6 +6328,9 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Favicon description: Deletes a Theme favicon. The theme will use the default Okta favicon. @@ -5691,6 +6351,9 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/logo: parameters: - $ref: '#/components/parameters/pathBrandId' @@ -5733,6 +6396,9 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete the Logo description: Deletes a Theme logo. The theme will use the default Okta logo. @@ -5753,9 +6419,12 @@ paths: - okta.brands.manage tags: - Customization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/captchas: get: - summary: List all CAPTCHA instances + summary: List all CAPTCHA Instances description: Lists all CAPTCHA instances with pagination support. A subset of CAPTCHA instances can be returned that match a supported filter expression or query. operationId: listCaptchaInstances responses: @@ -5777,9 +6446,14 @@ paths: - okta.captchas.read tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create a CAPTCHA instance - description: Creates a new CAPTCHA instance. In the current release, we only allow one CAPTCHA instance per org. + description: Creates a new CAPTCHA instance. Currently, an org can only configure a single CAPTCHA instance. operationId: createCaptchaInstance x-codegen-request-body-name: instance requestBody: 
@@ -5826,12 +6500,17 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/captchas/{captchaId}: parameters: - $ref: '#/components/parameters/pathCaptchaId' get: summary: Retrieve a CAPTCHA Instance - description: Retrieves a CAPTCHA instance by `captchaId` + description: Retrieves the properties of a specified CAPTCHA instance operationId: getCaptchaInstance responses: '200': @@ -5857,9 +6536,14 @@ paths: - okta.captchas.read tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: - summary: Update a CAPTCHA instance - description: Partially updates a CAPTCHA instance by `captchaId` + summary: Update a CAPTCHA Instance + description: Partially updates the properties of a specified CAPTCHA instance operationId: updateCaptchaInstance x-codegen-request-body-name: instance requestBody: @@ -5899,9 +6583,14 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: - summary: Replace a CAPTCHA instance - description: Replaces a CAPTCHA instance by `captchaId` + summary: Replace a CAPTCHA Instance + description: Replaces the properties for a specified CAPTCHA instance operationId: replaceCaptchaInstance x-codegen-request-body-name: instance requestBody: 
@@ -5941,9 +6630,16 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete a CAPTCHA Instance - description: Deletes a CAPTCHA instance by `captchaId`. If the CAPTCHA instance is currently being used in the org, the delete will not be allowed. + description: |- + Deletes a specified CAPTCHA instance + > **Note:** If your CAPTCHA instance is still associated with your org, the request fails. You must first update your Org-wide CAPTCHA settings to remove the CAPTCHA instance. operationId: deleteCaptchaInstance responses: '204': @@ -5970,6 +6666,11 @@ paths: - okta.captchas.manage tags: - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/device-assurances: get: summary: List all Device Assurance Policies @@ -5983,7 +6684,20 @@ paths: schema: type: array items: - $ref: '#/components/schemas/DeviceAssurance' + oneOf: &ref_8 + - $ref: '#/components/schemas/DeviceAssuranceWindowsPlatform' + - $ref: '#/components/schemas/DeviceAssuranceMacOSPlatform' + - $ref: '#/components/schemas/DeviceAssuranceChromeOSPlatform' + - $ref: '#/components/schemas/DeviceAssuranceIOSPlatform' + - $ref: '#/components/schemas/DeviceAssuranceAndroidPlatform' + discriminator: &ref_9 + propertyName: platform + mapping: + WINDOWS: '#/components/schemas/DeviceAssuranceWindowsPlatform' + MACOS: '#/components/schemas/DeviceAssuranceMacOSPlatform' + CHROMEOS: '#/components/schemas/DeviceAssuranceChromeOSPlatform' + IOS: '#/components/schemas/DeviceAssuranceIOSPlatform' + ANDROID: '#/components/schemas/DeviceAssuranceAndroidPlatform' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
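Review bot: The `oneOf: &ref_8` and `discriminator: &ref_9` anchors added to the listDeviceAssurancePolicies 200 response (the `@@ -5983,7 +6684,20 @@` hunk) make every later `*ref_8`/`*ref_9` alias in the create, get and replace hunks depend on this one response appearing first in the file. Reordering or removing this operation would leave the aliases undefined and the whole spec unparseable. Because the union is now inline rather than named, the generator may also emit per-operation anonymous types instead of a single `DeviceAssurance` type; this is worth checking in the generated okta/v4 models. I would keep `$ref: '#/components/schemas/DeviceAssurance'` at each use site and move the `oneOf` and `discriminator` onto that component schema.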
@@ -5994,6 +6708,11 @@ paths: - okta.deviceAssurance.read tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create a Device Assurance Policy description: Creates a new Device Assurance Policy 
@@ -6003,16 +6722,35 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + oneOf: *ref_8 + discriminator: *ref_9 examples: - ANDROID: + Android: $ref: '#/components/examples/DeviceAssuranceAndroidRequest' - MACOS: + iOS: + $ref: '#/components/examples/DeviceAssuranceIosRequest' + MacOS: $ref: '#/components/examples/DeviceAssuranceMacOSRequest' - WINDOWS: + Windows: $ref: '#/components/examples/DeviceAssuranceWindowsRequest' - IOS: - $ref: '#/components/examples/DeviceAssuranceIosRequest' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' required: true responses: '200': 
@@ -6020,10 +6758,35 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + oneOf: *ref_8 + discriminator: *ref_9 examples: - DeviceAssuranceResponse: - $ref: '#/components/examples/DeviceAssuranceResponse' + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -6036,23 +6799,53 @@ paths: - okta.deviceAssurance.manage tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/device-assurances/{deviceAssuranceId}: + parameters: + - $ref: '#/components/parameters/pathDeviceAssuranceId' get: summary: Retrieve a Device Assurance Policy description: Retrieves a Device Assurance Policy by `deviceAssuranceId` operationId: getDeviceAssurancePolicy - parameters: - - $ref: '#/components/parameters/pathDeviceAssuranceId' responses: '200': description: OK content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + oneOf: *ref_8 + discriminator: *ref_9 examples: - DeviceAssuranceResponse: - $ref: '#/components/examples/DeviceAssuranceResponse' + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + 
WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6065,21 +6858,49 @@ paths: - okta.deviceAssurance.read tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: summary: Replace a Device Assurance Policy description: Replaces a Device Assurance Policy by `deviceAssuranceId` operationId: replaceDeviceAssurancePolicy - parameters: - - $ref: '#/components/parameters/pathDeviceAssuranceId' x-codegen-request-body-name: deviceAssurance requestBody: content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + oneOf: *ref_8 + discriminator: *ref_9 examples: - DeviceAssuranceResponse: - $ref: '#/components/examples/DeviceAssuranceResponse' + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidRequest' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosRequest' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSRequest' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsRequest' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: 
'#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' required: true responses: '200': 
@@ -6087,10 +6908,35 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/DeviceAssurance' + oneOf: *ref_8 + discriminator: *ref_9 examples: - DeviceAssuranceResponse: - $ref: '#/components/examples/DeviceAssuranceResponse' + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse' + MacOSWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse' + WindowsWithThirdPartySignalProviders: + $ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse' + AndroidWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' + iOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' + MacOSWithDynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' + WindowsWithDynamicVersionRequirements: + $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -6105,12 +6951,15 @@ paths: - okta.deviceAssurance.manage tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete a Device Assurance Policy description: Deletes a Device Assurance Policy by `deviceAssuranceId`. If the Device Assurance Policy is currently being used in the org Authentication Policies, the delete will not be allowed. operationId: deleteDeviceAssurancePolicy - parameters: - - $ref: '#/components/parameters/pathDeviceAssuranceId' responses: '204': description: No Content @@ -6126,7 +6975,7 @@ paths: schema: $ref: '#/components/schemas/Error' examples: - Cannot delete device assurance policy in use by authentication policies: + ErrorDeviceAssuranceInUse: $ref: '#/components/examples/ErrorDeviceAssuranceInUse' '429': $ref: '#/components/responses/ErrorTooManyRequests429' 
@@ -6136,28 +6985,43 @@ paths: - okta.deviceAssurance.manage tags: - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices: get: summary: List all Devices description: |- Lists all devices with pagination support. - - A subset of Devices can be returned that match a supported search criteria using the `search` query parameter. - + You can return a subset of Devices that match a supported search criteria using the `search` query parameter. Searches for devices based on the properties specified in the `search` parameter conforming SCIM filter specifications (case-insensitive). This data is eventually consistent. The API returns different results depending on specified queries in the request. Empty list is returned if no objects match `search` request. - > **Note:** Listing devices with `search` should not be used as a part of any critical flows—such as authentication or updates—to prevent potential data loss. `search` results may not reflect the latest information, as this endpoint uses a search index which may not be up-to-date with recent updates to the object.
Don't use search results directly for record updates, as the data might be stale and therefore overwrite newer data, resulting in data loss.
Use an `id` lookup for records that you update to ensure your results contain the latest data. - - This operation equires [URL encoding](http://en.wikipedia.org/wiki/Percent-encoding). For example, `search=profile.displayName eq "Bob"` is encoded as `search=profile.displayName%20eq%20%22Bob%22`. + This operation requires [URL encoding](https://www.w3.org/TR/html4/interact/forms.html#h-17.13.4.1). For example, `search=profile.displayName eq "Bob"` is encoded as `search=profile.displayName%20eq%20%22Bob%22`. operationId: listDevices parameters: - - $ref: '#/components/parameters/queryAfter' - - $ref: '#/components/parameters/queryLimit' + - name: after + in: query + schema: + type: string + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information. + example: 200u3des4afA47rYJu1d7 + - name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 200 + example: 20 + description: A limit on the number of objects to return (recommend `20`) - name: search in: query - description: SCIM filter expression that filters the results. Searches include all Device `profile` properties, as well as the Device `id`, `status` and `lastUpdated` properties. + description: A SCIM filter expression that filters the results. Searches include all Device `profile` properties and the Device `id`, `status`, and `lastUpdated` properties. schema: type: string + example: lastUpdated gt "2019-06-01T09:00:00.000Z" examples: Devices that have a `status` of `ACTIVE`: value: status eq "ACTIVE" 
@@ -6171,6 +7035,25 @@ paths: value: profile.platform eq "WINDOWS" Devices whose `sid` starts with `S-1`: value: profile.sid sw "S-1" + - name: expand + in: query + description: Includes associated user details and management status for the device in the `_embedded` attribute + schema: + type: string + example: userSummary + enum: + - user + - userSummary + x-enumDescriptions: + user: Lists full details for associated users + userSummary: Lists summaries for associated users + examples: + UserFullDetails: + summary: Get a detailed list of associated users + value: user + UserSummaries: + summary: Get the list of associated user summaries + value: userSummary responses: '200': description: OK @@ -6179,7 +7062,14 @@ paths: schema: type: array items: - $ref: '#/components/schemas/Device' + $ref: '#/components/schemas/DeviceList' + examples: + APIDevicesResponseUserSummaryExample: + type: array + $ref: '#/components/examples/APIDevicesListAllUserSummaryResponse' + APIDevicesResponseExample: + type: array + $ref: '#/components/examples/APIDevicesListAllResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -6190,6 +7080,11 @@ paths: - okta.devices.read tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}: parameters: - $ref: '#/components/parameters/pathDeviceId' @@ -6205,7 +7100,7 @@ paths: schema: $ref: '#/components/schemas/Device' examples: - Example Response: + APIDevicesResponseExample: $ref: '#/components/examples/DeviceResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' 
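Review bot: The new `expand` parameter on listDevices (`@@ -6171,6 +7035,25 @@`) does not say what authorisation the embedded user data requires. The only OAuth scope on the operation, visible as context in the `@@ -6190,6 +7080,11 @@` hunk, is `okta.devices.read`, so as documented a device-read token appears sufficient to obtain full user details with `expand=user`. The same question applies to the `listDeviceUsers` operation added further down. If the service enforces a user-read permission as well, the description should say so, for example `Embedded user data is returned only when the caller is also permitted to read users`. If it does not, SDK callers should treat device list responses as carrying user PII when they log or cache them.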
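Review bot: The two example entries added to the listDevices 200 response (`@@ -6179,7 +7062,14 @@`) carry `type: array` next to `$ref`. `type` is not a field of an OpenAPI Example Object, and in OpenAPI 3.0 siblings of `$ref` are ignored, so the key has no effect and strict validators may reject it. Drop it so that each entry is just its reference, e.g. `$ref: '#/components/examples/APIDevicesListAllUserSummaryResponse'`, and likewise for `APIDevicesListAllResponse`.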
@@ -6219,9 +7114,17 @@ paths: - okta.devices.read tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete a Device - description: Deletes a device by `deviceId` + description: |- + Deletes (permanently) a device by `deviceId` if it has a status of `DEACTIVATED`. You can transition the device to `DEACTIVATED` status using the [Deactivate a Device](#tag/Device/operation/deactivateDevice) endpoint. + This request is destructive and deletes all of the profile data related to the device. Once deleted, device data can't be recovered. However, reenrollment creates a new device record. + > **Note:** Attempts to delete a device that isn't in a `DEACTIVATED` state raise an error. operationId: deleteDevice responses: '204': @@ -6246,12 +7149,19 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathDeviceId' post: summary: Activate a Device - description: Activates a device by `deviceId` + description: |- + Activates a Device by setting its status to ACTIVE by `deviceId`. + Activated devices are used to create and delete Device user links. operationId: activateDevice responses: '204': 
@@ -6268,12 +7178,23 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathDeviceId' post: summary: Deactivate a Device - description: Deactivates a device by `deviceId` + description: |- + Deactivates a Device by setting its status to DEACTIVATED by `deviceId`. + Deactivation causes a Device to lose all device user links. + Set the Device status to DEACTIVATED before deleting it. + > **Note:** When deactivating a Device, keep in mind the following: + - Device deactivation is a destructive operation for device factors and client certificates. Device reenrollment using Okta Verify allows end users to set up new factors on the device. + - Device deletion removes the device record from Okta. Reenrollment creates a new device record. operationId: deactivateDevice responses: '204': @@ -6290,12 +7211,21 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/suspend: parameters: - $ref: '#/components/parameters/pathDeviceId' post: summary: Suspend a Device - description: Suspends a device by `deviceId` + description: |- + Suspends a Device by setting its status to SUSPENDED. + Use suspended devices to create and delete device user links. + You can only unsuspend or deactivate suspended devices. + > **Note:** SUSPENDED status is meant to be temporary, so it isn't destructive. operationId: suspendDevice responses: '204': 
@@ -6312,12 +7242,19 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/unsuspend: parameters: - $ref: '#/components/parameters/pathDeviceId' post: summary: Unsuspend a Device - description: Unsuspends a device by `deviceId` + description: |- + Unsuspends a Device by returning its `status` to ACTIVE. + >**Note:** Only devices with a SUSPENDED status can be unsuspended. operationId: unsuspendDevice responses: '204': @@ -6334,11 +7271,53 @@ paths: - okta.devices.manage tags: - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/devices/{deviceId}/users: + parameters: + - $ref: '#/components/parameters/pathDeviceId' + get: + summary: List all Users for a Device + description: Lists all Users for a Device by `deviceId` + operationId: listDeviceUsers + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/DeviceUser' + examples: + APIDevicesListAllUsersResponseExample: + summary: List all users for a specific device + $ref: '#/components/examples/APIDevicesListAllUsersResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.read + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/domains: get: - summary: List all Domains - description: Lists all verified custom Domains for the org - operationId: listDomains + summary: List all Custom Domains + description: Lists all verified custom domains for the org + operationId: listCustomDomains responses: '200': description: Success 
@@ -6355,17 +7334,20 @@ paths: - oauth2: - okta.domains.read tags: - - Domain + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Domain - description: Creates your domain - operationId: createDomain + summary: Create a Custom Domain + description: Creates your custom domain + operationId: createCustomDomain x-codegen-request-body-name: domain requestBody: content: application/json: schema: - $ref: '#/components/schemas/Domain' + $ref: '#/components/schemas/DomainRequest' required: true responses: '200': @@ -6385,18 +7367,17 @@ paths: - oauth2: - okta.domains.manage tags: - - Domain + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/domains/{domainId}: + parameters: + - $ref: '#/components/parameters/pathDomainId' get: - summary: Retrieve a Domain - description: Retrieves a Domain by `id` - operationId: getDomain - parameters: - - name: domainId - in: path - required: true - schema: - type: string + summary: Retrieve a Custom Domain + description: Retrieves a custom domain by `domainId` + operationId: getCustomDomain responses: '200': description: Success @@ -6415,17 +7396,14 @@ paths: - oauth2: - okta.domains.read tags: - - Domain + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - summary: Replace a Domain's brandId - description: Replaces a Domain by `id` - operationId: replaceDomain - parameters: - - name: domainId - in: path - required: true - schema: - type: string + summary: Replace a Custom Domain's Brand + description: Replaces a custom domain's brand + operationId: replaceCustomDomain requestBody: content: application/json: 
@@ -6452,17 +7430,14 @@ paths: - oauth2: - okta.domains.manage tags: - - Domain + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: - summary: Delete a Domain - description: Deletes a Domain by `id` - operationId: deleteDomain - parameters: - - name: domainId - in: path - required: true - schema: - type: string + summary: Delete a Custom Domain + description: Deletes a custom domain by `domainId` + operationId: deleteCustomDomain responses: '204': description: No Content @@ -6478,18 +7453,17 @@ paths: - oauth2: - okta.domains.manage tags: - - Domain + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/domains/{domainId}/certificate: + parameters: + - $ref: '#/components/parameters/pathDomainId' put: - summary: Upsert the Certificate - description: Creates or replaces the certificate for the domain + summary: Upsert the Custom Domain's Certificate + description: Upserts (creates or renews) the `MANUAL` certificate for the custom domain. If the `certificateSourceType` in the domain is `OKTA_MANAGED`, it becomes `MANUAL` and Okta no longer manages and renews certificates for this domain since a user-managed certificate has been provided. operationId: upsertCertificate - parameters: - - name: domainId - in: path - required: true - schema: - type: string x-codegen-request-body-name: certificate requestBody: content: 
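Review bot: `operationId: upsertCertificate` on `/api/v1/domains/{domainId}/certificate` keeps its old name, as does `verifyDomain` in the next hunk, while the five sibling operations under the renamed `CustomDomain` tag became `listCustomDomains`, `createCustomDomain`, `getCustomDomain`, `replaceCustomDomain` and `deleteCustomDomain`. Since method names are generated from the operationId, the client for this tag will presumably mix both naming schemes. If this spec is edited locally rather than imported verbatim from upstream, consider aligning the two stragglers; otherwise MIGRATING.md should list exactly which methods were renamed and which were not.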
@@ -6514,18 +7488,17 @@ paths: - oauth2: - okta.domains.manage tags: - - Domain + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/domains/{domainId}/verify: + parameters: + - $ref: '#/components/parameters/pathDomainId' post: - summary: Verify a Domain - description: Verifies the Domain by `id` + summary: Verify a Custom Domain + description: Verifies the custom domain and validity of DNS records by `domainId`. Furthermore, if the `certificateSourceType` in the domain is `OKTA_MANAGED`, then an attempt is made to obtain and install a certificate. After a certificate is obtained and installed by Okta, Okta manages the certificate including certificate renewal. operationId: verifyDomain - parameters: - - name: domainId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -6544,11 +7517,16 @@ paths: - oauth2: - okta.domains.manage tags: - - Domain + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/email-domains: + parameters: + - $ref: '#/components/parameters/queryExpandEmailDomain' get: - summary: List all email domains - description: Lists all the email domains in your org + summary: List all Email Domains + description: Lists all the Email Domains in your org operationId: listEmailDomains responses: '200': @@ -6556,7 +7534,12 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/EmailDomainListResponse' + type: array + items: + $ref: '#/components/schemas/EmailDomainResponseWithEmbedded' + examples: + List email domain response: + $ref: '#/components/examples/EmailDomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -6564,12 +7547,15 @@ paths: security: - apiToken: [] - oauth2: - - okta.email-domains.read + - okta.emailDomains.read tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Email Domain - description: Creates a custom email domain + description: Creates an Email Domain in your org operationId: createEmailDomain x-codegen-request-body-name: emailDomain requestBody: @@ -6577,6 +7563,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EmailDomain' + examples: + Create email domain request: + $ref: '#/components/examples/CreateEmailDomainRequest' required: true responses: '200': 
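Review bot: The OAuth scope on `listEmailDomains` changes spelling from `okta.email-domains.read` to `okta.emailDomains.read`, and the following email-domain hunks make the same change for the `manage` scope, but nothing in the visible part of the patch tells SDK users about it. An integration that still requests or was granted the hyphenated scope would presumably no longer match what these operations require. MIGRATING.md is touched by this commit but not shown here; if it does not already cover this, add a line such as `okta.email-domains.read/manage are now okta.emailDomains.read/manage` so least-privilege scope lists are updated deliberately rather than by trial and error.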
@@ -6585,32 +7574,53 @@ paths: application/json: schema: $ref: '#/components/schemas/EmailDomainResponse' + examples: + Create email domain response: + $ref: '#/components/examples/EmailDomainResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Email domain already exists: + $ref: '#/components/examples/ErrorEmailDomainAlreadyExists' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - - okta.email-domains.manage + - okta.emailDomains.manage tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/email-domains/{emailDomainId}: + parameters: + - $ref: '#/components/parameters/pathEmailDomainId' + - $ref: '#/components/parameters/queryExpandEmailDomain' get: - summary: Retrieve a Email Domain + summary: Retrieve an Email Domain description: Retrieves an Email Domain by `emailDomainId` operationId: getEmailDomain - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/EmailDomainResponse' + $ref: '#/components/schemas/EmailDomainResponseWithEmbedded' + examples: + Retrieve email domain response: + $ref: '#/components/examples/EmailDomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6620,21 +7630,25 @@ paths: security: - apiToken: [] - oauth2: - - okta.email-domains.read + - okta.emailDomains.read tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Email Domain - description: Replaces an email domain by `emailDomainId` + description: Replaces associated username and sender display name by `emailDomainId` operationId: replaceEmailDomain - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' x-codegen-request-body-name: updateEmailDomain requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateEmailDomain' + examples: + Update email domain request: + $ref: '#/components/examples/UpdateEmailDomainRequest' required: true responses: '200': @@ -6643,6 +7657,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EmailDomainResponse' + examples: + Update email domain response: + $ref: '#/components/examples/UpdatedEmailDomainResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -6654,19 +7671,29 @@ paths: security: - apiToken: [] - oauth2: - - okta.email-domains.manage + - okta.emailDomains.manage tags: - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Email Domain description: Deletes an Email Domain by `emailDomainId` operationId: deleteEmailDomain - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' responses: '204': description: No Content content: {} + '400': + description: Unable to delete custom email domain due to mail provider specific restrictions + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Email domain in use: + $ref: '#/components/examples/ErrorEmailDomainInUse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6676,25 +7703,40 @@ paths: security: - apiToken: [] - oauth2: - - okta.email-domains.manage + - okta.emailDomains.manage tags: - EmailDomain - /api/v1/email-domains/{emailDomainId}/brands: - get: - summary: List all brands linked to an email domain - description: Lists all brands linked to an email domain - operationId: listEmailDomainBrands - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/email-domains/{emailDomainId}/verify: + parameters: + - $ref: '#/components/parameters/pathEmailDomainId' + post: + summary: Verify an Email Domain + description: Verifies an Email Domain by `emailDomainId` + operationId: verifyEmailDomain responses: '200': - description: OK + description: Success content: application/json: schema: - type: array - items: - $ref: '#/components/schemas/Brand' + $ref: '#/components/schemas/EmailDomainResponse' + examples: + Verified email domain response: + $ref: '#/components/examples/VerifiedEmailDomainResponse' + '400': + description: Email domain could not be verified by mail provider + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Email domain could not be verified: + $ref: '#/components/examples/ErrorEmailDomainNotVerified' + Email domain invalid status: + $ref: '#/components/examples/ErrorEmailDomainInvalidStatus' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6704,23 +7746,86 @@ paths: security: - apiToken: [] - oauth2: - - okta.email-domains.read + - okta.emailDomains.manage tags: - EmailDomain - /api/v1/email-domains/{emailDomainId}/verify: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/email-servers: + get: + summary: List all enrolled SMTP servers + description: Lists all the enrolled custom SMTP server configurations + operationId: listEmailServers + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.read + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: - summary: Verify an Email Domain - description: Verifies an Email Domain by `emailDomainId` - operationId: verifyEmailDomain - parameters: - - $ref: '#/components/parameters/pathEmailDomainId' + summary: Create a custom SMTP server + description: Creates a custom email SMTP server configuration for your org + operationId: createEmailServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerPost' + responses: + '201': + description: Successfully enrolled server credentials + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/email-servers/{emailServerId}: + parameters: + - $ref: 
'#/components/parameters/pathEmailServerId' + get: + summary: Retrieve an SMTP Server configuration + description: Retrieves the specified custom SMTP server configuration + operationId: getEmailServer responses: '200': - description: Success + description: OK content: application/json: schema: - $ref: '#/components/schemas/EmailDomainResponse' + $ref: '#/components/schemas/EmailServerListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
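Review bot: The `'200'` response of `getEmailServer` references `EmailServerListResponse`, the same schema `listEmailServers` returns, whereas `createEmailServer` in this hunk returns `EmailServerResponse` for a single server. A single-resource GET that declares the list wrapper makes the generated client hand callers a list type for one configuration; if that is not what the API sends, the line should read `$ref: '#/components/schemas/EmailServerResponse'`. Both schema definitions are outside this hunk, so check against the real payload. Because the create response is described as "Successfully enrolled server credentials", also confirm that neither response schema returns the SMTP password.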
@@ -6730,9 +7835,107 @@ paths: security: - apiToken: [] - oauth2: - - okta.email-domains.manage + - okta.emailServers.read tags: - - EmailDomain + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + patch: + summary: Update an SMTP Server configuration + description: Updates the specified custom SMTP server configuration + operationId: updateEmailServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerRequest' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete an SMTP Server configuration + description: Deletes the specified custom SMTP server configuration + operationId: deleteEmailServer + responses: + '204': + description: No content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/email-servers/{emailServerId}/test: + parameters: + - $ref: '#/components/parameters/pathEmailServerId' + post: + summary: Test an SMTP Server configuration + description: Tests the specified custom SMTP Server configuration + operationId: testEmailServer + requestBody: + 
content: + application/json: + schema: + $ref: '#/components/schemas/EmailTestAddresses' + responses: + '204': + description: No content + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/eventHooks: get: summary: List all Event Hooks @@ -6747,6 +7950,9 @@ paths: type: array items: $ref: '#/components/schemas/EventHook' + examples: + RetrieveAllEventHooks: + $ref: '#/components/examples/RetrieveAllEventHooks' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
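Review bot: None of the new email-server request bodies is marked required. `updateEmailServer` and `testEmailServer` in this hunk, and `createEmailServer` in the previous one, declare `requestBody` with only `content`, while the email-domain operations in the same file end theirs with `required: true`. In OpenAPI 3 an omitted `required` defaults to false, so the generated client will treat the body as optional and a call without one is only caught by the server's 400. If the API rejects an empty body, add `required: true` under each of the three `requestBody` entries.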
@@ -6757,9 +7963,23 @@ paths: - okta.eventHooks.read tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Event Hook - description: Creates an event hook + description: |- + Creates a new event hook for your organization in `ACTIVE` status. You pass an event hook object in the JSON payload + of your request. That object represents the set of required information about the event hook you're registering, including: + * The URI of your external service + * The [events](https://developer.okta.com/docs/reference/api/event-types/) in Okta you want to subscribe to + * An optional event hook filter that can reduce the number of event hook calls. This is a self-service Early Access (EA) feature. + See [Create an event hook filter](https://developer.okta.com/docs/concepts/event-hooks/#create-an-event-hook-filter). + + Additionally, you can specify a secret API key for Okta to pass to your external service endpoint for security verification. Note that the API key you set here is unrelated to the Okta API token + you must supply when making calls to Okta APIs. Optionally, you can specify extra headers that Okta passes to your external + service with each call. + Your external service must use a valid HTTPS endpoint. operationId: createEventHook x-codegen-request-body-name: eventHook requestBody: @@ -6767,6 +7987,11 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + CreateAnEventHook: + $ref: '#/components/examples/CreateAnEventHook' + CreateAnEventHookWithFilter: + $ref: '#/components/examples/CreateAnEventHookWithFilter' required: true responses: '200': 
@@ -6775,6 +8000,11 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + CreateAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + CreateAnEventHookWithFilter: + $ref: '#/components/examples/RetrieveAnEventHookWithFilter' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -6787,17 +8017,16 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}: + parameters: + - $ref: '#/components/parameters/pathEventHookId' get: summary: Retrieve an Event Hook description: Retrieves an event hook operationId: getEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -6805,6 +8034,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + RetrieveAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -6817,22 +8049,26 @@ paths: - okta.eventHooks.read tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Event Hook - description: Replaces an event hook + description: |- + Replaces an event hook. Okta validates the new properties before replacing the existing values. + Some event hook properties are immutable and can't be updated. Refer to the parameter description in the request body schema. + + >**Note:** Updating the `channel` property requires you to verify the hook again. operationId: replaceEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string x-codegen-request-body-name: eventHook requestBody: content: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + ReplaceAnEventHook: + $ref: '#/components/examples/ReplaceAnEventHookWithFilter' required: true responses: '200': 
@@ -6841,6 +8077,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + ReplaceAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHookWithFilter' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -6855,16 +8094,15 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Event Hook - description: Deletes an event hook + description: |- + Deletes the event hook that matches the provided `id`. After deletion, the event hook is unrecoverable. + As a safety precaution, you can only delete event hooks with a status of `INACTIVE`. operationId: deleteEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -6881,17 +8119,16 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathEventHookId' post: summary: Activate an Event Hook - description: Activates an event hook + description: Activates the event hook that matches the provided `id` operationId: activateEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -6899,6 +8136,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + ActivateAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -6911,17 +8151,16 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathEventHookId' post: summary: Deactivate an Event Hook - description: Deactivates an event hook + description: Deactivates the event hook that matches the provided `id` operationId: deactivateEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -6929,6 +8168,9 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + DeactivateAnEventHook: + $ref: '#/components/examples/RetrieveADeactivatedEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -6941,17 +8183,22 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}/lifecycle/verify: + parameters: + - $ref: '#/components/parameters/pathEventHookId' post: summary: Verify an Event Hook - description: Verifies an event hook + description: |- + Verifies that the event hook matches the provided `eventHookId`. To verify ownership, your endpoint must send information back to Okta in JSON format. See [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/#one-time-verification-request). + + Only `ACTIVE` and `VERIFIED` event hooks can receive events from Okta. + + If a response is not received within 3 seconds, the outbound request times out. One retry is attempted after a timeout or error response. + If a successful response still isn't received, this operation returns a 400 error with more information about the failure. operationId: verifyEventHook - parameters: - - name: eventHookId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -6959,6 +8206,11 @@ paths: application/json: schema: $ref: '#/components/schemas/EventHook' + examples: + VerifyAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -6971,10 +8223,13 @@ paths: - okta.eventHooks.manage tags: - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features: get: summary: List all Features - description: Lists all features + description: Lists all self-service features for your org operationId: listFeatures responses: '200': @@ -6985,6 +8240,10 @@ paths: type: array items: $ref: '#/components/schemas/Feature' + examples: + FeaturesList: + summary: List all self-service features for your org + $ref: '#/components/examples/ListFeaturesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -6995,17 +8254,16 @@ paths: - okta.features.read tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features/{featureId}: + parameters: + - $ref: '#/components/parameters/pathFeatureId' get: summary: Retrieve a Feature - description: Retrieves a feature + description: Retrieves a feature by ID operationId: getFeature - parameters: - - name: featureId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -7013,6 +8271,10 @@ paths: application/json: schema: $ref: '#/components/schemas/Feature' + examples: + FeaturesRetrieve: + summary: Retrieve a Feature by ID + $ref: '#/components/examples/RetrieveFeaturesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7025,17 +8287,19 @@ paths: - okta.features.read tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features/{featureId}/dependencies: + parameters: + - $ref: '#/components/parameters/pathFeatureId' get: - summary: List all Dependencies - description: Lists all dependencies + summary: List all dependencies + description: |- + Lists all feature dependencies for a specified feature. + + A feature's dependencies are the features that it requires to be enabled in order for itself to be enabled. operationId: listFeatureDependencies - parameters: - - name: featureId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -7045,6 +8309,10 @@ paths: type: array items: $ref: '#/components/schemas/Feature' + examples: + FeaturesDependenciesList: + summary: List all Dependencies + $ref: '#/components/examples/ListFeatureDependenciesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7057,17 +8325,19 @@ paths: - okta.features.read tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features/{featureId}/dependents: + parameters: + - $ref: '#/components/parameters/pathFeatureId' get: - summary: List all Dependents - description: Lists all dependents + summary: List all dependents + description: |- + Lists all feature dependents for the specified feature. + + A feature's dependents are the features that need to be disabled in order for the feature itself to be disabled. operationId: listFeatureDependents - parameters: - - name: featureId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -7077,6 +8347,10 @@ paths: type: array items: $ref: '#/components/schemas/Feature' + examples: + FeaturesDependentsList: + summary: List all feature dependents for the specified feature + $ref: '#/components/examples/ListFeatureDependentsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7089,24 +8363,32 @@ paths: - okta.features.read tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/features/{featureId}/{lifecycle}: + parameters: + - $ref: '#/components/parameters/pathFeatureId' + - $ref: '#/components/parameters/pathLifecycle' post: - summary: Update a Feature Lifecycle - description: Updates a feature lifecycle + summary: Update a Feature lifecycle + description: |- + Updates a feature's lifecycle status. Use this endpoint to enable or disable a feature for your org. + + Use the `mode=force` parameter to override dependency restrictions for a particular feature. Normally, you can't enable a feature if it has one or more dependencies that aren't enabled. + + When you use the `mode=force` parameter while enabling a feature, Okta first tries to enable any disabled features that this feature may have as dependencies. If you don't pass the `mode=force` parameter and the feature has dependencies that need to be enabled before the feature is enabled, a 400 error is returned. + + When you use the `mode=force` parameter while disabling a feature, Okta first tries to disable any enabled features that this feature may have as dependents. If you don't pass the `mode=force` parameter and the feature has dependents that need to be disabled before the feature is disabled, a 400 error is returned. + + The following chart shows the different state transitions for a feature. + + ![State transitions of a feature](../../../../../images/features/update-ssfeat-flowchart.png '#width=500px;') operationId: updateFeatureLifecycle parameters: - - name: featureId - in: path - required: true - schema: - type: string - - name: lifecycle - in: path - required: true - schema: - type: string - - name: mode - in: query + - name: mode + in: query + description: Indicates if you want to force enable or disable a feature. Supported value is `force`. schema: type: string responses: 
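Review bot: The new description for the `mode` query parameter of `updateFeatureLifecycle` says "Supported value is `force`", but the schema stays `type: string`, so the spec accepts any value. As `mode=force` is documented to override dependency restrictions, the one accepted value should be stated in the schema too, for example `enum: [force]` under `schema:`. The `sortOrder` parameter added to `GET /api/v1/groups` further down has the same gap: its text allows `asc` or `desc`, but the schema is `type: string` with `default: asc` and could carry `enum: [asc, desc]`. Check how the generator renders inline enums before applying this.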
@@ -7116,6 +8398,10 @@ paths: application/json: schema: $ref: '#/components/schemas/Feature' + examples: + FeaturesUpdate: + summary: Update the feature lifecycle status + $ref: '#/components/examples/UpdateFeatureLifecycleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -7128,6 +8414,84 @@ paths: - okta.features.manage tags: - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/first-party-app-settings/{appName}: + parameters: + - $ref: '#/components/parameters/pathFirstPartyAppName' + get: + summary: Retrieve the Okta app settings + description: Retrieves the settings for the first party Okta app + operationId: getFirstPartyAppSettings + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationOktaApplicationSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Okta app settings + description: Replaces the settings for the first party Okta app + operationId: replaceFirstPartyAppSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationOktaApplicationSettings + x-okta-lifecycle: + 
lifecycle: GA + isGenerallyAvailable: true /api/v1/groups: get: summary: List all Groups @@ -7166,6 +8530,20 @@ paths: description: Searches for groups with a supported filtering expression for all attributes except for _embedded, _links, and objectClass schema: type: string + - name: sortBy + in: query + description: Specifies field to sort by and can be any single property (for search queries only). + schema: + type: string + example: lastUpdated + - name: sortOrder + in: query + description: |- + Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` is not present. + Groups with the same value for the `sortBy` parameter are ordered by `id`. + schema: + type: string + default: asc responses: '200': description: Success @@ -7185,6 +8563,9 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Group description: Creates a new group with `OKTA_GROUP` type @@ -7215,6 +8596,9 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/rules: get: summary: List all Group Rules @@ -7263,6 +8647,9 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Group Rule description: Creates a group rule to dynamically add users to the specified group if they match the condition 
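Review bot: Neither operation on the new `/api/v1/first-party-app-settings/{appName}` path declares a `'404'` response, although the path takes an `appName` parameter and the other path-parameter operations in this file list `$ref: '#/components/responses/ErrorResourceNotFound404'`. The PUT also spells out its `'403'` inline with an `Error` schema and example, while the GET on the same path uses `$ref: '#/components/responses/ErrorAccessDenied403'`. Use the shared 403 response in both places and add the 404 if the API returns one for an unknown app name. Both operations reference `AdminConsoleSettings` whatever `appName` is; if only one app is supported, say so in the description.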
@@ -7293,17 +8680,17 @@ paths: - okta.groups.manage tags: - Group - /api/v1/groups/rules/{ruleId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules/{groupRuleId}: + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' get: summary: Retrieve a Group Rule - description: Retrieves a specific group rule by `ruleId` + description: Retrieves a specific group rule by `groupRuleId` operationId: getGroupRule parameters: - - name: ruleId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -7327,16 +8714,13 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Group Rule description: Replaces a group rule. Only `INACTIVE` rules can be updated. operationId: replaceGroupRule - parameters: - - name: ruleId - in: path - required: true - schema: - type: string x-codegen-request-body-name: groupRule requestBody: content: @@ -7365,16 +8749,14 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a group Rule - description: Deletes a specific group rule by `ruleId` + description: Deletes a specific group rule by `groupRuleId` operationId: deleteGroupRule parameters: - - name: ruleId - in: path - required: true - schema: - type: string - name: removeUsers in: query description: Indicates whether to keep or remove users from groups assigned by this rule. 
@@ -7396,17 +8778,16 @@ paths: - okta.groups.manage tags: - Group - /api/v1/groups/rules/{ruleId}/lifecycle/activate: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules/{groupRuleId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' post: summary: Activate a Group Rule - description: Activates a specific group rule by `ruleId` + description: Activates a specific group rule by `groupRuleId` operationId: activateGroupRule - parameters: - - name: ruleId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -7423,17 +8804,16 @@ paths: - okta.groups.manage tags: - Group - /api/v1/groups/rules/{ruleId}/lifecycle/deactivate: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules/{groupRuleId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' post: summary: Deactivate a Group Rule - description: Deactivates a specific group rule by `ruleId` + description: Deactivates a specific group rule by `groupRuleId` operationId: deactivateGroupRule - parameters: - - name: ruleId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -7450,17 +8830,16 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: summary: Retrieve a Group description: Retrieves a group by `groupId` operationId: getGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -7480,16 +8859,13 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Group description: Replaces the profile for a group with `OKTA_GROUP` type operationId: replaceGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string x-codegen-request-body-name: group requestBody: content: @@ -7518,16 +8894,13 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Group description: Deletes a group with `OKTA_GROUP` type operationId: deleteGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -7544,17 +8917,17 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/apps: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: summary: List all Assigned Applications description: Lists all applications that are assigned to a group operationId: listAssignedApplicationsForGroup parameters: - - name: groupId - in: path - required: true - schema: - type: string - name: after in: query description: Specifies the pagination cursor for the next page of apps @@ -7589,17 +8962,17 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/owners: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: summary: List all Group Owners description: Lists all owners for a specific group operationId: listGroupOwners parameters: - - name: groupId - in: path - required: true - schema: - type: string - name: filter in: query description: SCIM Filter expression for group owners. Allows to filter owners by type. 
@@ -7626,6 +8999,11 @@ paths: type: array items: $ref: '#/components/schemas/GroupOwner' + examples: + ListsOneOwnerOfaGroup: + $ref: '#/components/examples/ListsOwnerOneResponse' + ListsMultipleOwnersOfaGroup: + $ref: '#/components/examples/ListsOwnersMultipleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -7638,6 +9016,9 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Assign a Group Owner description: Assigns a group owner @@ -7652,7 +9033,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/GroupOwner' + $ref: '#/components/schemas/AssignGroupOwnerRequestBody' + examples: + AssignAGroupOwner: + $ref: '#/components/examples/AssignGroupOwnerRequest' required: true responses: '201': @@ -7661,6 +9045,9 @@ paths: application/json: schema: $ref: '#/components/schemas/GroupOwner' + examples: + AssignAGroupOwner: + $ref: '#/components/examples/AssignGroupOwnerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -7675,22 +9062,17 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/owners/{ownerId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathOwnerId' delete: summary: Delete a Group Owner description: Deletes a group owner from a specific group operationId: deleteGroupOwner - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: ownerId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -7707,17 +9089,17 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/roles: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: summary: List all Assigned Roles of Group description: Lists all assigned roles of group identified by `groupId` operationId: listGroupAssignedRoles parameters: - - name: groupId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -7743,16 +9125,14 @@ paths: - okta.roles.read tags: - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Assign a Role to a Group description: Assigns a role to a group operationId: assignRoleToGroup parameters: - - name: groupId - in: path - required: true - schema: - type: string - name: disableNotifications in: query description: Setting this to `true` grants the group third-party admin status @@ -7789,22 +9169,17 @@ paths: - okta.roles.manage tags: - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleId' get: summary: Retrieve a Role assigned to Group description: Retrieves a role identified by `roleId` assigned to group identified by `groupId` operationId: getGroupAssignedRole - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -7824,21 +9199,13 @@ paths: - okta.roles.read tags: - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign a Role from a Group description: Unassigns a role identified by `roleId` assigned to group identified by `groupId` operationId: unassignRoleFromGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -7855,22 +9222,18 @@ paths: - okta.roles.manage tags: - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleId' get: summary: List all Application Targets for an Application Administrator Role description: Lists all App targets for an `APP_ADMIN` Role assigned to a Group. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID. operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - name: after in: query schema: 
@@ -7902,27 +9265,18 @@ paths: - okta.roles.read tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathAppName' put: summary: Assign an Application Target to Administrator Role description: Assigns an application target to administrator role operationId: assignAppTargetToAdminRoleForGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -7939,26 +9293,13 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign an Application Target from Application Administrator Role description: Unassigns an application target from application administrator role operationId: unassignAppTargetToAdminRoleForGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -7975,32 +9316,19 @@ paths: - okta.roles.manage tags: - RoleTarget - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}/{applicationId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}/{appId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' put: summary: Assign an Application Instance Target to Application Administrator Role description: Assigns App Instance Target to App Administrator Role given to a Group operationId: assignAppInstanceTargetToAppAdminRoleForGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string - - name: applicationId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -8017,31 +9345,13 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign an Application Instance Target from an Application Administrator Role description: Unassigns an application instance target from application administrator role operationId: unassignAppInstanceTargetToAppAdminRoleForGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string - - name: applicationId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -8058,22 +9368,18 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleId}/targets/groups: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleId' get: summary: List all Group Targets for a Group Role description: Lists all group targets for a group role operationId: listGroupTargetsForGroupRole parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - name: after in: query schema: @@ -8105,27 +9411,18 @@ paths: - okta.roles.read tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleId}/targets/groups/{targetGroupId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathTargetGroupId' put: summary: Assign a Group Target to a Group Role description: Assigns a group target to a group role operationId: assignGroupTargetToGroupAdminRole - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: targetGroupId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -8142,26 +9439,13 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign a Group Target from a Group Role description: Unassigns a group target from a group role operationId: unassignGroupTargetFromGroupAdminRole - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: targetGroupId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -8178,17 +9462,17 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/users: + parameters: + - $ref: '#/components/parameters/pathGroupId' get: summary: List all Member Users description: Lists all users that are a member of a group operationId: listGroupUsers parameters: - - name: groupId - in: path - required: true - schema: - type: string - name: after in: query description: Specifies the pagination cursor for the next page of users @@ -8222,22 +9506,17 @@ paths: - okta.groups.read tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/groups/{groupId}/users/{userId}: + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathUserId' put: summary: Assign a User description: Assigns a user to a group with 'OKTA_GROUP' type operationId: assignUserToGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -8254,21 +9533,13 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign a User description: Unassigns a user from a group with 'OKTA_GROUP' type operationId: unassignUserFromGroup - parameters: - - name: groupId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -8285,6 +9556,9 @@ paths: - okta.groups.manage tags: - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/hook-keys: get: summary: List all keys @@ -8299,6 +9573,9 @@ paths: type: array items: $ref: '#/components/schemas/HookKey' + examples: + ResponseExample: + $ref: '#/components/examples/ListAllKeysResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -8309,9 +9586,17 @@ paths: - okta.inlineHooks.read tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a key - description: Creates a key + description: | + Creates a key for use with other parts of the application, such as inline hooks + + Use the key name to access this key for inline hook operations. + + The total number of keys that you can create in an Okta org is limited to 50. operationId: createHookKey x-codegen-request-body-name: keyRequest requestBody: @@ -8327,6 +9612,9 @@ paths: application/json: schema: $ref: '#/components/schemas/HookKey' + examples: + ResponseExample: + $ref: '#/components/examples/CreateHookKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -8339,17 +9627,16 @@ paths: - okta.inlineHooks.manage tags: - HookKey - /api/v1/hook-keys/public/{keyId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/hook-keys/public/{publicKeyId}: + parameters: + - $ref: '#/components/parameters/pathPublicKeyId' get: summary: Retrieve a public key description: Retrieves a public key by `keyId` operationId: getPublicKey - parameters: - - name: keyId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -8357,6 +9644,9 @@ paths: application/json: schema: $ref: '#/components/schemas/JsonWebKey' + examples: + ResponseExample: + $ref: '#/components/examples/RetrievePublicKeyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -8369,17 +9659,16 @@ paths: - okta.inlineHooks.read tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/hook-keys/{hookKeyId}: + parameters: + - $ref: '#/components/parameters/pathHookKeyId' get: summary: Retrieve a key description: Retrieves a key by `hookKeyId` operationId: getHookKey - parameters: - - name: hookKeyId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -8387,6 +9676,9 @@ paths: application/json: schema: $ref: '#/components/schemas/HookKey' + examples: + ResponseExample: + $ref: '#/components/examples/RetrieveKeyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
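Review bot: In the `@@ -8339,17 +9627,16 @@` hunk the path becomes `/api/v1/hook-keys/public/{publicKeyId}`, but the unchanged `getPublicKey` description still reads "Retrieves a public key by `keyId`". That text should name `publicKeyId`, matching how the group-rule descriptions were updated alongside the `ruleId` to `groupRuleId` rename earlier in this patch. The `pathPublicKeyId` component that the new `parameters` entry points to is defined outside this hunk, so its name and description are worth checking against the same wording.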
@@ -8399,16 +9691,18 @@ paths: - okta.inlineHooks.read tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a key - description: Replaces a key by `hookKeyId` + description: | + Replaces a key by `hookKeyId` + + This request replaces existing properties after passing validation. + + Note: The only parameter that you can update is the name of the key, which must be unique at all times. operationId: replaceHookKey - parameters: - - name: hookKeyId - in: path - required: true - schema: - type: string x-codegen-request-body-name: keyRequest requestBody: content: @@ -8423,6 +9717,9 @@ paths: application/json: schema: $ref: '#/components/schemas/HookKey' + examples: + ResponseExample: + $ref: '#/components/examples/ReplaceKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -8437,16 +9734,16 @@ paths: - okta.inlineHooks.manage tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a key - description: Deletes a key by `hookKeyId`. Once deleted, the Hook Key is unrecoverable. As a safety precaution, unused keys are eligible for deletion. + description: | + Deletes a key by `hookKeyId`. After being deleted, the key is unrecoverable. + + As a safety precaution, only keys that aren't being used are eligible for deletion. operationId: deleteHookKey - parameters: - - name: hookKeyId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -8463,10 +9760,57 @@ paths: - okta.inlineHooks.manage tags: - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/assignees/users: + get: + summary: List all Users with Role Assignments + description: Lists all users with Role Assignments + operationId: listUsersWithRoleAssignments + parameters: + - name: after + in: query + schema: + type: string + - name: limit + in: query + description: Specifies the number of results returned. Defaults to `100`. + schema: + type: integer + format: int32 + default: 100 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleAssignedUsers' + examples: + User List: + $ref: '#/components/examples/RoleAssignedUsersResponseExample' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/resource-sets: get: summary: List all Resource Sets - description: Lists all resource sets with pagination support + description: Lists all Resource Sets with pagination support operationId: listResourceSets parameters: - $ref: '#/components/parameters/queryAfter' @@ -8490,16 +9834,19 @@ paths: - okta.roles.read tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Resource Set - description: Creates a new resource set + description: Creates a new Resource Set operationId: createResourceSet x-codegen-request-body-name: instance requestBody: content: application/json: schema: - $ref: '#/components/schemas/ResourceSet' + $ref: '#/components/schemas/CreateResourceSetRequest' examples: Example Request: $ref: '#/components/examples/ResourceSetRequest' 
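Review bot: The new `listUsersWithRoleAssignments` operation in the `@@ -8463,10 +9760,57 @@` hunk spells out its 403 inline (`description: Forbidden` plus the `Error` schema). Every other operation in this file uses the shared response, so it should be `'403':` followed by `$ref: '#/components/responses/ErrorAccessDenied403'`. The `after` parameter has no description. `limit` declares `default: 100` but no `minimum` or `maximum`, so the page-size bound is documented nowhere in the spec. Because this endpoint enumerates every user holding an admin role, the description would also benefit from stating what the `RoleAssignedUsers` payload exposes, so consumers can scope `okta.roles.read` tokens deliberately.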
@@ -8533,12 +9880,15 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetId}: parameters: - $ref: '#/components/parameters/pathResourceSetId' get: summary: Retrieve a Resource Set - description: Retrieves a resource set by `resourceSetId` + description: Retrieves a Resource Set by `resourceSetId` operationId: getResourceSet responses: '200': @@ -8562,9 +9912,12 @@ paths: - okta.roles.read tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Resource Set - description: Replaces a resource set by `resourceSetId` + description: Replaces a Resource Set by `resourceSetId` operationId: replaceResourceSet x-codegen-request-body-name: instance requestBody: @@ -8600,6 +9953,9 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Resource Set description: Deletes a role by `resourceSetId` @@ -8627,12 +9983,15 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetId}/bindings: parameters: - $ref: '#/components/parameters/pathResourceSetId' get: summary: List all Bindings - description: Lists all resource set bindings with pagination support + description: Lists all Resource Set bindings with pagination support operationId: listBindings parameters: - $ref: '#/components/parameters/queryAfter' @@ -8658,9 +10017,12 @@ paths: - okta.roles.read tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Resource Set Binding - description: Creates a new resource set binding + description: Creates a new Resource Set binding operationId: createResourceSetBinding x-codegen-request-body-name: instance requestBody: 
@@ -8703,13 +10065,16 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}: parameters: - $ref: '#/components/parameters/pathResourceSetId' - $ref: '#/components/parameters/pathRoleIdOrLabel' get: summary: Retrieve a Binding - description: Retrieves a resource set binding by `resourceSetId` and `roleIdOrLabel` + description: Retrieves a Resource Set binding by `resourceSetId` and `roleIdOrLabel` operationId: getBinding responses: '200': @@ -8733,9 +10098,12 @@ paths: - okta.roles.read tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Binding - description: Deletes a resource set binding by `resourceSetId` and `roleIdOrLabel` + description: Deletes a Resource Set binding by `resourceSetId` and `roleIdOrLabel` operationId: deleteBinding responses: '204': @@ -8760,13 +10128,16 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}/members: parameters: - $ref: '#/components/parameters/pathResourceSetId' - $ref: '#/components/parameters/pathRoleIdOrLabel' get: summary: List all Members of a binding - description: Lists all members of a resource set binding with pagination support + description: Lists all members of a Resource Set binding with pagination support operationId: listMembersOfBinding parameters: - $ref: '#/components/parameters/queryAfter' @@ -8792,9 +10163,12 @@ paths: - okta.roles.read tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true patch: summary: Add more Members to a binding - description: Adds more members to a resource set binding + description: Adds more members to a Resource Set binding operationId: addMembersToBinding x-codegen-request-body-name: instance requestBody: 
@@ -8837,6 +10211,9 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}/members/{memberId}: parameters: - $ref: '#/components/parameters/pathResourceSetId' @@ -8868,6 +10245,9 @@ paths: - okta.roles.read tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign a Member from a binding description: Unassigns a member identified by `memberId` from a binding @@ -8896,12 +10276,15 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetId}/resources: parameters: - $ref: '#/components/parameters/pathResourceSetId' get: - summary: List all Resources of a resource set - description: Lists all resources that make up the resource set + summary: List all Resources of a Resource Set + description: Lists all resources that make up the Resource Set operationId: listResourceSetResources responses: '200': @@ -8925,9 +10308,12 @@ paths: - okta.roles.read tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true patch: - summary: Add more Resource to a resource set - description: Adds more resources to a resource set + summary: Add more Resource to a Resource Set + description: Adds more resources to a Resource Set operationId: addResourceSetResource x-codegen-request-body-name: instance requestBody: 
@@ -8970,13 +10356,16 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetId}/resources/{resourceId}: parameters: - $ref: '#/components/parameters/pathResourceSetId' - $ref: '#/components/parameters/pathResourceId' delete: - summary: Delete a Resource from a resource set - description: Deletes a resource identified by `resourceId` from a resource set + summary: Delete a Resource from a Resource Set + description: Deletes a resource identified by `resourceId` from a Resource Set operationId: deleteResourceSetResource responses: '204': @@ -9001,6 +10390,9 @@ paths: - okta.roles.manage tags: - ResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/roles: get: summary: List all Roles @@ -9028,6 +10420,9 @@ paths: - okta.roles.read tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Role description: Creates a new role @@ -9037,7 +10432,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/IamRole' + $ref: '#/components/schemas/CreateIamRoleRequest' examples: Example Request: $ref: '#/components/examples/RoleRequest' @@ -9071,6 +10466,9 @@ paths: - okta.roles.manage tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' @@ -9100,6 +10498,9 @@ paths: - okta.roles.read tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Role description: Replaces a role by `roleIdOrLabel` @@ -9109,7 +10510,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/IamRole' + $ref: '#/components/schemas/UpdateIamRoleRequest' examples: Example Request: $ref: '#/components/examples/RoleRequest' 
@@ -9138,6 +10539,9 @@ paths: - okta.roles.manage tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Role description: Deletes a role by `roleIdOrLabel` @@ -9165,6 +10569,9 @@ paths: - okta.roles.manage tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}/permissions: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' @@ -9194,6 +10601,9 @@ paths: - okta.roles.read tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' @@ -9224,11 +10634,26 @@ paths: - okta.roles.read tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Permission description: Creates a permission specified by `permissionType` to the role operationId: createRolePermission x-codegen-request-body-name: instance + requestBody: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' + examples: + Example Request: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExample' + required: false responses: '204': description: No Content 
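Review bot: In the `@@ -9224,11 +10634,26 @@` hunk, the `requestBody` added to `createRolePermission` carries its own `x-okta-lifecycle` block. Elsewhere in this patch the extension sits on the operation, and the next hunk (`@@ -9246,6 +10671,50 @@`) adds it at operation level for this same `post`, so the nested copy looks like a misplaced duplicate and can be dropped. The body is declared `required: false`. If, as the `PermissionResponseWithConditions` example name suggests, it carries permission conditions, the description should state that omitting it creates the permission without conditions. The operation's responses continue past the end of this hunk.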
@@ -9246,6 +10671,50 @@ paths: - okta.roles.manage tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Replace a Permission + description: Replaces a permission specified by `permissionType` in the role + operationId: replaceRolePermission + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' + examples: + Example Request: + $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExample' + required: false + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/Permission' + examples: + Example Response: + $ref: '#/components/examples/PermissionResponseWithConditions' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - Role delete: summary: Delete a Permission description: Deletes a permission from a role by `permissionType` @@ -9273,13 +10742,16 @@ paths: - okta.roles.manage tags: - Role + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/identity-sources/{identitySourceId}/sessions: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' get: summary: List all Identity Source Sessions description: Lists all identity source sessions for the given identity source instance operationId: listIdentitySourceSessions - parameters: - - $ref: '#/components/parameters/pathIdentitySourceId' responses: '200': description: Success 
@@ -9290,8 +10762,8 @@ paths: items: $ref: '#/components/schemas/IdentitySourceSession' examples: - Sessions List: - $ref: '#/components/examples/ListSessionsResponse' + sessionsList: + $ref: '#/components/examples/ListSessionsResponseForGetSessions' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -9304,12 +10776,14 @@ paths: - okta.identitySources.read tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] post: summary: Create an Identity Source Session description: Creates an identity source session for the given identity source instance operationId: createIdentitySourceSession - parameters: - - $ref: '#/components/parameters/pathIdentitySourceId' responses: '200': description: Success @@ -9334,14 +10808,18 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' get: summary: Retrieve an Identity Source Session description: Retrieves an identity source session for a given identity source id and session id operationId: getIdentitySourceSession - parameters: - - $ref: '#/components/parameters/pathIdentitySourceId' - - $ref: '#/components/parameters/pathSessionId' responses: '200': description: Success @@ -9364,13 +10842,14 @@ paths: - okta.identitySources.read tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] delete: summary: Delete an Identity Source Session description: Deletes an identity source session for a given `identitySourceId` and `sessionId` operationId: deleteIdentitySourceSession - parameters: - - $ref: '#/components/parameters/pathIdentitySourceId' - - $ref: '#/components/parameters/pathSessionId' responses: '204': description: No Content 
@@ -9386,14 +10865,18 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-delete: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the data to be deleted in Okta description: Uploads entities that need to be deleted in Okta from the identity source for the given session operationId: uploadIdentitySourceDataForDelete - parameters: - - $ref: '#/components/parameters/pathIdentitySourceId' - - $ref: '#/components/parameters/pathSessionId' requestBody: content: application/json: @@ -9416,14 +10899,18 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-upsert: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the data to be upserted in Okta description: Uploads entities that need to be upserted in Okta from the identity source for the given session operationId: uploadIdentitySourceDataForUpsert - parameters: - - $ref: '#/components/parameters/pathIdentitySourceId' - - $ref: '#/components/parameters/pathSessionId' requestBody: content: application/json: 
@@ -9446,14 +10933,18 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/start-import: + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Start the import from the Identity Source description: Starts the import from the identity source described by the uploaded bulk operations operationId: startImportFromIdentitySource - parameters: - - $ref: '#/components/parameters/pathIdentitySourceId' - - $ref: '#/components/parameters/pathSessionId' responses: '200': description: Success @@ -9478,6 +10969,10 @@ paths: - okta.identitySources.manage tags: - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/idps: get: summary: List all Identity Providers @@ -9525,6 +11020,9 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Identity Provider description: Creates a new identity provider integration @@ -9555,6 +11053,9 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/credentials/keys: get: summary: List all Credential Keys @@ -9592,6 +11093,9 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an X.509 Certificate Public Key description: Creates a new X.509 certificate credential to the IdP key store. 
@@ -9622,17 +11126,16 @@ paths: - okta.idps.manage tags: - IdentityProvider - /api/v1/idps/credentials/keys/{keyId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/credentials/keys/{idpKeyId}: + parameters: + - $ref: '#/components/parameters/pathIdpKeyId' get: summary: Retrieve an Credential Key description: Retrieves a specific IdP Key Credential by `kid` operationId: getIdentityProviderKey - parameters: - - name: keyId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -9652,16 +11155,13 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Signing Credential Key description: Deletes a specific IdP Key Credential by `kid` if it is not currently being used by an Active or Inactive IdP operationId: deleteIdentityProviderKey - parameters: - - name: keyId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -9678,17 +11178,16 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}: + parameters: + - $ref: '#/components/parameters/pathIdpId' get: summary: Retrieve an Identity Provider description: Retrieves an identity provider integration by `idpId` operationId: getIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -9708,16 +11207,13 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Identity Provider description: Replaces an identity provider integration by `idpId` operationId: replaceIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string x-codegen-request-body-name: identityProvider requestBody: content: 
@@ -9746,16 +11242,13 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Identity Provider description: Deletes an identity provider integration by `idpId` operationId: deleteIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -9772,17 +11265,16 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/csrs: + parameters: + - $ref: '#/components/parameters/pathIdpId' get: summary: List all Certificate Signing Requests description: Lists all Certificate Signing Requests for an IdP operationId: listCsrsForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -9804,16 +11296,13 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Generate a Certificate Signing Request description: Generates a new key pair and returns a Certificate Signing Request for it operationId: generateCsrForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string x-codegen-request-body-name: metadata requestBody: content: 
@@ -9842,22 +11331,17 @@ paths: - okta.idps.manage tags: - IdentityProvider - /api/v1/idps/{idpId}/credentials/csrs/{csrId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathIdpCsrId' get: summary: Retrieve a Certificate Signing Request description: Retrieves a specific Certificate Signing Request model by id operationId: getCsrForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -9877,21 +11361,13 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a Certificate Signing Request description: Revokes a certificate signing request and deletes the key pair from the IdP operationId: revokeCsrForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -9908,22 +11384,17 @@ paths: - okta.idps.manage tags: - IdentityProvider - /api/v1/idps/{idpId}/credentials/csrs/{csrId}/lifecycle/publish: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}/lifecycle/publish: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathIdpCsrId' post: summary: Publish a Certificate Signing Request description: Publishes a certificate signing request with a signed X.509 certificate and adds it into the signing key credentials for the IdP operationId: publishCsrForIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: csrId - in: path - required: true - schema: - type: string requestBody: required: true content: @@ -9963,17 +11434,16 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys: + parameters: + - $ref: '#/components/parameters/pathIdpId' get: summary: List all Signing Credential Keys description: Lists all signing key credentials for an IdP operationId: listIdentityProviderSigningKeys - parameters: - - name: idpId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -9995,17 +11465,17 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys/generate: + parameters: + - $ref: '#/components/parameters/pathIdpId' post: summary: Generate a new Signing Credential Key description: Generates a new X.509 certificate for an IdP signing key credential to be used for signing assertions sent to the IdP operationId: generateIdentityProviderSigningKey parameters: - - name: idpId - in: path - required: true - schema: - type: string - name: validityYears in: query description: expiry of the IdP Key Credential 
@@ -10032,22 +11502,17 @@ paths: - okta.idps.manage tags: - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/{keyId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/keys/{idpKeyId}: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathIdpKeyId' get: summary: Retrieve a Signing Credential Key description: Retrieves a specific IdP Key Credential by `kid` operationId: getIdentityProviderSigningKey - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: keyId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -10067,22 +11532,18 @@ paths: - okta.idps.read tags: - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/{keyId}/clone: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/{idpId}/credentials/keys/{idpKeyId}/clone: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathIdpKeyId' post: summary: Clone a Signing Credential Key description: Clones a X.509 certificate for an IdP signing key credential from a source IdP to target IdP operationId: cloneIdentityProviderKey parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: keyId - in: path - required: true - schema: - type: string - name: targetIdpId in: query required: true @@ -10107,17 +11568,16 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathIdpId' post: summary: Activate an Identity Provider description: Activates an inactive IdP operationId: activateIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -10137,17 +11597,16 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathIdpId' post: summary: Deactivate an Identity Provider description: Deactivates an active IdP operationId: deactivateIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -10167,17 +11626,16 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/users: + parameters: + - $ref: '#/components/parameters/pathIdpId' get: summary: List all Users description: Lists all users linked to the identity provider operationId: listIdentityProviderApplicationUsers - parameters: - - name: idpId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -10199,22 +11657,17 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/users/{userId}: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathUserId' get: summary: Retrieve a User description: Retrieves a linked IdP user by ID operationId: getIdentityProviderApplicationUser - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -10234,21 +11687,13 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Link a User to a Social IdP description: Links an Okta user to an existing Social Identity Provider. This does not support the SAML2 Identity Provider Type operationId: linkUserToIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string x-codegen-request-body-name: userIdentityProviderLinkRequest requestBody: content: @@ -10277,21 +11722,13 @@ paths: - okta.users.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unlink a User from IdP description: Unlinks the link between the Okta user and the IdP user operationId: unlinkUserFromIdentityProvider - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -10308,22 +11745,17 @@ paths: - okta.idps.manage tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/idps/{idpId}/users/{userId}/credentials/tokens: + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathUserId' get: summary: List all Tokens from a OIDC Identity Provider description: Lists the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth operationId: listSocialAuthTokens - parameters: - - name: idpId - in: path - required: true - schema: - type: string - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -10345,6 +11777,9 @@ paths: - okta.idps.read tags: - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks: get: summary: List all Inline Hooks 
@@ -10374,6 +11809,9 @@ paths: - okta.inlineHooks.read tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an Inline Hook description: Creates an inline hook @@ -10404,17 +11842,16 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}: + parameters: + - $ref: '#/components/parameters/pathInlineHookId' get: summary: Retrieve an Inline Hook description: Retrieves an inline hook by `inlineHookId` operationId: getInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -10434,16 +11871,13 @@ paths: - okta.inlineHooks.read tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an Inline Hook description: Replaces an inline hook by `inlineHookId` operationId: replaceInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string x-codegen-request-body-name: inlineHook requestBody: content: @@ -10472,16 +11906,13 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an Inline Hook description: Deletes an inline hook by `inlineHookId`. Once deleted, the Inline Hook is unrecoverable. As a safety precaution, only Inline Hooks with a status of INACTIVE are eligible for deletion. operationId: deleteInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -10498,17 +11929,16 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/execute: + parameters: + - $ref: '#/components/parameters/pathInlineHookId' post: summary: Execute an Inline Hook description: Executes the inline hook by `inlineHookId` using the request body as the input. This will send the provided data through the Channel and return a response if it matches the correct data contract. This execution endpoint should only be used for testing purposes. operationId: executeInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string x-codegen-request-body-name: payloadData requestBody: content: @@ -10537,17 +11967,16 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathInlineHookId' post: summary: Activate an Inline Hook description: Activates the inline hook by `inlineHookId` operationId: activateInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -10567,17 +11996,16 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathInlineHookId' post: summary: Deactivate an Inline Hook description: Deactivates the inline hook by `inlineHookId` operationId: deactivateInlineHook - parameters: - - name: inlineHookId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -10597,24 +12025,23 @@ paths: - okta.inlineHooks.manage tags: - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/logStreams: get: summary: List all Log Streams - description: Lists all log streams. You can request a paginated list or a subset of Log Streams that match a supported filter expression. + description: Lists all Log Stream objects in your org. You can request a paginated list or a subset of Log Streams that match a supported filter expression. operationId: listLogStreams parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' - name: filter in: query - description: SCIM filter expression that filters the results. This expression only supports the `eq` operator on either the `status` or `type`. + description: An expression that [filters](/#filter) the returned objects. You can only use the `eq` operator on either the `status` or `type` properties in the filter expression. schema: type: string - examples: - Filter on type for AWS EventBridge: - value: type eq "aws_eventbridge" - Filter on status for `ACTIVE` Log Streams: - value: status eq "ACTIVE" + example: type eq "aws_eventbridge" responses: '200': description: OK @@ -10623,14 +12050,17 @@ paths: schema: type: array items: - oneOf: &ref_4 + oneOf: &ref_10 - $ref: '#/components/schemas/LogStreamAws' - $ref: '#/components/schemas/LogStreamSplunk' - discriminator: &ref_5 + discriminator: &ref_11 propertyName: type mapping: aws_eventbridge: '#/components/schemas/LogStreamAws' splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunk' + examples: + ExampleGetAllResponse: + $ref: '#/components/examples/LogStreamGetAllResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -10641,20 +12071,24 @@ paths: - okta.logStreams.read tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] post: summary: Create a Log Stream - description: Creates a new log stream + description: Creates a new Log Stream object operationId: createLogStream x-codegen-request-body-name: instance requestBody: content: application/json: schema: - oneOf: *ref_4 - discriminator: *ref_5 + oneOf: *ref_10 + discriminator: *ref_11 examples: - Example Request: - $ref: '#/components/examples/LogStreamRequest' + LogStreamPostRequestExample: + $ref: '#/components/examples/LogStreamPostRequest' required: true responses: '200': @@ -10662,11 +12096,11 @@ paths: content: application/json: schema: - oneOf: *ref_4 - discriminator: *ref_5 + oneOf: *ref_10 + discriminator: *ref_11 examples: - Example Response: - $ref: '#/components/examples/LogStreamResponse' + LogStreamPostResponseExample: + $ref: '#/components/examples/LogStreamPostResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -10686,12 +12120,16 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/logStreams/{logStreamId}: parameters: - $ref: '#/components/parameters/pathLogStreamId' get: summary: Retrieve a Log Stream - description: Retrieves a log stream by `logStreamId` + description: Retrieves a Log Stream object by ID operationId: getLogStream responses: '200': @@ -10699,11 +12137,11 @@ paths: content: application/json: schema: - oneOf: *ref_4 - discriminator: *ref_5 + oneOf: *ref_10 + discriminator: *ref_11 examples: - Example Response: - $ref: '#/components/examples/LogStreamResponse' + LogStreamGetRequestExample: + $ref: '#/components/examples/LogStreamPostResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
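Review bot: The example key added to the `getLogStream` 200 response is named `LogStreamGetRequestExample`, although it labels a response and points at `#/components/examples/LogStreamPostResponse`. A key such as `LogStreamGetResponseExample` would match what it holds. The same kind of mismatch appears in the later `replaceLogStream` response hunk, where `LogStreamPostResponseExample` refers to `#/components/examples/LogStreamPutResponse`. Example keys usually surface as labels in rendered API documentation, so a wrong name is what readers end up seeing.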
@@ -10716,20 +12154,39 @@ paths: - okta.logStreams.read tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] put: summary: Replace a Log Stream - description: Replaces a log stream by `logStreamId` + description: |- + Replaces the Log Stream object properties for a given ID. + + This operation is typically used to update the configuration of a Log Stream. + Depending on the type of Log Stream you want to update, certain properties can't be modified after the Log Stream is initially created. + Use the [Retrieve the Log Stream Schema for the schema type](/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/getLogStreamSchema) request to determine which properties you can update for the specific Log Stream type. + Log Stream properties with the `"writeOnce" : true` attribute can't be updated after creation. + You must still specify these `writeOnce` properties in the request body with the original values in the PUT request. + + > **Note:** You don't have to specify properties that have both the `"writeOnce": true` and the `"writeOnly": true` attributes in the PUT request body. These property values are ignored even if you add them in the PUT request body. operationId: replaceLogStream x-codegen-request-body-name: instance requestBody: content: application/json: schema: - oneOf: *ref_4 - discriminator: *ref_5 + oneOf: + - $ref: '#/components/schemas/LogStreamAwsPutSchema' + - $ref: '#/components/schemas/LogStreamSplunkPutSchema' + discriminator: &ref_20 + propertyName: type + mapping: + aws_eventbridge: '#/components/schemas/LogStreamAwsPutSchema' + splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunkPutSchema' examples: - Example Request: - $ref: '#/components/examples/LogStreamRequest' + LogStreamPutRequestExample: + $ref: '#/components/examples/LogStreamPutRequest' required: true responses: '200': 
@@ -10737,11 +12194,11 @@ paths: content: application/json: schema: - oneOf: *ref_4 - discriminator: *ref_5 + oneOf: *ref_10 + discriminator: *ref_11 examples: - Example Response: - $ref: '#/components/examples/LogStreamResponse' + LogStreamPostResponseExample: + $ref: '#/components/examples/LogStreamPutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -10756,9 +12213,13 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] delete: summary: Delete a Log Stream - description: Deletes a log stream by `logStreamId` + description: Deletes a Log Stream object from your org by ID operationId: deleteLogStream responses: '204': @@ -10783,6 +12244,10 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/logStreams/{logStreamId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathLogStreamId' @@ -10796,11 +12261,11 @@ paths: content: application/json: schema: - oneOf: *ref_4 - discriminator: *ref_5 + oneOf: *ref_10 + discriminator: *ref_11 examples: - Example Response: - $ref: '#/components/examples/LogStreamResponse' + LogStreamActivateResponseExample: + $ref: '#/components/examples/LogStreamActivateResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -10813,6 +12278,10 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/logStreams/{logStreamId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathLogStreamId' 
@@ -10826,11 +12295,11 @@ paths: content: application/json: schema: - oneOf: *ref_4 - discriminator: *ref_5 + oneOf: *ref_10 + discriminator: *ref_11 examples: - Example Response: - $ref: '#/components/examples/LogStreamResponse' + LogStreamDeactivateResponseExample: + $ref: '#/components/examples/LogStreamDeactivateResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -10843,6 +12312,10 @@ paths: - okta.logStreams.manage tags: - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/logs: get: summary: List all System Log Events 
@@ -10900,31 +12373,43 @@ paths: - okta.logs.read tags: - SystemLog + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/mappings: get: summary: List all Profile Mappings - description: Lists all profile mappings with pagination + description: |- + Lists all profile mappings in your organization with [pagination](https://developer.okta.com/docs/api/#pagination). You can return a subset of profile mappings that match a supported `sourceId` and/or `targetId`. + The results are [paginated](/#pagination) according to the limit parameter. If there are multiple pages of results, the Link header contains a `next` link that should be treated as an opaque value (follow it, don't parse it). + + The response is a collection of profile mappings that include a subset of the profile mapping object's parameters. The profile mapping object describes + the properties mapping between an Okta User and an App User Profile using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). operationId: listProfileMappings parameters: - name: after in: query + description: Mapping `id` that specifies the pagination cursor for the next page of mappings schema: type: string - name: limit in: query + description: Specifies the number of results per page (maximum 200) schema: type: integer format: int32 - default: -1 + default: 20 - name: sourceId in: query + description: The UserType or App Instance `id` that acts as the source of expressions in a mapping. If this parameter is included, all returned mappings have this as their `source.id`. schema: type: string - name: targetId in: query + description: The UserType or App Instance `id` that acts as the target of expressions in a mapping. If this parameter is included, all returned mappings have this as their `target.id`. schema: type: string - default: '' responses: '200': description: Success 
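Review bot: Changing the `limit` default of `listProfileMappings` from `-1` to `20` (maximum 200) means a caller that reads one response and stops may now see only the first page, assuming the spec reflects server behaviour. Anything that enumerates mappings for review or audit should follow the `next` Link header until it is absent, and the migration notes should say so. Whether the generated client pages on its own is not visible from this hunk. The new description also links pagination twice, once as `https://developer.okta.com/docs/api/#pagination` and once as the relative `/#pagination`, which will not resolve outside the docs site, so keeping only the absolute link would be cleaner.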
@@ -10933,7 +12418,11 @@ paths: schema: type: array items: - $ref: '#/components/schemas/ProfileMapping' + $ref: '#/components/schemas/ListProfileMappings' + examples: + MappingList: + summary: List all Profile Mappings response + $ref: '#/components/examples/ListMappingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -10944,17 +12433,17 @@ paths: - okta.profileMappings.read tags: - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/mappings/{mappingId}: + parameters: + - $ref: '#/components/parameters/pathMappingId' get: summary: Retrieve a Profile Mapping description: Retrieves a single Profile Mapping referenced by its ID operationId: getProfileMapping - parameters: - - name: mappingId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -10962,6 +12451,10 @@ paths: application/json: schema: $ref: '#/components/schemas/ProfileMapping' + examples: + MappingRetrieve: + summary: Retrieve a single Profile Mapping + $ref: '#/components/examples/RetrieveMappingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -10974,22 +12467,27 @@ paths: - okta.profileMappings.read tags: - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] post: summary: Update a Profile Mapping - description: Updates an existing Profile Mapping by adding, updating, or removing one or many Property Mappings + description: Updates an existing profile mapping by adding, updating, or removing one or many property mappings operationId: updateProfileMapping - parameters: - - name: mappingId - in: path - required: true - schema: - type: string x-codegen-request-body-name: profileMapping requestBody: content: application/json: schema: - $ref: '#/components/schemas/ProfileMapping' + $ref: '#/components/schemas/ProfileMappingRequest' + examples: + Addpropertymapping: + $ref: '#/components/examples/AddMappingBody' + Updatepropertymapping: + $ref: '#/components/examples/UpdateMappingBody' + Removepropertymapping: + $ref: '#/components/examples/RemoveMappingBody' required: true responses: '200': @@ -10998,6 +12496,16 @@ paths: application/json: schema: $ref: '#/components/schemas/ProfileMapping' + examples: + Addpropertymapping: + summary: Update an existing profile mapping by adding one or more properties + $ref: '#/components/examples/AddMappingResponse' + Updatepropertymapping: + summary: Update an existing profile mapping by updating one or more properties + $ref: '#/components/examples/UpdateMappingResponse' + Removepropertymapping: + summary: Update an existing profile mapping by removing one or more properties + $ref: '#/components/examples/RemoveMappingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -11012,47 +12520,25 @@ paths: - okta.profileMappings.manage tags: - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/meta/layouts/apps/{appName}: - get: - summary: Retrieve the UI Layout for an Application - description: Retrieves the UI layout for an application by `appName` - operationId: getApplicationLayout - parameters: - - name: appName - in: path - required: true - schema: - type: string - responses: - '200': - description: successful operation - content: - application/json: - schema: - $ref: '#/components/schemas/ApplicationLayout' - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - apiToken: [] - - oauth2: - - okta.schemas.read - tags: - - Schema - /api/v1/meta/schemas/apps/{appInstanceId}/default: + parameters: + - $ref: '#/components/parameters/pathAppName' + /api/v1/meta/layouts/apps/{appName}/sections/{section}/{operation}: + parameters: + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathSection' + - $ref: '#/components/parameters/pathOperation' + /api/v1/meta/schemas/apps/{appId}/default: + parameters: + - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve the default Application User Schema for an Application description: Retrieves the Schema for an App User operationId: getApplicationUserSchema - parameters: - - name: appInstanceId - in: path - required: true - schema: - type: string responses: '200': description: successful operation 
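Review bot: After this hunk, `/api/v1/meta/layouts/apps/{appName}` and the new `/api/v1/meta/layouts/apps/{appName}/sections/{section}/{operation}` contain only a `parameters` list and no operation. The generator has nothing to emit for either path, and `getApplicationLayout` disappears from the client. If the operations are meant to be absent, dropping both path items removes dead entries and the `pathAppName`, `pathSection` and `pathOperation` references that must otherwise resolve; if they are meant to exist, they are missing here. The removal of `getApplicationLayout` and the `{appInstanceId}` to `{appId}` rename both look caller-visible and belong in MIGRATING.md.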
@@ -11072,16 +12558,13 @@ paths: - okta.schemas.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update the default Application User Schema for an Application description: Partially updates on the User Profile properties of the Application User Schema operationId: updateApplicationUserProfile - parameters: - - name: appInstanceId - in: path - required: true - schema: - type: string x-codegen-request-body-name: body requestBody: content: @@ -11116,6 +12599,9 @@ paths: - okta.schemas.manage tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/schemas/group/default: get: summary: Retrieve the default Group Schema @@ -11142,6 +12628,9 @@ paths: - okta.schemas.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update the default Group Schema description: Updates the default group schema. This updates, adds, or removes one or more custom Group Profile properties in the schema. @@ -11176,6 +12665,9 @@ paths: - okta.schemas.manage tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/schemas/logStream: get: summary: List the Log Stream Schemas 
@@ -11203,13 +12695,13 @@ paths: - okta.logStreams.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/meta/schemas/logStream/{logStreamType}: parameters: - - name: logStreamType - in: path - required: true - schema: - $ref: '#/components/schemas/LogStreamType' + - $ref: '#/components/parameters/pathLogStreamType' get: summary: Retrieve the Log Stream Schema for the schema type description: Retrieves the schema for a Log Stream type. The `logStreamType` element in the URL specifies the Log Stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal retrieve the Splunk Cloud type schema. @@ -11238,6 +12730,10 @@ paths: - okta.logStreams.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/meta/schemas/user/linkedObjects: get: summary: List all Linked Object Definitions @@ -11262,6 +12758,9 @@ paths: - okta.linkedObjects.read tags: - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Linked Object Definition description: Creates a linked object definition @@ -11292,13 +12791,12 @@ paths: - okta.linkedObjects.manage tags: - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}: parameters: - - name: linkedObjectName - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/pathLinkedObjectName' get: summary: Retrieve a Linked Object Definition description: Retrieves a linked object definition @@ -11322,6 +12820,9 @@ paths: - okta.linkedObjects.read tags: - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Linked Object Definition description: Deletes a linked object definition 
@@ -11342,13 +12843,12 @@ paths: - okta.linkedObjects.manage tags: - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/schemas/user/{schemaId}: parameters: - - name: schemaId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/pathSchemaId' get: summary: Retrieve a User Schema description: Retrieves the schema for a Schema Id @@ -11375,6 +12875,9 @@ paths: - okta.schemas.read tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update a User Schema description: Partially updates on the User Profile properties of the user schema @@ -11413,6 +12916,9 @@ paths: - okta.schemas.manage tags: - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/types/user: get: summary: List all User Types @@ -11427,6 +12933,9 @@ paths: type: array items: $ref: '#/components/schemas/UserType' + examples: + ListsAllUserTypes: + $ref: '#/components/examples/ListsAllUserTypes' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -11437,9 +12946,14 @@ paths: - okta.userTypes.read tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a User Type - description: Creates a new User Type. A default User Type is automatically created along with your org, and you may add another 9 User Types for a maximum of 10. + description: |- + Creates a new User Type. Okta automatically creates a `default` User Type for your org. You may add up to nine additional User Types. + > **Note**: New User Types are based on the current default schema template. Modifications to this schema do not automatically propagate to previously created User Types. operationId: createUserType x-codegen-request-body-name: userType requestBody: 
@@ -11447,6 +12961,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserType' + examples: + CreateUserRequest: + $ref: '#/components/examples/CreateUserRequest' required: true responses: '200': @@ -11455,6 +12972,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserType' + examples: + CreateUserResponse: + $ref: '#/components/examples/CreateUserResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11467,16 +12987,15 @@ paths: - okta.userTypes.manage tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/meta/types/user/{typeId}: parameters: - - name: typeId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/pathTypeId' get: summary: Retrieve a User Type - description: Retrieves a User Type by ID. The special identifier `default` may be used to fetch the default User Type. + description: Retrieves a User Type by ID. Use `default` to fetch the default User Type. operationId: getUserType responses: '200': @@ -11485,6 +13004,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserType' + examples: + GetUserResponse: + $ref: '#/components/examples/GetUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -11497,16 +13019,24 @@ paths: - okta.userTypes.read tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update a User Type - description: Updates an existing User Type + description: |- + Updates an existing User Type. + > **Note**: You can only update the `displayName` and `description` elements. The `name` of an existing User Type can't be changed. operationId: updateUserType x-codegen-request-body-name: userType requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserType' + $ref: '#/components/schemas/UserTypePostRequest' + examples: + UpdateUserTypePostRequest: + $ref: '#/components/examples/UpdateUserTypePostRequest' required: true responses: '200': @@ -11515,6 +13045,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserType' + examples: + UpdateUserTypePutRequest: + $ref: '#/components/examples/UpdateUserTypePostResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11529,17 +13062,24 @@ paths: - okta.userTypes.manage tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a User Type - description: Replaces an existing user type + description: |- + Replaces an existing User Type. + > **Note**: The `name` of an existing User Type can't be changed, but must be part of the request body. You can only replace the `displayName` and `description` elements. operationId: replaceUserType x-codegen-request-body-name: userType requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserType' - required: true + $ref: '#/components/schemas/UserTypePutRequest' + examples: + ReplaceUserTypePutRequest: + $ref: '#/components/examples/ReplaceUserTypePutRequest' responses: '200': description: Success 
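Review bot: The `replaceUserType` request body loses `required: true` in the last hunk on this line, although the new description says `name` must be part of the request body. Without the flag the spec treats the body as optional, so the generated client will probably accept a call with no payload and leave the rejection to the server. Keep `required: true` under `requestBody`, after the new `examples` block, as `updateUserType` in the first hunk on this line still does. The `put` operation continues past the end of this hunk.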
@@ -11547,6 +13087,9 @@ paths: application/json: schema: $ref: '#/components/schemas/UserType' + examples: + ReplaceUserTypePutResponse: + $ref: '#/components/examples/ReplaceUserTypePutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -11561,9 +13104,14 @@ paths: - okta.userTypes.manage tags: - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a User Type - description: Deletes a User Type permanently. This operation is not permitted for the default type, nor for any User Type that has existing users + description: |- + Deletes a User Type permanently. + > **Note**: You can't delete the default User Type or a User Type that is currently assigned to users. operationId: deleteUserType responses: '204': @@ -11581,19 +13129,27 @@ paths: - okta.userTypes.manage tags: - UserType - /api/v1/org: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/uischemas: get: - summary: Retrieve the Org Settings - description: Retrieves the org settings - operationId: getOrgSettings - parameters: [] + summary: List all UI Schemas + description: Lists all UI Schemas in your org + operationId: listUISchemas responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OrgSetting' + type: array + items: + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UIISchemaList: + summary: Lists all UI Schemas response + $ref: '#/components/examples/ListUISchemaResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
@@ -11601,25 +13157,38 @@ paths: security: - apiToken: [] - oauth2: - - okta.orgs.read + - okta.uischemas.read tags: - - OrgSetting + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: - summary: Update the Org Settings - description: Partially updates the org settings depending on provided fields - operationId: updateOrgSettings + summary: Create a UI Schema + description: Creates an input for an enrollment form + operationId: createUISchema + x-codegen-request-body-name: uischemabody requestBody: content: application/json: schema: - $ref: '#/components/schemas/OrgSetting' + $ref: '#/components/schemas/CreateUISchema' + examples: + UISchemaCreate: + $ref: '#/components/examples/CreateUISchemaBody' + required: true responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/OrgSetting' + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaCreate: + $ref: '#/components/examples/CreateUISchemaResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -11629,12 +13198,179 @@ paths: security: - apiToken: [] - oauth2: - - okta.orgs.manage + - okta.uischemas.manage tags: - - OrgSetting - put: - summary: Replace the Org Settings - description: Replaces the settings of your organization + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/meta/uischemas/{id}: + parameters: + - $ref: '#/components/parameters/UISchemaId' + get: + summary: Retrieve a UI Schema + description: Retrieves a UI Schema by `id` + operationId: getUISchema + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaRetrieve: + summary: Retrieves a UI Schema response + $ref: '#/components/examples/RetrieveUISchemaResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.uischemas.read + tags: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a UI Schema + description: Replaces a UI Schema by `id` + operationId: replaceUISchemas + x-codegen-request-body-name: updateUISchemaBody + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateUISchema' + examples: + UISchemaPUT: + $ref: '#/components/examples/CreateUISchemaBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaUpdate: + $ref: '#/components/examples/CreateUISchemaResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.uischemas.manage + tags: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a UI Schema + description: Deletes a UI Schema by `id` + operationId: deleteUISchemas + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.uischemas.manage + tags: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/org: + get: + summary: Retrieve the Org Settings + description: Retrieves the org settings + operationId: getOrgSettings + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the Org Settings + description: Partially updates the org settings depending on provided fields + operationId: updateOrgSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgSetting' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgSetting' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Org Settings + description: Replaces the settings of your organization operationId: replaceOrgSettings x-codegen-request-body-name: orgSetting requestBody: 
@@ -11662,6 +13398,121 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/captcha: + get: + summary: Retrieve the Org-wide CAPTCHA Settings + description: |- + Retrieves the CAPTCHA settings object for your organization. + > **Note**: If the current organization hasn't configured CAPTCHA Settings, the request returns an empty object. + operationId: getOrgCaptchaSettings + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + configured: + $ref: '#/components/examples/OrgCAPTCHASettingsConfigured' + empty: + $ref: '#/components/examples/OrgCAPTCHASettingsEmpty' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.read + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Org-wide CAPTCHA Settings + description: |- + Replaces the CAPTCHA settings object for your organization. + > **Note**: You can disable CAPTCHA for your organization by setting `captchaId` and `enabledPages` to `null`. 
+ operationId: replacesOrgCaptchaSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + Update: + $ref: '#/components/examples/OrgCAPTCHASettingsUpdate' + Disable: + $ref: '#/components/examples/OrgCAPTCHASettingsDisable' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + Update: + $ref: '#/components/examples/OrgCAPTCHASettingsUpdated' + Disable: + $ref: '#/components/examples/OrgCAPTCHASettingsDisabled' + '400': + description: Bad Request + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorCAPTCHAOrgWideSettingNull' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete the Org-wide CAPTCHA Settings + description: Deletes the CAPTCHA settings object for your organization + operationId: deleteOrgCaptchaSettings + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/org/contacts: get: summary: Retrieve the Org Contact Types 
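Review bot: The operationId `replacesOrgCaptchaSettings` on the new `put` under `/api/v1/org/captcha` breaks the naming used by its siblings (`getOrgCaptchaSettings`, `deleteOrgCaptchaSettings`, `replaceOrgSettings`, `replaceUserType`). The operationId becomes the exported method name in the generated client, so the extra `s` would ship as public API in 4.0.0 and be awkward to rename later. Suggest `operationId: replaceOrgCaptchaSettings`.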
@@ -11687,17 +13538,16 @@ paths: - okta.orgs.read tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/contacts/{contactType}: + parameters: + - $ref: '#/components/parameters/pathContactType' get: summary: Retrieve the User of the Contact Type description: Retrieves the URL of the User associated with the specified Contact Type operationId: getOrgContactUser - parameters: - - in: path - name: contactType - required: true - schema: - type: string responses: '200': description: Success @@ -11717,16 +13567,13 @@ paths: - okta.orgs.read tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the User of the Contact Type description: Replaces the User associated with the specified Contact Type operationId: replaceOrgContactUser - parameters: - - in: path - name: contactType - required: true - schema: - type: string x-codegen-request-body-name: orgContactUser requestBody: content: @@ -11755,6 +13602,9 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/email/bounces/remove-list: post: summary: Remove Emails from Email Provider Bounce List @@ -11799,6 +13649,9 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/logo: post: summary: Upload the Org Logo 
@@ -11832,6 +13685,60 @@ paths: - okta.apps.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/orgSettings/thirdPartyAdminSetting: + get: + summary: Retrieve the Org Third-Party Admin setting + description: Retrieves the Third-Party Admin setting + operationId: getThirdPartyAdminSetting + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the Org Third-Party Admin setting + description: Updates the Third-Party Admin setting + operationId: updateThirdPartyAdminSetting + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/preferences: get: summary: Retrieve the Org Preferences @@ -11855,6 +13762,9 @@ paths: - okta.orgs.read tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/preferences/hideEndUserFooter: post: summary: Update the Preference to Hide the Okta Dashboard Footer @@ -11878,6 +13788,9 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/preferences/showEndUserFooter: post: summary: Update the Preference to Show the Okta Dashboard Footer 
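Review bot: The new `post` for `updateThirdPartyAdminSetting` declares `parameters: []` and no `requestBody`, so the spec gives a caller no way to state the value being set and the generated method will take no payload. This is an org-level admin setting behind `okta.orgs.manage`, so an SDK user should be able to see what a call changes before making it. Either add a `requestBody` with `required: true` that references the `ThirdPartyAdminSetting` schema already used for the response, plus a `'400'` response, or state in `description` that the call takes no body and what it does. Which of the two matches the service cannot be told from this hunk.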
@@ -11901,6 +13814,9 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication: get: summary: Retrieve the Okta Communication Settings @@ -11924,6 +13840,9 @@ paths: - okta.orgs.read tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optIn: post: summary: Opt in all Users to Okta Communication emails @@ -11947,6 +13866,9 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optOut: post: summary: Opt out all Users from Okta Communication emails @@ -11970,6 +13892,9 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport: get: summary: Retrieve the Okta Support Settings @@ -11993,6 +13918,9 @@ paths: - okta.orgs.read tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/extend: post: summary: Extend Okta Support Access @@ -12016,6 +13944,9 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/grant: post: summary: Grant Okta Support Access to your Org @@ -12039,6 +13970,9 @@ paths: - okta.orgs.manage tags: - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/revoke: post: summary: Revoke Okta Support Access 
@@ -12062,49 +13996,105 @@ paths: - okta.orgs.manage tags: - OrgSetting - /api/v1/policies: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/settings/clientPrivilegesSetting: get: - summary: List all Policies - description: Lists all policies with the specified type - operationId: listPolicies - parameters: - - name: type - in: query - required: true - schema: - type: string - - name: status - in: query - schema: - type: string - - name: expand - in: query - schema: - type: string - default: '' + summary: Retrieve the Org settings to assign the Super Admin role + description: Retrieves the Org settings to assign the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) by default to a public client app + operationId: getClientPrivilegesSetting + parameters: [] responses: '200': description: Success content: application/json: schema: - type: array - items: - oneOf: &ref_6 - - $ref: '#/components/schemas/AccessPolicy' - - $ref: '#/components/schemas/IdentityProviderPolicy' - - $ref: '#/components/schemas/MultifactorEnrollmentPolicy' - - $ref: '#/components/schemas/AuthorizationServerPolicy' + $ref: '#/components/schemas/ClientPrivilegesSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Assign the Super Admin role to a public client app + description: Assigns the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) by default to a public client app + operationId: assignClientPrivilegesSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/ClientPrivilegesSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSetting + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies: + get: + summary: List all Policies + description: Lists all policies with the specified type + operationId: listPolicies + parameters: + - name: type + in: query + required: true + schema: + type: string + - name: status + in: query + schema: + type: string + - name: expand + in: query + schema: + type: string + default: '' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + oneOf: &ref_12 + - $ref: '#/components/schemas/AccessPolicy' + - $ref: '#/components/schemas/IdpDiscoveryPolicy' + - $ref: '#/components/schemas/MultifactorEnrollmentPolicy' - $ref: '#/components/schemas/OktaSignOnPolicy' - $ref: '#/components/schemas/PasswordPolicy' - $ref: '#/components/schemas/ProfileEnrollmentPolicy' - discriminator: &ref_7 + discriminator: &ref_13 propertyName: type mapping: ACCESS_POLICY: '#/components/schemas/AccessPolicy' - IDP_DISCOVERY: '#/components/schemas/IdentityProviderPolicy' + IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy' MFA_ENROLL: '#/components/schemas/MultifactorEnrollmentPolicy' - OAUTH_AUTHORIZATION_POLICY: '#/components/schemas/AuthorizationServerPolicy' OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' PASSWORD: '#/components/schemas/PasswordPolicy' PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' @@ -12118,6 +14108,9 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Policy description: Creates a policy 
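Review bot: The `requestBody` of `assignClientPrivilegesSetting`, the new `put` under `/api/v1/org/settings/clientPrivilegesSetting`, has no `required: true`, and the operation declares no `'400'` response. This call controls whether a public client app is given the Super Admin role by default, so the spec and the generated client should not treat an omitted body as a valid request. Add `required: true` under `requestBody` and a `'400':` entry with `$ref: '#/components/responses/ErrorApiValidationFailed400'`, as `createUISchema` has.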
@@ -12133,8 +14126,8 @@ paths: content: application/json: schema: - oneOf: *ref_6 - discriminator: *ref_7 + oneOf: *ref_12 + discriminator: *ref_13 required: true responses: '200': @@ -12142,8 +14135,8 @@ paths: content: application/json: schema: - oneOf: *ref_6 - discriminator: *ref_7 + oneOf: *ref_12 + discriminator: *ref_13 '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -12156,17 +14149,65 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/simulate: + parameters: + - $ref: '#/components/parameters/simulateParameter' + post: + summary: Create a Policy Simulation + description: |- + Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration. + The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow. + operationId: createPolicySimulation + x-codegen-request-body-name: simulatePolicy + requestBody: + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SimulatePolicyBody' + examples: + SimulatePolicy: + $ref: '#/components/examples/SimulatePolicyBody' + required: true + responses: + '204': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SimulatePolicyResponse' + examples: + SimulatePolicy: + $ref: '#/components/examples/SimulatePolicyResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/policies/{policyId}: + parameters: + - $ref: '#/components/parameters/pathPolicyId' get: summary: Retrieve a Policy description: Retrieves a policy operationId: getPolicy parameters: - - name: policyId - in: path - required: true - schema: - type: string - name: expand in: query schema: 
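Review bot: `createPolicySimulation` documents its success response under `'204'` but attaches an `application/json` body with the `SimulatePolicyResponse` schema and an example. A 204 response carries no content, so a generated client may skip decoding the result or treat the status the service really returns as unexpected. If the endpoint returns the simulation result, as the schema and example suggest, the key should be `'200':`. If it truly returns 204, drop the `content` block instead.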
@@ -12178,8 +14219,8 @@ paths: content: application/json: schema: - oneOf: *ref_6 - discriminator: *ref_7 + oneOf: *ref_12 + discriminator: *ref_13 '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12192,23 +14233,20 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Policy - description: Replaces a policy + description: Replaces the properties of a Policy identified by `policyId` operationId: replacePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string x-codegen-request-body-name: policy requestBody: content: application/json: schema: - oneOf: *ref_6 - discriminator: *ref_7 + oneOf: *ref_12 + discriminator: *ref_13 required: true responses: '200': @@ -12216,8 +14254,8 @@ paths: content: application/json: schema: - oneOf: *ref_6 - discriminator: *ref_7 + oneOf: *ref_12 + discriminator: *ref_13 '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -12232,16 +14270,13 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Policy description: Deletes a policy operationId: deletePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -12257,25 +14292,60 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/app: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + get: + deprecated: true + summary: List all Applications mapped to a Policy + description: |- + Lists all applications mapped to a policy identified by `policyId` + + > **Note:** Use [List all resources mapped to a Policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyMappings) to list all applications mapped to a policy. + operationId: listPolicyApps + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + oneOf: *ref_0 + discriminator: *ref_1 + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/clone: + parameters: + - $ref: '#/components/parameters/pathPolicyId' post: - summary: Clone an existing policy + summary: Clone an existing Policy description: Clones an existing policy operationId: clonePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string responses: '200': description: Success content: application/json: schema: - oneOf: *ref_6 - discriminator: *ref_7 + oneOf: *ref_12 + discriminator: *ref_13 '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -12290,17 +14360,18 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/policies/{policyId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathPolicyId' post: summary: Activate a Policy description: Activates a policy operationId: activatePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -12317,17 +14388,16 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathPolicyId' post: summary: Deactivate a Policy description: Deactivates a policy operationId: deactivatePolicy - parameters: - - name: policyId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -12344,17 +14414,16 @@ paths: - okta.policies.manage tags: - Policy - /api/v1/policies/{policyId}/rules: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/mappings: + parameters: + - $ref: '#/components/parameters/pathPolicyId' get: - summary: List all Policy Rules - description: Lists all policy rules - operationId: listPolicyRules - parameters: - - name: policyId - in: path - required: true - schema: - type: string + summary: List all resources mapped to a Policy + description: Lists all resources mapped to a Policy identified by `policyId` + operationId: listPolicyMappings responses: '200': description: Success 
@@ -12363,20 +14432,7 @@ paths: schema: type: array items: - oneOf: &ref_8 - - $ref: '#/components/schemas/AccessPolicyRule' - - $ref: '#/components/schemas/PasswordPolicyRule' - - $ref: '#/components/schemas/ProfileEnrollmentPolicyRule' - - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - - $ref: '#/components/schemas/OktaSignOnPolicyRule' - discriminator: &ref_9 - propertyName: type - mapping: - ACCESS_POLICY: '#/components/schemas/AccessPolicyRule' - PASSWORD: '#/components/schemas/PasswordPolicyRule' - PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule' - RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule' - SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' + $ref: '#/components/schemas/PolicyMapping' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -12389,23 +14445,18 @@ paths: - okta.policies.read tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - summary: Create a Policy Rule - description: Creates a policy rule - operationId: createPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policyRule + summary: Map a resource to a Policy + description: Maps a resource to a Policy identified by `policyId` + operationId: mapResourceToPolicy requestBody: content: application/json: schema: - oneOf: *ref_8 - discriminator: *ref_9 + $ref: '#/components/schemas/PolicyMappingRequest' required: true responses: '200': @@ -12413,8 +14464,7 @@ paths: content: application/json: schema: - oneOf: *ref_8 - discriminator: *ref_9 + $ref: '#/components/schemas/PolicyMapping' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -12429,30 +14479,24 @@ paths: - okta.policies.manage tags: - Policy - /api/v1/policies/{policyId}/rules/{ruleId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/mappings/{mappingId}: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathPolicyMappingId' get: - summary: Retrieve a Policy Rule - description: Retrieves a policy rule - operationId: getPolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string + summary: Retrieve a policy resource Mapping + description: Retrieves a resource Mapping for a Policy identified by `policyId` and `mappingId` + operationId: getPolicyMapping responses: '200': description: Success content: application/json: schema: - oneOf: *ref_8 - discriminator: *ref_9 + $ref: '#/components/schemas/PolicyMapping' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -12465,37 +14509,223 @@ paths: - okta.policies.read tags: - Policy - put: - summary: Replace a Policy Rule - description: Replaces a policy rules - operationId: replacePolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string - x-codegen-request-body-name: policyRule - requestBody: - content: - application/json: - schema: - oneOf: *ref_8 - discriminator: *ref_9 - required: true + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a policy resource Mapping + description: Deletes the resource Mapping for a Policy identified by `policyId` and `mappingId` + operationId: deletePolicyResourceMapping responses: - '200': - description: Success - content: - application/json: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/rules: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + get: + summary: List all Policy Rules + description: Lists all policy rules + operationId: listPolicyRules + responses: + '200': + description: Success + content: + application/json: schema: - oneOf: *ref_8 - discriminator: *ref_9 + type: array + items: + oneOf: &ref_14 + - $ref: '#/components/schemas/AccessPolicyRule' + - $ref: '#/components/schemas/PasswordPolicyRule' + - $ref: '#/components/schemas/ProfileEnrollmentPolicyRule' + - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + - $ref: '#/components/schemas/OktaSignOnPolicyRule' + - $ref: '#/components/schemas/IdpDiscoveryPolicyRule' + discriminator: &ref_15 + propertyName: type + mapping: + 
ACCESS_POLICY: '#/components/schemas/AccessPolicyRule' + PASSWORD: '#/components/schemas/PasswordPolicyRule' + PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule' + RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule' + SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' + IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Policy Rule + description: Creates a policy rule + operationId: createPolicyRule + x-codegen-request-body-name: policyRule + requestBody: + content: + application/json: + schema: + oneOf: *ref_14 + discriminator: *ref_15 + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up' + Enable2FAPreciseAuth: + $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: *ref_14 + discriminator: *ref_15 + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-response' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-response' + EnableSsprNoStepUp: + 
$ref: '#/components/examples/sspr-enabled-no-step-up-response' + Enable2FAPreciseAuth: + $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing-response' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/{policyId}/rules/{ruleId}: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + get: + summary: Retrieve a Policy Rule + description: Retrieves a policy rule + operationId: getPolicyRule + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: *ref_14 + discriminator: *ref_15 + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-update' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-update' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-update' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + 
lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a Policy Rule + description: Replaces the properties for a Policy Rule identified by `policyId` and `ruleId` + operationId: replacePolicyRule + x-codegen-request-body-name: policyRule + requestBody: + content: + application/json: + schema: + oneOf: *ref_14 + discriminator: *ref_15 + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-update' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-update' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-update' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: *ref_14 + discriminator: *ref_15 + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-response' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-response' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-response' + EnableSsprWithConstraints: + $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -12510,21 +14740,13 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Policy Rule - description: Deletes a policy rule + description: Deletes a Policy Rule identified by `policyId` and `ruleId` operationId: deletePolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
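Review bot: The `200` response added for `getPolicyRule` takes its four examples from the `-update` entries (for instance `sspr-enabled-sq-step-up-update`), which are the same entries `replacePolicyRule` uses for its request body. Every other response in this hunk points at the `-response` variants. If the `-update` examples are request-shaped, which their reuse suggests but which cannot be confirmed from this hunk, the documented GET response will lack the server-populated fields. Pointing them at the matching response entries, e.g. `$ref: '#/components/examples/sspr-enabled-sq-step-up-response'`, would keep the reference consistent. Separately, `deletePolicyResourceMapping` breaks the naming used by `getPolicyMapping` and `listPolicyMappings`, which will presumably show up in the generated method names.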
@@ -12541,22 +14763,17 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' post: summary: Activate a Policy Rule - description: Activates a policy rule + description: Activates a Policy Rule identified by `policyId` and `ruleId` operationId: activatePolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -12572,22 +14789,17 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' post: summary: Deactivate a Policy Rule - description: Deactivates a policy rule + description: Deactivates a Policy Rule identified by `policyId` and `ruleId` operationId: deactivatePolicyRule - parameters: - - name: policyId - in: path - required: true - schema: - type: string - - name: ruleId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -12603,6 +14815,9 @@ paths: - okta.policies.manage tags: - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/principal-rate-limits: get: summary: List all Principal Rate Limits @@ -12645,6 +14860,9 @@ paths: - okta.principalRateLimits.read tags: - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Principal Rate Limit description: Creates a new Principal Rate Limit entity. In the current release, we only allow one Principal Rate Limit entity per org and principal. 
@@ -12685,6 +14903,9 @@ paths: - okta.principalRateLimits.manage tags: - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/principal-rate-limits/{principalRateLimitId}: parameters: - $ref: '#/components/parameters/pathPrincipalRateLimitId' @@ -12714,6 +14935,9 @@ paths: - okta.principalRateLimits.read tags: - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Principal Rate Limit description: Replaces a principal rate limit entity by `principalRateLimitId` @@ -12754,6 +14978,9 @@ paths: - okta.principalRateLimits.manage tags: - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/push-providers: get: summary: List all Push Providers @@ -12773,10 +15000,10 @@ paths: schema: type: array items: - oneOf: &ref_10 + oneOf: &ref_16 - $ref: '#/components/schemas/APNSPushProvider' - $ref: '#/components/schemas/FCMPushProvider' - discriminator: &ref_11 + discriminator: &ref_17 propertyName: providerType mapping: APNS: '#/components/schemas/APNSPushProvider' @@ -12791,6 +15018,11 @@ paths: - okta.pushProviders.read tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine post: summary: Create a Push Provider description: Creates a new push provider @@ -12800,8 +15032,8 @@ paths: content: application/json: schema: - oneOf: *ref_10 - discriminator: *ref_11 + oneOf: *ref_16 + discriminator: *ref_17 examples: APNs: $ref: '#/components/examples/PushProviderAPNsRequest' @@ -12814,8 +15046,8 @@ paths: content: application/json: schema: - oneOf: *ref_10 - discriminator: *ref_11 + oneOf: *ref_16 + discriminator: *ref_17 examples: APNs: $ref: '#/components/examples/PushProviderAPNsResponse' 
@@ -12833,21 +15065,26 @@ paths: - okta.pushProviders.manage tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/push-providers/{pushProviderId}: + parameters: + - $ref: '#/components/parameters/pathPushProviderId' get: summary: Retrieve a Push Provider description: Retrieves a push provider by `pushProviderId` operationId: getPushProvider - parameters: - - $ref: '#/components/parameters/pathPushProviderId' responses: '200': description: OK content: application/json: schema: - oneOf: *ref_10 - discriminator: *ref_11 + oneOf: *ref_16 + discriminator: *ref_17 examples: APNs: $ref: '#/components/examples/PushProviderAPNsResponse' @@ -12865,19 +15102,22 @@ paths: - okta.pushProviders.read tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine put: summary: Replace a Push Provider description: Replaces a push provider by `pushProviderId` operationId: replacePushProvider - parameters: - - $ref: '#/components/parameters/pathPushProviderId' x-codegen-request-body-name: pushProvider requestBody: content: application/json: schema: - oneOf: *ref_10 - discriminator: *ref_11 + oneOf: *ref_16 + discriminator: *ref_17 examples: APNs: $ref: '#/components/examples/PushProviderAPNsRequest' @@ -12890,8 +15130,8 @@ paths: content: application/json: schema: - oneOf: *ref_10 - discriminator: *ref_11 + oneOf: *ref_16 + discriminator: *ref_17 examples: APNs: $ref: '#/components/examples/PushProviderAPNsResponse' 
@@ -12911,12 +15151,15 @@ paths: - okta.pushProviders.manage tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine delete: summary: Delete a Push Provider description: Deletes a push provider by `pushProviderId`. If the push provider is currently being used in the org by a custom authenticator, the delete will not be allowed. operationId: deletePushProvider - parameters: - - $ref: '#/components/parameters/pathPushProviderId' responses: '204': description: No Content @@ -12942,6 +15185,11 @@ paths: - okta.pushProviders.manage tags: - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/rate-limit-settings/admin-notifications: get: summary: Retrieve the Rate Limit Admin Notification Settings @@ -12969,6 +15217,9 @@ paths: - okta.rateLimits.read tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Rate Limit Admin Notification Settings description: Replaces the Rate Limit Admin Notification Settings and returns the configured properties @@ -13009,6 +15260,9 @@ paths: - okta.rateLimits.manage tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/rate-limit-settings/per-client: get: summary: Retrieve the Per-Client Rate Limit Settings @@ -13038,6 +15292,9 @@ paths: - okta.rateLimits.read tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the Per-Client Rate Limit Settings description: Replaces the Per-Client Rate Limit Settings and returns the configured properties 
@@ -13082,10 +15339,88 @@ paths: - okta.rateLimits.manage tags: - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/rate-limit-settings/warning-threshold: + get: + summary: Retrieve the Rate Limit Warning Threshold Percentage + description: Retrieves the currently configured threshold for warning notifications when the API's rate limit is exceeded + operationId: getRateLimitSettingsWarningThreshold + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdResponse' + examples: + ExampleThreshold: + $ref: '#/components/examples/RateLimitWarningThresholdValidExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.read + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Rate Limit Warning Threshold Percentage + description: Replaces the Rate Limit Warning Threshold Percentage and returns the configured property + operationId: replaceRateLimitSettingsWarningThreshold + x-codegen-request-body-name: RateLimitWarningThreshold + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdRequest' + examples: + ExampleThreshold: + $ref: '#/components/examples/RateLimitWarningThresholdValidExample' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdResponse' + examples: + ExampleThreshold: + $ref: '#/components/examples/RateLimitWarningThresholdValidExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - 
okta.rateLimits.manage + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/realms/{realmId}: + parameters: + - $ref: '#/components/parameters/pathRealmId' + /api/v1/resource-selectors/{resourceSelectorId}: + parameters: + - $ref: '#/components/parameters/pathResourceSelectorId' /api/v1/risk/events/ip: post: summary: Send multiple Risk Events - description: Sends multiple risk events to Okta. This API is intended for Risk Providers. This API has a rate limit of 30 requests per minute. The caller should include multiple Risk Events (up to a maximum of 20 events) in a single payload to reduce the number of API calls. If a client has more risk signals to send than what the API supports, we recommend prioritizing posting high risk signals. + description: |- + Sends multiple IP risk events to Okta. + This request is used by a third-party risk provider to send IP risk events to Okta. The third-party risk provider needs to be registered with Okta before they can send events to Okta. See [Risk Providers](/openapi/okta-management/management/tag/RiskProvider/). + This API has a rate limit of 30 requests per minute. You can include multiple risk events (up to a maximum of 20 events) in a single payload to reduce the number of API calls. Prioritize sending high risk signals if you have a burst of signals to send that would exceed the maximum request limits. operationId: sendRiskEvents x-codegen-request-body-name: instance requestBody: @@ -13096,8 +15431,8 @@ paths: items: $ref: '#/components/schemas/RiskEvent' examples: - Example Request: - $ref: '#/components/examples/RiskEventsRequest' + RiskEventsRequestExample: + $ref: '#/components/examples/RiskEventsRequestExample' required: true responses: '202': 
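Review bot: The path items `/api/v1/realms/{realmId}` and `/api/v1/resource-selectors/{resourceSelectorId}` are added with only a `parameters` list and no operations. As written they describe no callable endpoint and presumably produce nothing in the generated v4 client, so they read like leftovers from filtering the upstream spec. Either drop the two stubs or add a short comment such as `# operations intentionally omitted from the SDK spec` so the next maintainer does not take them for a truncated merge.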
@@ -13121,10 +15456,14 @@ paths: - okta.riskEvents.manage tags: - RiskEvent + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] /api/v1/risk/providers: get: summary: List all Risk Providers - description: Lists all Risk Providers + description: Lists all Risk Provider objects operationId: listRiskProviders responses: '200': @@ -13135,6 +15474,9 @@ paths: type: array items: $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderList: + $ref: '#/components/examples/ListRiskProviderResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -13145,9 +15487,13 @@ paths: - okta.riskProviders.read tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] post: summary: Create a Risk Provider - description: Creates a risk provider. A maximum of 3 providers can be created. By default, one risk provider is created by Okta. + description: Creates a Risk Provider object. A maximum of three Risk Provider objects can be created. operationId: createRiskProvider x-codegen-request-body-name: instance requestBody: @@ -13156,7 +15502,7 @@ paths: schema: $ref: '#/components/schemas/RiskProvider' examples: - Request Example: + RiskProviderRequestExample: $ref: '#/components/examples/RiskProviderRequest' required: true responses: @@ -13167,7 +15513,7 @@ paths: schema: $ref: '#/components/schemas/RiskProvider' examples: - Example Response: + RiskProviderPostResponseExample: $ref: '#/components/examples/RiskProviderResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' 
@@ -13188,12 +15534,16 @@ paths: - okta.riskProviders.manage tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] /api/v1/risk/providers/{riskProviderId}: parameters: - $ref: '#/components/parameters/pathRiskProviderId' get: summary: Retrieve a Risk Provider - description: Retrieves a risk provider by `riskProviderId` + description: Retrieves a Risk Provider object by ID operationId: getRiskProvider responses: '200': @@ -13203,7 +15553,7 @@ paths: schema: $ref: '#/components/schemas/RiskProvider' examples: - Example Response: + RiskProviderGetResponseExample: $ref: '#/components/examples/RiskProviderResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' @@ -13217,9 +15567,13 @@ paths: - okta.riskProviders.read tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] put: summary: Replace a Risk Provider - description: Replaces a risk provider by `riskProviderId` + description: Replaces the properties for a given Risk Provider object ID operationId: replaceRiskProvider x-codegen-request-body-name: instance requestBody: @@ -13228,8 +15582,8 @@ paths: schema: $ref: '#/components/schemas/RiskProvider' examples: - Request Example: - $ref: '#/components/examples/RiskProviderRequest' + RiskProviderPutRequestExample: + $ref: '#/components/examples/RiskProviderPutRequest' required: true responses: '200': @@ -13239,8 +15593,8 @@ paths: schema: $ref: '#/components/schemas/RiskProvider' examples: - Example Response: - $ref: '#/components/examples/RiskProviderResponse' + RiskProviderPutResponseExample: + $ref: '#/components/examples/RiskProviderPutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -13255,9 +15609,13 @@ paths: - okta.riskProviders.manage tags: - RiskProvider + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] delete: summary: Delete a Risk Provider - description: Deletes a CAPTCHA instance by `riskProviderId` + description: Deletes a Risk Provider object by its ID operationId: deleteRiskProvider responses: '204': @@ -13282,17 +15640,17 @@ paths: - okta.riskProviders.manage tags: - RiskProvider - /api/v1/roles/{roleTypeOrRoleId}/subscriptions: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /api/v1/roles/{roleRef}/subscriptions: + parameters: + - $ref: '#/components/parameters/pathRoleRef' get: - summary: List all Subscriptions of a Custom Role - description: Lists all subscriptions of a Role identified by `roleType` or of a Custom Role identified by `roleId` - operationId: listRoleSubscriptions - parameters: - - in: path - name: roleTypeOrRoleId - required: true - schema: - type: string + summary: List all Subscriptions for a Role + description: Lists all subscriptions available to a specified Role + operationId: listSubscriptionsRole responses: '200': description: Success 
@@ -13314,22 +15672,17 @@ paths: - okta.roles.read tags: - Subscription - /api/v1/roles/{roleTypeOrRoleId}/subscriptions/{notificationType}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/roles/{roleRef}/subscriptions/{notificationType}: + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' get: - summary: List all Subscriptions of a Custom Role with a specific notification type - description: Lists all subscriptions with a specific notification type of a Role identified by `roleType` or of a Custom Role identified by `roleId` - operationId: listRoleSubscriptionsByNotificationType - parameters: - - in: path - name: roleTypeOrRoleId - required: true - schema: - type: string - - in: path - name: notificationType - required: true - schema: - type: string + summary: Retrieve a Subscription for a Role + description: Retrieves a subscription by `notificationType` for a specified Role + operationId: getSubscriptionsNotificationTypeRole responses: '200': description: Success 
@@ -13349,25 +15702,20 @@ paths: - okta.roles.read tags: - Subscription - /api/v1/roles/{roleTypeOrRoleId}/subscriptions/{notificationType}/subscribe: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/roles/{roleRef}/subscriptions/{notificationType}/subscribe: + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' post: - summary: Subscribe a Custom Role to a specific notification type - description: Subscribes a Role identified by `roleType` or of a Custom Role identified by `roleId` to a specific notification type. When you change the subscription status of a Role or Custom Role, it overrides the subscription of any individual user of that Role or Custom Role. - operationId: subscribeRoleSubscriptionByNotificationType - parameters: - - in: path - name: roleTypeOrRoleId - required: true - schema: - type: string - - in: path - name: notificationType - required: true - schema: - type: string + summary: Subscribe a Role to a Specific Notification Type + description: Subscribes a Role to a specified notification type. Changes to Role subscriptions override the subscription status of any individual users with the Role. + operationId: subscribeByNotificationTypeRole responses: '200': - description: Success + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
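Review bot: The `'200'` response of `subscribeByNotificationTypeRole` now reads `description: No Content`, and the next hunk makes the same change for `unsubscribeByNotificationTypeRole`. Everywhere else in this spec that phrase is paired with `'204'` and `content: {}`, so the status code and description now contradict each other. The hunk does not show what the service actually returns, so this needs confirming against the API. If the body is empty, declare `'204': description: No Content`; otherwise keep `description: Success`. This matters for the generated client because the documented success code is what callers will compare the response status against.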
@@ -13380,25 +15728,20 @@ paths: - okta.roles.manage tags: - Subscription - /api/v1/roles/{roleTypeOrRoleId}/subscriptions/{notificationType}/unsubscribe: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/roles/{roleRef}/subscriptions/{notificationType}/unsubscribe: + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' post: - summary: Unsubscribe a Custom Role from a specific notification type - description: Unsubscribes a Role identified by `roleType` or of a Custom Role identified by `roleId` from a specific notification type. When you change the subscription status of a Role or Custom Role, it overrides the subscription of any individual user of that Role or Custom Role. - operationId: unsubscribeRoleSubscriptionByNotificationType - parameters: - - in: path - name: roleTypeOrRoleId - required: true - schema: - type: string - - in: path - name: notificationType - required: true - schema: - type: string + summary: Unsubscribe a Role from a Specific Notification Type + description: Unsubscribes a Role from a specified notification type. Changes to Role subscriptions override the subscription status of any individual users with the Role. + operationId: unsubscribeByNotificationTypeRole responses: '200': - description: Success + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -13411,10 +15754,13 @@ paths: - okta.roles.manage tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/sessions: post: - summary: Create a Session with Session Token - description: Creates a new session for a user with a valid session token. Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it, or want to hold the session ID in order to delete a session via the API instead of visiting the logout URL. + summary: Create a Session with session token + description: Creates a new Session for a user with a valid session token. Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it, or want to hold the session ID to delete a session through the API instead of visiting the logout URL. operationId: createSession x-codegen-request-body-name: createSessionRequest requestBody: @@ -13422,6 +15768,9 @@ paths: application/json: schema: $ref: '#/components/schemas/CreateSessionRequest' + examples: + SessionsCreate: + $ref: '#/components/examples/CreateSessionBody' required: true responses: '200': @@ -13430,6 +15779,10 @@ paths: application/json: schema: $ref: '#/components/schemas/Session' + examples: + SessionsCreate: + summary: Create a new Session with a valid session token + $ref: '#/components/examples/CreateSessionResponse' '400': description: Bad Request '403': 
@@ -13440,17 +15793,113 @@ paths: - apiToken: [] tags: - Session - /api/v1/sessions/{sessionId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/me: get: - summary: Retrieve a Session - description: Retrieves the details about a session - operationId: getSession + summary: Retrieve the current Session + description: |- + Retrieves Session information for the current user. Use this method in a browser-based application to determine if the user is signed in. + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. + operationId: getCurrentSession parameters: - - name: sessionId - in: path - required: true + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + CurrentSessionsRetrieve: + summary: Retrieve current Session information + $ref: '#/components/examples/RetrieveCurrentSessionResponse' + '404': + description: Not Found + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Close the current Session + description: |- + Closes the Session for the user who is currently signed in. Use this method in a browser-based application to sign out a user. + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. 
+ operationId: closeCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '204': + description: No Content + content: {} + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/me/lifecycle/refresh: + post: + summary: Refresh the current Session + description: |- + Refreshes the Session for the current user + + > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation. + operationId: refreshCurrentSession + parameters: + - in: header + name: Cookie schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + CurrentSessionsRefresh: + summary: Refersh current Session + $ref: '#/components/examples/RefreshCurrentSessionResponse' + '404': + description: Not Found + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/{sessionId}: + parameters: + - $ref: '#/components/parameters/pathSessionId' + get: + summary: Retrieve a Session + description: Retrieves information about the Session specified by the given session ID + operationId: getSession responses: '200': description: Success @@ -13458,6 +15907,10 @@ paths: application/json: schema: $ref: '#/components/schemas/Session' + examples: + SessionsRetrieve: + summary: Retrieve Session information for a single session ID + $ref: '#/components/examples/RetrieveSessionResponse' '400': description: Bad Request '403': 
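Review bot: The new `/api/v1/sessions/me` and `/api/v1/sessions/me/lifecycle/refresh` operations declare `security: []` and model the session cookie as an `in: header` parameter named `Cookie`, so the spec marks them as unauthenticated while their descriptions say a session cookie is required. An `apiKey` security scheme with `in: cookie`, referenced under `security:`, would describe the credential as a credential and keep it out of the generated method's ordinary arguments, where it is more likely to be logged. The `example: sid=abcde-123 or idx=abcde-123` is prose rather than a valid header value; use one concrete value and label it as a placeholder. These operations also set `isCorsEnabled: true` on a cookie-authenticated `delete` and `post`, so the description should say which origins may call them; presumably that is governed by the Trusted Origins configuration, but the hunk does not say. `summary: Refersh current Session` should read `Refresh`.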
@@ -13472,16 +15925,13 @@ paths: - okta.sessions.read tags: - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a Session - description: Revokes a session + description: Revokes the specified Session operationId: revokeSession - parameters: - - name: sessionId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -13498,17 +15948,16 @@ paths: - okta.sessions.manage tags: - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/sessions/{sessionId}/lifecycle/refresh: + parameters: + - $ref: '#/components/parameters/pathSessionId' post: summary: Refresh a Session - description: Refreshes a session + description: Refreshes an existing Session using the `id` for that Session. A successful response contains the refreshed Session with an updated `expiresAt` timestamp. operationId: refreshSession - parameters: - - name: sessionId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -13516,6 +15965,10 @@ paths: application/json: schema: $ref: '#/components/schemas/Session' + examples: + SessionsRefresh: + summary: Refresh an existing Session using the session ID + $ref: '#/components/examples/RefreshSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -13528,6 +15981,9 @@ paths: - okta.sessions.manage tags: - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/templates/sms: get: summary: List all SMS Templates @@ -13557,6 +16013,9 @@ paths: - okta.templates.read tags: - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create an SMS Template description: Creates a new custom SMS template 
@@ -13587,17 +16046,16 @@ paths: - okta.templates.manage tags: - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/templates/sms/{templateId}: + parameters: + - $ref: '#/components/parameters/pathTemplateId' get: summary: Retrieve an SMS Template description: Retrieves a specific template by `id` operationId: getSmsTemplate - parameters: - - name: templateId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -13617,16 +16075,13 @@ paths: - okta.templates.read tags: - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update an SMS Template description: Updates an SMS template operationId: updateSmsTemplate - parameters: - - name: templateId - in: path - required: true - schema: - type: string x-codegen-request-body-name: smsTemplate requestBody: content: @@ -13655,16 +16110,13 @@ paths: - okta.templates.manage tags: - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace an SMS Template description: Replaces the SMS template operationId: replaceSmsTemplate - parameters: - - name: templateId - in: path - required: true - schema: - type: string x-codegen-request-body-name: smsTemplate requestBody: content: @@ -13693,16 +16145,13 @@ paths: - okta.templates.manage tags: - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete an SMS Template description: Deletes an SMS template operationId: deleteSmsTemplate - parameters: - - name: templateId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -13719,10 +16168,13 @@ paths: - okta.templates.manage tags: - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/threats/configuration: get: summary: Retrieve the ThreatInsight Configuration - description: Retrieves current ThreatInsight configuration + description: Retrieves the ThreatInsight configuration for the org operationId: getCurrentConfiguration responses: '200': @@ -13731,6 +16183,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightResponseEx: + $ref: '#/components/examples/ThreatInsightResponseExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -13741,9 +16196,12 @@ paths: - okta.threatInsights.read tags: - ThreatInsight + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Update the ThreatInsight Configuration - description: Updates ThreatInsight configuration + description: Updates the ThreatInsight configuration for the org operationId: updateConfiguration x-codegen-request-body-name: threatInsightConfiguration requestBody: @@ -13751,6 +16209,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightUpdateEx: + $ref: '#/components/examples/ThreatInsightUpdateRequestExample' required: true responses: '200': @@ -13759,6 +16220,9 @@ paths: application/json: schema: $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightUpdateEx: + $ref: '#/components/examples/ThreatInsightUpdateResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -13771,6 +16235,9 @@ paths: - okta.threatInsights.manage tags: - ThreatInsight + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/trustedOrigins: get: summary: List all Trusted Origins 
@@ -13814,6 +16281,9 @@ paths: - okta.trustedOrigins.read tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Trusted Origin description: Creates a trusted origin @@ -13844,17 +16314,16 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}: + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' get: summary: Retrieve a Trusted Origin description: Retrieves a trusted origin operationId: getTrustedOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -13874,16 +16343,13 @@ paths: - okta.trustedOrigins.read tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Trusted Origin description: Replaces a trusted origin operationId: replaceTrustedOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string x-codegen-request-body-name: trustedOrigin requestBody: content: @@ -13912,16 +16378,13 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Trusted Origin description: Deletes a trusted origin operationId: deleteTrustedOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string responses: '204': description: Success 
@@ -13938,17 +16401,16 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' post: summary: Activate a Trusted Origin description: Activates a trusted origin operationId: activateTrustedOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -13968,17 +16430,16 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' post: summary: Deactivate a Trusted Origin description: Deactivates a trusted origin operationId: deactivateTrustedOrigin - parameters: - - name: trustedOriginId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -13998,6 +16459,9 @@ paths: - okta.trustedOrigins.manage tags: - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users: get: summary: List all Users @@ -14033,6 +16497,7 @@ paths: type: string - name: sortOrder in: query + description: Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. schema: type: string responses: @@ -14045,7 +16510,7 @@ paths: items: $ref: '#/components/schemas/User' examples: - User List: + UserList: $ref: '#/components/examples/ListUsersResponse' '403': description: Forbidden 
@@ -14061,9 +16526,19 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a User - description: Creates a new user in your Okta organization with or without credentials + description: |- + Creates a new user in your Okta organization with or without credentials
+ > **Legal Disclaimer**
+ After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, + you agreed not to use Okta's service/product to spam and/or send unsolicited messages. + Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all + liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. operationId: createUser parameters: - name: activate 
@@ -14125,62 +16600,26 @@ paths: - okta.users.manage tags: - User - /api/v1/users/{associatedUserId}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: - put: - summary: Create a Linked Object for two User - description: Creates a linked object for two users - operationId: setLinkedObjectForUser - parameters: - - name: associatedUserId - in: path - required: true - schema: - type: string - - name: primaryRelationshipName - in: path - required: true - schema: - type: string - - name: primaryUserId - in: path - required: true - schema: - type: string - responses: - '204': - description: Success - content: {} - '403': - $ref: '#/components/responses/ErrorAccessDenied403' - '404': - $ref: '#/components/responses/ErrorResourceNotFound404' - '429': - $ref: '#/components/responses/ErrorTooManyRequests429' - security: - - oauth2: - - okta.users.manage - tags: - - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}: + parameters: + - $ref: '#/components/parameters/pathUserId' get: summary: Retrieve a User description: Retrieves a user from your Okta organization operationId: getUser parameters: - - $ref: '#/components/parameters/pathUserId' - - name: expand - in: query - description: 'Specifies additional metadata to include in the response. Possible value: `blocks`' - required: false - schema: - type: string + - $ref: '#/components/parameters/queryUserExpand' responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/User' + $ref: '#/components/schemas/UserGetSingleton' '403': description: Forbidden content: 
@@ -14201,12 +16640,15 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true post: summary: Update a User description: Updates a user partially determined by the request parameters operationId: updateUser parameters: - - $ref: '#/components/parameters/pathUserId' - name: strict in: query schema: @@ -14251,12 +16693,15 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a User description: Replaces a user's profile and/or credentials using strict-update semantics operationId: replaceUser parameters: - - $ref: '#/components/parameters/pathUserId' - name: strict in: query schema: @@ -14267,7 +16712,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UpdateUserRequest' + $ref: '#/components/schemas/User' required: true responses: '200': @@ -14302,12 +16747,15 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a User description: Deletes a user permanently. This operation can only be performed on users that have a `DEPROVISIONED` status. **This action cannot be recovered!**. Calling this on an `ACTIVE` user will transition the user to `DEPROVISIONED`. operationId: deleteUser parameters: - - $ref: '#/components/parameters/pathUserId' - name: sendEmail in: query schema: 
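Review bot: In the `replaceUser` hunk the request body schema changes from `UpdateUserRequest` to `#/components/schemas/User`, so the full response model becomes the accepted input for a strict-update `put` that can also carry credentials. If `User` holds server-managed properties such as status, timestamps or links, they should be marked `readOnly: true` so the generated client does not serialize them back on a replace. This cannot be confirmed from the hunk because the `User` schema is defined elsewhere. A `description` on the `requestBody` stating which properties are honoured would make the wider input type safer to use.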
@@ -14344,17 +16792,17 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/appLinks: + parameters: + - $ref: '#/components/parameters/pathUserId' get: summary: List all Assigned Application Links description: Lists all appLinks for all direct or indirect (via group membership) assigned applications operationId: listAppLinks - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -14376,13 +16824,17 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/blocks: + parameters: + - $ref: '#/components/parameters/pathUserId' get: summary: List all User Blocks description: Lists information about how the user is blocked from accessing their account operationId: listUserBlocks - parameters: - - $ref: '#/components/parameters/pathUserId' responses: '200': description: Success @@ -14409,17 +16861,17 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/clients: + parameters: + - $ref: '#/components/parameters/pathUserId' get: summary: List all Clients description: Lists all client resources for which the specified user has grants or tokens operationId: listUserClients - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -14441,22 +16893,19 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/grants: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' get: summary: List all Grants for a Client description: Lists all grants for a specified user and client operationId: listGrantsForUserAndClient parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -14492,21 +16941,14 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke all Grants for a Client description: Revokes all grants for the specified user and client operationId: revokeGrantsForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -14523,22 +16965,19 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/tokens: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' get: summary: List all Refresh Tokens for a Client description: Lists all refresh tokens issued for the specified User and Client operationId: listRefreshTokensForUserAndClient parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - name: expand in: query schema: 
@@ -14574,21 +17013,14 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke all Refresh Tokens for a Client description: Revokes all refresh tokens issued for the specified User and Client operationId: revokeTokensForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -14605,27 +17037,20 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathTokenId' get: summary: Retrieve a Refresh Token for a Client description: Retrieves a refresh token issued for the specified User and Client operationId: getRefreshTokenForUserAndClient parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -14658,26 +17083,14 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a Token for a Client description: Revokes the specified refresh token operationId: revokeTokenForUserAndClient - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: clientId - in: path - required: true - schema: - type: string - - name: tokenId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -14694,17 +17107,18 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/credentials/change_password: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Change Password description: Changes a user's password by validating the user's current password. This operation can only be performed on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid password credential operationId: changePassword parameters: - - name: userId - in: path - required: true - schema: - type: string - name: strict in: query schema: @@ -14738,17 +17152,17 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/credentials/change_recovery_question: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Change Recovery Question description: Changes a user's recovery question & answer credential by validating the user's current password. This operation can only be performed on users in **STAGED**, **ACTIVE** or **RECOVERY** `status` that have a valid password credential operationId: changeRecoveryQuestion - parameters: - - name: userId - in: path - required: true - schema: - type: string x-codegen-request-body-name: userCredentials requestBody: content: 
@@ -14777,17 +17191,18 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/credentials/forgot_password: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Initiate Forgot Password description: Initiates the forgot password flow. Generates a one-time token (OTT) that can be used to reset a user's password. operationId: forgotPassword parameters: - - name: userId - in: path - required: true - schema: - type: string - name: sendEmail in: query required: false @@ -14813,17 +17228,18 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/credentials/forgot_password_recovery_question: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Reset Password with Recovery Question description: Resets the user's password to the specified password if the provided answer to the recovery question is correct operationId: forgotPasswordSetNewPassword parameters: - - name: userId - in: path - required: true - schema: - type: string - name: sendEmail in: query required: false @@ -14858,17 +17274,17 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors: + parameters: + - $ref: '#/components/parameters/pathUserId' get: - summary: List all Factors - description: Lists all the enrolled factors for the specified user + summary: List all enrolled Factors + description: Lists all enrolled Factors for the specified user operationId: listFactors - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -14877,35 +17293,35 @@ paths: schema: type: array items: - oneOf: &ref_12 - - $ref: '#/components/schemas/CallUserFactor' - - $ref: '#/components/schemas/EmailUserFactor' - - $ref: '#/components/schemas/PushUserFactor' - - $ref: '#/components/schemas/SecurityQuestionUserFactor' - - $ref: '#/components/schemas/SmsUserFactor' - - $ref: '#/components/schemas/TokenUserFactor' - - $ref: '#/components/schemas/HardwareUserFactor' - - $ref: '#/components/schemas/CustomHotpUserFactor' - - $ref: '#/components/schemas/TotpUserFactor' - - $ref: '#/components/schemas/U2fUserFactor' - - $ref: '#/components/schemas/WebUserFactor' - - $ref: '#/components/schemas/WebAuthnUserFactor' - discriminator: &ref_13 + oneOf: &ref_18 + - $ref: '#/components/schemas/UserFactorCall' + - $ref: '#/components/schemas/UserFactorEmail' + - $ref: '#/components/schemas/UserFactorPush' + - $ref: '#/components/schemas/UserFactorSecurityQuestion' + - $ref: '#/components/schemas/UserFactorSMS' + - $ref: '#/components/schemas/UserFactorToken' + - $ref: '#/components/schemas/UserFactorHardware' + - $ref: '#/components/schemas/UserFactorCustomHOTP' + - $ref: '#/components/schemas/UserFactorTOTP' + - $ref: '#/components/schemas/UserFactorU2F' + - $ref: '#/components/schemas/UserFactorWeb' + - $ref: '#/components/schemas/UserFactorWebAuthn' + discriminator: &ref_19 propertyName: factorType mapping: - call: '#/components/schemas/CallUserFactor' - email: '#/components/schemas/EmailUserFactor' - push: '#/components/schemas/PushUserFactor' - question: '#/components/schemas/SecurityQuestionUserFactor' - sms: '#/components/schemas/SmsUserFactor' - token: '#/components/schemas/TokenUserFactor' - token:hardware: '#/components/schemas/HardwareUserFactor' - token:hotp: '#/components/schemas/CustomHotpUserFactor' - token:software:totp: '#/components/schemas/TotpUserFactor' - u2f: '#/components/schemas/U2fUserFactor' - web: '#/components/schemas/WebUserFactor' - webauthn: '#/components/schemas/WebAuthnUserFactor' - 
hotp: '#/components/schemas/CustomHotpUserFactor' + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + push: '#/components/schemas/UserFactorPush' + question: '#/components/schemas/UserFactorSecurityQuestion' + sms: '#/components/schemas/UserFactorSMS' + token: '#/components/schemas/UserFactorToken' + token:hardware: '#/components/schemas/UserFactorHardware' + token:hotp: '#/components/schemas/UserFactorCustomHOTP' + token:software:totp: '#/components/schemas/UserFactorTOTP' + u2f: '#/components/schemas/UserFactorU2F' + web: '#/components/schemas/UserFactorWeb' + webauthn: '#/components/schemas/UserFactorWebAuthn' + hotp: '#/components/schemas/UserFactorCustomHOTP' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -14918,34 +17334,38 @@ paths: - okta.users.read tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Enroll a Factor - description: Enrolls a user with a supported factor + description: Enrolls a supported Factor for the specified user operationId: enrollFactor parameters: - - name: userId - in: path - required: true - schema: - type: string - name: updatePhone + description: If `true`, indicates that you'll update the `phoneNumber`. Only used for `sms` Factors that are pending activation. in: query schema: type: boolean default: false - name: templateId in: query - description: id of SMS template (only for SMS factor) + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). Only used by `sms` Factors. schema: type: string + example: cstk2flOtuCMDJK4b0g3 - name: tokenLifetimeSeconds + description: Defines how long the token remains valid in: query schema: type: integer format: int32 + minimum: 1 + maximum: 86400 default: 300 x-okta-added-version: 1.3.0 - name: activate + description: If `true`, the `sms` Factor is immediately activated as part of the enrollment. An activation text message isn't sent to the device. in: query schema: type: boolean @@ -14957,8 +17377,8 @@ paths: content: application/json: schema: - oneOf: *ref_12 - discriminator: *ref_13 + oneOf: *ref_18 + discriminator: *ref_19 required: true responses: '200': @@ -14966,8 +17386,8 @@ paths: content: application/json: schema: - oneOf: *ref_12 - discriminator: *ref_13 + oneOf: *ref_18 + discriminator: *ref_19 '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
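Review bot: The new description for the `activate` query parameter of `enrollFactor` says that `true` activates the `sms` Factor immediately and that no activation text is sent, but it does not say what that means for verification. With no message sent, the enrollment presumably completes without the user proving possession of the phone number. The description should state this and say who is expected to have verified the number beforehand, for example by appending `The phone number isn't verified by Okta in this case.` if that matches the service behaviour. The added `minimum: 1` and `maximum: 86400` bounds on `tokenLifetimeSeconds` are a good tightening and need no change.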
@@ -14982,17 +17402,16 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/catalog: + parameters: + - $ref: '#/components/parameters/pathUserId' get: - summary: List all Supported Factors - description: Lists all the supported factors that can be enrolled for the specified user + summary: List all supported Factors + description: Lists all the supported Factors that can be enrolled for the specified user operationId: listSupportedFactors - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -15001,8 +17420,8 @@ paths: schema: type: array items: - oneOf: *ref_12 - discriminator: *ref_13 + oneOf: *ref_18 + discriminator: *ref_19 '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15015,26 +17434,32 @@ paths: - okta.users.read tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/questions: + parameters: + - $ref: '#/components/parameters/pathUserId' get: - summary: List all Supported Security Questions - description: Lists all available security questions for a user's `question` factor + summary: List all supported Security Questions + description: Lists all available Security Questions for the specified user operationId: listSupportedSecurityQuestions - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success content: application/json: + example: + - question: disliked_food + questionText: What is the food you least liked as a child? + - question: name_of_first_plush_toy + questionText: What is the name of your first stuffed animal? + - question: first_award + questionText: What did you earn your first medal or award for? schema: type: array items: - $ref: '#/components/schemas/SecurityQuestion' + $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15045,30 +17470,26 @@ paths: - apiToken: [] tags: - UserFactor + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' get: summary: Retrieve a Factor - description: Retrieves a factor for the specified user + description: Retrieves an existing Factor for the specified user operationId: getFactor - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string responses: '200': description: Success content: application/json: schema: - oneOf: *ref_12 - discriminator: *ref_13 + oneOf: *ref_18 + discriminator: *ref_19 '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -15081,22 +17502,19 @@ paths: - okta.users.read tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unenroll a Factor - description: Unenrolls an existing factor for the specified user, allowing the user to enroll a new factor + description: |- + Unenrolls an existing Factor for the specified user. This allows the user to enroll a new Factor. + + > **Note**: If you unenroll the `push` or the `signed_nonce` Factors, Okta also unenrolls any other `totp`, `signed_nonce`, or Okta Verify `push` Factors associated with the user. operationId: unenrollFactor parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string - - name: removeEnrollmentRecovery + - name: removeRecoveryEnrollment + description: If `true`, removes the the phone number as both a recovery method and a Factor. Only used for `sms` and `call` Factors. in: query schema: type: boolean 
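Review bot: In the `unenrollFactor` hunk the query parameter is renamed from `removeEnrollmentRecovery` to `removeRecoveryEnrollment`, which changes the generated request builder and the name sent on the wire. A caller that keeps sending the old name would presumably have it ignored, leaving the phone number enrolled as a recovery method when removal was intended, so the rename deserves an explicit entry in MIGRATING.md. The new description also reads `removes the the phone number`; drop the duplicated word.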
@@ -15117,37 +17535,88 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' post: summary: Activate a Factor - description: Activates a factor. The `sms` and `token:software:totp` factor types require activation to complete the enrollment process. + description: |- + Activates a Factor. The `sms` and `token:software:totp` factor types require activation to complete the enrollment process. + + Okta enforces a rate limit of five activation attempts within five minutes. + After a user exceeds the rate limit, Okta returns an error message. operationId: activateFactor + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorActivateRequest' + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: *ref_18 + discriminator: *ref_19 + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/factors/{factorId}/resend: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + post: + summary: Resend a Factor enrollment + description: |- + Resends an `sms`, `call`, or `email` factor challenge as part of an enrollment flow. + + For `call` and `sms` factors, Okta enforces a rate limit of one OTP challenge per device every 30 seconds. 
You can configure your `sms` and `call` factors to use a third-party telephony provider. See the [Telephony inline hook reference](https://developer.okta.com/docs/reference/telephony-hook/). Okta round-robins between SMS providers with every resend request to help ensure delivery of an SMS and Call OTPs across different carriers. + + > **Note**: Resend operations aren't allowed after a factor exceeds the activation rate limit. See [Activate a Factor](./#tag/UserFactor/operation/activateFactor). + operationId: resendEnrollFactor parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true + - name: templateId + in: query + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). Only used by `sms` Factors. schema: + example: cstk2flOtuCMDJK4b0g3 type: string - x-codegen-request-body-name: body requestBody: content: application/json: schema: - $ref: '#/components/schemas/ActivateFactorRequest' - required: false + oneOf: *ref_18 + discriminator: *ref_19 + required: true responses: '200': description: Success content: application/json: schema: - oneOf: *ref_12 - discriminator: *ref_13 + oneOf: *ref_18 + discriminator: *ref_19 '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -15162,34 +17631,25 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + - $ref: '#/components/parameters/pathTransactionId' get: - summary: Retrieve a Factor Transaction Status - description: Retrieves the factors verification transaction status + summary: Retrieve a Factor transaction status + description: Retrieves the status of a `push` Factor verification transaction operationId: getFactorTransactionStatus - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string - - name: transactionId - in: path - required: true - schema: - type: string responses: '200': description: Success content: application/json: schema: - $ref: '#/components/schemas/VerifyUserFactorResponse' + $ref: '#/components/schemas/UserFactorVerifyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -15202,44 +17662,55 @@ paths: - okta.users.read tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/verify: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' post: - summary: Verify an MFA Factor - description: Verifies an OTP for a `token` or `token:hardware` factor + summary: Verify a Factor + description: |- + Verifies an OTP for a Factor. Some Factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) require Okta to issue a challenge to initiate the transaction. Do this by making a request without a body. After a challenge is issued, make another request to verify the Factor. + + **Note**: To verify a `push` factor, use the **poll** link returned when you issue the challenge. See [Retrieve a Factor Transaction Status](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/getFactorTransactionStatus). operationId: verifyFactor parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: factorId - in: path - required: true - schema: - type: string - name: templateId + description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). Only used by `sms` Factors. in: query schema: type: string + example: cstk2flOtuCMDJK4b0g3 - name: tokenLifetimeSeconds + description: Defines how long the token remains valid in: query schema: type: integer format: int32 + minimum: 1 + maximum: 86400 default: 300 x-okta-added-version: 1.3.0 - name: X-Forwarded-For + description: Public IP address for the user agent in: header schema: type: string x-okta-added-version: 1.11.0 - name: User-Agent + description: Type of user agent detected when the request is made in: header schema: type: string x-okta-added-version: 1.11.0 - name: Accept-Language + description: |- + Sets a two-letter language code that defines a localized message to send. 
Only used by the `sms` Factor. + + * If the language code doesn't exist in the SMS template, the message uses the default template. + * If the `templateId` doesn't exist, the message is sent using the default template. in: header schema: type: string @@ -15248,7 +17719,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/VerifyFactorRequest' + $ref: '#/components/schemas/UserFactorVerifyRequest' required: false responses: '200': @@ -15256,7 +17727,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/VerifyUserFactorResponse' + $ref: '#/components/schemas/UserFactorVerifyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -15271,17 +17742,17 @@ paths: - okta.users.manage tags: - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/grants: + parameters: + - $ref: '#/components/parameters/pathUserId' get: summary: List all User Grants description: Lists all grants for the specified user operationId: listUserGrants parameters: - - name: userId - in: path - required: true - schema: - type: string - name: scopeId in: query schema: @@ -15321,16 +17792,14 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke all User Grants description: Revokes all grants for a specified user operationId: revokeUserGrants - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -15347,22 +17816,19 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/grants/{grantId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathGrantId' get: summary: Retrieve a User Grant description: Retrieves a grant for the specified user operationId: getUserGrant parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: grantId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -15386,21 +17852,14 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Revoke a User Grant description: Revokes one grant for a specified user operationId: revokeUserGrant - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: grantId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -15417,17 +17876,20 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/groups: + parameters: + - $ref: '#/components/parameters/pathUserId' get: summary: List all Groups description: Lists all groups of which the user is a member operationId: listUserGroups parameters: - - name: userId - in: path - required: true - schema: - type: string + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success 
@@ -15449,17 +17911,17 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/idps: + parameters: + - $ref: '#/components/parameters/pathUserId' get: summary: List all Identity Providers description: Lists the IdPs associated with the user operationId: listUserIdentityProviders - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -15481,17 +17943,30 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Activate a User - description: Activates a user. This operation can only be performed on users with a `STAGED` status. Activation of a user is an asynchronous operation. The user will have the `transitioningToStatus` property with a value of `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation. The user will have a status of `ACTIVE` when the activation process is complete. + description: |- + Activates a user. This operation can only be performed on users with a `STAGED` or `DEPROVISIONED` status. + Activation of a user is an asynchronous operation. The user will have the `transitioningToStatus` + property with a value of `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation. + The user will have a status of `ACTIVE` when the activation process is complete. + > **Multibrand and User activation**
+ If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand. + For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains). +

+ > **Legal disclaimer**
+ After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, + you agreed not to use Okta's service/product to spam and/or send unsolicited messages. + Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all + liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. operationId: activateUser parameters: - - name: userId - in: path - required: true - schema: - type: string - name: sendEmail in: query description: Sends an activation email to the user if true @@ -15518,17 +17993,18 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Deactivate a User description: 'Deactivates a user. This operation can only be performed on users that do not have a `DEPROVISIONED` status. While the asynchronous operation (triggered by HTTP header `Prefer: respond-async`) is proceeding the user''s `transitioningToStatus` property is `DEPROVISIONED`. The user''s status is `DEPROVISIONED` when the deactivation process is complete.' operationId: deactivateUser parameters: - - name: userId - in: path - required: true - schema: - type: string - name: sendEmail in: query schema: 
@@ -15551,17 +18027,17 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/expire_password: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Expire Password description: Expires a user's password and transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login operationId: expirePassword - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -15581,17 +18057,25 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/expire_password_with_temp_password: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Expire Password and Set Temporary Password description: Expires a user's password and transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login, and also sets the user's password to a temporary password returned in the response operationId: expirePasswordAndGetTemporaryPassword parameters: - - name: userId - in: path - required: true + - name: revokeSessions + description: When set to `true` (and the session is a user session), all user sessions are revoked except the current session. + in: query + required: false schema: - type: string + type: boolean + default: false responses: '200': description: Success 
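Review bot: The new `revokeSessions` parameter on `expirePasswordAndGetTemporaryPassword` has `default: false`, but the operation description does not say that existing sessions are left in place unless the caller opts in. Someone using this call to contain a suspected account compromise could reasonably assume that expiring the password also ends the user's sessions. I would append a sentence to the operation description such as `Existing sessions stay valid unless revokeSessions is set to true.`, worded to match whatever the API actually guarantees. The same parameter is added to `generateResetPasswordToken` in the `@@ -15674` hunk, where the same sentence applies.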
@@ -15611,17 +18095,18 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/reactivate: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Reactivate a User description: Reactivates a user. This operation can only be performed on users with a `PROVISIONED` status. This operation restarts the activation workflow if for some reason the user activation was not completed when using the activationToken from [Activate User](#activate-user). operationId: reactivateUser parameters: - - name: userId - in: path - required: true - schema: - type: string - name: sendEmail in: query description: Sends an activation email to the user if true @@ -15647,17 +18132,24 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/reset_factors: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Reset all Factors description: Resets all factors for the specified user. All MFA factor enrollments returned to the unenrolled state. The user's status remains ACTIVE. This link is present only if the user is currently enrolled in one or more MFA factors. operationId: resetFactors parameters: - - name: userId - in: path - required: true + - name: removeRecoveryEnrollment + description: 'If `true`, removes the phone number as both a recovery method and a Factor. Supported Factors: `sms` and `call`' + in: query schema: - type: string + type: boolean + default: false responses: '200': description: OK 
@@ -15674,22 +18166,30 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/reset_password: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Generate a Reset Password Token description: Generates a one-time token (OTT) that can be used to reset a user's password. The OTT link can be automatically emailed to the user or returned to the API caller and distributed using a custom flow. operationId: generateResetPasswordToken parameters: - - name: userId - in: path - required: true - schema: - type: string - name: sendEmail in: query required: true schema: type: boolean + - name: revokeSessions + description: When set to `true` (and the session is a user session), all user sessions are revoked except the current session. + in: query + required: false + schema: + type: boolean + default: false responses: '200': description: Success @@ -15709,17 +18209,17 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/suspend: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Suspend a User description: Suspends a user. This operation can only be performed on users with an `ACTIVE` status. The user will have a status of `SUSPENDED` when the process is complete. operationId: suspendUser - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: OK 
@@ -15736,17 +18236,17 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/unlock: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Unlock a User description: Unlocks a user with a `LOCKED_OUT` status or unlocks a user with an `ACTIVE` status that is blocked from unknown devices. Unlocked users have an `ACTIVE` status and can sign in with their current password. operationId: unlockUser - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -15763,17 +18263,17 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/lifecycle/unsuspend: + parameters: + - $ref: '#/components/parameters/pathUserId' post: summary: Unsuspend a User description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status. operationId: unsuspendUser - parameters: - - name: userId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -15790,22 +18290,47 @@ paths: - okta.users.manage tags: - User - /api/v1/users/{userId}/linkedObjects/{relationshipName}: - get: - summary: List all Linked Objects - description: Lists all linked objects for a user, relationshipName can be a primary or associated relationship name + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathPrimaryRelationshipName' + - $ref: '#/components/parameters/pathPrimaryUserId' + put: + summary: Create a Linked Object for two Users + description: Creates a Linked Object for two users + operationId: setLinkedObjectForUser + responses: + '204': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - okta.users.manage + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/linkedObjects/{relationshipName}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRelationshipName' + get: + summary: List all Linked Objects + description: Lists all linked objects for a user, relationshipName can be a primary or associated relationship name operationId: listLinkedObjectsForUser parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: relationshipName - in: path - required: true - schema: - type: string - name: after in: query schema: 
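Review bot: The new `setLinkedObjectForUser` operation lists only `oauth2` with `okta.users.manage` under `security`, whereas other operations added in this patch, such as `activateFactor`, also list `- apiToken: []`. If the endpoint really is OAuth-only that is fine, but it should be confirmed against the API, because the security requirement is what tells SDK users which credentials the call accepts. If it is an omission, add `- apiToken: []` above the `oauth2` entry. The enclosing `paths` map starts and ends outside this hunk.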
@@ -15837,21 +18362,14 @@ paths: - okta.users.read tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Linked Object description: Deletes linked objects for a user, relationshipName can be ONLY a primary relationship name operationId: deleteLinkedObjectForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: relationshipName - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -15868,17 +18386,18 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/roles: + parameters: + - $ref: '#/components/parameters/pathUserId' get: summary: List all Roles assigned to a User description: Lists all roles assigned to a user identified by `userId` operationId: listAssignedRolesForUser parameters: - - name: userId - in: path - required: true - schema: - type: string - name: expand in: query schema: @@ -15904,16 +18423,14 @@ paths: - okta.roles.read tags: - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Assign a Role to a User description: Assigns a role to a user identified by `userId` operationId: assignRoleToUser parameters: - - name: userId - in: path - required: true - schema: - type: string - name: disableNotifications description: Setting this to `true` grants the user third-party admin status in: query 
@@ -15947,22 +18464,17 @@ paths: - okta.roles.manage tags: - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleId' get: summary: Retrieve a Role assigned to a User description: Retrieves a role identified by `roleId` assigned to a user identified by `userId` operationId: getUserAssignedRole - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string responses: '200': description: Success @@ -15982,21 +18494,13 @@ paths: - okta.roles.read tags: - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign a Role from a User description: Unassigns a role identified by `roleId` from a user identified by `userId` operationId: unassignRoleFromUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -16013,22 +18517,18 @@ paths: - okta.roles.manage tags: - RoleAssignment + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleId' get: summary: List all Application Targets for Application Administrator Role description: Lists all App targets for an `APP_ADMIN` Role assigned to a User. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID. operationId: listApplicationTargetsForApplicationAdministratorRoleForUser parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - name: after in: query schema: @@ -16060,21 +18560,13 @@ paths: - okta.roles.read tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Assign all Apps as Target to Role description: Assigns all Apps as Target to Role operationId: assignAllAppsAsTargetToRoleForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string responses: '200': description: Success 
@@ -16091,27 +18583,18 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathAppName' put: summary: Assign an Application Target to Administrator Role description: Assigns an application target to administrator role operationId: assignAppTargetToAdminRoleForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -16128,26 +18611,13 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign an Application Target from an Application Administrator Role description: Unassigns an application target from application administrator role operationId: unassignAppTargetFromAppAdminRoleForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -16164,32 +18634,19 @@ paths: - okta.roles.manage tags: - RoleTarget - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}/{applicationId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}/{appId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' put: summary: Assign an Application Instance Target to an Application Administrator Role description: Assigns anapplication instance target to appplication administrator role operationId: assignAppInstanceTargetToAppAdminRoleForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string - - name: applicationId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -16206,31 +18663,13 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign an Application Instance Target from an Application Administrator Role description: Unassigns an application instance target from an application administrator role operationId: unassignAppInstanceTargetFromAdminRoleForUser - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: appName - in: path - required: true - schema: - type: string - - name: applicationId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -16247,22 +18686,18 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleId}/targets/groups: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleId' get: summary: List all Group Targets for Role description: Lists all group targets for role operationId: listGroupTargetsForRole parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - name: after in: query schema: @@ -16294,27 +18729,18 @@ paths: - okta.roles.read tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleId}/targets/groups/{groupId}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleId' + - $ref: '#/components/parameters/pathGroupId' put: summary: Assign a Group Target to Role description: Assigns a Group Target to Role operationId: assignGroupTargetToUserRole - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -16331,26 +18757,13 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Unassign a Group Target from Role description: Unassigns a Group Target from Role operationId: unassignGroupTargetFromUserAdminRole - parameters: - - name: userId - in: path - required: true - schema: - type: string - - name: roleId - in: path - required: true - schema: - type: string - - name: groupId - in: path - required: true - schema: - type: string responses: '204': description: No Content 
@@ -16367,17 +18780,17 @@ paths: - okta.roles.manage tags: - RoleTarget + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/sessions: + parameters: + - $ref: '#/components/parameters/pathUserId' delete: summary: Revoke all User Sessions description: Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. operationId: revokeUserSessions parameters: - - name: userId - in: path - required: true - schema: - type: string - name: oauthTokens in: query description: Revoke issued OpenID Connect and OAuth refresh and access tokens @@ -16400,17 +18813,24 @@ paths: - okta.users.manage tags: - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions: + parameters: + - $ref: '#/components/parameters/pathUserId' get: - summary: List all Subscriptions - description: Lists all subscriptions of a user. Only lists subscriptions for current user. An AccessDeniedException message is sent if requests are made from other users. - operationId: listUserSubscriptions + summary: List all Subscriptions for a User + description: Lists all subscriptions available to a specified User. Returns an `AccessDeniedException` message if requests are made for another user. + operationId: listSubscriptionsUser parameters: - in: path name: userId required: true schema: type: string + description: The unique ID of the user responses: '200': description: Success 
@@ -16432,22 +18852,25 @@ paths: - okta.users.read tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' get: - summary: List all Subscriptions by type - description: Lists all the subscriptions of a User with a specific notification type. Only gets subscriptions for current user. An AccessDeniedException message is sent if requests are made from other users. - operationId: listUserSubscriptionsByNotificationType + summary: Retrieve a Subscription for a User + description: Retrieves a subscription by `notificationType` for a specified User. Returns an `AccessDeniedException` message if requests are made for another user. + operationId: getSubscriptionsNotificationTypeUser parameters: - in: path name: userId required: true schema: type: string - - in: path - name: notificationType - required: true - schema: - type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' responses: '200': description: Success 
@@ -16467,25 +18890,28 @@ paths: - okta.users.read tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}/subscribe: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' post: - summary: Subscribe to a specific notification type - description: Subscribes a User to a specific notification type. Only the current User can subscribe to a specific notification type. An AccessDeniedException message is sent if requests are made from other users. - operationId: subscribeUserSubscriptionByNotificationType + summary: Subscribe a User to a Specific Notification Type + description: Subscribes the current user to a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. + operationId: subscribeByNotificationTypeUser parameters: - in: path name: userId required: true schema: type: string - - in: path - name: notificationType - required: true - schema: - type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' responses: '200': - description: Success + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
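Review bot: The `'200'` response of `subscribeByNotificationTypeUser` is now described as `No Content` while the status key stays `'200'`, so the spec documents an empty body under a code that readers and generated clients normally associate with a payload. If the endpoint really returns no body, the key should become `'204':` with `description: No Content`; if it returns 200, keep `description: Success`. Which one matches the service cannot be told from the diff. The `unsubscribeByNotificationTypeUser` hunk makes the same change. Separately, the new description says "the current user" while the summary and the `{userId}` path parameter say "a User", which blurs whose subscriptions a caller may change; one wording should be used throughout.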
@@ -16498,25 +18924,28 @@ paths: - okta.users.manage tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}/unsubscribe: + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' post: - summary: Unsubscribe from a specific notification type - description: Unsubscribes a User from a specific notification type. Only the current User can unsubscribe from a specific notification type. An AccessDeniedException message is sent if requests are made from other users. - operationId: unsubscribeUserSubscriptionByNotificationType + summary: Unsubscribe a User from a Specific Notification Type + description: Unsubscribes the current user from a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. + operationId: unsubscribeByNotificationTypeUser parameters: - in: path name: userId required: true schema: type: string - - in: path - name: notificationType - required: true - schema: - type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' responses: '200': - description: Success + description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -16529,6 +18958,9 @@ paths: - okta.users.manage tags: - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/zones: get: summary: List all Network Zones 
@@ -16543,18 +18975,21 @@ paths: - name: after in: query description: Specifies the pagination cursor for the next page of network zones + example: 200u7yq5goxNFTiMjW1d7 schema: type: string - name: limit in: query description: Specifies the number of results for a page + example: 5 schema: type: integer format: int32 default: -1 - name: filter in: query - description: Filters zones by usage or id expression + description: Filters zones by usage or ID expression + example: filter=%28id+eq+%22nzowc1U5Jh5xuAK0o0g3%22%29 schema: type: string responses: @@ -16566,6 +19001,11 @@ paths: type: array items: $ref: '#/components/schemas/NetworkZone' + examples: + RetrieveAllZonesWithFilter: + $ref: '#/components/examples/RetrieveAllZonesWithFilter' + RetrieveAllZones: + $ref: '#/components/examples/RetrieveAllZones' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': @@ -16576,6 +19016,9 @@ paths: - okta.networkZones.read tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: summary: Create a Network Zone description: |- @@ -16589,6 +19032,11 @@ paths: application/json: schema: $ref: '#/components/schemas/NetworkZone' + examples: + CreateIPPolicyNetworkZone: + $ref: '#/components/examples/CreateIPPolicyNetworkZone' + CreateIPPolicyBlocklistNetworkZone: + $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZone' required: true responses: '200': @@ -16597,6 +19045,11 @@ paths: application/json: schema: $ref: '#/components/schemas/NetworkZone' + examples: + CreateIPPolicyNetworkZone: + $ref: '#/components/examples/CreateIPPolicyNetworkZoneResponse' + CreateIPPolicyBlocklistNetworkZone: + $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZoneResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
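Review bot: The `example` added for the `filter` query parameter in the first hunk, `filter=%28id+eq+%22nzowc1U5Jh5xuAK0o0g3%22%29`, includes the parameter name and is already URL-encoded. A parameter example should be the raw value, so tooling that builds requests or docs from the spec would likely encode it a second time and show or send `filter=filter%3D%2528…`. I would write it as `example: '(id eq "nzowc1U5Jh5xuAK0o0g3")'`, matching the plain-value style of the `after` and `limit` examples added next to it.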
@@ -16609,17 +19062,16 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/zones/{zoneId}: + parameters: + - $ref: '#/components/parameters/pathZoneId' get: summary: Retrieve a Network Zone description: Retrieves a network zone by `zoneId` operationId: getNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -16627,6 +19079,11 @@ paths: application/json: schema: $ref: '#/components/schemas/NetworkZone' + examples: + RetrieveNetworkZoneIP: + $ref: '#/components/examples/RetrieveNetworkZoneIP' + RetrieveNetworkZoneDynamic: + $ref: '#/components/examples/RetrieveNetworkZoneDynamic' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -16639,24 +19096,24 @@ paths: - okta.networkZones.read tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace a Network Zone description: |- Replaces a network zone by `zoneId`. The replaced network zone type must be the same as the existing type. You may replace the usage (`POLICY`, `BLOCKLIST`) of a network zone by updating the `usage` attribute. operationId: replaceNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string x-codegen-request-body-name: zone requestBody: content: application/json: schema: $ref: '#/components/schemas/NetworkZone' + examples: + ReplaceNetworkZone: + $ref: '#/components/examples/ReplaceNetworkZone' required: true responses: '200': @@ -16665,6 +19122,9 @@ paths: application/json: schema: $ref: '#/components/schemas/NetworkZone' + examples: + ReplaceNetworkZone: + $ref: '#/components/examples/ReplaceNetworkZoneResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -16679,16 +19139,13 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true delete: summary: Delete a Network Zone description: Deletes network zone by `zoneId` operationId: deleteNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string responses: '204': description: No Content @@ -16705,17 +19162,16 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/zones/{zoneId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathZoneId' post: summary: Activate a Network Zone description: Activates a network zone by `zoneId` operationId: activateNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -16723,6 +19179,9 @@ paths: application/json: schema: $ref: '#/components/schemas/NetworkZone' + examples: + ActivateNetworkZone: + $ref: '#/components/examples/ActivateNetworkZone' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -16735,17 +19194,16 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/zones/{zoneId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathZoneId' post: summary: Deactivate a Network Zone description: Deactivates a network zone by `zoneId` operationId: deactivateNetworkZone - parameters: - - name: zoneId - in: path - required: true - schema: - type: string responses: '200': description: Success @@ -16753,6 +19211,9 @@ paths: application/json: schema: $ref: '#/components/schemas/NetworkZone' + examples: + DeactivateNetworkZone: + $ref: '#/components/examples/DeactivateNetworkZone' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -16765,6 +19226,9 @@ paths: - okta.networkZones.manage tags: - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /attack-protection/api/v1/user-lockout-settings: get: summary: Retrieve the User Lockout Settings @@ -16789,6 +19253,9 @@ paths: - okta.orgs.read tags: - AttackProtection + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: summary: Replace the User Lockout Settings description: Replaces the User Lockout Settings for an org 
@@ -16826,442 +19293,4441 @@ paths: - okta.orgs.manage tags: - AttackProtection -components: - securitySchemes: - apiToken: - description: 'Pass the API token as the Authorization header value prefixed with SSWS: `Authorization: SSWS {API Token}`' - name: Authorization - type: apiKey - in: header - oauth2: - type: oauth2 - description: 'Pass the access_token as the value of the Authorization header: `Authorization: Bearer {access_token}`' - flows: - authorizationCode: - authorizationUrl: /oauth2/v1/authorize - tokenUrl: /oauth2/v1/token - scopes: - okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization. - okta.agentPools.read: Allows the app to read agent pools in your Okta organization. - okta.apiToken.manage: Allows the app to manage API Tokens in your Okta organization. - okta.apiToken.read: Allows the app to read API Tokens in your Okta organization. - okta.apps.manage: Allows the app to create and manage Apps in your Okta organization. - okta.apps.read: Allows the app to read information about Apps in your Okta organization. - okta.authenticators.manage: Allows the app to manage all authenticators (e.g. enrollments, reset). - okta.authenticators.read: Allows the app to read org authenticators information. - okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization. - okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization. - okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization. - okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization. - okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization. - okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization. 
- okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization. - okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization. - okta.deviceAssurance.manage: Allows the app to manage device assurances. - okta.deviceAssurance.read: Allows the app to read device assurances. - okta.devices.manage: Allows the app to manage device status transitions and delete a device. - okta.devices.read: Allows the app to read the existing device's profile and search devices. - okta.domains.manage: Allows the app to manage custom Domains for your Okta organization. - okta.domains.read: Allows the app to read information about custom Domains for your Okta organization. - okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization. - okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization. - okta.groups.manage: Allows the app to manage existing groups in your Okta organization. - okta.groups.read: Allows the app to read information about groups and their members in your Okta organization. - okta.identitySources.manage: Allows the custom identity sources to manage user entities in your Okta organization - okta.identitySources.read: Allows to read session information for custom identity sources in your Okta organization - okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization. - okta.idps.read: Allows the app to read information about Identity Providers in your Okta organization. - okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization. - okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization. - okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization. - okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization. 
- okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization. - okta.logStreams.read: Allows the app to read information about log streams in your Okta organization. - okta.logs.read: Allows the app to read information about System Log entries in your Okta organization. - okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization. - okta.orgs.read: Allows the app to read organization-specific details about your Okta organization. - okta.policies.manage: Allows the app to manage policies in your Okta organization. - okta.policies.read: Allows the app to read information about policies in your Okta organization. - okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization. - okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization. - okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization. - okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization. - okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM. - okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM. - okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization. - okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization. - okta.riskEvents.manage: Allows the app to publish risk events to your Okta organization. - okta.riskProviders.manage: Allows the app to create and manage risk provider integrations in your Okta organization. - okta.riskProviders.read: Allows the app to read all risk provider integrations in your Okta organization. - okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization. 
- okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization. - okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization. - okta.schemas.read: Allows the app to read information about Schemas in your Okta organization. - okta.sessions.manage: Allows the app to manage all sessions in your Okta organization. - okta.sessions.read: Allows the app to read all sessions in your Okta organization. - okta.templates.manage: Allows the app to manage all custom templates in your Okta organization. - okta.templates.read: Allows the app to read all custom templates in your Okta organization. - okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization. - okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization. - okta.userTypes.manage: Allows the app to manage user types in your Okta organization. - okta.userTypes.read: Allows the app to read user types in your Okta organization. - okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information. - okta.users.read: Allows the app to read the existing users' profiles and credentials. 
+ x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services: + get: + summary: List all API Service Integration instances + description: Lists all API Service Integration instances with a pagination option + operationId: listApiServiceIntegrationInstances + parameters: + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/APIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/APIServiceIntegrationListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an API Service Integration instance + description: Creates and authorizes an API Service Integration instance + operationId: createApiServiceIntegrationInstance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/postAPIServiceIntegrationInstanceRequest' + examples: + postAPIServiceIntegrationRequestExample: + $ref: '#/components/examples/postAPIServiceIntegrationRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/postAPIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/postAPIServiceIntegrationResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + 
security: + - apiToken: [] + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + get: + summary: Retrieve an API Service Integration instance + description: Retrieves an API Service Integration instance by `id` + operationId: getApiServiceIntegrationInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/APIServiceIntegrationResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an API Service Integration instance + description: Deletes an API Service Integration instance by `id`. This operation also revokes access to scopes that were previously granted to this API Service Integration instance. 
+ operationId: deleteApiServiceIntegrationInstance + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + get: + summary: List all API Service Integration instance Secrets + description: Lists all client secrets for an API Service Integration instance by `apiServiceId` + operationId: listApiServiceIntegrationInstanceSecrets + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/APIServiceIntegrationInstanceSecretListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an API Service Integration instance Secret + description: Creates an API Service Integration instance Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects. 
+ operationId: createApiServiceIntegrationInstanceSecret + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + newAPIServiceIntegrationInstanceSecretResponse: + $ref: '#/components/examples/newAPIServiceIntegrationInstanceSecretResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' + delete: + summary: Delete an API Service Integration instance Secret + description: Deletes an API Service Integration instance Secret by `secretId`. You can only delete an inactive Secret. 
+ operationId: deleteApiServiceIntegrationInstanceSecret + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/activate: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' + post: + summary: Activate an API Service Integration instance Secret + description: Activates an API Service Integration instance Secret by `secretId` + operationId: activateApiServiceIntegrationInstanceSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + activeAPIServiceIntegrationInstanceSecretResponse: + $ref: '#/components/examples/activeAPIServiceIntegrationInstanceSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/deactivate: + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' + post: + summary: Deactivate an API Service Integration instance Secret + 
description: Deactivates an API Service Integration instance Secret by `secretId` + operationId: deactivateApiServiceIntegrationInstanceSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + inactiveAPIServiceIntegrationInstanceSecretResponse: + $ref: '#/components/examples/inactiveAPIServiceIntegrationInstanceSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/submissions/{submissionId}: + parameters: + - $ref: '#/components/parameters/pathSubmissionId' + /integrations/api/v1/submissions/{submissionId}/submit: + parameters: + - $ref: '#/components/parameters/pathSubmissionId' + /integrations/api/v1/submissions/{submissionId}/testing: + parameters: + - $ref: '#/components/parameters/pathSubmissionId' + /webauthn-registration/api/v1/activate: + post: + summary: Activate a Preregistered WebAuthn Factor + description: Activates a preregistered WebAuthn Factor. As part of this operation, Okta first decrypts and verifies the Factor PIN and enrollment data sent by the fulfillment provider. 
+ operationId: activatePreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Activation Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredResponsesProcessingFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /webauthn-registration/api/v1/enroll: + post: + summary: Enroll a Preregistered WebAuthn Factor + description: Enrolls a preregistered WebAuthn Factor. This WebAuthn Factor has a longer challenge timeout period to accommodate the fulfillment request process. As part of this operation, Okta generates EC key-pairs used to encrypt the Factor PIN and enrollment data sent by the fulfillment provider. 
+ operationId: enrollPreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment Initialization Request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationResponse' + '400': + description: PIN or Cred Requests Generation Failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorPinOrCredRequestsGenerationFailure' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /webauthn-registration/api/v1/initiate-fulfillment-request: + post: + summary: Generate a Fulfillment Request + description: Generates a fulfillment request by sending a WebAuthn Preregistration event to start the flow. The Okta Workflows WebAuthn preregistration integration uses this to populate the fulfillment request. 
+ operationId: generateFulfillmentRequest + x-codegen-request-body-name: body + requestBody: + description: Fulfillment Request + content: + application/json: + schema: + $ref: '#/components/schemas/FulfillmentRequest' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true +components: examples: + APIDevicesListAllResponse: + summary: List all devices with embedded users + value: + - id: guo4a5u7YAHhjXrMK0g4 + status: CREATED + created: '2019-10-02T18:03:07.000Z' + lastUpdated: '2019-10-02T18:03:07.000Z' + profile: + displayName: Example Device name 1 + platform: WINDOWS + serialNumber: XXDDRFCFRGF3M8MD6D + sid: S-1-11-111 + registered: true + secureHardwarePresent: false + diskEncryptionType: ALL_INTERNAL_VOLUMES + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 1 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g4 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users + hints: + allow: + - GET + _embedded: + users: [] + - id: guo4a5u7YAHhjXrMK0g5 + status: ACTIVE + created: '2023-06-21T23:24:02.000Z' + lastUpdated: '2023-06-21T23:24:02.000Z' + profile: + displayName: Example Device name 2 + platform: ANDROID + manufacturer: Google + model: Pixel 6 + osVersion: 13:2023-05-05 + registered: true + secureHardwarePresent: true + diskEncryptionType: USER + resourceType: UDDevice + 
resourceDisplayName: + value: Example Device name 2 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g5 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users + hints: + allow: + - GET + _embedded: + users: + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + status: ACTIVE + created: '2020-08-12T06:46:50.000Z' + activated: '2020-08-12T06:46:50.000Z' + statusChanged: '2021-01-27T21:05:32.000Z' + lastLogin: '2021-10-14T09:04:48.000Z' + lastUpdated: '2021-01-27T21:05:32.000Z' + passwordChanged: '2020-08-12T06:46:50.000Z' + type: + id: oty7ut9Uu76oHVUZc0w4 + profile: + firstName: fname + lastName: lname + mobilePhone: null + secondEmail: null + login: email@email.com + email: email@email.com + credentials: + password: {} + recovery_question: + question: What is the food you least liked as a child? 
+ provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc7ut9Uu76oHVUZc0w4 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password + method: POST + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/oty7ut9Uu76oHVUZc0w4 + changePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate + APIDevicesListAllUserSummaryResponse: + summary: List all devices with embedded user summaries + value: + - id: guo4a5u7YAHhjXrMK0g4 + status: CREATED + created: '2019-10-02T18:03:07.000Z' + lastUpdated: '2019-10-02T18:03:07.000Z' + profile: + displayName: Example Device name 1 + platform: WINDOWS + serialNumber: XXDDRFCFRGF3M8MD6D + sid: S-1-11-111 + registered: true + secureHardwarePresent: false + diskEncryptionType: ALL_INTERNAL_VOLUMES + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 1 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g4 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 + hints: + allow: + - GET + - 
PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users + hints: + allow: + - GET + _embedded: + users: [] + - id: guo4a5u7YAHhjXrMK0g5 + status: ACTIVE + created: '2023-06-21T23:24:02.000Z' + lastUpdated: '2023-06-21T23:24:02.000Z' + profile: + displayName: Example Device name 2 + platform: ANDROID + manufacturer: Google + model: Pixel 6 + osVersion: 13:2023-05-05 + registered: true + secureHardwarePresent: true + diskEncryptionType: USER + resourceType: UDDevice + resourceDisplayName: + value: Example Device name 2 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g5 + _links: + activate: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users + hints: + allow: + - GET + _embedded: + users: + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + realmId: 00u17vh0q8ov8IU8T0g5 + profile: + firstName: fname + lastName: lname + login: email@email.com + email: email@email.com + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + APIDevicesListAllUsersResponse: + summary: Response example + value: + - created: '2021-08-20T17:13:35.000Z' + managementStatus: NOT_MANAGED + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + status: ACTIVE + created: '2021-08-20T16:08:25.000Z' + activated: null + statusChanged: '2021-08-20T16:39:41.000Z' + lastLogin: '2023-04-18T17:54:12.000Z' + lastUpdated: '2021-12-20T18:27:30.000Z' + passwordChanged: '2021-12-20T18:27:30.000Z' + type: + id: oty17vh0n2EHVnbYF1d7 + profile: + firstName: Bunk + lastName: Moreland + mobilePhone: null + secondEmail: null + login: bunk.moreland@example.com + 
email: bunk.moreland@example.com + credentials: + password: null + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend + method: POST + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7 + resetPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password + method: POST + forgotPassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password + method: POST + expirePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + resetFactors: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors + method: POST + type: + href: https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7 + changePassword: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password + method: POST + deactivate: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate + method: POST + APIServiceIntegrationInstanceSecretListResponse: + summary: Secrets list response example + value: + - id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: 
+ allow: + - DELETE + - id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: '***MQGQ' + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + APIServiceIntegrationListResponse: + summary: List response example + value: + - id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + APIServiceIntegrationResponse: + summary: Response example + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + ActivateNetworkZone: + summary: Activated Network Zone response + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: LegacyIpZone + status: ACTIVE + usage: 
POLICY + created: '2019-05-17T18:44:31.000Z' + lastUpdated: '2019-05-21T13:50:49.000Z' + system: true + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + AddMappingBody: + summary: Update an existing profile mapping by adding one or more properties + value: + properties: + additionalProperties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.nickName + pushStatus: PUSH + AddMappingResponse: + summary: Update an existing profile mapping by adding one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.nickName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + AdminConsoleSettingsExample: + summary: Default Okta Admin Console Settings + value: + sessionMaxLifetimeMinutes: 720 + sessionIdleTimeoutMinutes: 15 + AllRulesOperationResponse: + value: + id: rre4mje4ez7B2a7B60g7 + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + ruleOperation: + 
numUserMoved: 50 + configuration: + id: ALL + name: All Rules + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7 + method: GET ApiTokenListMetadataResponse: value: - - name: My API Token - userId: 00uabcdefg1234567890 - tokenWindow: P30D - id: 00Tabcdefg1234567890 - clientName: Okta API - expiresAt: 2021-12-11T20:38:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + - name: My API Token + userId: 00uabcdefg1234567890 + tokenWindow: P30D + id: 00Tabcdefg1234567890 + clientName: Okta API + expiresAt: '2021-12-11T20:38:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + hints: + allow: + - GET + - name: Another API Token + userId: 00uabcdefg1234567890 + tokenWindow: PT5M + id: 00T1234567890abcdefg + clientName: Okta API + expiresAt: '2021-11-11T20:43:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + hints: + allow: + - GET + ApiTokenMetadataResponse: + value: + name: My API Token + userId: 00uXXXXXXXXXXXXXXXXX + tokenWindow: P30D + id: 00Tabcdefg1234567890 + clientName: Okta API + expiresAt: '2021-12-11T20:38:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX + hints: + allow: + - GET + AppFeatureListResponseEx: + summary: List app Feature response + value: + - name: 
USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: DISABLED + update: + profile: + status: DISABLED + lifecycleDeactivate: + status: DISABLED + password: + status: DISABLED + seed: RANDOM + change: KEEP_EXISTING + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + AppFeatureResponseEx: + summary: App Feature response + value: + name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: DISABLED + update: + profile: + status: DISABLED + lifecycleDeactivate: + status: DISABLED + password: + status: DISABLED + seed: RANDOM + change: KEEP_EXISTING + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + AppGrantsEx: + summary: App Grants example + value: + id: oag91n9ruw3dsaXzP0h6 + status: ACTIVE + created: '2023-02-21T16:54:00.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-21T16:54:00.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.users.read + source: ADMIN + _embedded: + scope: + id: okta.users.read + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + AppGrantsPostEx: + summary: App Grants example + value: + issuer: '{yourOktaDomain}' + scopeId: okta.users.read + AppUserSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + description: User's username for 
twitter.com + type: string + required: false + minLength: 1 + maxLength: 20 + required: [] + AppUserSchemaResponse: + value: + id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default + $schema: http://json-schema.org/draft-04/schema# + name: Example App + title: Example App User + lastUpdated: '2017-07-18T23:18:43.000Z' + created: '2017-07-18T22:35:30.000Z' + definitions: + base: + id: '#base' + type: object + properties: + userName: + title: Username + type: string + required: true + scope: NONE + maxLength: 100 + required: + - userName + custom: + id: '#custom' + type: object + properties: + twitterUserName: + title: Twitter username + description: User's username for twitter.com + type: string + scope: NONE + minLength: 1 + maxLength: 20 + required: [] + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + AssignGroupOwnerRequest: + summary: Assign a group owner request example + value: + id: 00u1cmc03xjzePoWD0h8 + type: USER + AssignGroupOwnerResponse: + summary: Assign a group owner response example + value: + id: 00u1cmc03xjzePoWD0h8 + type: USER + resolved: true + originId: null + originType: OKTA_DIRECTORY + displayName: Oliver Putnam + lastUpdated: Wed Mar 29 18:34:31 UTC 2023 + AuthenticatorRequestDuo: + value: + key: duo + name: Duo Security + provider: + type: DUO + configuration: + userNameTemplate: + template: oktaId + integrationKey: testIntegrationKey + secretKey: testSecretKey + host: https://api-xxxxxxxx.duosecurity.com + AuthenticatorResponseDuo: + value: + type: app + id: aut9gnvcjUHIWb37J0g4 + key: duo + status: ACTIVE + name: Duo Security + created: '2022-07-15T21:14:02.000Z' + lastUpdated: '2022-07-15T21:14:02.000Z' + settings: {} + provider: + type: DUO + configuration: + host: https://api-xxxxxxxx.duosecurity.com + userNameTemplate: + template: oktaId + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4 + hints: + allow: 
+ - GET + - PUT + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate + hints: + allow: + - POST + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods + hints: + allow: + - GET + AuthenticatorResponseEmail: + value: + type: email + id: aut1nbsPHh7jNjjyP0g4 + key: okta_email + status: ACTIVE + name: Email + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + settings: + allowedFor: any + tokenLifetimeInMinutes: 5 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponsePassword: + value: + type: password + id: aut1nbtrJKKA9m45a0g4 + key: okta_password + status: ACTIVE + name: Password + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + hints: + allow: + - GET + AuthenticatorResponsePhone: + value: + type: phone + id: aut1nbuyD8m1ckAYc0g4 + key: phone_number + status: INACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + settings: + allowedFor: none + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + hints: + allow: + - GET + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate 
+ hints: + allow: + - POST + AuthenticatorResponseSecurityQuestion: + summary: Security Question + value: + type: security_question + id: aut1nbvIgEenhwE6c0g4 + key: security_question + status: ACTIVE + name: Security Question + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4 + hints: + allow: + - GET + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponseWebAuthn: + value: + type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: ACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorsResponse: + summary: Org Authenticators + value: + - value: + type: email + id: aut1nbsPHh7jNjjyP0g4 + key: okta_email + status: ACTIVE + name: Email + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + settings: + allowedFor: any + tokenLifetimeInMinutes: 5 + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + hints: + allow: + - 
POST + - value: + type: password + id: aut1nbtrJKKA9m45a0g4 + key: okta_password + status: ACTIVE + name: Password + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + hints: + allow: + - GET + - value: + type: phone + id: aut1nbuyD8m1ckAYc0g4 + key: phone_number + status: INACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + settings: + allowedFor: none + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + hints: + allow: + - GET + activate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate + hints: + allow: + - POST + - value: + type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: ACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + BehaviorRuleRequest: + value: + name: My Behavior Rule + type: VELOCITY + BehaviorRuleResponse: + value: + id: abcd1234 + name: My Behavior Rule + type: VELOCITY + settings: + velocityKph: 805 + status: ACTIVE + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _link: + self: + href: 
https://your-subdomain.okta.com/api/v1/behaviors/abcd1234 + hints: + allow: + - GET + - POST + - PUT + - DELETE + CAPTCHAInstanceRequestHCaptcha: + value: + name: myHCaptcha + secretKey: xxxxxxxxxxx + siteKey: xxxxxxxxxxx + type: HCAPTCHA + CAPTCHAInstanceRequestReCaptcha: + value: + name: myReCaptcha + secretKey: xxxxxxxxxxx + siteKey: yyyyyyyyyyyyyyy + type: RECAPTCHA_V2 + CAPTCHAInstanceResponseHCaptcha: + value: + id: abcd1234 + name: myHCaptcha + siteKey: xxxxxxxxxxx + type: HCAPTCHA + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234 + hints: + allow: + - GET + - POST + - PUT + - DELETE + CAPTCHAInstanceResponseReCaptcha: + value: + id: abcd4567 + name: myReCaptcha + siteKey: yyyyyyyyyyyyyyy + type: RECAPTCHA_V2 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + CreateAnEventHook: + summary: Create an event hook + value: + name: Event Hook Test + events: + type: EVENT_TYPE + items: + - group.user_membership.add + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + CreateAnEventHookWithFilter: + summary: Create an event hook with a filter + value: + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + CreateAssocAuthServerBody: + summary: Create a trusted 
relationship between authorization servers + value: + - trusted: '{authorizationServerId}' + CreateAssocAuthServerResponse: + summary: Create a trusted relationship between authorization servers + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + CreateAuthServerBody: + summary: Create a custom authorization server + value: + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - api://default + CreateAuthServerResponse: + summary: Create a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + CreateBrandRequest: + value: + name: My Awesome Brand + CreateBrandResponse: + value: + id: bnd114iNkrcN6aR680g5 + removePoweredByOkta: false + customPrivacyPolicyUrl: null + name: My Awesome Brand + locale: en + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + isDefault: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes + hints: + allow: + - GET + CreateCustomTokenClaimBody: + summary: Create a custom token Claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Support + status: ACTIVE + system: false + value: Support + valueType: GROUPS + CreateCustomTokenClaimResponse: + summary: Create a custom token Claim response + value: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false 
+ alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + CreateEmailDomainRequest: + value: + displayName: Admin + userName: admin + domain: example.com + brandId: bnd100iSrkcN6aR680g1 + validationSubdomain: mail + CreateHookKeyResponse: + summary: Create a key response example + value: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + _embedded: + kty: RSA + alg: RSA + kid: 7fbc27fd-e3df-4522-86bf-1930110256ad + use: 'null' + e: AQAB + 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + CreateIPPolicyBlockListNetworkZone: + summary: Create an IP Policy Blocklist Network Zone + value: + type: IP + name: newBlockListNetworkZone + status: ACTIVE + usage: BLOCKLIST + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: null + CreateIPPolicyBlockListNetworkZoneResponse: + summary: IP Policy Blocklist Network Zone Response + value: + type: IP + id: nzo1qasnPb1kqEq0e0g4 + name: newBlockListNetworkzone + status: ACTIVE + usage: BLOCKLIST + created: '2020-10-12T18:58:02.000Z' + lastUpdated: '2020-10-12T18:58:02.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: 
https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate + hints: + allow: + - POST + CreateIPPolicyNetworkZone: + summary: Create an IP Policy Network Zone + value: + type: IP + name: newNetworkZone + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: + - type: CIDR + value: 2.2.3.4/24 + - type: CIDR + value: 3.3.4.5/24 + CreateIPPolicyNetworkZoneResponse: + summary: IP Policy Network Zone Response + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: newNetworkZone + status: ACTIVE + usage: POLICY + created: '2019-05-17T18:44:31.000Z' + lastUpdated: '2019-05-21T13:50:49.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24' + - type: CIDR + value: 2.3.4.5/24 + proxies: + - type: CIDR + value: 2.2.3.4/24 + - type: CIDR + value: 3.3.4.5/24 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + CreateSessionBody: + summary: Create a new Session with a valid session token + value: + sessionToken: 00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow + CreateSessionResponse: + summary: Create a new Session with a valid session token + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + CreateUISchemaBody: + summary: UI Schema body request + value: + uiSchema: + type: Group + elements: + - type: Control + scope: '#/properties/firstName' + label: First Name + options: + format: text + - 
type: Control + scope: '#/properties/lastName' + label: Last Name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Primary email + options: + format: text + buttonLabel: Submit + label: Sign in + CreateUISchemaResponse: + summary: Returns full UI Schema body + value: + id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Primary email + options: + format: text + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + CreateUpdateEmailCustomizationRequest: + value: + language: fr + subject: Bienvenue dans ${org.name}! + body:

Bonjour ${user.profile.firstName}. Activer le compte

+ isDefault: false + CreateUpdateEmailCustomizationResponse: + value: + language: fr + subject: Bienvenue dans ${org.name}! + body:

Bonjour ${user.profile.firstName}. Activer le compte

+ isDefault: false + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + CreateUpdateIamRolePermissionRequestExample: + value: + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode + CreateUserRequest: + summary: Create a user type request + value: + description: A new custom user type + displayName: New User Type + name: newUserType + CreateUserResponse: + summary: Create a user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + DeactivateNetworkZone: + summary: Deactivated Network Zone response + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: LegacyIpZone + status: INACTIVE + usage: POLICY + created: '2019-05-17T18:44:31.000Z' + lastUpdated: '2019-05-21T13:50:49.000Z' + system: true + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + DefaultRealmAssignmentRule: + value: + id: rul2jy7jLUlnO5ng00g4 + status: ACTIVE + name: Catch-all Rule + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + conditions: + profileSourceId: 0oa4enoRyjwSCy6hx0g4, + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf2g5 + priority: 499 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-rules/rul2jy7jLUlnO5ng00g4 + method: GET + DefaultRealmResponse: + value: + id: guox9jQ16k9V8IQWL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + profile: + name: Default Realm + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3 + method: GET + DeviceAssuranceAndroidRequest: + summary: Android request + value: + name: Device Assurance Android + osVersion: + minimum: 12 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceAndroidResponse: + summary: Android response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + 
DeviceAssuranceAndroidWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement request + value: + name: Device Assurance Android + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceAndroidWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with third-party signal providers request + value: + name: Device Assurance ChromeOS + platform: CHROMEOS + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + 
passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance ChromeOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + platform: CHROMEOS + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceIosRequest: + summary: iOS request + value: + name: Device Assurance iOS + osVersion: + minimum: 12.4.5 + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceIosResponse: + summary: iOS response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + 
DeviceAssuranceIosWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement request + value: + name: Device Assurance iOS + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceIosWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSRequest: + summary: macOS request + value: + name: Device Assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceMacOSResponse: + summary: macOS response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: 
https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement request + value: + name: Device Assurance macOS + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceMacOSWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with third-party signal providers request + value: + name: Device Assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: 
true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain": testDomain + builtInDnsClientEnabled": true + chromeRemoteDesktopAppBlocked": true + safeBrowsingProtectionLevel": true + siteIsolationEnabled": true + passwordProtectionWarningTrigger": PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode": true + DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_BROWSER_HW_KEY + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsRequest: + summary: Windows request + value: + name: Device Assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsResponse: + summary: Windows response + value: + id: 
dae3m8o4rWhwReDeM1c5 + name: Device Assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 and Windows 10 dynamic version requirements request + value: + name: Device Assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 and Windows 10 dynamic version requirements response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: 
+ - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with third-party signal providers request + value: + name: Device Assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + secureBootEnabled: true + windowsMachineDomain: testMachineDomain + windowsUserDomain: testUserDomain + thirdPartyBlockingEnabled: true + crowdStrikeCustomerId: testCustomerId + crowdStrikeAgentId": testAgentId + keyTrustLevel: CHROME_BROWSER_HW_KEY + DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with third-party signal providers response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + 
- PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + secureBootEnabled: true + windowsMachineDomain: testMachineDomain + windowsUserDomain: testUserDomain + thirdPartyBlockingEnabled: true + crowdStrikeCustomerId: testCustomerId + crowdStrikeAgentId": testAgentId + keyTrustLevel: CHROME_BROWSER_HW_KEY + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version request + value: + name: Device Assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: 
'2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 minimum version and a Windows 10 dynamic version requirement request + value: + name: Device Assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Windows 11 minimum version and Windows 10 dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device Assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - 
ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceResponse: + value: + id: guo8jx5vVoxfvJeLb0w4 + status: ACTIVE + created: '2020-11-03T21:47:01.000Z' + lastUpdated: '2020-11-03T23:46:27.000Z' + profile: + displayName: DESKTOP-EHAD3IE + platform: WINDOWS + manufacturer: International Corp + model: VMware7,1 + osVersion: 10.0.18362 + serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce + udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE + sid: S-1-5-21-3992267483-1860856704-2413701314-500 + registered: true + secureHardwarePresent: false + diskEncryptionType: NONE + resourceId: guo8jx5vVoxfvJeLb0w4 + resourceDisplayName: + value: DESKTOP-EHAD3IE + sensitive: false + resourceType: UDDevice + resourceAlternateId: null + _links: + suspend: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users + hints: + allow: + - GET + deactivate: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate + hints: + allow: + - POST + EmailCustomizationResponse: + value: + language: en + isDefault: true + subject: Welcome to ${org.name}! + body:

Hello, ${user.profile.firstName}. Click here to activate your account. + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + EmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: NOT_STARTED + displayName: Admin + userName: admin + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + EmailSettingsResponse: + value: + recipients: ALL_USERS + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + EmailTemplateDefaultContentResponse: + value: + subject: Welcome to ${org.name}! + body:

Hello, ${user.profile.firstName}. Click here to activate your account. + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + hints: + allow: + - GET + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAppFeatureAPIValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: feature' + errorLink: E0000001 + errorId: oaeZLxeiHUUQomPkM8xOqvu1A + errorCauses: + - errorSummary: Provisioning is not enabled for the app instance. + ErrorCAPTCHALimitOfOne: + value: + errorCode: E0000165 + errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org. + errorLink: E0000165 + errorId: oaejrB1fWL1S7mc-2KcG-SOtw + errorCauses: [] + ErrorCAPTCHAOrgWideSetting: + value: + errorCode: E0000149 + errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed. + errorLink: E0000149 + errorId: samplezsusshPdiTWiITwqBt8 + errorCauses: [] + ErrorCAPTCHAOrgWideSettingNull: + summary: captchaId is null, but enabledPages is defined + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: captchaId' + errorLink: E0000001 + errorId: oae-hk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: 'captchaId: Invalid CAPTCHA ID. 
The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.' + ErrorCreateUserWithExpiredPasswordWithNullPassword: + value: + errorCode: E0000124 + errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified + errorLink: E0000124 + errorId: oaeXxuZgXBySvqi1FvtkwoYCA + errorCauses: + - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified + ErrorCreateUserWithExpiredPasswordWithoutActivation: + value: + errorCode: E0000125 + errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true + errorLink: E0000125 + errorId: oaeDd77L9R-TJaD7j_rXsQ31w + errorCauses: + - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true + ErrorCreateUserWithTooManyManyGroupsResponse: + value: + errorCode: E0000093 + errorSummary: Target count limit exceeded + errorLink: E0000093 + errorId: oaePVSLIYnIQsC0B-ptBIllVA + errorCauses: + - errorSummary: The number of group targets is too large. + ErrorDeleteBrandAssociatedWithDomain: + value: + errorCode: E0000201 + errorSummary: A brand associated with a domain cannot be deleted + errorLink: E0000201 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorDeleteDefaultBrand: + value: + errorCode: E0000200 + errorSummary: A default brand cannot be deleted + errorLink: E0000200 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorDeviceAssuranceInUse: + summary: Cannot delete device assurance policy in use by authentication policies + value: + errorSummary: Device assurance is in use and cannot be deleted. 
+ errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorEmailCustomizationCannotClearDefault: + value: + errorCode: E0000185 + errorSummary: The isDefault parameter of the default email template customization can't be set to false. + errorLink: E0000185 + errorId: oaejrB1fWL1S7mc-2KcG-SOtw + errorCauses: [] + ErrorEmailCustomizationCannotDeleteDefault: + value: + errorCode: E0000184 + errorSummary: A default email template customization can't be deleted. + errorLink: E0000184 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorEmailCustomizationDefaultAlreadyExists: + value: + errorCode: E0000182 + errorSummary: A default email template customization already exists. + errorLink: E0000182 + errorId: oaeXYwTiMvASsC3O4HCzjFaCA + errorCauses: [] + ErrorEmailCustomizationLanguageAlreadyExists: + value: + errorCode: E0000183 + errorSummary: An email template customization for that language already exists. + errorLink: E0000183 + errorId: oaeUcGELffqRay0u1OPdnPypw + errorCauses: [] + ErrorEmailDomainAlreadyExists: + value: + errorCode: E0000197 + errorSummary: Email domain already exists. + errorLink: E0000197 + errorId: oaeEdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorEmailDomainInUse: + value: + errorCode: E0000216 + errorSummary: Email domain can't be deleted due to mail provider restrictions. + errorLink: E0000216 + errorId: oaeEdRqprFuTyKokyYPbURJkB + errorCauses: [] + ErrorEmailDomainInvalidStatus: + value: + errorCode: E0000217 + errorSummary: Invalid status. Can't validate email domain with current status. + errorLink: E0000217 + errorId: oaeEdRqprFuTyKokyYPbURJkD + errorCauses: [] + ErrorEmailDomainNotVerified: + value: + errorCode: E0000218 + errorSummary: Email domain couldn't be verified by mail provider. + errorLink: E0000218 + errorId: oaeEdRqprFuTyKokyYPbURJkC + errorCauses: [] + ErrorInvalidEmailTemplateRecipients: + value: + errorCode: E0000189 + errorSummary: This template does not support the recipients value. 
+ errorLink: E0000189 + errorId: oae8L1-UkcNTeGi5xVQ28_lww + errorCauses: [] + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorMissingRequiredParameter: + summary: Missing Required Parameter + value: + errorCode: E0000028 + errorSummary: The request is missing a required parameter. + errorLink: E0000028 + errorId: sampleiCF-l7mr9XqM1NQ + errorCauses: [] + ErrorPinOrCredRequestsGenerationFailure: + summary: PIN or Cred Requests Generation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinRequest|credRequests' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: There was a problem generating the pinRequest|credRequests. + ErrorPinOrCredResponsesProcessingFailure: + summary: PIN or Cred Response Processing Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinResponse|credResponses' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8B + errorCauses: + errorSummary: There was a problem generating the pinResponse|credResponses. + ErrorPushProviderUsedByCustomAppAuthenticator: + value: + errorCode: E0000187 + errorSummary: Cannot delete push provider because it is being used by a custom app authenticator. + errorLink: E0000187 + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: You exceeded the maximum number of requests. Try again in a while. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + GetBrandResponse: + value: + id: bnd114iNkrcN6aR680g4 + removePoweredByOkta: false + customPrivacyPolicyUrl: null + name: Okta Default + isDefault: true + locale: en + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + GetEmailTemplateResponse: + value: + name: UserActivation + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + settings: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + customizations: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + hints: + allow: + - GET + - POST + - DELETE + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + GetRealmAssignmentRuleResponse: + value: + id: rul2jy7jLUlnO3ng00g4 + status: ACTIVE + name: Realm Assignment Rule 1 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + priority: 0 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-rules/rul2jy7jLUlnO3ng00g4 + method: GET + GetUserResponse: + summary: Retrieve a user type response + value: + id: 
otyfnly5cQjJT9PnR0g4 + displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + GroupSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + groupContact: + title: Group administrative contact + description: Group administrative contact + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + GroupSchemaResponse: + value: + $schema: http://json-schema.org/draft-04/schema# + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default + method: GET + rel: self + created: '2021-01-30T00:18:24.000Z' + definitions: + base: + id: '#base' + properties: {} + required: + - name + type: object + custom: + id: '#custom' + properties: + groupContact: + description: Group administrative contact + master: + type: PROFILE_MASTER + mutability: READ_WRITE + permissions: + - action: READ_WRITE + principal: SELF + scope: NONE + title: Group administrative contact + type: string + required: [] + type: object + description: Okta group profile template + id: https://{yourOktaDomain}/meta/schemas/group/default + lastUpdated: '2021-02-25T23:05:31.000Z' + name: group + properties: + profile: + allOf: + - $ref: '#/definitions/custom' + - $ref: '#/definitions/base' + title: Okta group + type: object + ListAllKeysResponse: + summary: List All Keys response example + value: + - id: HKY1i2htmXF5UNQhL0g4 + keyId: bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb + name: My new key + created: '2022-08-22T16:34:33.000Z' + lastUpdated: '2022-08-22T16:34:33.000Z' + isUsed: 'true' + - id: 
HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: Test key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + ListAppGrantsEx: + summary: List all app Grants example + value: + - id: oag91n9ruw3dsaXzP0h6 + status: ACTIVE + created: '2023-02-21T16:54:00.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-21T16:54:00.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.users.read + source: ADMIN + _embedded: + scope: + id: okta.users.read + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + - id: oaghm3sh9ukdkvDmO0h6 + status: ACTIVE + created: '2023-02-03T21:57:49.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-03T21:57:49.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.apps.manage + source: ADMIN + _embedded: + scope: + id: okta.apps.manage + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oaghm3sh9ukdkvDmO0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + ListAssocAuthServerResponse: + summary: List associated Authorization Servers + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + 
rotationMode: DYNAMIC + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig _links: self: - href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + ListAuthServersResponse: + summary: List all custom authorization servers in your org + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - DELETE - user: - href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ListBrandsResponse: + value: + - id: bnd114iNkrcN6aR680g4 + name: Okta Default + isDefault: true + removePoweredByOkta: false + customPrivacyPolicyUrl: null + locale: en + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 hints: allow: - GET - - name: Another API Token - userId: 00uabcdefg1234567890 - tokenWindow: PT5M - id: 00T1234567890abcdefg - clientName: Okta API - expiresAt: 2021-11-11T20:43:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + ListCustomTokenClaimsResponse: + summary: List all custom token Claims for an authorization server + value: + - id: '{claimId}' + name: sub + status: ACTIVE + claimType: RESOURCE + valueType: EXPRESSION + value: '(appuser != null) ? appuser.userName : app.clientId' + conditions: + scopes: + - profile + system: true + alwaysIncludeInToken: true + apiResourceId: null _links: self: - href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} hints: allow: - GET + - PUT - DELETE - user: - href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + ListEmailCustomizationResponse: + value: + - language: en + isDefault: true + subject: Welcome to ${org.name}! + body:

Hello, ${user.profile.firstName}. Click here to activate your account. + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 hints: allow: - GET - ApiTokenMetadataResponse: + - PUT + - DELETE + template: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ListEmailTemplateResponse: value: - name: My API Token - userId: 00uXXXXXXXXXXXXXXXXX - tokenWindow: P30D - id: 00Tabcdefg1234567890 - clientName: Okta API - expiresAt: 2021-12-11T20:38:10.000Z - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z - _links: - self: - href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 - hints: - allow: - - GET - - DELETE - user: - href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX - hints: - allow: - - GET - AppUserSchemaAddRequest: + - name: UserActivation + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + settings: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + customizations: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + hints: + allow: + - GET + - POST + - DELETE + test: + href: 
https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ListFeatureDependenciesResponse: + summary: List all dependencies for a feature + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: OPEN + value: EA + status: ENABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListFeatureDependentsResponse: + summary: List all feature dependents for the specified feature + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: OPEN + value: EA + status: ENABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListFeaturesResponse: + summary: List all self-service features for your org + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: CLOSED + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListMappingsResponse: + summary: List all Profile Mappings response + value: + - id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 
+ name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + ListRealmAssignmentRulesResponse: + value: + - id: rul2jy7jLUlnO3ng00g4 + status: ACTIVE + name: Realm Assignment Rule 1 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: user.profile.role ==\"Manager\" + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + priority: 0 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-rules/rul2jy7jLUlnO3ng00g4 + method: GET + - id: rul2jy7jLUlnO5ng00g4 + status: ACTIVE + name: Catch-all Rule + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + conditions: + profileSourceId: 0oa4enoRyjwSCy6hx0g4, + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf2g5 + priority: 499 + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realm-rules/rul2jy7jLUlnO5ng00g4 + method: GET + ListRealmAwareUsersResponse: + summary: List all Users + value: + - id: 00u118oQYT4TBGuay0g4 + status: ACTIVE + created: '2022-04-04T15:56:05.000Z' + activated: null + statusChanged: null + lastLogin: '2022-05-04T19:50:52.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + passwordChanged: '2022-04-04T16:00:22.000Z' + type: + id: oty1162QAr8hJjTaq0g4 + profile: + firstName: Alice + lastName: Smith + mobilePhone: null + secondEmail: null + login: 
alice.smith@example.com + email: alice.smith@example.com + realmId: guo1afiNtSnZYILxO0g4 + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + ListRealmsResponse: + value: + - id: guox9jQ16k9V8IFEL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + profile: + name: Car Co + realmType: PARTNER + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 + method: GET + ListRiskProviderResponse: + summary: List Risk Provider response example + value: + - id: 00rp12r4skkjkjgsn + action: log_only + name: Risk-Partner-X + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 22:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT + ListSessionsResponse: + value: + - id: uij4ri8ZLk0ywyqxB0g1 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' + ListSessionsResponseForGetSessions: + value: + - id: uij4ri8ZLk0ywyqxB0g1 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' + - id: uij4ri8ZLk0ywyqxB0g2 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: TRIGGERED + importType: INCREMENTAL + created: '2022-04-04T16:56:05.000Z' + lastUpdated: '2022-05-05T17:15:44.000Z' + - id: uij4ri8ZLk0ywyqxB0g3 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: IN_PROGRESS + importType: INCREMENTAL + created: '2022-04-04T17:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + - id: uij4ri8ZLk0ywyqxB0g4 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: EXPIRED + importType: INCREMENTAL + created: '2022-04-04T18:56:05.000Z' + lastUpdated: 
'2022-05-05T19:15:44.000Z' + - id: uij4ri8ZLk0ywyqxB0g5 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CLOSED + importType: INCREMENTAL + created: '2022-04-04T19:56:05.000Z' + lastUpdated: '2022-05-05T20:15:44.000Z' + ListUISchemaResponse: + summary: Lists all UI Schemas response + value: + - id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + options: + format: text + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + - id: uis4abjqkkKXVPGAU0g7 + uiSchema: + type: Group + label: Sign in 2 + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: 
radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7 + hints: + allow: + - GET + - PUT + - DELETE + ListUserBlocksAnyDevicesResponse: value: - definitions: - custom: - id: '#custom' - type: object - properties: - twitterUserName: - title: Twitter username - description: User's username for twitter.com - type: string - required: false - minLength: 1 - maxLength: 20 - required: [] - AppUserSchemaResponse: + - type: DEVICE_BASED + appliesTo: ANY_DEVICES + ListUserBlocksUnknownDevicesResponse: value: - id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default - $schema: http://json-schema.org/draft-04/schema# - name: Example App - title: Example App User - lastUpdated: '2017-07-18T23:18:43.000Z' - created: '2017-07-18T22:35:30.000Z' - definitions: - base: - id: '#base' - type: object - properties: - userName: - title: Username - type: string - required: true - scope: NONE - maxLength: 100 - required: - - userName - custom: - id: '#custom' - type: object - properties: - twitterUserName: - title: Twitter username - description: User's username for twitter.com - type: string - scope: NONE - minLength: 1 - maxLength: 20 - required: [] - type: object - properties: + - type: DEVICE_BASED + appliesTo: UNKNOWN_DEVICES + ListUsersResponse: + summary: List all Users + value: + - id: 00u118oQYT4TBTemp0g4 + status: ACTIVE + created: '2022-04-04T15:56:05.000Z' + activated: null + statusChanged: null + lastLogin: '2022-05-04T19:50:52.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + passwordChanged: '2022-04-04T16:00:22.000Z' + type: + id: oty1162QAr8hJjTaq0g4 profile: - allOf: - - $ref: '#/definitions/base' - - $ref: '#/definitions/custom' - AuthenticatorRequestDuo: + firstName: Alice + lastName: Smith + mobilePhone: null + secondEmail: null + login: alice.smith@example.com + email: alice.smith@example.com + credentials: + password: {} + 
provider: + type: OKTA + name: OKTA + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + ListsAllUserTypes: + summary: Lists all user types value: - key: duo - name: Duo Security - provider: - type: DUO - configuration: - userNameTemplate: - template: oktaId - integrationKey: testIntegrationKey - secretKey: testSecretKey - host: https://api-xxxxxxxx.duosecurity.com - AuthenticatorResponseDuo: + - id: otyfnly5cQjJT9PnR0g4 + displayName: New User Type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + - id: otyz9fj2jMiRBC1ZT1d6 + displayName: User + name: user + description: Okta user profile template with default permission settings + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: true + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ListsOwnerOneResponse: + summary: Lists a response with one owner value: - type: app - id: aut9gnvcjUHIWb37J0g4 - key: duo - status: ACTIVE - name: Duo Security - created: '2022-07-15T21:14:02.000Z' - lastUpdated: '2022-07-15T21:14:02.000Z' - settings: {} - provider: - type: DUO - configuration: - host: https://api-xxxxxxxx.duosecurity.com - userNameTemplate: - template: oktaId - _links: - self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4 - hints: - allow: - - GET - - PUT - deactivate: - href: 
https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate - hints: - allow: - - POST - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods - hints: - allow: - - GET - AuthenticatorResponseEmail: &ref_14 + - id: 00g1gae1k0znUcLuU0h8 + type: GROUP + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Product & Engineering + lastUpdated: '2023-03-29 18:18:37.0' + ListsOwnersMultipleResponse: + summary: Lists a response with multiple owners value: - type: email - id: aut1nbsPHh7jNjjyP0g4 - key: okta_email + - id: 00u1cmbqjkkmFXeqb0h8 + type: USER + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Mabel Mora + lastUpdated: '2023-03-29T18:30:58.000Z' + - id: 00u1cmc52x5B86cnZ0h8 + type: USER + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Cinda Canning + lastUpdated: '2023-03-29T18:30:55.000Z' + LogStreamActivateResponse: + summary: Activate Log Stream response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:22:43.000Z' + created: '2023-03-24T21:02:43.000Z' status: ACTIVE - name: Email - created: '2020-07-26T21:05:23.000Z' - lastUpdated: '2020-07-28T21:45:52.000Z' settings: - allowedFor: any - tokenLifetimeInMinutes: 5 + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 - hints: - allow: - - GET - - PUT - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods - hints: - allow: - - GET + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET deactivate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate - hints: - allow: - - POST - AuthenticatorResponsePassword: &ref_15 - value: - type: password - id: 
aut1nbtrJKKA9m45a0g4 - key: okta_password - status: ACTIVE - name: Password - created: '2020-07-26T21:05:23.000Z' - lastUpdated: '2020-07-26T21:05:23.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 - hints: - allow: - - GET - - PUT - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods - hints: - allow: - - GET - AuthenticatorResponsePhone: &ref_16 + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamDeactivateResponse: + summary: Deactivate Log Stream response value: - type: phone - id: aut1nbuyD8m1ckAYc0g4 - key: phone_number + id: 0oa7agphh5FT7H521d7 + type: splunk_cloud_logstreaming + name: Splunk Cloud Example + lastUpdated: '2023-03-24T21:23:00.000Z' + created: '2023-03-24T21:15:13.000Z' status: INACTIVE - name: Phone - created: '2020-07-26T21:05:23.000Z' - lastUpdated: '2020-07-29T00:21:29.000Z' settings: - allowedFor: none + edition: aws + host: okexample.splunkcloud.com _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 - hints: - allow: - - GET - - PUT - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods - hints: - allow: - - GET + href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7 + method: GET activate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate - hints: - allow: - - POST - AuthenticatorResponseSecurityQuestion: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate + method: POST + LogStreamGetAllResponse: + summary: Lists all Log Streams value: - type: security_question - id: aut1nbvIgEenhwE6c0g4 - key: security_question + - id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:02:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + 
accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamPostRequest: + summary: Create an AWS EventBridge Log Stream + value: + type: aws_eventbridge + name: Example AWS EventBridge + settings: + eventSourceName: your-event-source-name + accountId: '123456789012' + region: us-east-2 + LogStreamPostResponse: + summary: AWS EventBridge Log Stream response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:02:43.000Z' + created: '2023-03-24T21:02:43.000Z' status: ACTIVE - name: Security Question - created: '2020-07-26T21:05:23.000Z' - lastUpdated: '2020-07-26T21:05:23.000Z' + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4 - hints: - allow: - - GET - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods - hints: - allow: - - GET + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET deactivate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate - hints: - allow: - - POST - AuthenticatorResponseWebAuthn: &ref_17 + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamPutRequest: + summary: Replace AWS EventBridge name value: - type: security_key - id: aut1nd8PQhGcQtSxB0g4 - key: webauthn + type: aws_eventbridge + name: Updated AWS EventBridge + settings: + eventSourceName: your-event-source-name + accountId: '123456789012' + region: us-east-2 + LogStreamPutResponse: + summary: Replace AWS EventBridge name response + value: + 
id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Updated AWS EventBridge + lastUpdated: '2023-03-24T21:12:43.000Z' + created: '2023-03-24T21:02:43.000Z' status: ACTIVE - name: Security Key or Biometric - created: '2020-07-26T21:16:37.000Z' - lastUpdated: '2020-07-27T18:59:30.000Z' + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 _links: self: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 - hints: - allow: - - GET - - PUT - methods: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods - hints: - allow: - - GET + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET deactivate: - href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate - hints: - allow: - - POST - AuthenticatorsResponse: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamSchemaAws: value: - - *ref_14 - - *ref_15 - - *ref_16 - - *ref_17 - BehaviorRuleRequest: + $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge + title: AWS EventBridge + type: object + properties: + settings: + description: Configuration properties specific to AWS EventBridge + type: object + properties: + accountId: + title: AWS Account ID + description: Your Amazon AWS Account ID. + type: string + writeOnce: true + pattern: ^\d{12}$ + eventSourceName: + title: AWS Event Source Name + description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. + type: string + writeOnce: true + pattern: ^[\.\-_A-Za-z0-9]{1,75}$ + region: + title: AWS Region + description: The destination AWS region for your system log events. + type: string + writeOnce: true + oneOf: + - title: US East (Ohio) + const: us-east-2 + - title: US East (N. Virginia) + const: us-east-1 + - title: US West (N. 
California) + const: us-west-1 + - title: US West (Oregon) + const: us-west-2 + - title: Canada (Central) + const: ca-central-1 + - title: Europe (Frankfurt) + const: eu-central-1 + - title: Europe (Ireland) + const: eu-west-1 + - title: Europe (London) + const: eu-west-2 + - title: Europe (Paris) + const: eu-west-3 + - title: Europe (Milan) + const: eu-south-1 + - title: Europe (Stockholm) + const: eu-north-1 + required: + - eventSourceName + - accountId + - region + errorMessage: + properties: + accountId: Account number must be 12 digits. + eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + LogStreamSchemaList: value: - name: My Behavior Rule - type: VELOCITY - BehaviorRuleResponse: + - $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge + title: AWS EventBridge + type: object + properties: + settings: + description: Configuration properties specific to AWS EventBridge + type: object + properties: + accountId: + title: AWS Account ID + description: Your Amazon AWS Account ID. + type: string + writeOnce: true + pattern: ^\d{12}$ + eventSourceName: + title: AWS Event Source Name + description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. + type: string + writeOnce: true + pattern: ^[\.\-_A-Za-z0-9]{1,75}$ + region: + title: AWS Region + description: The destination AWS region for your system log events. + type: string + writeOnce: true + oneOf: + - title: US East (Ohio) + const: us-east-2 + - title: US East (N. Virginia) + const: us-east-1 + - title: US West (N. 
California) + const: us-west-1 + - title: US West (Oregon) + const: us-west-2 + - title: Canada (Central) + const: ca-central-1 + - title: Europe (Frankfurt) + const: eu-central-1 + - title: Europe (Ireland) + const: eu-west-1 + - title: Europe (London) + const: eu-west-2 + - title: Europe (Paris) + const: eu-west-3 + - title: Europe (Milan) + const: eu-south-1 + - title: Europe (Stockholm) + const: eu-north-1 + required: + - eventSourceName + - accountId + - region + errorMessage: + properties: + accountId: Account number must be 12 digits. + eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + - $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + title: Splunk Cloud + type: object + properties: + settings: + description: Configuration properties specific to Splunk Cloud + type: object + properties: + host: + title: Host + description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com' + type: string + writeOnce: false + pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ + token: + title: HEC Token + description: The token from your Splunk Cloud HTTP Event Collector (HEC). + type: string + writeOnce: false + pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' + required: + - host + - token + errorMessage: + properties: + host: 'Host should be a domain without http or https. 
For example: acme.splunkcloud.com' + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + LogStreamSchemaSplunk: value: - id: abcd1234 - name: My Behavior Rule - type: VELOCITY - settings: - velocityKph: 805 + $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + title: Splunk Cloud + type: object + properties: + settings: + description: Configuration properties specific to Splunk Cloud + type: object + properties: + host: + title: Host + description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com' + type: string + writeOnce: false + pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ + token: + title: HEC Token + description: The token from your Splunk Cloud HTTP Event Collector (HEC). + type: string + writeOnce: false + pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' + required: + - host + - token + errorMessage: + properties: + host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. 
+ OAuth2RefreshTokenResponseEx: + summary: OAuth 2.0 refresh token example + value: + id: oar579Mcp7OUsNTlo0g3 status: ACTIVE - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z - _link: + created: '2023-03-09T03:18:06.000Z' + lastUpdated: '2023-03-09T03:18:06.000Z' + expiresAt: '2023-03-16T03:18:06.000Z' + issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + clientId: 0oabskvc6442nkvQO0h7 + userId: 00u5t60iloOHN9pBi0h7 + scopes: + - offline_access + - car:drive + _embedded: + scopes: + - id: scppb56cIl4GvGxy70g3 + name: offline_access + description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: offline_access + - id: scp142iq2J8IGRUCS0g4 + name: car:drive + displayName: Drive car + description: Allows the user to drive a car + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 + title: Drive car + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: Native self: - href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234 + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + revoke: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 hints: allow: - - GET - - POST - - PUT - DELETE - CAPTCHAInstanceRequestHCaptcha: - value: - name: myHCaptcha - secretKey: xxxxxxxxxxx - siteKey: xxxxxxxxxxx - type: HCAPTCHA - CAPTCHAInstanceRequestReCaptcha: + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 + title: Example Client App + user: + href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 + title: Saml Jackson + authorizationServer: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: Example Authorization Server + OAuth2RefreshTokenResponseListEx: + summary: App refresh token list example value: - name: myReCaptcha - secretKey: xxxxxxxxxxx - siteKey: yyyyyyyyyyyyyyy - type: RECAPTCHA_V2 - CAPTCHAInstanceResponseHCaptcha: + - id: oar579Mcp7OUsNTlo0g3 + status: ACTIVE + created: '2023-03-09T03:18:06.000Z' + lastUpdated: '2023-03-09T03:18:06.000Z' + expiresAt: '2023-03-16T03:18:06.000Z' + issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + clientId: 0oabskvc6442nkvQO0h7 + userId: 00u5t60iloOHN9pBi0h7 + scopes: + - offline_access + - car:drive + _embedded: + scopes: + - id: scppb56cIl4GvGxy70g3 + name: offline_access + description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: offline_access + - id: scp142iq2J8IGRUCS0g4 + name: car:drive + displayName: Drive car + description: Allows the user to drive a car + _links: + scope: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 + title: Drive car + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: Native + self: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + revoke: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 + title: Example Client App + user: + href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 + title: Saml Jackson + authorizationServer: + href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: Example Authorization Server + 
OperationResponse: value: - id: abcd1234 - name: myHCaptcha - siteKey: xxxxxxxxxxx - type: HCAPTCHA + id: rre4mje4ez6B2a7B60g7 + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + ruleOperation: + numUserMoved: 50 + configuration: + id: 0pr1b7rxZj2ibQzfP0g5 + name: Realm Assignment Rule 1 + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + realmName: Realm Name _links: self: - href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234 - hints: - allow: - - GET - - POST - - PUT - - DELETE - CAPTCHAInstanceResponseReCaptcha: + rel: self + href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 + method: GET + OrgCAPTCHASettingsConfigured: + summary: Org-wide Captcha Settings are configured value: - id: abcd4567 - name: myReCaptcha - siteKey: yyyyyyyyyyyyyyy - type: RECAPTCHA_V2 + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN _links: self: href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 
@@ -17271,250 +23737,162 @@ components: - POST - PUT - DELETE - CreateBrandDomainRequest: + OrgCAPTCHASettingsDisable: + summary: Disable Org-wide Captcha Settings value: - domainId: OcD11vyscTlIkpC7i0g4 - CreateBrandRequest: - value: - name: My Awesome Brand - CreateBrandResponse: + captchaId: 'null' + enabledPages: 'null' + OrgCAPTCHASettingsDisabled: + summary: Disabled Org-wide Captcha Settings value: - id: bnd114iNkrcN6aR680g5 - removePoweredByOkta: false - customPrivacyPolicyUrl: null - name: My Awesome Brand - isDefault: false + captchaId: 'null' + enabledPages: '[]' _links: self: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5 + href: https://your-subdomain.okta.com/api/v1/captchas/ hints: allow: - GET - PUT - - DELETE - themes: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes - hints: - allow: - - GET - CreateUpdateEmailCustomizationRequest: - value: - language: fr - subject: Bienvenue dans ${org.name}! - body:

Bonjour ${user.profile.firstName}. Activer le compte

- isDefault: false - CreateUpdateEmailCustomizationResponse: + OrgCAPTCHASettingsEmpty: + summary: Org-wide Captcha Settings aren't configured value: - language: fr - subject: Bienvenue dans ${org.name}! - body:

Bonjour ${user.profile.firstName}. Activer le compte

- isDefault: false - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + captchaId: null + enabledPages: [] _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + href: https://your-subdomain.okta.com/api/v1/captchas hints: allow: - GET + - POST - PUT - DELETE - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation - hints: - allow: - - GET - preview: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + OrgCAPTCHASettingsUpdate: + summary: Update Org-wide Captcha Settings + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + OrgCAPTCHASettingsUpdated: + summary: Updated Org-wide Captcha Settings + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 hints: allow: - GET - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test - hints: - allow: - POST - DeviceAssuranceAndroidRequest: + - PUT + - DELETE + PerClientRateLimitSettingsEnforceDefault: value: - name: Device Assurance Android - osVersion: - minimum: 12.4.5 - diskEncryptionType: - include: - - USER - - FULL - jailbreak: false - platform: ANDROID - screenLockType: - include: - - BIOMETRIC - secureHardwarePresent: true - DeviceAssuranceIosRequest: + defaultMode: ENFORCE + PerClientRateLimitSettingsEnforceDefaultWithOverrides: value: - name: Device Assurance IOS - osVersion: - minimum: 12.4.5 - jailbreak: false - platform: IOS - screenLockType: - include: - - BIOMETRIC - DeviceAssuranceMacOSRequest: + defaultMode: ENFORCE + useCaseModeOverrides: + OAUTH2_AUTHORIZE: PREVIEW + OIE_APP_INTENT: DISABLE + PerClientRateLimitSettingsPreviewDefaultWithOverrides: value: - name: Device Assurance macOS - osVersion: 
- minimum: 12.4.5 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: MACOS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - DeviceAssuranceResponse: + defaultMode: PREVIEW + useCaseModeOverrides: + LOGIN_PAGE: ENFORCE + PermissionResponse: value: - id: dae3m8o4rWhwReDeM1c5 - name: Device Assurance Example - lastUpdate: 2022-01-01T00:00:00.000Z - createdUpdate: 2022-01-01T00:00:00.000Z - lastUpdatedBy: 00u217pyf72CdUrBt1c5 - createdBy: 00u217pyf72CdUrBt1c5 - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: WINDOWS - screenLockType: - include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true + label: okta.users.manage + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: - href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 - hints: - allow: - - DELETE - - GET - - PUT - DeviceAssuranceWindowsRequest: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage + PermissionResponseWithConditions: value: - name: Device Assurance Windows - osVersion: - minimum: 12.4.5.9 - diskEncryptionType: - include: - - ALL_INTERNAL_VOLUMES - platform: WINDOWS - screenLockType: + label: okta.users.read + conditions: include: - - PASSCODE - - BIOMETRIC - secureHardwarePresent: true - DeviceResponse: - value: - id: guo8jx5vVoxfvJeLb0w4 - status: ACTIVE - created: '2020-11-03T21:47:01.000Z' - lastUpdated: '2020-11-03T23:46:27.000Z' - profile: - displayName: DESKTOP-EHAD3IE - platform: WINDOWS - manufacturer: International Corp - model: VMware7,1 - osVersion: 10.0.18362 - serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce - udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE - sid: S-1-5-21-3992267483-1860856704-2413701314-500 - registered: true - secureHardwarePresent: false - 
resourceId: guo8jx5vVoxfvJeLb0w4 - resourceDisplayName: - value: DESKTOP-EHAD3IE - sensitive: false - resourceType: UDDevice - resourceAlternateId: null + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' _links: - suspend: - href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend - hints: - allow: - - POST + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: - href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 - hints: - allow: - - GET - - PATCH - - PUT - users: - href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users - hints: - allow: - - GET - deactivate: - href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate - hints: - allow: - - POST - EmailCustomizationResponse: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read + PermissionsResponse: value: - language: en - isDefault: true - subject: Welcome to ${org.name}! - body:

Hello, ${user.profile.firstName}. Click here to activate your account. - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z + permissions: + - label: okta.users.create + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create + - label: okta.users.read + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read + - label: okta.groups.read + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read + - label: okta.users.userprofile.manage + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage + PreviewEmailCustomizationResponse: + value: + subject: Welcome to Okta! + body:

Hello, John. Click here to activate your account. _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview hints: allow: - GET - - PUT - - DELETE template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET - preview: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview - hints: - allow: - - GET test: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test hints: allow: - POST - EmailSettingsResponse: - value: - recipients: ALL_USERS - _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings - hints: - allow: - - GET - - PUT - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation - hints: - allow: - - GET - EmailTemplateDefaultContentResponse: + PreviewEmailTemplateDefaultContentResponse: value: - subject: Welcome to ${org.name}! - body:

Hello, ${user.profile.firstName}. Click here to activate your account. + subject: Welcome to Okta! + body:

Hello, John. Click here to activate your account. _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview hints: allow: - GET 
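Review bot: The added `OrgCAPTCHASettingsDisable` example sets `captchaId: 'null'` and `enabledPages: 'null'` as quoted scalars, and `OrgCAPTCHASettingsDisabled` sets `enabledPages: '[]'`, so all three are YAML strings rather than a null and an empty list. `OrgCAPTCHASettingsEmpty`, added in the same hunk, writes the same fields unquoted (`captchaId: null`, `enabledPages: []`), so the quoting looks unintended. A client or generated test that copies the request example would send the literal string "null" as the CAPTCHA id; whether the API reads that as "disable" or rejects it is not visible here, which matters for a setting that turns a bot-protection control off. I would write `captchaId: null` and `enabledPages: null` in the request example, and `captchaId: null` with `enabledPages: []` in the response example. If this spec is synced from an upstream source, the fix belongs there so the next sync does not bring the quoted values back.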
@@ -17523,898 +23901,1339 @@ components: hints: allow: - GET - preview: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + defaultContent: + href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content hints: allow: - - GET - ErrorAccessDenied: - value: - errorCode: E0000006 - errorSummary: You do not have permission to perform the requested action - errorLink: E0000006 - errorId: sampleNUSD_8fdkFd8fs8SDBK - errorCauses: [] - ErrorApiValidationFailed: - value: - errorCode: E0000001 - errorSummary: 'Api validation failed: {0}' - errorLink: E0000001 - errorId: sampleiCF-8D5rLW6myqiPItW - errorCauses: [] - ErrorCAPTCHALimitOfOne: - value: - errorCode: E0000165 - errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org. - errorLink: E0000165 - errorId: oaejrB1fWL1S7mc-2KcG-SOtw - errorCauses: [] - ErrorCAPTCHAOrgWideSetting: - value: - errorCode: E0000149 - errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed. - errorLink: E0000149 - errorId: samplezsusshPdiTWiITwqBt8 - errorCauses: [] - ErrorCreateUserWithExpiredPasswordWithNullPassword: - value: - errorCode: E0000124 - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified - errorLink: E0000124 - errorId: oaeXxuZgXBySvqi1FvtkwoYCA - errorCauses: - - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified - ErrorCreateUserWithExpiredPasswordWithoutActivation: - value: - errorCode: E0000125 - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true - errorLink: E0000125 - errorId: oaeDd77L9R-TJaD7j_rXsQ31w - errorCauses: - - errorSummary: Could not create user. 
To create a user and expire their password immediately, "activate" must be true - ErrorCreateUserWithTooManyManyGroupsResponse: - value: - errorCode: E0000093 - errorSummary: Target count limit exceeded - errorLink: E0000093 - errorId: oaePVSLIYnIQsC0B-ptBIllVA - errorCauses: - - errorSummary: The number of group targets is too large. - ErrorDeleteBrandAssociatedWithDomain: - value: - errorCode: E0000201 - errorSummary: A brand associated with a domain cannot be deleted - errorLink: E0000201 - errorId: oaeAdRqprFuTyKokyYPbURJkA - errorCauses: [] - ErrorDeleteDefaultBrand: - value: - errorCode: E0000200 - errorSummary: A default brand cannot be deleted - errorLink: E0000200 - errorId: oaeAdRqprFuTyKokyYPbURJkA - errorCauses: [] - ErrorDeviceAssuranceInUse: - value: - errorSummary: Device assurance is in use and cannot be deleted. - errorId: oaenwA1ra80S9W-pvbh4m6haA - errorCauses: [] - ErrorEmailCustomizationCannotClearDefault: - value: - errorCode: E0000185 - errorSummary: The isDefault parameter of the default email template customization can't be set to false. - errorLink: E0000185 - errorId: oaejrB1fWL1S7mc-2KcG-SOtw - errorCauses: [] - ErrorEmailCustomizationCannotDeleteDefault: - value: - errorCode: E0000184 - errorSummary: A default email template customization can't be deleted. - errorLink: E0000184 - errorId: oaeAdRqprFuTyKokyYPbURJkA - errorCauses: [] - ErrorEmailCustomizationDefaultAlreadyExists: - value: - errorCode: E0000182 - errorSummary: A default email template customization already exists. - errorLink: E0000182 - errorId: oaeXYwTiMvASsC3O4HCzjFaCA - errorCauses: [] - ErrorEmailCustomizationLanguageAlreadyExists: - value: - errorCode: E0000183 - errorSummary: An email template customization for that language already exists. - errorLink: E0000183 - errorId: oaeUcGELffqRay0u1OPdnPypw - errorCauses: [] - ErrorInvalidEmailTemplateRecipients: - value: - errorCode: E0000189 - errorSummary: This template does not support the recipients value. 
- errorLink: E0000189 - errorId: oae8L1-UkcNTeGi5xVQ28_lww - errorCauses: [] - ErrorLinkDefaultBrand: + - POST + PrincipalRateLimitEntityRequestEmptyPercentages: value: - errorCode: E0000203 - errorSummary: Failed to associate this domain with the given brandId - errorLink: E0000203 - errorId: oaeAdRqprFuTyKokyYPbURJkA - errorCauses: - - errorSummary: The default brand cannot be mapped to a domain - ErrorPushProviderUsedByCustomAppAuthenticator: + principalId: token1234 + principalType: SSWS_TOKEN + PrincipalRateLimitEntityRequestSSWSToken: value: - errorCode: E0000187 - errorSummary: Cannot delete push provider because it is being used by a custom app authenticator. - errorLink: E0000187 - errorId: oaenwA1ra80S9W-pvbh4m6haA - errorCauses: [] - ErrorResourceNotFound: + principalId: token1234 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + PrincipalRateLimitEntityResponseSSWSToken: value: - errorCode: E0000007 - errorSummary: 'Not found: {0}' - errorLink: E0000007 - errorId: sampleMlLvGUj_YD5v16vkYWY - errorCauses: [] - ErrorTooManyRequests: + id: abcd1234 + orgId: org1234 + principalId: token1234 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + createdDate: '2022-05-19T20:05:32.720Z' + createdBy: user1234 + lastUpdate: '2022-05-20T21:13:07.410Z' + lastUpdatedBy: user4321 + ProvisioningConnectionOauthRequestEx: + summary: Provisioning Connection with OAuth 2.0 value: - errorCode: E0000047 - errorSummary: You exceeded the maximum number of requests. Try again in a while. 
- errorLink: E0000047 - errorId: sampleQPivGUj_ND5v78vbYWW - errorCauses: [] - GetBrandResponse: + profile: + authScheme: OAUTH2 + clientId: 0oa2h6su6bVFyJzIf1d7 + ProvisioningConnectionOauthResponseEx: + summary: Provisioning Connection with OAuth 2.0 value: - id: bnd114iNkrcN6aR680g4 - removePoweredByOkta: false - customPrivacyPolicyUrl: null - name: Okta Default - isDefault: true + authScheme: OAUTH2 + status: ENABLED _links: self: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default hints: allow: - GET - - PUT - - DELETE - themes: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate hints: allow: - - GET - GetEmailTemplateResponse: + - POST + ProvisioningConnectionTokenRequestEx: + summary: Provisioning Connection with token value: - name: UserActivation + profile: + authScheme: TOKEN + token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x + ProvisioningConnectionTokenResponseEx: + summary: Provisioning Connection with token + value: + authScheme: TOKEN + status: ENABLED _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default hints: allow: - GET - settings: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + PushProviderAPNsRequest: + value: + name: APNs Example + providerType: APNS + configuration: + keyId: KEY_ID + teamId: TEAM_ID + tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' + fileName: fileName.p8 + PushProviderAPNsResponse: + value: + id: ppctekcmngGaqeiBxB0g4 + name: APNs Example + 
providerType: APNS + lastUpdatedDate: '2022-01-01T00:00:00.000Z' + configuration: + keyId: KEY_ID + teamId: TEAM_ID + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 hints: allow: + - DELETE - GET - PUT - defaultContent: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + PushProviderFCMRequest: + value: + name: FCM Example + providerType: FCM + configuration: + serviceAccountJson: + type: service_account + project_id: PROJECT_ID + private_key_id: KEY_ID + private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' + client_email: SERVICE_ACCOUNT_EMAIL + client_id: CLIENT_ID + auth_uri: https://accounts.google.com/o/oauth2/auth + token_uri: https://accounts.google.com/o/oauth2/token + auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs + client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL + fileName: fileName.json + PushProviderFCMResponse: + value: + id: ppctekcmngGaqeiBxB0g4 + name: FCM Example + providerType: FCM + lastUpdatedDate: '2022-01-01T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.p8 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 hints: allow: + - DELETE - GET - customizations: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + - PUT + RateLimitAdminNotificationsDisabled: + value: + notificationsEnabled: false + RateLimitAdminNotificationsEnabled: + value: + notificationsEnabled: true + RateLimitWarningThresholdValidExample: + value: + warningThreshold: 66 + RealmResponse: + value: + id: guox9jQ16k9V8IFEL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + profile: + name: Car Co + _links: + self: + rel: self + href: 
http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 + method: GET + RefreshCurrentSessionResponse: + summary: Refresh current session + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: hints: allow: - GET - - POST - DELETE - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + href: https://{yourOktaDomain}/api/v1/sessions/me + refresh: hints: allow: - POST - GroupSchemaAddRequest: - value: - definitions: - custom: - id: '#custom' - type: object - properties: - groupContact: - title: Group administrative contact - description: Group administrative contact - type: string - required: false - minLength: 1 - maxLength: 20 - permissions: - - principal: SELF - action: READ_WRITE - required: [] - GroupSchemaResponse: + href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh + user: + hints: + allow: + - GET + href: https://{yourOktaDomain}/api/v1/users/me + name: User Name + RefreshSessionResponse: + summary: Refresh an existing Session using the session ID value: - $schema: http://json-schema.org/draft-04/schema# + amr: + - pwd + createdAt: '2019-08-25T14:17:22Z' + expiresAt: '2019-08-25T14:17:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP _links: self: - href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default - method: GET - rel: self - created: '2021-01-30T00:18:24.000Z' - definitions: - base: - id: '#base' - properties: {} - required: - - name - type: 
object - custom: - id: '#custom' - properties: - groupContact: - description: Group administrative contact - master: - type: PROFILE_MASTER - mutability: READ_WRITE - permissions: - - action: READ_WRITE - principal: SELF - scope: NONE - title: Group administrative contact - type: string - required: [] - type: object - description: Okta group profile template - id: https://{yourOktaDomain}/meta/schemas/group/default - lastUpdated: '2021-02-25T23:05:31.000Z' - name: group + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + RemoveMappingBody: + summary: Update an existing profile mapping by removing one or more properties + value: properties: - profile: - allOf: - - $ref: '#/definitions/custom' - - $ref: '#/definitions/base' - title: Okta group - type: object - LinkBrandDomain: + nickName: + expression: null + pushStatus: null + RemoveMappingResponse: + summary: Update an existing profile mapping by removing one or more properties value: - domainId: OcD11vyscTlIkpC7i0g4 + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH _links: self: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/domains/OcD11vyscTlIkpC7i0g4 + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + ReplaceAnEventHookWithFilter: + summary: Replace an event hook + value: + name: Event Hook with Filter + description: An event hook using an Okta Expression Language 
filter + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + ReplaceAuthServerBody: + summary: Replace a custom authorization server + value: + name: New Authorization Server + description: Authorization Server description + audiences: + - api://default + credentials: + signing: + rotationMode: AUTO + use: sig + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + ReplaceAuthServerResponse: + summary: Replace a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - - PUT - - DELETE - brand: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + - GET + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET - - PUT - - DELETE - domain: - href: https://{yourOktaDomain}/api/v1/domains/OcD11vyscTlIkpC7i0g4 + policies: + href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - - PUT - DELETE - ListBrandsResponse: - value: - - id: bnd114iNkrcN6aR680g4 - name: Okta Default - isDefault: true - removePoweredByOkta: false - customPrivacyPolicyUrl: null - _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + - PUT + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server hints: allow: - GET - - PUT - - DELETE - themes: - href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration hints: allow: - GET - ListEmailCustomizationResponse: + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ReplaceCustomTokenClaimBody: + summary: Replace a custom token Claim value: - - language: en - isDefault: true - subject: Welcome to ${org.name}! - body:

Hello, ${user.profile.firstName}. Click here to activate your account. - id: oel11u6DqUiMbQkpl0g4 - created: 2021-11-09T20:38:10.000Z - lastUpdated: 2021-11-11T20:38:10.000Z - _links: - self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 - hints: - allow: - - GET - - PUT - - DELETE - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation - hints: - allow: - - GET - preview: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview - hints: - allow: - - GET - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - ListEmailTemplateResponse: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Knowledge_Base + status: ACTIVE + system: false + value: Knowledge Base + valueType: GROUPS + ReplaceCustomTokenClaimResponse: + summary: Replace a custom token Claim response value: - - name: UserActivation + - id: '{claimId}' + name: Knowledge_Base + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Knowledge Base + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation - hints: - allow: - - GET - settings: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} hints: allow: - GET - PUT - defaultContent: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content - hints: - allow: - - GET - customizations: - href: 
https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations - hints: - allow: - - GET - - POST - DELETE - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test - hints: - allow: - - POST - ListSessionsResponse: + ReplaceKeyResponse: + summary: Replace a key response example value: - - id: uij4ri8ZLk0ywyqxB0g4 - identitySourceId: 0oa3l6l6WK6h0R0QW0g4 - status: CREATED - importType: INCREMENTAL - ListUserBlocksAnyDevicesResponse: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My updated new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:16:59.000Z' + isUsed: 'false' + ReplaceNetworkZone: + summary: Replace a Network Zone value: - - type: DEVICE_BASED - appliesTo: ANY_DEVICES - ListUserBlocksUnknownDevicesResponse: + type: IP + id: nzovw2rFz2YoqmvwZ0g9 + name: UpdatedNetZone + status: ACTIVE + usage: POLICY + gateways: + - type: CIDR + value: 10.2.3.4/24 + - type: CIDR + value: 12.2.3.4/24 + - type: RANGE + value: 13.4.5.6-13.4.5.8 + - type: CIDR + value: 14.2.3.4/24 + proxies: + - type: CIDR + value: 12.2.3.4/24 + - type: CIDR + value: 13.3.4.5/24 + - type: RANGE + value: 14.4.5.6-14.4.5.8 + - type: RANGE + value: 15.5.6.7/24-15.5.6.9 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate + hints: + allow: + - POST + ReplaceNetworkZoneResponse: + summary: Replace Network Zone response value: - - type: DEVICE_BASED - appliesTo: UNKNOWN_DEVICES - ListUsersResponse: + type: IP + id: nzovw2rFz2YoqmvwZ0g3 + name: UpdatedNetZone + status: ACTIVE + usage: POLICY + created: '2019-01-24T19:53:28.000Z' + lastUpdated: '2019-02-24T19:53:28.000Z' + system: false + gateways: + - type: CIDR + value: 10.2.3.4/24 + - type: CIDR + value: 12.2.3.4/24 + - type: RANGE + value: 
13.4.5.6-13.4.5.8 + - type: CIDR + value: 14.2.3.4/24 + proxies: + - type: CIDR + value: 12.2.3.4/24 + - type: CIDR + value: 13.3.4.5/24 + - type: RANGE + value: 14.4.5.6-14.4.5.8 + - type: RANGE + value: 15.5.6.7/24-15.5.6.9 + ReplaceUserTypePutRequest: + summary: Replace user type request value: - - id: 00u118oQYT4TBGuay0g4 - status: ACTIVE - created: 2022-04-04T15:56:05.000Z - activated: null - statusChanged: null - lastLogin: 2022-05-04T19:50:52.000Z - lastUpdated: 2022-05-05T18:15:44.000Z - passwordChanged: 2022-04-04T16:00:22.000Z - type: - id: oty1162QAr8hJjTaq0g4 - profile: - firstName: Alice - lastName: Smith - mobilePhone: null - secondEmail: null - login: alice.smith@example.com - email: alice.smith@example.com - credentials: - password: {} - provider: - type: OKTA - name: OKTA - _links: - self: - href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 - LogStreamRequest: + displayName: Replacement Display Name + description: Replacement description + name: newUserType + ReplaceUserTypePutResponse: + summary: Replace user type response value: - type: aws_eventbridge - name: Example AWS EventBridge - settings: - eventSourceName: your-event-source-name - accountId: '123456789012' - region: us-east-2 - LogStreamResponse: + id: otyfnly5cQjJT9PnR0g4 + displayName: Replacement Display Name + name: newUserType + description: Replacement description + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ResourceSelectorCreateRequestExample: value: - id: 0oa1orqUGCIoCGNxf0g4 - type: aws_eventbridge - name: Example AWS EventBridge - lastUpdated: '2021-10-21T16:55:30.000Z' - created: '2021-10-21T16:55:29.000Z' - status: ACTIVE - settings: - accountId: 
'123456789012' - eventSourceName: your-event-source-name - region: us-east-2 + name: All applications except Workday applications + description: All applications except Workday applications + schema: /api/v1/apps + filter: name ne "workday" + ResourceSelectorCreateResponseExample: + value: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except Workday applications + description: All applications except Workday applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + self: + href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "workday"" + ResourceSelectorPatchRequestExample: + value: + name: All applications except Facebook applications + description: All applications except Facebook applications + filter: name ne "facebook" + ResourceSelectorPatchResponseExample: + value: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except Facebook applications + description: All applications except Facebook applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps _links: self: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 - method: GET - deactivate: - href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate - method: POST - LogStreamSchemaAws: - value: &ref_18 - $schema: https://json-schema.org/draft/2020-12/schema - $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge - title: AWS EventBridge - type: object - properties: - settings: - description: Configuration properties specific to AWS EventBridge - type: object - properties: - accountId: - title: AWS Account ID - description: Your Amazon AWS Account ID. 
- type: string - writeOnce: true - pattern: ^\d{12}$ - eventSourceName: - title: AWS Event Source Name - description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. - type: string - writeOnce: true - pattern: ^[\.\-_A-Za-z0-9]{1,75}$ - region: - title: AWS Region - description: The destination AWS region for your system log events. - type: string - writeOnce: true - oneOf: - - title: US East (Ohio) - const: us-east-2 - - title: US East (N. Virginia) - const: us-east-1 - - title: US West (N. California) - const: us-west-1 - - title: US West (Oregon) - const: us-west-2 - - title: Canada (Central) - const: ca-central-1 - - title: Europe (Frankfurt) - const: eu-central-1 - - title: Europe (Ireland) - const: eu-west-1 - - title: Europe (London) - const: eu-west-2 - - title: Europe (Paris) - const: eu-west-3 - - title: Europe (Milan) - const: eu-south-1 - - title: Europe (Stockholm) - const: eu-north-1 - required: - - eventSourceName - - accountId - - region - errorMessage: - properties: - accountId: Account number must be 12 digits. - eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. - name: - title: Name - description: A name for this log stream in Okta - type: string - writeOnce: false - pattern: ^.{1,100}$ - required: - - name - - settings - errorMessage: - properties: - name: Name can't exceed 100 characters. 
- LogStreamSchemaList: + href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "facebook"" + ResourceSelectorResponseExample: value: - - *ref_18 - - &ref_19 - $schema: https://json-schema.org/draft/2020-12/schema - $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming - title: Splunk Cloud - type: object - properties: - settings: - description: Configuration properties specific to Splunk Cloud - type: object - properties: - host: - title: Host - description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com' - type: string - writeOnce: false - pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ - token: - title: HEC Token - description: The token from your Splunk Cloud HTTP Event Collector (HEC). - type: string - writeOnce: false - pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' - required: - - host - - token - errorMessage: - properties: - host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' - name: - title: Name - description: A name for this log stream in Okta - type: string - writeOnce: false - pattern: ^.{1,100}$ - required: - - name - - settings - errorMessage: - properties: - name: Name can't exceed 100 characters. 
- LogStreamSchemaSplunk: - value: *ref_19 - PerClientRateLimitSettingsEnforceDefault: + id: rsl1hx31gVEa6x10v0g5 + name: All applications except a specific application + description: All applications except a specific application + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + self: + href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5 + resources: + href: https://{yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH" + ResourceSelectorsResponseExample: value: - defaultMode: ENFORCE - PerClientRateLimitSettingsEnforceDefaultWithOverrides: + resourceSelectors: + - id: rsl1hx31gVEa6x10v0g5 + name: All applications except Workday applications + description: All applications except Workday applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps + _links: + resources: + href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqCAJWWGELFTYASJ" + - id: rsl1hx31gVEa6x10v0g6 + name: All applications except Facebook applications + description: All applications except Facebook applications + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g6:apps + _links: + resources: + href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH + _links: + next: + href: https://{yourOktaDomain}/api/v1/resource-selectors?after=rsl1hx31gVEa6x10v0g6 + ResourceSetBindingAddMembersRequestExample: value: - defaultMode: ENFORCE - useCaseModeOverrides: - OAUTH2_AUTHORIZE: PREVIEW - OIE_APP_INTENT: DISABLE - PerClientRateLimitSettingsPreviewDefaultWithOverrides: + additions: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3 + ResourceSetBindingCreateRequestExample: value: - defaultMode: PREVIEW - useCaseModeOverrides: - LOGIN_PAGE: ENFORCE - PermissionResponse: + role: cr0Yq6IJxGIr0ouum0g3 + members: + - 
https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + ResourceSetBindingMemberResponse: value: - label: okta.users.manage + id: irb1qe6PGuMc7Oh8N0g4 created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage - PermissionsResponse: + href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 + ResourceSetBindingMembersResponse: value: - permissions: - - label: okta.users.create + members: + - id: irb1qe6PGuMc7Oh8N0g4 created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create - - label: okta.users.read + href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 + - id: irb1q92TFAHzySt3x0g4 created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read - - label: okta.groups.read + href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + _links: + binding: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members?after=0ouRq6IJmGIr3ouum0g3 + ResourceSetBindingResponseExample: + value: + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetBindingResponseWithIdExample: + value: + id: cr0Yq6IJxGIr0ouum0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetBindingsResponse: + value: + roles: + - id: cr0WxyzJxGIr0ouum0g4 + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4 + members: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4 + ResourceSetRequest: + value: + label: SF-IT-People + description: People in the IT department of San Francisco + resources: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + - https://{yourOktaDomain}/api/v1/users + ResourceSetResourcePatchRequestExample: + value: + additions: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + ResourceSetResourcesResponse: + value: + resources: + - id: ire106sQKoHoXXsAe0g4 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - id: ire106riDrTYl4qA70g4 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + - id: irezvo4AwE2ngpMw40g3 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + users: + href: https://{yourOktaDomain}/api/v1/users + groups: + href: https://{yourOktaDomain}/api/v1/groups + _links: + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3 + resource-set: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetResponse: + value: + id: iamoJDFKaJxGIr0oamd9g + label: SF-IT-People + description: People in the IT department of San Francisco + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + ResourceSetsResponse: + value: + resource-sets: + - id: iamoJDFKaJxGIr0oamd9g + label: SF-IT-1 + description: First San Francisco IT Resource Set created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: - role: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read - - label: okta.users.userprofile.manage + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + - id: iamoJDFKaJxGIr0oamd0q + label: SF-IT-2 + description: Second San Francisco IT Resource Set created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: - role: - href: 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage - PreviewEmailCustomizationResponse: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q + resources: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources + bindings: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings + _links: + next: + href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q + RetrieveADeactivatedEventHook: + summary: Deactivated event hook value: - subject: Welcome to Okta! - body:

Hello, John. Click here to activate your account. + id: who8vt36qfNpCGz9H1e6 + status: INACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + method: POST + authScheme: + type: HEADER + key: authorization _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify hints: allow: - - GET - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate hints: allow: - - GET - test: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + - POST + RetrieveAllEventHooks: + summary: Retrieves all event hooks + value: + - id: who8tsqyrhCdmetzx135 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T17:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T17:43:03.000Z' + events: + type: EVENT_TYPE + items: + - user.lifecycle.deactivate + - user.lifecycle.activate + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userDeactivate + headers: [] + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135 + verify: + href: 
https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/deactivate + hints: + allow: + - POST + - id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + version: null + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: [] + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAllZones: + summary: Retrieves all Network Zones + value: + - type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: LegacyIpZone + status: ACTIVE + usage: POLICY + created: '2019-05-17T18:44:31.000Z' + lastUpdated: '2019-05-21T13:50:49.000Z' + system: true + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + - type: DYNAMIC + id: nzowc1U5Jh5xuAK0o0g3 
+ name: test + status: ACTIVE + usage: POLICY + created: '2019-05-17T18:44:31.000Z' + lastUpdated: '2019-05-21T13:50:49.000Z' + system: false + locations: + - country: AF + region: AF-BGL + proxyType: ANY + asns: + - '23457' + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAllZonesWithFilter: + summary: Retrieves Network Zones with filter + value: + - type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: LegacyIpZone + status: ACTIVE + usage: POLICY + created: '2019-05-17T18:44:31.000Z' + lastUpdated: '2019-05-21T13:50:49.000Z' + system: true + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAnEventHook: + summary: Retrieve an event hook + value: + id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify hints: allow: - POST - PreviewEmailTemplateDefaultContentResponse: + deactivate: + href: 
https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAnEventHookWithFilter: + summary: Retrieve an event hook value: - subject: Welcome to Okta! - body:

Hello, John. Click here to activate your account. + id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + version: null + expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + method: POST + authScheme: + type: HEADER + key: authorization _links: self: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAuthServerResponse: + summary: Retrieve a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - 
GET - template: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + claims: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET - defaultContent: - href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content + policies: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies hints: allow: - - POST - PrincipalRateLimitEntityRequestEmptyPercentages: - value: - principalId: token1234 - principalType: SSWS_TOKEN - PrincipalRateLimitEntityRequestSSWSToken: - value: - principalId: token1234 - principalType: SSWS_TOKEN - defaultPercentage: 50 - defaultConcurrencyPercentage: 75 - PrincipalRateLimitEntityResponseSSWSToken: - value: - id: abcd1234 - orgId: org1234 - principalId: token1234 - principalType: SSWS_TOKEN - defaultPercentage: 50 - defaultConcurrencyPercentage: 75 - createdDate: '2022-05-19T20:05:32.720Z' - createdBy: user1234 - lastUpdate: '2022-05-20T21:13:07.410Z' - lastUpdatedBy: user4321 - PushProviderAPNsRequest: - value: - name: APNs Example - providerType: APNS - configuration: - keyId: KEY_ID - teamId: TEAM_ID - tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' - fileName: fileName.p8 - PushProviderAPNsResponse: - value: - id: ppctekcmngGaqeiBxB0g4 - name: APNs Example - providerType: APNS - lastUpdatedDate: 2022-01-01T00:00:00.000Z - configuration: - keyId: KEY_ID - teamId: TEAM_ID - fileName: fileName.p8 - _links: + - GET self: - href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - - DELETE - GET + - DELETE - PUT - PushProviderFCMRequest: - value: - name: FCM Example - providerType: FCM - configuration: - serviceAccountJson: - type: service_account - project_id: PROJECT_ID - private_key_id: KEY_ID - 
private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' - client_email: SERVICE_ACCOUNT_EMAIL - client_id: CLIENT_ID - auth_uri: https://accounts.google.com/o/oauth2/auth - token_uri: https://accounts.google.com/o/oauth2/token - auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs - client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL - fileName: fileName.json - PushProviderFCMResponse: + metadata: + - name: oauth-authorization-server + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + RetrieveCurrentSessionResponse: + summary: Retrieve current session value: - id: ppctekcmngGaqeiBxB0g4 - name: FCM Example - providerType: FCM - lastUpdatedDate: 2022-01-01T00:00:00.000Z - configuration: - projectId: PROJECT_ID - fileName: fileName.p8 + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP _links: self: - href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 hints: allow: - - DELETE - GET - - PUT - RateLimitAdminNotificationsDisabled: - value: - notificationsEnabled: false - RateLimitAdminNotificationsEnabled: - value: - 
notificationsEnabled: true - ResourceSetBindingAddMembersRequestExample: - value: - additions: - - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3 - ResourceSetBindingCreateRequestExample: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/me + refresh: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh + user: + hints: + allow: + - GET + href: https://{yourOktaDomain}/api/v1/users/me + name: User Name + RetrieveCustomTokenClaimResponse: + summary: Retrieve a custom token Claim response value: - role: cr0Yq6IJxGIr0ouum0g3 - members: - - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - ResourceSetBindingMemberResponse: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + RetrieveFeaturesResponse: + summary: Retrieve a feature by ID value: - id: irb1qe6PGuMc7Oh8N0g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' + id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: CLOSED + value: BETA + status: DISABLED + type: self-service _links: self: - href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 - ResourceSetBindingMembersResponse: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + RetrieveKeyResponse: + summary: Retrieve a key by 
hookKeyId response example value: - members: - - id: irb1qe6PGuMc7Oh8N0g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 - - id: irb1q92TFAHzySt3x0g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - _links: - binding: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 - next: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members?after=0ouRq6IJmGIr3ouum0g3 - ResourceSetBindingResponseExample: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + RetrieveMappingsResponse: + summary: Retrieve a single Profile Mapping value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + firstName: + expression: user.firstName + pushStatus: PUSH + lastName: + expression: user.lastName + pushStatus: PUSH _links: self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - resource-set: - href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - ResourceSetBindingResponseWithIdExample: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + RetrieveNetworkZoneDynamic: + summary: Dynamic Network Zone response value: - id: cr0Yq6IJxGIr0ouum0g3 + type: DYNAMIC + id: nzowc1U5Jh5xuAK0o0g3 + name: test + status: ACTIVE + usage: POLICY + created: '2019-05-17T18:44:31.000Z' + lastUpdated: '2019-05-21T13:50:49.000Z' + system: false + locations: + - country: AF + region: AF-BGL + proxyType: ANY + asns: + - '23457' _links: self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - resource-set: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - ResourceSetBindingsResponse: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrieveNetworkZoneIP: + summary: IP Network Zone response value: - roles: - - id: cr0WxyzJxGIr0ouum0g4 - _links: - self: - href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4 - members: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: LegacyIpZone + status: ACTIVE + usage: POLICY + created: '2019-05-17T18:44:31.000Z' + lastUpdated: '2019-05-21T13:50:49.000Z' + system: true + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 _links: self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - resource-set: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - next: - href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4 - ResourceSetRequest: - value: - label: SF-IT-People - description: People in the IT department of San Francisco - resources: - - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users - - https://{yourOktaDomain}/api/v1/users - ResourceSetResourcePatchRequestExample: - value: - additions: - - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users - ResourceSetResourcesResponse: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrievePublicKeyResponse: + summary: Retrieve Public Key response example value: - resources: - - id: ire106sQKoHoXXsAe0g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - - id: ire106riDrTYl4qA70g4 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users - - id: irezvo4AwE2ngpMw40g3 - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - users: - href: https://{yourOktaDomain}/api/v1/users - groups: - href: https://{yourOktaDomain}/api/v1/groups - _links: - next: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3 - resource-set: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - ResourceSetResponse: + _embedded: + kty: RSA + alg: RSA + kid: 7fbc27fd-e3df-4522-86bf-1930110256ad + use: null + e: AQAB + 'n': 
2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + RetrieveSessionResponse: + summary: Retrieve Session information for a single session ID value: - id: iamoJDFKaJxGIr0oamd9g - label: SF-IT-People - description: People in the IT department of San Francisco - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP _links: self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - resources: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - ResourceSetsResponse: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + RetrieveUISchemaResponse: + summary: Retrieves a UI Schema response value: - resource-sets: - - id: iamoJDFKaJxGIr0oamd9g - label: SF-IT-1 - description: First San Francisco IT Resource Set - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g - resources: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - - id: 
iamoJDFKaJxGIr0oamd0q - label: SF-IT-2 - description: Second San Francisco IT Resource Set - created: '2021-02-06T16:20:57.000Z' - lastUpdated: '2021-02-06T16:20:57.000Z' - _links: - self: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q - resources: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources - bindings: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings + id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' _links: - next: - href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q - RiskEventsRequest: + self: + href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + RiskEventsRequestExample: + summary: Risk Events payload example value: - timestamp: '2021-01-20T00:00:00.001Z' subjects: 
@@ -18429,19 +25248,43 @@ components: riskLevel: LOW - ip: 2.2.2.2 riskLevel: HIGH + RiskProviderPutRequest: + summary: Replace Risk Provider request example + value: + name: Risk-Partner-Y + action: enforce_and_log + clientId: 00ckjsfgjkdkjdkkljjsd + RiskProviderPutResponse: + summary: Replace Risk Provider response example + value: + id: 00rp12r4skkjkjgsn + action: enforce_and_log + name: Risk-Partner-Y + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 23:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT RiskProviderRequest: + summary: Risk Provider payload example value: name: Risk-Partner-X action: log_only clientId: 00ckjsfgjkdkjdkkljjsd RiskProviderResponse: + summary: Risk Provider response example value: id: 00rp12r4skkjkjgsn action: log_only name: Risk-Partner-X clientId: 00ckjsfgjkdkjdkkljjsd created: '2021-01-05 22:18:30' - lastUpdated: '2021-01-05 21:23:10' + lastUpdated: '2021-01-05 22:18:30' _links: self: href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn @@ -18449,6 +25292,19 @@ components: allow: - GET - PUT + RoleAssignedUsersResponseExample: + value: + value: + - id: 00u118oQYT4TBGuay0g4 + orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4 + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + roles: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles + _links: + next: + href: http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1 RoleRequest: value: label: UserCreator 
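Review bot: The hrefs added in RoleAssignedUsersResponseExample use the plain-http form `http://your-subdomain.okta.com/...`, while the neighbouring examples in this file use `https://{yourOktaDomain}/...`. These links point at management endpoints that are called with an API token, so a reader who copies the scheme from the example would presumably be sending that token to a cleartext URL. I would write them as `href: https://{yourOktaDomain}/api/v1/users/00u118oQYT4TBGuay0g4`, and likewise for the `roles` and `next` links, which also keeps the host placeholder consistent across the spec.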
@@ -18496,18 +25352,334 @@ components: _links: next: href: https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1 + SimulatePolicyBody: + summary: Simulate policy request body + description: Simulate policy request body + value: + policyType: + - OKTA_SIGN_ON + - MFA_ENROLL + appInstance: 0oa4eroj3nYCIJIW70g7 + policyContext: + groups: + ids: + - 00g4eralvekR5RLuS0g7 + - 00g4eralvekR5RLuS0g8 + risk: + level: LOW + zones: + ids: + - nzo4eralxcRnbIHYJ0g7 + device: + platform: IOS + registered: true + managed: true + SimulatePolicyResponse: + summary: Simulate policy response body + description: Simulate policy response body + value: + evaluation: + - status: null + policyType: OkTA_SIGN_ON + result: + policies: + - id: 00p4eromwukk6qUku0g7 + - name: test policy + - status: MATCH + - conditions: [] + - rules: + - id: 0pr4erof85nGcyC7Y0g7 + - name: test rule + - status: MATCH + - conditions: + - type: people.groups.include + - status: MATCH + undefined: + policies: null + evaluated: + policies: null + - status: null + policyType: ACCESS_POLICY + result: + policies: + - id: rst4eram06ZKZewEe0g7 + - name: Any two factors + - status: MATCH + - conditions: [] + - rules: + - id: rul4eram07VsWgybo0g7 + - name: Catch-all rule + - status: MATCH + - conditions: [] + undefined: + policies: null + evaluated: + policies: null + - status: null + policyType: PROFILE_ENROLLMENT + result: + policies: + - id: rst4eram08ZSjPTOl0g7 + - name: Default Policy + - status: MATCH + - conditions: [] + - rules: + - id: rul4eram094PrQ2BX0g7 + - name: Catch-all rule + - status: MATCH + - conditions: [] + undefined: + policies: null + evaluated: + policies: null + SubmissionOidcRequest: + summary: Submission OIDC request example + value: + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + oidc: + redirectUris: + - 
https://${org.subdomain}.example.com/strawberry/oidc/login + initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: + - https://${org.subdomain}.example.com/strawberry/oidc/logged-out + doc: https://example.com/strawberry/help/oidcSetup + config: + - name: subdomain + label: Subdomain + SubmissionOidcResponse: + summary: Submission OIDC response example + value: + id: acme_strawberrycentral_1 + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + oidc: + redirectUris: + - https://${org.subdomain}.example.com/strawberry/oidc/login + initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: + - https://${org.subdomain}.example.com/strawberry/oidc/logged-out + doc: https://example.com/strawberry/help/oidcSetup + config: + - name: subdomain + label: Subdomain + status: New + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: '2023-09-01T13:23:45.000Z' + SubmissionSamlRequest: + summary: Submission SAML request example + value: + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + doc: https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + SubmissionSamlResponse: + summary: Submission SAML response example + value: + id: acme_strawberrycentral_1 + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + doc: 
https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + status: To be reviewed by Okta + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: null + SubmissionsResponse: + summary: Submission list example + value: + - id: acme_strawberrycentral_1 + name: Strawberry Central + description: Your one source for in-season strawberry deals + logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + sso: + saml: + acs: + - url: https://${org.subdomain}.example.com/saml/login + entityId: https://${org.subdomain}.example.com + doc: https://example.com/strawberry/help/samlSetup + config: + - name: subdomain + label: Subdomain + status: Complete + lastUpdated: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR + lastPublished: '2023-09-01T13:23:45.000Z' + TestInfoOidcRequest: + summary: OIDC SSO Submission Testing Information request + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + oidcTestConfiguration: + jit: false + spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + TestInfoOidcResponse: + summary: OIDC SSO Submission Testing Information response + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + oidcTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init + TestInfoSamlRequest: + summary: SAML SSO Submission Testing Information request + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + 
instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + samlTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: Go to the app URL from a browser and enter your username + TestInfoSamlResponse: + summary: SAML SSO Submission Testing Information response + value: + testAccount: + url: https://example.com/strawberry/login + username: test@example.com + password: sUperP@ssw0rd + instructions: Go to your app URL from a browser and enter your credentials + escalationSupportContact: strawberry.support@example.com + samlTestConfiguration: + idp: true + sp: true + jit: false + spInitiateUrl: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: Go to the app URL from a browser and enter your username + ThreatInsightResponseExample: + summary: ThreatInsight response + value: + action: none + excludeZones: [] + created: '2020-08-05T22:18:30.629Z' + lastUpdated: '2020-08-05T22:18:30.629Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/threats/configuration + hints: + allow: + - GET + - POST + ThreatInsightUpdateRequestExample: + summary: ThreatInsight update request + value: + action: audit + excludeZones: + - nzo1q7jEOsoCnoKcj0g4 + - nzouagptWUz5DlLfM0g3 + ThreatInsightUpdateResponseExample: + summary: ThreatInsight update response + value: + action: audit + excludeZones: + - nzo1q7jEOsoCnoKcj0g4 + - nzouagptWUz5DlLfM0g3 + created: '2020-08-05T22:18:30.629Z' + lastUpdated: '2020-10-13T21:23:10.178Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/threats/configuration + hints: + allow: + - GET + - POST TriggerSessionResponse: value: - id: uij4ri8ZLk0ywyqxB0g4 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: TRIGGERED importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + UpdateAppFeatureRequestEx: + summary: Update 
USER_PROVISIONING request + value: + create: + lifecycleCreate: + status: ENABLED + update: + lifecycleDeactivate: + status: ENABLED + profile: + status: ENABLED + password: + status: ENABLED + seed: RANDOM + change: CHANGE + UpdateAppFeatureResponseEx: + summary: Update USER_PROVISIONING response + value: + name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: ENABLED + update: + lifecycleDeactivate: + status: ENABLED + profile: + status: ENABLED + password: + status: ENABLED + seed: RANDOM + change: CHANGE + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT UpdateBrandRequest: value: customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy agreeToCustomPrivacyPolicy: true removePoweredByOkta: true name: New Name For Brand + emailDomainId: OeD114iNkrcN6aR680g4 + locale: en + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null UpdateBrandResponse: value: id: bnd114iNkrcN6aR680g4 @@ -18516,6 +25688,12 @@ components: name: New Name For Brand isDefault: true customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + locale: en _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 
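Review bot: The four TestInfo examples added in this hunk (TestInfoOidcRequest, TestInfoOidcResponse, TestInfoSamlRequest, TestInfoSamlResponse) carry a realistic-looking literal, `password: sUperP@ssw0rd`, and the later hunk at -18636 adds full-length `client_secret` / `clientSecret` values in newAPIServiceIntegrationInstanceSecretResponse and postAPIServiceIntegrationResponse. Values shaped like real credentials tend to trip secret scanners and get pasted into fixtures, and if the generator copies spec examples into generated docs they would spread there too. An obviously fake placeholder such as `password: '{testAccountPassword}'` or `client_secret: '{clientSecret}'` documents the field just as well. Separately, `policyType: OkTA_SIGN_ON` in SimulatePolicyResponse does not match the `OKTA_SIGN_ON` used in SimulatePolicyBody and looks like a typo.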
@@ -18529,6 +25707,112 @@ components: hints: allow: - GET + UpdateEmailDomainRequest: + value: + displayName: IT Admin + userName: noreply + UpdateFeatureLifecycleResponse: + summary: Update the feature lifecycle status + value: + description: Example feature description + id: ftrZooGoT8b41iWRiQs7 + name: Example feature name + stage: + state: OPEN + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + UpdateMappingBody: + summary: Update an existing profile mapping by updating one or more properties + value: + properties: + nickName: + expression: user.honorificPrefix + user.displayName + pushStatus: DONT_PUSH + UpdateMappingResponse: + summary: Update an existing profile mapping by updating one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.honorificPrefix + user.displayName + pushStatus: DONT_PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + UpdateUserTypePostRequest: + summary: Update user type request + value: + displayName: Updated Display Name + UpdateUserTypePostResponse: + summary: Update 
user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: Updated Display Name + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + UpdatedEmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: NOT_STARTED + displayName: IT Admin + userName: noreply + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net UserSchemaAddRequest: value: definitions: 
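Review bot: Several examples added in this hunk have `_links` that do not agree with the object's own `id`, which makes them misleading as reference payloads. UpdateMappingResponse has `id: prm1k47ghydIQOTBW0g4` but its self link ends in `/mappings/prm1k48weFSOnEUnw0g4`; it should read `href: https://{yourOktaDomain}/api/v1/mappings/prm1k47ghydIQOTBW0g4`. UpdateUserTypePostResponse gives `self` the same `/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6` URL as `schema`, where the type's own URL, presumably `/api/v1/meta/types/user/otyfnly5cQjJT9PnR0g4`, is expected. UpdateFeatureLifecycleResponse points `dependents` and `dependencies` at `ftrlBDFcGwYP2epXCGYn` rather than the example's `ftrZooGoT8b41iWRiQs7`.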
@@ -18621,6 +25905,27 @@ components: allOf: - $ref: '#/definitions/base' - $ref: '#/definitions/custom' + VerifiedEmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: VERIFIED + displayName: IT Admin + userName: noreply + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net WellKnownOrgMetadataResponseClassic: value: id: 00o5rb5mt2H3d1TJd0h7 
@@ -18636,16 +25941,707 @@ components: value: id: 00o47wwoytgsDqEtz0g7 _links: - organization: - href: https://{{yourSubdomain}}.okta.com - alternate: - href: https://{{yourCustomDomain}} - pipeline: idx - settings: - analyticsCollectionEnabled: false - bugReportingEnabled: true - omEnabled: false + organization: + href: https://{{yourSubdomain}}.okta.com + alternate: + href: https://{{yourCustomDomain}} + pipeline: idx + settings: + analyticsCollectionEnabled: false + bugReportingEnabled: true + omEnabled: false + activeAPIServiceIntegrationInstanceSecretResponse: + summary: Activate Secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: '***MQGQ' + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + idp-discovery-dynamic-routing-rule: + summary: IdP discovery policy - Dynamic routing rule + description: This routing rule uses a dynamic Identity Provider. 
+ value: + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-dynamic-routing-rule-response: + summary: IdP discovery policy - Dynamic routing rule + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + idp-discovery-specific-routing-rule: + summary: IdP discovery policy - Specific routing rule + description: This routing rule uses a specific Identity Provider. 
+ value: + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + idp-discovery-specific-routing-rule-response: + summary: IdP discovery policy - Specific routing rule + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + inactiveAPIServiceIntegrationInstanceSecretResponse: + summary: Deactivate Secret response example + value: + id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + newAPIServiceIntegrationInstanceSecretResponse: + summary: New secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: 
https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + postAPIServiceIntegrationRequest: + value: + type: my_app_cie + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + postAPIServiceIntegrationResponse: + summary: Post response example + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + sspr-enabled-no-step-up: + summary: Password policy - SSPR with no step up + description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required. 
+ value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-no-step-up-response: + summary: Password policy - SSPR with no step up + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-no-step-up-update: + summary: Password policy - SSPR with no step up + description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required. + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sq-step-up: + summary: Password policy - SSPR with security question as step-up auth + description: This password policy permits self-service password change, reset, and unlock. 
Phone SMS and Okta Verify push are the initial authenticators, and the secondary authentication is a security question. + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sq-step-up-response: + summary: Password policy - SSPR with security question as step up + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sq-step-up-update: + summary: Password policy - SSPR with security question as step up + description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question. 
+ value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up: + summary: Password policy - SSPR with any SSO authenticator as step up + description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator. + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-response: + summary: Password policy - SSPR with any SSO authenticator as step up + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-update: + summary: Password policy - SSPR with any SSO authenticator as step up 
+ description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator. + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-with-constraints: + summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint + description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google. 
+ value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-with-constraints-response: + summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint + value: + id: ruleId + _links: + self: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-with-constraints-update: + summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint + description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google. 
+ value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + twofa-enabled-disallow-password-allow-phishing: + summary: Authentication policy - 2FA with granular authentication + description: This two-factor authentication policy uses a rule to disallow passwords and require phishing resistance for possession authenticators for authentication. + value: + name: Passwordless 2FA + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + type: ACCESS_POLICY + twofa-enabled-disallow-password-allow-phishing-response: + summary: Authentication policy - 2FA with granular authentication + description: The rule from a two-factor authentication policy that disallows passwords and requires phishing resistance + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: Passwordless 2FA + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: false + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + required: true + type: ACCESS_POLICY + _links: + self: + href: 
https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT parameters: + UISchemaId: + name: id + description: The unique ID of the UI Schema + in: path + required: true + schema: + type: string + example: uis4a7liocgcRgcxZ0g7 + authenticatorEnrollmentId: + name: authenticatorEnrollmentId + in: path + required: true + description: ID for a WebAuthn Preregistration Factor in Okta + schema: + type: string + pathApiServiceId: + name: apiServiceId + in: path + schema: + type: string + required: true + description: '`id` of the API Service Integration instance' + example: 000lr2rLjZ6NsGn1P0g3 pathApiTokenId: name: apiTokenId in: path @@ -18654,6 +26650,45 @@ components: example: 00Tabcdefg1234567890 required: true description: id of the API Token + pathAppId: + name: appId + description: Application ID + in: path + required: true + schema: + type: string + example: 0oafxqCAJWWGELFTYASJ + pathAppName: + name: appName + in: path + required: true + schema: + type: string + example: oidc_client + pathAssociatedServerId: + name: associatedServerId + description: '`id` of the associated Authorization Server' + in: path + required: true + schema: + type: string + example: aus6xt9jKPmCyn6kg0g4 + pathAuthServerId: + name: authServerId + description: '`id` of the Authorization Server' + in: path + required: true + schema: + type: string + example: GeGRTEr7f3yu2n7grw22 + pathAuthenticatorId: + name: authenticatorId + description: '`id` of the Authenticator' + in: path + required: true + schema: + type: string + example: aut1nd8PQhGcQtSxB0g4 pathBehaviorId: name: behaviorId in: path 
@@ -18668,22 +26703,59 @@ components: required: true schema: type: string - description: The ID of the brand. + description: The ID of the brand pathCaptchaId: name: captchaId in: path schema: type: string - example: abcd1234 required: true - description: id of the CAPTCHA + description: The unique key used to identify your CAPTCHA instance + pathClaimId: + name: claimId + description: '`id` of Claim' + in: path + required: true + schema: + type: string + example: hNJ3Uk76xLagWkGx5W3N + pathClientId: + name: clientId + description: '`client_id` of the app' + in: path + required: true + schema: + type: string + example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD + pathContactType: + name: contactType + in: path + required: true + schema: + type: string + pathCredentialKeyId: + name: keyId + description: '`id` of the certificate key' + in: path + required: true + schema: + type: string + example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk + pathCsrId: + name: csrId + description: '`id` of the CSR' + in: path + required: true + schema: + type: string + example: fd7x1h7uTcZFx22rU1f7 pathCustomizationId: name: customizationId in: path required: true schema: type: string - description: The ID of the email customization. + description: The ID of the email customization pathDeviceAssuranceId: in: path name: deviceAssuranceId @@ -18701,11 +26773,12 @@ components: description: '`id` of the device' pathDomainId: name: domainId + description: '`id` of the Domain' in: path required: true schema: type: string - description: The ID of the domain. + example: OmWNeywfTzElSLOBMZsL pathEmailDomainId: name: emailDomainId in: path 
@@ -18713,20 +26786,172 @@ components: schema: type: string description: The ID of the email domain. + pathEmailServerId: + name: emailServerId + in: path + required: true + schema: + type: string + description: ID of your SMTP Server configuration + pathEventHookId: + name: eventHookId + description: '`id` of the Event Hook' + in: path + required: true + schema: + type: string + example: who8vt36qfNpCGz9H1e6 + pathFactorId: + name: factorId + description: ID of an existing User Factor + in: path + required: true + schema: + type: string + example: zAgrsaBe0wVGRugDYtdv + pathFeatureId: + name: featureId + description: '`id` of the feature' + in: path + required: true + schema: + type: string + example: R5HjqNn1pEqWGy48E9jg + pathFeatureName: + name: featureName + description: Name of the Feature + in: path + required: true + schema: + $ref: '#/components/schemas/ApplicationFeatureType' + example: USER_PROVISIONING + pathFirstPartyAppName: + name: appName + description: '`appName` of the application' + in: path + required: true + schema: + type: string + example: admin-console + pathGrantId: + name: grantId + description: Grant ID + in: path + required: true + schema: + type: string + example: iJoqkwx50mrgX4T9LcaH + pathGroupId: + name: groupId + description: The `id` of the group + in: path + required: true + schema: + type: string + example: 00g1emaKYZTWRYYRRTSK + pathGroupRuleId: + name: groupRuleId + description: The `id` of the group rule + in: path + required: true + schema: + type: string + example: 0pr3f7zMZZHPgUoWO0g4 + pathHookKeyId: + name: hookKeyId + description: '`id` of the Hook Key' + in: path + required: true + schema: + type: string + example: XreKU5laGwBkjOTehusG pathIdentitySourceId: name: identitySourceId in: path required: true schema: type: string + pathIdentitySourceSessionId: + name: sessionId + in: path + required: true + schema: + type: string + pathIdpCsrId: + name: idpCsrId + description: '`id` of the IdP CSR' + in: path + required: true 
+ schema: + type: string + example: 1uEhyE65oV3H6KM9gYcN + pathIdpId: + name: idpId + description: '`id` of IdP' + in: path + required: true + schema: + type: string + example: SVHoAOh0l8cPQkVX1LRl + pathIdpKeyId: + name: idpKeyId + description: '`id` of IdP Key' + in: path + required: true + schema: + type: string + example: KmMo85SSsU7TZzOShcGb + pathInlineHookId: + name: inlineHookId + description: '`id` of the Inline Hook' + in: path + required: true + schema: + type: string + example: Y7Rzrd4g4xj6WdKzrBHH + pathKeyId: + name: keyId + description: ID of the Key Credential for the application + in: path + required: true + schema: + type: string + example: sjP9eiETijYz110VkhHN + pathLifecycle: + name: lifecycle + description: Whether to `ENABLE` or `DISABLE` the feature + in: path + required: true + schema: + $ref: '#/components/schemas/FeatureLifecycle' + pathLinkedObjectName: + name: linkedObjectName + in: path + required: true + schema: + type: string pathLogStreamId: name: logStreamId in: path schema: type: string - example: abcd1234 + example: 0oa1orzg0CHSgPcjZ0g4 + required: true + description: Unique identifier for the Log Stream + pathLogStreamType: + name: logStreamType + in: path + required: true + schema: + $ref: '#/components/schemas/LogStreamType' + pathMappingId: + name: mappingId + description: '`id` of the Mapping' + in: path required: true - description: id of the log stream + schema: + type: string + example: cB6u7X8mptebWkffatKA pathMemberId: name: memberId in: path 
@@ -18735,6 +26960,33 @@ components: example: irb1qe6PGuMc7Oh8N0g4 required: true description: '`id` of a member' + pathMethodType: + name: methodType + description: Type of the authenticator method + in: path + required: true + schema: + $ref: '#/components/schemas/AuthenticatorMethodType' + pathNotificationType: + name: notificationType + in: path + required: true + schema: + $ref: '#/components/schemas/NotificationType' + pathOperation: + name: operation + in: path + required: true + schema: + type: string + pathOwnerId: + description: The `id` of the group owner + name: ownerId + in: path + required: true + schema: + type: string + example: 00u1emaK22TWRYd3TtG pathPermissionType: name: permissionType in: path @@ -18743,6 +26995,22 @@ components: example: okta.users.manage required: true description: An okta permission type + pathPolicyId: + name: policyId + description: '`id` of the Policy' + in: path + required: true + schema: + type: string + example: 00plrilJ7jZ66Gn0X0g3 + pathPolicyMappingId: + name: mappingId + description: '`id` of the policy resource Mapping' + in: path + required: true + schema: + type: string + example: maplr2rLjZ6NsGn1P0g3 pathPoolId: name: poolId in: path @@ -18750,6 +27018,20 @@ components: schema: type: string required: true + pathPrimaryRelationshipName: + name: primaryRelationshipName + in: path + required: true + schema: + type: string + pathPrimaryUserId: + name: primaryUserId + description: '`id` of primary User' + in: path + required: true + schema: + type: string + example: ctxeQ5JnAVdGFBB7Zr7W pathPrincipalRateLimitId: name: principalRateLimitId in: path @@ -18758,6 +27040,14 @@ components: example: abcd1234 required: true description: id of the Principal Rate Limit + pathPublicKeyId: + name: publicKeyId + description: '`id` of the Public Key' + in: path + required: true + schema: + type: string + example: FcH2P9Eg7wr0o8N2FuV0 pathPushProviderId: in: path name: pushProviderId 
@@ -18765,6 +27055,20 @@ components: description: Id of the push provider schema: type: string + pathRealmId: + name: realmId + description: '`id` of the Realm' + in: path + required: true + schema: + type: string + example: vvrcFogtKCrK9aYq3fgV + pathRelationshipName: + name: relationshipName + in: path + required: true + schema: + type: string pathResourceId: name: resourceId in: path @@ -18773,6 +27077,14 @@ components: example: ire106sQKoHoXXsAe0g4 required: true description: '`id` of a resource' + pathResourceSelectorId: + name: resourceSelectorId + in: path + schema: + type: string + example: rsl1hx31gVEa6x10v0g5 + required: true + description: '`id` of a Resource Selector' pathResourceSetId: name: resourceSetId in: path 
@@ -18780,43 +27092,155 @@ components: type: string example: iamoJDFKaJxGIr0oamd9g required: true - description: '`id` of a resource set' + description: '`id` of a Resource Set' pathRiskProviderId: name: riskProviderId in: path schema: type: string - example: 00rp12r4skkjkjgsn - required: true - description: '`id` of the risk provider' - pathRoleIdOrLabel: - name: roleIdOrLabel + example: 00rp12r4skkjkjgsn + required: true + description: '`id` of the Risk Provider object' + pathRoleId: + name: roleId + description: '`id` of the Role' + in: path + required: true + schema: + type: string + example: 3Vg1Pjp3qzw4qcCK5EdO + pathRoleIdOrLabel: + name: roleIdOrLabel + in: path + schema: + type: string + example: cr0Yq6IJxGIr0ouum0g3 + required: true + description: '`id` or `label` of the role' + pathRoleRef: + name: roleRef + in: path + description: A reference to an existing role. Standard roles require a `roleType`, while Custom Roles require a `roleId`. See [Standard Role Types](https://developer.okta.com/docs/concepts/role-assignment/#standard-role-types). 
+ required: true + schema: + oneOf: + - title: roleType + type: string + $ref: '#/components/schemas/RoleType' + - title: roleId + type: string + pathRuleId: + name: ruleId + description: '`id` of the Policy Rule' + in: path + required: true + schema: + type: string + example: ruld3hJ7jZh4fn0st0g3 + pathSchemaId: + name: schemaId + in: path + required: true + schema: + type: string + pathScopeId: + name: scopeId + description: '`id` of Scope' + in: path + required: true + schema: + type: string + example: 0TMRpCWXRKFjP7HiPFNM + pathSecretId: + name: secretId + in: path + schema: + type: string + required: true + description: '`id` of the API Service Integration instance Secret' + example: ocs2f4zrZbs8nUa7p0g4 + pathSection: + name: section + in: path + required: true + schema: + type: string + pathSessionId: + name: sessionId + description: '`id` of the Session' + in: path + required: true + schema: + type: string + example: l7FbDVqS8zHSy65uJD85 + pathSubmissionId: + name: submissionId + description: OIN Integration ID + in: path + required: true + schema: + type: string + example: acme_submissionapp_1 + pathTargetGroupId: + name: targetGroupId + in: path + required: true + schema: + type: string + example: 00g1e9dfjHeLAsdX983d + pathTemplateId: + name: templateId + description: '`id` of the Template' + in: path + required: true + schema: + type: string + example: 6NQUJ5yR3bpgEiYmq8IC + pathTemplateName: + name: templateName + in: path + required: true + schema: + type: string + description: The name of the email template + pathThemeId: + name: themeId in: path + required: true schema: type: string - example: cr0Yq6IJxGIr0ouum0g3 + description: The ID of the theme + pathTokenId: + name: tokenId + description: '`id` of Token' + in: path required: true - description: '`id` or `label` of the role' - pathSessionId: - name: sessionId + schema: + type: string + example: sHHSth53yJAyNSTQKDJZ + pathTransactionId: + name: transactionId + description: ID of an existing 
Factor verification transaction in: path required: true schema: type: string - pathTemplateName: - name: templateName + example: gPAQcN3NDjSGOCAeG2Jv + pathTrustedOriginId: + name: trustedOriginId + description: '`id` of the Trusted Origin' in: path required: true schema: type: string - description: The name of the email template. - pathThemeId: - name: themeId + example: 7j2PkU1nyNIDe26ZNufR + pathTypeId: + name: typeId in: path required: true schema: type: string - description: The ID of the theme. + description: The unique key for the User Type pathUpdateId: name: updateId in: path 
@@ -18826,16 +27250,81 @@ components: required: true pathUserId: name: userId + description: ID of an existing Okta user in: path required: true schema: type: string + pathZoneId: + name: zoneId + in: path + schema: + type: string + required: true + description: '`id` of the Network Zone' + example: nzowc1U5Jh5xuAK0o0g3 queryAfter: name: after in: query schema: type: string - description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information. + description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination). + queryAppAfter: + name: after + in: query + description: The cursor to use for pagination. It's an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination). + schema: + type: string + example: 16275000448691 + queryAppExpand: + name: expand + in: query + description: 'An optional parameter to include scope details in the `_embedded` attribute. 
Valid value: `scope`' + schema: + type: string + example: scope + queryExpandAuthenticator: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - methods + - authenticationPolicy + description: Specifies additional metadata for the response + queryExpandBrand: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - themes + - domains + - emailDomain + description: Specifies additional metadata to be included in the response + queryExpandEmailDomain: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - brands + description: Specifies additional metadata to be included in the response queryExpandEmailTemplate: name: expand in: query @@ -18849,7 +27338,7 @@ components: enum: - settings - customizationCount - description: Specifies additional metadata to be included in the response. + description: Specifies additional metadata to be included in the response queryExpandPageRoot: name: expand in: query @@ -18866,7 +27355,13 @@ components: - customizedUrl - preview - previewUrl - description: Specifies additional metadata to be included in the response. + description: Specifies additional metadata to be included in the response + queryFilter: + name: q + in: query + description: Searches the records for matching value + schema: + type: string queryLanguage: name: language schema: @@ -18881,7 +27376,7 @@ components: minimum: 1 maximum: 200 default: 20 - description: A limit on the number of objects to return. + description: A limit on the number of objects to return queryLimitPerPoolType: name: limitPerPoolType in: query 
@@ -18904,7 +27399,222 @@ components: schema: type: boolean required: false + queryUserExpand: + name: expand + in: query + description: 'An optional parameter to include metadata in the `_embedded` attribute. Valid value: `blocks`' + required: false + schema: + type: string + example: blocks + ruleId: + name: ruleId + description: '`id` of the Realm Assignment Rule' + in: path + required: true + schema: + type: string + example: rul2jy7jLUlnO3ng00g4 + simulateParameter: + name: expand + description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition was (not) matched. + in: query + schema: + type: string + example: expand=EVALUATED&expand=RULE + requestBodies: + AuthenticatorRequestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Authenticator' + examples: + Duo: + $ref: '#/components/examples/AuthenticatorRequestDuo' + required: true + responses: + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorMissingRequiredParameter400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + MissingRequiredParameter: + $ref: '#/components/examples/ErrorMissingRequiredParameter' + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + 
$ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + AuthenticatorResponse: + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/Authenticator' + examples: + Duo: + $ref: '#/components/examples/AuthenticatorResponseDuo' + Email: + $ref: '#/components/examples/AuthenticatorResponseEmail' + Password: + $ref: '#/components/examples/AuthenticatorResponsePassword' + Phone: + $ref: '#/components/examples/AuthenticatorResponsePhone' + WebAuthn: + $ref: '#/components/examples/AuthenticatorResponseWebAuthn' + SecurityQuestion: + $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion' schemas: + APIServiceIntegrationInstance: + type: object + properties: + configGuideUrl: + type: string + description: The URL to the API service integration configuration guide + example: https://{docDomain}/my-app-cie/configuration-guide + readOnly: true + createdAt: + type: string + description: Timestamp when the API Service Integration instance was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + createdBy: + type: string + description: The user ID of the API Service Integration instance creator + example: 00uu3u0ujW1P6AfZC2d5 + readOnly: true + grantedScopes: + type: array + description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). 
+ items: + type: string + example: + - okta.logs.read + id: + type: string + description: The ID of the API Service Integration instance + readOnly: true + example: 0oa72lrepvp4WqEET1d9 + name: + type: string + description: The name of the API service integration that corresponds with the `type` property. This is the full name of the API service integration listed in the Okta Integration Network (OIN) catalog. + readOnly: true + example: My App Cloud Identity Engine + type: + type: string + description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`. + example: my_app_cie + _links: + $ref: '#/components/schemas/APIServiceIntegrationLinks' + readOnly: true + APIServiceIntegrationInstanceSecret: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string. The client secret string is returned in the response of a Secret creation request. In other responses (such as list, activate, or deactivate requests), the client secret is returned as an undisclosed hashed value. 
+ example: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + readOnly: true + created: + type: string + description: Timestamp when the API Service Integration instance Secret was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + id: + type: string + description: The ID of the API Service Integration instance Secret + example: ocs2f4zrZbs8nUa7p0g4 + readOnly: true + lastUpdated: + type: string + description: Timestamp when the API Service Integration instance Secret was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + secret_hash: + type: string + description: OAuth 2.0 client secret string hash + example: yk4SVx4sUWVJVbHt6M-UPA + readOnly: true + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the API Service Integration instance Secret + example: ACTIVE + _links: + $ref: '#/components/schemas/APIServiceIntegrationSecretLinks' + readOnly: true + required: + - id + - status + - client_secret + - created + - lastUpdated + - secret_hash + - _links + APIServiceIntegrationLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + properties: + client: + $ref: '#/components/schemas/HrefObjectClientLink' + logo: + $ref: '#/components/schemas/HrefObjectLogoLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + APIServiceIntegrationSecretLinks: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. 
This object is used for dynamic discovery of related resources and lifecycle operations. + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + delete: + $ref: '#/components/schemas/HrefObjectDeleteLink' + readOnly: true APNSConfiguration: properties: fileName: @@ -18937,15 +27647,67 @@ components: AccessPolicyConstraint: type: object properties: + authenticationMethods: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + description:
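Review bot: The `example` values for `client_secret` and `secret_hash` in `APIServiceIntegrationInstanceSecret` are realistic-looking high-entropy strings, which secret scanners on this repository and on the generated SDK docs are likely to flag. The property description says the plaintext secret is returned only in the creation response, so an obviously constructed value is enough, e.g. `example: '{clientSecretReturnedOnCreate}'`. Also consider adding to the `client_secret` description that callers must store the value at creation time and keep it out of logs, since the generated model presumably carries it as an ordinary string field. Separately, `APIServiceIntegrationSecretLinks` repeats the "current status of an application" wording from `APIServiceIntegrationLinks`, although it describes a secret.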

This property specifies the precise authenticator and method for authentication. + type: array + items: + $ref: '#/components/schemas/AuthenticationMethodObject' + excludedAuthenticationMethods: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + description:
This property specifies the precise authenticator and method to exclude from authentication. + items: + $ref: '#/components/schemas/AuthenticationMethodObject' methods: + description: The Authenticator methods that are permitted items: type: string + enum: + - PASSWORD + - SECURITY_QUESTION + - SMS + - VOICE + - EMAIL + - PUSH + - SIGNED_NONCE + - OTP + - TOTP + - WEBAUTHN + - DUO + - IDP + - CERT type: array reauthenticateIn: + description: The duration after which the user must re-authenticate regardless of user activity. This re-authentication interval overrides the Verification Method object's `reauthenticateIn` interval. The supported values use ISO 8601 period format for recurring time intervals (for example, `PT1H`). type: string + required: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + description:
This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for`excludedAuthenticationMethods` the `required` value is false. + type: boolean types: + description: The Authenticator types that are permitted items: type: string + enum: + - SECURITY_KEY + - PHONE + - EMAIL + - PASSWORD + - SECURITY_QUESTION + - APP + - FEDERATED type: array AccessPolicyConstraints: type: object @@ -18993,25 +27755,43 @@ components: condition: type: string AcsEndpoint: + description: An array of ACS endpoints. You can configure a maximum of 100 endpoints. type: object properties: index: type: integer + description: Index of the URL in the array of ACS endpoints + example: 0 url: type: string - ActivateFactorRequest: + description: URL of the ACS + maxLength: 1024 + example: https://www.example.com/sso/saml + required: + - url + - index + Actions: type: object properties: - attestation: - type: string - clientData: - type: string - passCode: - type: string - registrationData: - type: string - stateToken: - type: string + assignUserToRealm: + $ref: '#/components/schemas/AssignUserToRealm' + AdminConsoleSettings: + title: Okta Admin Console Settings + description: Settings specific to the Okta Admin Console + type: object + properties: + sessionIdleTimeoutMinutes: + description: The absolute maximum session lifetime of the Okta Admin Console. Must be no more than 12 hours. + type: integer + minimum: 5 + maximum: 720 + default: 15 + sessionMaxLifetimeMinutes: + description: The absolute maximum session lifetime of the Okta Admin Console. Must be no more than 7 days. + type: integer + minimum: 5 + maximum: 10080 + default: 720 Agent: description: Agent details type: object 
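Review bot: In `AccessPolicyConstraint`, the new `excludedAuthenticationMethods` property declares `items` but no `type: array`, unlike `authenticationMethods` directly above it. Add `type: array` ahead of `items:` so that validators and the code generator do not have to infer the type. This field decides which authenticators a rule excludes, and per the `required` description it also flips `required` to false, so a wrongly typed model would be a policy problem rather than a cosmetic one. The `twofa-enabled-disallow-password-allow-phishing` examples earlier in this file give `excludedAuthenticationMethods` as a single mapping (`key: okta_password`) rather than a list, and spell a sibling key `phishingREsistant`; both look inconsistent with this schema and are worth checking against the API. The `required` description is also missing a space in "for`excludedAuthenticationMethods`".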
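Review bot: In `AdminConsoleSettings`, `sessionIdleTimeoutMinutes` carries the same opening sentence as `sessionMaxLifetimeMinutes` ("The absolute maximum session lifetime of the Okta Admin Console"), which appears to be a copy-paste slip. Going by the property name and its `maximum: 720`, it presumably sets the idle timeout, so the description should read something like `description: The maximum idle time before the Okta Admin Console session expires. Must be no more than 12 hours.` As written, an admin reading the generated SDK docs could set the wrong field when trying to tighten console session limits.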
@@ -19041,7 +27821,7 @@ components: version: type: string _links: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/LinksSelf' AgentPool: description: An AgentPool is a collection of agents that serve a common purpose. An AgentPool has a unique ID within an org, and contains a collection of agents disjoint to every other AgentPool (i.e. no two AgentPools share an Agent). type: object @@ -19089,7 +27869,7 @@ components: targetVersion: type: string _links: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/LinksSelf' AgentPoolUpdateSetting: description: Setting for auto-update type: object @@ -19177,11 +27957,7 @@ components: userId: type: string _link: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true + $ref: '#/components/schemas/LinksSelf' required: - name AppAndInstanceConditionEvaluatorAppOrInstance: @@ -19189,9 +27965,11 @@ components: properties: id: type: string + description: ID of the app readOnly: true name: type: string + description: Name of the app type type: $ref: '#/components/schemas/AppAndInstanceType' AppAndInstancePolicyRuleCondition: @@ -19206,10 +27984,34 @@ components: items: $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' AppAndInstanceType: + description: Type of app type: string x-okta-known-values: - APP - APP_TYPE + AppCustomHrefObject: + type: object + properties: + hints: + type: object + description: Describes allowed HTTP verbs for the `href` + properties: + allow: + type: array + items: + type: string + href: + type: string + description: Link URI + title: + type: string + description: Link name + type: + type: string + description: The media type of the link. If omitted, it is implicitly `application/json`. + required: + - href + readOnly: true AppInstancePolicyRuleCondition: type: object properties: 
@@ -19255,74 +28057,167 @@ components: type: integer readOnly: true AppUser: + title: Application User + description: The App User object defines a user's app-specific profile and credentials for an app. type: object - properties: - created: - type: string - format: date-time - readOnly: true + properties: + created: + allOf: + - $ref: '#/components/schemas/createdProperty' + - example: '2014-06-24T15:27:59.000Z' credentials: $ref: '#/components/schemas/AppUserCredentials' externalId: type: string + description: |- + The ID of the user in the target app that's linked to the Okta App User object. + This value is the native app-specific identifier or primary key for the user in the target app. + + The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user has been successfully created in the target app. + This value isn't populated for SSO app assignments (for example, SAML or SWA) because it isn't synchronized with a target app. readOnly: true + example: 70c14cc17d3745e8a9f98d599a68329c id: type: string - readOnly: false + description: Unique identifier of the App User object (only required for apps with `signOnMode` or authentication schemes that don't require credentials) + example: 00u11z6WHMYCGPCHCRFK lastSync: type: string + description: Timestamp of the last synchronization operation. This value is only updated for apps with the `IMPORT_PROFILE_UPDATES` or `PUSH PROFILE_UPDATES` feature. 
format: date-time readOnly: true + example: '2014-06-24T15:27:59.000Z' lastUpdated: - type: string - format: date-time - readOnly: true + allOf: + - $ref: '#/components/schemas/lastUpdatedProperty' + - example: '2014-06-24T15:28:14.000Z' passwordChanged: type: string + description: Timestamp when the App User password was last changed format: date-time readOnly: true + nullable: true + example: '2014-06-24T15:27:59.000Z' profile: - type: object - additionalProperties: - type: object - properties: {} + $ref: '#/components/schemas/AppUserProfile' scope: type: string + description: Toggles the assignment between user or group scope + enum: + - USER + - GROUP + example: USER status: - type: string - readOnly: true + $ref: '#/components/schemas/AppUserStatus' statusChanged: type: string + description: Timestamp when the App User status was last changed format: date-time readOnly: true + example: '2014-06-24T15:28:14.000Z' syncState: - type: string - readOnly: true + $ref: '#/components/schemas/AppUserSyncState' _embedded: type: object + description: Embedded resources related to the App User using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification additionalProperties: type: object properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksAppAndUser' + required: + - created + - lastUpdated + - scope + - status + - statusChanged + - _links AppUserCredentials: + description: Specifies a user's credentials for the app. The authentication scheme of the app determines whether a username or password can be assigned to a user. type: object properties: password: $ref: '#/components/schemas/AppUserPasswordCredential' userName: type: string + description: Username for the app + minLength: 1 + maxLength: 100 + example: testuser AppUserPasswordCredential: + description: Specifies a password for a user. 
This is a write-only property. An empty `password` object is returned to indicate that a password value exists. type: object properties: value: + description: Password value type: string format: password + writeOnly: true + AppUserProfile: + description: |- + App user profiles are app-specific and can be customized by the Profile Editor in the Admin Console. + SSO apps typically don't support app user profiles, while apps with user provisioning features have app-specific profiles. + Properties that are visible in the Admin Console for an app assignment can also be assigned through the API. + Some properties are reference properties that are imported from the target app and can't be configured. + additionalProperties: + type: object + properties: {} + type: object + AppUserStatus: + description: Status of an App User + example: ACTIVE + type: string + x-enumDescriptions: + ACTIVE: The App User is provisioned and is enabled to use the app. This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` feature enabled and user import is confirmed, or if the app doesn't have provisioning enabled. + INACTIVE: The App User is provisioned, but isn't enabled to use the app. App Users in this status can be reactivated with a password reset or permanently deleted. + IMPORTED: The App User is created based on imported data. + MATCHED: The imported user is matched with an existing App User. + UNASSIGNED: The App User was imported, but the user-matching operation was skipped. + SUSPENDED: The App User is provisioned, but isn't enabled to use the app. App Users in this status can be reactivated without a password reset. + PENDING: The App User is provisioned, but in a pending state and can't use the app. The status moves to `ACTIVE` when the App User is activated. + APPROVED: The App User was created but not provisioned. This status can occur when manual provisioning acknowledgment is required. 
+ REVOKED: The App User is disabled and waiting for deprovisioning acknowledgment. The App User can be deleted after deprovisioning acknowledgment. + IMPLICIT: The App User is now migrated to use implicit app assignment. + STAGED: The App User doesn't have `externalId` set and the background provisioning operation is queued. This applies to apps with the `PUSH_NEW_USERS` feature enabled. + PROVISIONED: The background provisioning operation completed and the App User was assigned an `externalId` successfully. + DEPROVISIONED: The user was removed by the provisioning operation and the `externalId` property is unassigned. + readOnly: true + x-okta-known-values: + - ACTIVE + - APPROVED + - DEPROVISIONED + - IMPLICIT + - IMPORTED + - INACTIVE + - MATCHED + - PENDING + - PROVISIONED + - REVOKED + - STAGED + - SUSPENDED + - UNASSIGNED + AppUserSyncState: + description: |- + The synchronization state for the App User. + The App User's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app. + + > **Note:** User provisioning currently must be configured through the Admin Console. + example: SYNCHRONIZED + type: string + x-enumDescriptions: + DISABLED: The provisioning feature is disabled for the app (`PROFILE_MASTERING` feature is disabled). + OUT_OF_SYNC: The App User has changes that haven't been pushed to the target app. + SYNCING: A background provisioning operation is running to update the user's profile in the target app. + SYNCHRONIZED: All changes to the App User profile have successfully been synchronized with the target app. + ERROR: A background provisioning operation failed to update the user's profile in the target app. You must resolve the provisioning task in the Admin Console before you retry the operation. + readOnly: true + x-okta-known-values: + - DISABLED + - ERROR + - OUT_OF_SYNC + - SYNCHRONIZED + - SYNCING Application: type: object properties: 
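Review bot: The `lastSync` description in `AppUser` writes the feature name as `PUSH PROFILE_UPDATES`, with a space where the other feature names in this hunk (`IMPORT_PROFILE_UPDATES`, `PUSH_NEW_USERS`) use an underscore. It should presumably read `PUSH_PROFILE_UPDATES`, so the text matches the value a caller would look for in the app's `features` list. The corrected sentence would end `for apps with the IMPORT_PROFILE_UPDATES or PUSH_PROFILE_UPDATES feature.`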
@@ -19332,26 +28227,28 @@ components: type: string format: date-time readOnly: true + description: Timestamp when the Application object was created features: type: array + description: Enabled app features items: type: string id: type: string readOnly: true + description: Unique ID for the app instance label: $ref: '#/components/schemas/ApplicationLabel' lastUpdated: type: string format: date-time readOnly: true + description: Timestamp when the Application object was last updated licensing: $ref: '#/components/schemas/ApplicationLicensing' profile: type: object - additionalProperties: - type: object - properties: {} + description: Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps) signOnMode: $ref: '#/components/schemas/ApplicationSignOnMode' status: @@ -19368,15 +28265,20 @@ components: $ref: '#/components/schemas/ApplicationLinks' discriminator: *ref_1 ApplicationAccessibility: + description: Specifies access settings for the app type: object properties: errorRedirectUrl: type: string + description: Custom error page URL for the app loginRedirectUrl: type: string + description: Custom login page URL for the app selfService: type: boolean + description: Represents whether the app can be self-assignable by users ApplicationCredentials: + description: Credentials for the specified `signOnMode` type: object properties: signing: @@ -19392,6 +28294,9 @@ components: type: string client_secret: type: string + pkce_required: + type: boolean + description: Require Proof Key for Code Exchange (PKCE) for additional verification token_endpoint_auth_method: $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod' ApplicationCredentialsScheme: 
@@ -19435,21 +28340,42 @@ components: userSuffix: type: string ApplicationFeature: + description: | + The Feature object is used to configure application feature settings. type: object properties: - capabilities: - $ref: '#/components/schemas/CapabilitiesObject' description: type: string + description: Description of the feature + example: Settings for provisioning users from Okta to a downstream application + readOnly: true name: - type: string + $ref: '#/components/schemas/ApplicationFeatureType' + readOnly: true status: - $ref: '#/components/schemas/EnabledStatus' + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + - example: ENABLED + - readOnly: true _links: - additionalProperties: - type: object - readOnly: true - type: object + allOf: + - $ref: '#/components/schemas/LinksSelf' + - readOnly: true + discriminator: *ref_3 + ApplicationFeatureType: + description: | + Identifying name of the feature + + | Value | Description | + | --------- | ------------- | + | USER_PROVISIONING | Represents the **To App** provisioning feature setting in the Admin Console | + example: USER_PROVISIONING + type: string + x-enumDescriptions: + USER_PROVISIONING: Represents the **To App** provisioning feature setting in the Admin Console + x-okta-known-values: + - USER_PROVISIONING ApplicationGroupAssignment: type: object properties: @@ -19474,12 +28400,9 @@ components: properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' ApplicationLabel: + description: User-defined display name for app type: string ApplicationLayout: type: object @@ -19488,7 +28411,7 @@ components: type: array items: type: object - additionalProperties: true + additionalProperties: {} label: type: string options: 
@@ -19513,12 +28436,31 @@ components: additionalProperties: {} scope: type: string + ApplicationLayouts: + type: object + properties: + _links: + type: object + properties: + general: + $ref: '#/components/schemas/ApplicationLayoutsLinksItem' + signOn: + $ref: '#/components/schemas/ApplicationLayoutsLinksItem' + provisioning: + $ref: '#/components/schemas/ApplicationLayoutsLinksItem' + readOnly: true + ApplicationLayoutsLinksItem: + items: + $ref: '#/components/schemas/HrefObject' + type: array ApplicationLicensing: type: object properties: seatCount: type: integer + description: Number of licenses purchased for the app ApplicationLifecycleStatus: + description: App instance status type: string readOnly: true x-okta-known-values: @@ -19526,15 +28468,14 @@ components: - DELETED - INACTIVE ApplicationLinks: - additionalProperties: true - type: object + description: Discoverable resources related to the app properties: accessPolicy: $ref: '#/components/schemas/HrefObject' activate: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/HrefObjectActivateLink' deactivate: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/HrefObjectDeactivateLink' groups: $ref: '#/components/schemas/HrefObject' logo: @@ -19544,11 +28485,11 @@ components: metadata: $ref: '#/components/schemas/HrefObject' self: - $ref: '#/components/schemas/HrefObject' + $ref: '#/components/schemas/HrefObjectSelfLink' users: $ref: '#/components/schemas/HrefObject' - readOnly: true ApplicationSettings: + description: App settings type: object properties: identityStoreId: @@ -19596,6 +28537,7 @@ components: items: type: string ApplicationSignOnMode: + description: Authentication mode for the app type: string x-okta-known-values: - AUTO_LOGIN 
@@ -19612,35 +28554,119 @@ components: properties: appLinks: type: object + description: Links or icons that appear on the End-User Dashboard when they're assigned to the app additionalProperties: type: boolean autoLaunch: type: boolean + description: Automatically signs in to the app when user signs into Okta autoSubmitToolbar: type: boolean + description: Automatically sign in when user lands on the sign-in page hide: $ref: '#/components/schemas/ApplicationVisibilityHide' ApplicationVisibilityHide: + description: Hides the app for specific end-user apps type: object properties: iOS: type: boolean web: type: boolean + AssignGroupOwnerRequestBody: + type: object + properties: + id: + description: The `id` of the group owner + type: string + type: + $ref: '#/components/schemas/GroupOwnerType' AssignRoleRequest: type: object properties: type: $ref: '#/components/schemas/RoleType' + AssignUserToRealm: + type: object + properties: + realmId: + type: string + AssociatedServerMediated: + type: object + properties: + trusted: + type: array + description: A list of the authorization server IDs + items: + type: string + AttackProtectionAuthenticatorSettings: + type: object + properties: + verifyKnowledgeSecondWhen2faRequired: + type: boolean + description: If true, requires users to verify a possession factor before verifying a knowledge factor when the assurance requires two-factor authentication (2FA). 
+ default: false + AuthServerLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + claims: + allOf: + - description: Link to the authorization server claims + - $ref: '#/components/schemas/HrefObject' + deactivate: + allOf: + - $ref: '#/components/schemas/HrefObjectDeactivateLink' + metadata: + description: Link to the authorization server metadata + type: array + items: + $ref: '#/components/schemas/HrefObject' + policies: + allOf: + - description: Link to the authorization server policies + - $ref: '#/components/schemas/HrefObject' + rotateKey: + allOf: + - description: Link to the authorization server key rotation + - $ref: '#/components/schemas/HrefObject' + scopes: + allOf: + - description: Link to the authorization server scopes + - $ref: '#/components/schemas/HrefObject' + AuthenticationMethodObject: + type: object + properties: + key: + type: string + description: A label that identifies the authenticator + method: + type: string + description: Specifies the method used for the authenticator AuthenticationProvider: + description: |- + Specifies the authentication provider that validates the user's password credential. The user's current provider + is managed by the Delegated Authentication settings for your organization. The provider object is read-only. 
type: object properties: name: type: string + description: The name of the authentication provider + readOnly: true type: $ref: '#/components/schemas/AuthenticationProviderType' AuthenticationProviderType: + description: The type of authentication provider type: string + x-enumDescriptions: + ACTIVE_DIRECTORY: Specifies the directory instance name as the `name` property + FEDERATION: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider + IMPORT: Specifies a hashed password that was imported from an external source + LDAP: Specifies the directory instance name as the `name` property + OKTA: Specifies the Okta Identity Provider + SOCIAL: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider + readOnly: true x-okta-known-values: - ACTIVE_DIRECTORY - FEDERATION 
@@ -19671,14 +28697,191 @@ components: settings: $ref: '#/components/schemas/AuthenticatorSettings' status: - $ref: '#/components/schemas/AuthenticatorStatus' + $ref: '#/components/schemas/LifecycleStatus' type: $ref: '#/components/schemas/AuthenticatorType' - _links: - additionalProperties: - type: object - readOnly: true + _embedded: type: object + properties: + methods: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodBase' + policies: + type: array + items: + $ref: '#/components/schemas/Policy' + _links: + $ref: '#/components/schemas/AuthenticatorLinks' + AuthenticatorIdentity: + description: Represents a particular authenticator serving as a constraint on a method + type: object + properties: + key: + type: string + AuthenticatorLinks: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + methods: + description: Link to Authenticator methods + allOf: + - $ref: '#/components/schemas/HrefObject' + AuthenticatorMethodAlgorithm: + description: The encryption algorithm for this authenticator method + type: string + x-okta-known-values: + - ES256 + - RS256 + AuthenticatorMethodBase: + type: object + properties: + status: + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/AuthenticatorMethodType' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + discriminator: *ref_5 + AuthenticatorMethodConstraint: + description: 'Limits the authenticators that can be used for a given method. Currently, only the `otp` method supports constraints, and Google authenticator (key : ''google_otp'') is the only allowed authenticator.' 
+ type: object + properties: + allowedAuthenticators: + type: array + items: + $ref: '#/components/schemas/AuthenticatorIdentity' + method: + enum: + - otp + AuthenticatorMethodOtp: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + - type: object + properties: + acceptableAdjacentIntervals: + type: integer + minimum: 0 + maximum: 10 + algorithm: + $ref: '#/components/schemas/OtpTotpAlgorithm' + encoding: + $ref: '#/components/schemas/OtpTotpEncoding' + factorProfileId: + type: string + passCodeLength: + type: integer + minimum: 6 + maximum: 10 + multipleOf: 2 + protocol: + $ref: '#/components/schemas/OtpProtocol' + timeIntervalInSeconds: + type: integer + AuthenticatorMethodProperty: + type: string + x-okta-known-values: + - DEVICE_BOUND + - HARDWARE_PROTECTED + - PHISHING_RESISTANT + - USER_PRESENCE + - USER_VERIFYING + AuthenticatorMethodPush: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + settings: + type: object + properties: + algorithms: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' + keyProtection: + $ref: '#/components/schemas/PushMethodKeyProtection' + transactionTypes: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodTransactionType' + AuthenticatorMethodSignedNonce: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + settings: + type: object + properties: + algorithms: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' + keyProtection: + $ref: '#/components/schemas/PushMethodKeyProtection' + showSignInWithOV: + $ref: '#/components/schemas/ShowSignInWithOV' + AuthenticatorMethodSimple: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + AuthenticatorMethodTotp: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + settings: + type: object + properties: + 
timeIntervalInSeconds: + type: integer + encoding: + type: string + algorithm: + type: string + passCodeLength: + type: integer + AuthenticatorMethodTransactionType: + type: string + x-okta-known-values: + - CIBA + - LOGIN + AuthenticatorMethodType: + type: string + x-okta-known-values: + - cert + - duo + - email + - idp + - otp + - password + - push + - security_question + - signed_nonce + - sms + - totp + - voice + - webauthn + AuthenticatorMethodWebAuthn: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + settings: + type: object + properties: + userVerification: + $ref: '#/components/schemas/UserVerificationEnum' + attachment: + $ref: '#/components/schemas/WebAuthnAttachment' + AuthenticatorMethodWithVerifiableProperties: + allOf: + - $ref: '#/components/schemas/AuthenticatorMethodBase' + - type: object + properties: + verifiableProperties: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodProperty' AuthenticatorProvider: properties: configuration: @@ -19716,11 +28919,6 @@ components: type: integer userVerification: $ref: '#/components/schemas/UserVerificationEnum' - AuthenticatorStatus: - type: string - x-okta-known-values: - - ACTIVE - - INACTIVE AuthenticatorType: type: string x-okta-known-values: @@ -19736,6 +28934,7 @@ components: properties: audiences: type: array + description: The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience. items: type: string created: 
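Review bot: `AuthenticatorMethodTotp.settings` declares `encoding` and `algorithm` as bare `type: string` and leaves `passCodeLength` unbounded, while `AuthenticatorMethodOtp` in the same hunk uses `$ref: '#/components/schemas/OtpTotpEncoding'`, `$ref: '#/components/schemas/OtpTotpAlgorithm'` and `minimum: 6` / `maximum: 10` for the same settings. If both methods accept the same values, reuse the refs and the bounds in the TOTP schema so the generated client exposes typed values and does not present a very short passcode length as valid. `OtpTotpAlgorithm` and `OtpTotpEncoding` are defined outside this hunk, so confirm they cover the TOTP values. The `Authenticator` schema that this hunk opens in begins above the hunk.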
@@ -19746,33 +28945,46 @@ components: $ref: '#/components/schemas/AuthorizationServerCredentials' description: type: string + description: The description of the custom authorization server id: type: string + description: The ID of the custom authorization server readOnly: true issuer: type: string + description: The complete URL for the custom authorization server. This becomes the `iss` claim in an access token. issuerMode: - $ref: '#/components/schemas/IssuerMode' + type: string + description: |- + Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL. + + `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses. + + When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`. + + When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface. + + When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain. + + After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled. 
lastUpdated: type: string format: date-time readOnly: true name: type: string + description: The name of the custom authorization server status: $ref: '#/components/schemas/LifecycleStatus' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/AuthServerLinks' AuthorizationServerCredentials: type: object properties: signing: $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' AuthorizationServerCredentialsRotationMode: + description: The Key rotation mode for the authorization server type: string x-okta-known-values: - AUTO @@ -19782,12 +28994,16 @@ components: properties: kid: type: string + description: The ID of the JSON Web Key used for signing tokens issued by the authorization server + readOnly: true lastRotated: type: string + description: The timestamp when the authorization server started using the `kid` for signing tokens format: date-time readOnly: true nextRotation: type: string + description: The timestamp when the authorization server changes the Key for signing tokens. This is only returned when `rotationMode` is set to `AUTO`. format: date-time readOnly: true rotationMode: @@ -19795,6 +29011,7 @@ components: use: $ref: '#/components/schemas/AuthorizationServerCredentialsUse' AuthorizationServerCredentialsUse: + description: How the key is used type: string x-okta-known-values: - sig @@ -19804,7 +29021,12 @@ components: - type: object properties: conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + $ref: '#/components/schemas/AuthorizationServerPolicyConditions' + AuthorizationServerPolicyConditions: + type: object + properties: + clients: + $ref: '#/components/schemas/ClientPolicyCondition' AuthorizationServerPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' 
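Review bot: `issuerMode` on `AuthorizationServer` changes from `$ref: '#/components/schemas/IssuerMode'` to a plain `type: string`, so the three values the new description names (`ORG_URL`, `CUSTOM_URL`, `DYNAMIC`) are no longer expressed in the schema. This property decides what ends up in the `iss` claim of issued tokens, so it is worth keeping a typed value in the generated SDK. Either keep the `$ref` and move the description onto `IssuerMode` (if that schema still exists; it is outside this hunk), or add `x-okta-known-values:` with `- ORG_URL`, `- CUSTOM_URL` and `- DYNAMIC` under the property, as the other enumerated strings in this file do.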
@@ -19822,18 +29044,16 @@ components: token: $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction' AuthorizationServerPolicyRuleConditions: - allOf: - - $ref: '#/components/schemas/PolicyRuleConditions' - - type: object - properties: - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' + type: object + properties: + clients: + $ref: '#/components/schemas/ClientPolicyCondition' + grantTypes: + $ref: '#/components/schemas/GrantTypePolicyRuleCondition' + people: + $ref: '#/components/schemas/PolicyPeopleCondition' + scopes: + $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' AutoLoginApplication: allOf: - $ref: '#/components/schemas/Application' @@ -19843,6 +29063,7 @@ components: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string + description: Unique key for the application definition settings: $ref: '#/components/schemas/AutoLoginApplicationSettings' AutoLoginApplicationSettings: @@ -19857,8 +29078,10 @@ components: properties: loginUrl: type: string + description: Primary URL of the sign-in page for this app redirectUrl: type: string + description: Secondary URL of the sign-in page for this app AutoUpdateSchedule: description: The schedule of auto-update configured by admin. type: object 
@@ -19877,17 +29100,36 @@ components: format: date-time timezone: type: string + AwsAccountId: + description: Your AWS account ID + minLength: 12 + maxLength: 12 + example: 123456789012 + type: string + AwsEventSourceName: + description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge + minLength: 1 + maxLength: 75 + example: your-event-source-name + type: string + pattern: ^[a-zA-Z0-9.\-_]$ AwsRegion: - description: An AWS region + description: The destination AWS region where your event source is located type: string x-okta-known-values: + - ap-northeast-1 + - ap-northeast-2 + - ap-northeast-3 + - ap-south-1 + - ap-southeast-1 + - ap-southeast-2 - ca-central-1 - eu-central-1 - eu-north-1 - - eu-south-1 - eu-west-1 - eu-west-2 - eu-west-3 + - sa-east-1 - us-east-1 - us-east-2 - us-west-1 @@ -19902,6 +29144,28 @@ components: required: - displayName - userName + BaseEmailServer: + type: object + properties: + alias: + type: string + description: Human-readable name for your SMTP server + example: CustomServer1 + enabled: + type: boolean + description: If `true`, routes all email traffic through your SMTP server + host: + type: string + description: Hostname or IP address of your SMTP server + example: 192.168.160.1 + port: + type: integer + description: Port number of your SMTP server + example: 587 + username: + type: string + description: Username used to access your SMTP server + example: aUser BasicApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' @@ -19927,6 +29191,7 @@ components: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string + description: Unique key for the app definition default: template_basic_auth settings: $ref: '#/components/schemas/BasicApplicationSettings' 
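Review bot: The `pattern` added for `AwsEventSourceName`, `^[a-zA-Z0-9.\-_]$`, has no quantifier, so it matches exactly one character, while the same schema sets `maxLength: 75` and gives the example `your-event-source-name`. Any validator that enforces the pattern would reject the schema's own example. It should read `pattern: ^[a-zA-Z0-9.\-_]+$`, with `minLength` and `maxLength` continuing to bound the length.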
@@ -19960,15 +29225,11 @@ components: type: $ref: '#/components/schemas/BehaviorRuleType' _link: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true + $ref: '#/components/schemas/LinksSelf' required: - name - type - discriminator: *ref_3 + discriminator: *ref_7 BehaviorRuleAnomalousDevice: allOf: - $ref: '#/components/schemas/BehaviorRule' @@ -20071,6 +29332,7 @@ components: $ref: '#/components/schemas/ApplicationCredentials' name: type: string + description: Unique key for the app definition default: bookmark settings: $ref: '#/components/schemas/BookmarkApplicationSettings' @@ -20117,12 +29379,9 @@ components: customPrivacyPolicyUrl: type: string defaultApp: - type: object - properties: - appInstanceId: - type: string - appLinkName: - type: string + $ref: '#/components/schemas/DefaultApp' + emailDomainId: + type: string id: readOnly: true type: string @@ -20135,31 +29394,6 @@ components: type: string removePoweredByOkta: type: boolean - _links: - properties: - self: - $ref: '#/components/schemas/HrefObject' - themes: - $ref: '#/components/schemas/HrefObject' - readOnly: true - type: object - BrandDomain: - type: object - properties: - domainId: - type: string - readOnly: true - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - brand: - $ref: '#/components/schemas/HrefObject' - domain: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this brand domain BrandDomains: title: BrandDomains items: 
@@ -20172,10 +29406,41 @@ components: type: boolean customPrivacyPolicyUrl: type: string + defaultApp: + $ref: '#/components/schemas/DefaultApp' + emailDomainId: + type: string + locale: + $ref: '#/components/schemas/Language' name: type: string removePoweredByOkta: type: boolean + BrandWithEmbedded: + allOf: + - $ref: '#/components/schemas/Brand' + type: object + properties: + _embedded: + type: object + properties: + themes: + type: array + items: + $ref: '#/components/schemas/ThemeResponse' + domains: + items: + $ref: '#/components/schemas/DomainResponse' + type: array + emailDomain: + $ref: '#/components/schemas/EmailDomainResponse' + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + themes: + $ref: '#/components/schemas/HrefObject' BrowserPluginApplication: allOf: - $ref: '#/components/schemas/Application' @@ -20185,6 +29450,7 @@ components: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string + description: Unique key for the app definition settings: $ref: '#/components/schemas/SwaApplicationSettings' BulkDeleteRequestBody: 
@@ -20215,48 +29481,81 @@ components: type: object properties: id: + description: The unique key for the CAPTCHA instance type: string readOnly: true name: + description: The name of the CAPTCHA instance type: string secretKey: + description: The secret key issued from the CAPTCHA provider to perform server-side validation for a CAPTCHA token type: string writeOnly: true siteKey: + description: The site key issued from the CAPTCHA provider to render a CAPTCHA on a page type: string type: $ref: '#/components/schemas/CAPTCHAType' _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true + $ref: '#/components/schemas/LinksSelf' CAPTCHAType: + description: The type of CAPTCHA provider type: string x-okta-known-values: - HCAPTCHA - RECAPTCHA_V2 - CallUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/CallUserFactorProfile' - CallUserFactorProfile: - type: object - properties: - phoneExtension: - type: string - phoneNumber: - type: string CapabilitiesCreateObject: + description: | + Determines whether Okta assigns a new application account to each user managed by Okta. + + Okta doesn't create a new account if it detects that the username specified in Okta already exists in the application. + The user's Okta username is assigned by default. type: object properties: lifecycleCreate: $ref: '#/components/schemas/LifecycleCreateSettingObject' + CapabilitiesImportRulesObject: + description: Defines user import rules + type: object + properties: + userCreateAndMatch: + $ref: '#/components/schemas/CapabilitiesImportRulesUserCreateAndMatchObject' + CapabilitiesImportRulesUserCreateAndMatchObject: + description: Rules for matching and creating users + type: object + properties: + allowPartialMatch: + type: boolean + description: Allows user import upon partial matching. 
Partial matching occurs when the first and last names of an imported user match those of an existing Okta user, even if the username or email attributes don't match. + autoActivateNewUsers: + type: boolean + description: If set to `true`, imported new users are automatically activated. + autoConfirmExactMatch: + type: boolean + description: If set to `true`, exact-matched users are automatically confirmed on activation. If set to `false`, exact-matched users need to be confirmed manually. + autoConfirmNewUsers: + type: boolean + description: If set to `true`, imported new users are automatically confirmed on activation. This doesn't apply to imported users that already exist in Okta. + autoConfirmPartialMatch: + type: boolean + description: If set to `true`, partially matched users are automatically confirmed on activation. If set to `false`, partially matched users need to be confirmed manually. + exactMatchCriteria: + type: string + description: Determines the attribute to match users + enum: + - EMAIL + - USERNAME + CapabilitiesImportSettingsObject: + description: Defines import settings + type: object + properties: + schedule: + $ref: '#/components/schemas/ImportScheduleObject' + username: + $ref: '#/components/schemas/ImportUsernameObject' CapabilitiesObject: + title: USER_PROVISIONING + description: Defines the configurations for the USER_PROVISIONING feature type: object properties: create: @@ -20264,6 +29563,7 @@ components: update: $ref: '#/components/schemas/CapabilitiesUpdateObject' CapabilitiesUpdateObject: + description: Determines whether updates to a user's profile are pushed to the application type: object properties: lifecycleDeactivate: 
@@ -20305,17 +29605,16 @@ components: website: type: string _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' CatalogApplicationStatus: type: string x-okta-known-values: - ACTIVE - INACTIVE ChangeEnum: + description: Determines whether a change in a user's password also updates the user's password in the application + default: KEEP_EXISTING + example: CHANGE type: string x-okta-known-values: - CHANGE @@ -20327,6 +29626,8 @@ components: $ref: '#/components/schemas/PasswordCredential' oldPassword: $ref: '#/components/schemas/PasswordCredential' + revokeSessions: + type: boolean ChannelBinding: type: object properties: @@ -20334,18 +29635,53 @@ components: $ref: '#/components/schemas/RequiredEnum' style: type: string + ChromeBrowserVersion: + description: Current version of the Chrome Browser + type: object + properties: + minimum: + type: string ClientPolicyCondition: + description: Specifies which clients are included in the Policy type: object properties: include: type: array + description: Which clients are included in the Policy items: type: string + ClientPrivilegesSetting: + description: The org setting that assigns the super admin role by default to a public client app + type: object + properties: + clientPrivilegesSetting: + type: boolean Compliance: type: object properties: fips: $ref: '#/components/schemas/FipsEnum' + Conditions: + type: object + properties: + expression: + $ref: '#/components/schemas/Expression' + profileSourceId: + type: string + ContentSecurityPolicySetting: + type: object + properties: + mode: + type: string + enum: + - enforced + - report_only + reportUri: + type: string + srcList: + type: array + items: + type: string ContextPolicyRuleCondition: allOf: - $ref: '#/components/schemas/DevicePolicyRuleCondition' 
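Review bot: The new `revokeSessions` boolean beside `newPassword`/`oldPassword` (second hunk on this line) has no `description` and no `default`, so an SDK user cannot tell whether a password change leaves the user's other sessions alive when the field is omitted. That matters for a password change made after a suspected credential compromise, where the caller needs to know whether to set it explicitly. I would add something like `description: Whether to revoke the user's other active sessions when the password is changed` and state the server-side default once it is confirmed; neither is visible here. The enclosing schema starts above the hunk.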
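Review bot: `ClientPrivilegesSetting.clientPrivilegesSetting` (third hunk on this line) is a bare `type: boolean`, although the schema-level text says the setting assigns the super admin role by default to a public client app. A switch with that reach should say on the property what `true` does, e.g. `description: If true, the super admin role is assigned by default to public client apps`. That wording is taken from the schema description and should be confirmed. `ContentSecurityPolicySetting` in the same hunk has no descriptions either: `mode` should note that `report_only` reports violations without blocking them, and `reportUri` could carry `format: uri`.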
@@ -20353,23 +29689,78 @@ components: properties: expression: type: string - CreateBrandDomainRequest: - title: CreateBrandDomainRequest + CreateBrandRequest: + title: CreateBrandRequest type: object properties: - domainId: + name: type: string - CreateBrandRequest: - title: CreateBrandRequest + required: + - name + CreateIamRoleRequest: + type: object + properties: + description: + type: string + description: Description of the role + label: + type: string + description: Unique label for the role + permissions: + type: array + description: Array of permissions that the role will grant. See [Permission Types](https://developer.okta.com/docs/concepts/role-assignment/#permission-types). + items: + $ref: '#/components/schemas/RolePermissionType' + required: + - label + - description + - permissions + CreateRealmAssignmentRuleRequest: type: object properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' name: type: string + priority: + type: integer + CreateRealmRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/RealmProfile' + CreateResourceSetRequest: + type: object + properties: + description: + type: string + description: Description of the Resource Set + label: + type: string + description: Unique label for the Resource Set + resources: + type: array + items: + type: string CreateSessionRequest: type: object properties: sessionToken: type: string + description: The session token obtained during authentication + CreateUISchema: + description: The request body properties for the new UI Schema + type: object + properties: + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + CreateUpdateIamRolePermissionRequest: + type: object + properties: + conditions: + $ref: '#/components/schemas/PermissionConditions' CreateUserRequest: type: object properties: 
@@ -20382,16 +29773,22 @@ components: profile: $ref: '#/components/schemas/UserProfile' type: - $ref: '#/components/schemas/UserType' + type: object + description: |- + The ID of the user type. Add this value if you want to create a user with a non-default [user type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). + The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can + only be assigned a different user type by an administrator through a full replacement (`PUT`) operation. + properties: + id: + type: string + description: The ID of the user type required: - profile Csr: type: object properties: created: - type: string - format: date-time - readOnly: true + $ref: '#/components/schemas/createdProperty' csr: type: string readOnly: true 
@@ -20430,43 +29827,184 @@ components: type: array items: type: string - CustomHotpUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - factorProfileId: - type: string - profile: - $ref: '#/components/schemas/CustomHotpUserFactorProfile' - CustomHotpUserFactorProfile: - type: object - properties: - sharedSecret: - type: string CustomizablePage: type: object properties: pageContent: type: string DNSRecord: + description: DNS TXT and CNAME records to be registered for the Domain type: object properties: expiration: + description: DNS TXT record expiration type: string fqdn: + description: DNS record name type: string + example: _oktaverification.login.example.com recordType: $ref: '#/components/schemas/DNSRecordType' values: + description: DNS record value type: array items: type: string + example: + - 79496f234c814638b1cc44f51a782781 DNSRecordType: + example: TXT type: string x-okta-known-values: - CNAME - TXT + DTCChromeOS: + description: Google Chrome Device Trust Connector provider + type: object + properties: + allowScreenLock: + description: Indicates whether the AllowScreenLock enterprise policy is enabled + type: boolean + browserVersion: + $ref: '#/components/schemas/ChromeBrowserVersion' + builtInDnsClientEnabled: + description: Indicates if a software stack is used to communicate with the DNS server + type: boolean + chromeRemoteDesktopAppBlocked: + description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy + type: boolean + deviceEnrollmentDomain: + description: Enrollment domain of the customer that is currently managing the device + type: string + diskEncrypted: + description: Indicates whether the main disk is encrypted + type: boolean + keyTrustLevel: + $ref: '#/components/schemas/KeyTrustLevelOSMode' + managedDevice: + description: Indicates whether the device is enrolled in ChromeOS device management + type: boolean + osFirewall: + description: Indicates 
whether a firewall is enabled at the OS-level on the device + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersionFourComponents' + passwordProtectionWarningTrigger: + $ref: '#/components/schemas/PasswordProtectionWarningTrigger' + realtimeUrlCheckMode: + description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled + type: boolean + safeBrowsingProtectionLevel: + $ref: '#/components/schemas/SafeBrowsingProtectionLevel' + screenLockSecured: + description: Indicates whether the device is password-protected + type: boolean + siteIsolationEnabled: + description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled + type: boolean + DTCMacOS: + description: Google Chrome Device Trust Connector provider + type: object + properties: + browserVersion: + $ref: '#/components/schemas/ChromeBrowserVersion' + builtInDnsClientEnabled: + description: Indicates if a software stack is used to communicate with the DNS server + type: boolean + chromeRemoteDesktopAppBlocked: + description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy + type: boolean + deviceEnrollmentDomain: + description: Enrollment domain of the customer that is currently managing the device + type: string + diskEncrypted: + description: Indicates whether the main disk is encrypted + type: boolean + keyTrustLevel: + $ref: '#/components/schemas/KeyTrustLevelBrowserKey' + osFirewall: + description: Indicates whether a firewall is enabled at the OS-level on the device + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersionThreeComponents' + passwordProtectionWarningTrigger: + $ref: '#/components/schemas/PasswordProtectionWarningTrigger' + realtimeUrlCheckMode: + description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled + type: boolean + safeBrowsingProtectionLevel: + $ref: '#/components/schemas/SafeBrowsingProtectionLevel' + screenLockSecured: + 
description: Indicates whether the device is password-protected + type: boolean + siteIsolationEnabled: + description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled + type: boolean + DTCWindows: + description: Google Chrome Device Trust Connector provider + type: object + properties: + browserVersion: + $ref: '#/components/schemas/ChromeBrowserVersion' + builtInDnsClientEnabled: + description: Indicates if a software stack is used to communicate with the DNS server + type: boolean + chromeRemoteDesktopAppBlocked: + description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy + type: boolean + crowdStrikeAgentId: + description: Agent ID of an installed CrowdStrike agent + type: string + crowdStrikeCustomerId: + description: Customer ID of an installed CrowdStrike agent + type: string + deviceEnrollmentDomain: + description: Enrollment domain of the customer that is currently managing the device + type: string + diskEncrypted: + description: Indicates whether the main disk is encrypted + type: boolean + keyTrustLevel: + $ref: '#/components/schemas/KeyTrustLevelBrowserKey' + osFirewall: + description: Indicates whether a firewall is enabled at the OS-level on the device + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersionFourComponents' + passwordProtectionWarningTrigger: + $ref: '#/components/schemas/PasswordProtectionWarningTrigger' + realtimeUrlCheckMode: + description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled + type: boolean + safeBrowsingProtectionLevel: + $ref: '#/components/schemas/SafeBrowsingProtectionLevel' + screenLockSecured: + description: Indicates whether the device is password-protected + type: boolean + secureBootEnabled: + description: Indicates whether the device's startup software has its Secure Boot feature enabled + type: boolean + siteIsolationEnabled: + description: Indicates whether the Site Isolation 
(also known as **Site Per Process**) setting is enabled + type: boolean + thirdPartyBlockingEnabled: + description: Indicates whether Chrome is blocking third-party software injection + type: boolean + windowsMachineDomain: + description: Windows domain that the current machine has joined + type: string + windowsUserDomain: + description: Windows domain for the current OS user + type: string + DefaultApp: + type: object + properties: + appInstanceId: + type: string + appLinkName: + type: string + classicApplicationUri: + type: string Device: type: object properties: @@ -20482,7 +30020,7 @@ components: lastUpdated: type: string format: date-time - description: Timestamp when the device was last updated + description: Timestamp when the device record was last updated. Updates occur when Okta collects and saves device signals during authentication, and when the lifecycle state of the device changes. readOnly: true profile: $ref: '#/components/schemas/DeviceProfile' @@ -20502,26 +30040,14 @@ components: status: $ref: '#/components/schemas/DeviceStatus' _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - users: - $ref: '#/components/schemas/HrefObject' - activate: - $ref: '#/components/schemas/HrefObject' - deactivate: - $ref: '#/components/schemas/HrefObject' - suspend: - $ref: '#/components/schemas/HrefObject' - unsuspend: - $ref: '#/components/schemas/HrefObject' - readOnly: true + $ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle' DeviceAccessPolicyRuleCondition: allOf: - $ref: '#/components/schemas/DevicePolicyRuleCondition' - type: object properties: + assurance: + $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance' managed: type: boolean registered: 
@@ -20536,53 +30062,185 @@ components: createdDate: type: string readOnly: true - diskEncryptionType: - type: object - properties: - include: - type: array - items: - $ref: '#/components/schemas/DiskEncryptionType' id: type: string readOnly: true - jailbreak: - type: boolean + lastUpdate: + type: string + readOnly: true lastUpdatedBy: type: string readOnly: true - lastUpdatedDate: - type: string - readOnly: true name: type: string description: Display name of the Device Assurance Policy - osVersion: - $ref: '#/components/schemas/VersionObject' platform: $ref: '#/components/schemas/Platform' - screenLockType: - type: object + _links: + $ref: '#/components/schemas/LinksSelf' + discriminator: *ref_9 + DeviceAssuranceAndroidPlatform: + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + diskEncryptionType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/DiskEncryptionTypeAndroid' + jailbreak: + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersion' + screenLockType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/ScreenLockType' + secureHardwarePresent: + type: boolean + DeviceAssuranceChromeOSPlatform: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + thirdPartySignalProviders: + type: object + description: Settings for third-party signal providers (based on the `CHROMEOS` platform) + properties: + dtc: + $ref: '#/components/schemas/DTCChromeOS' + DeviceAssuranceIOSPlatform: + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + jailbreak: + type: boolean + osVersion: + $ref: '#/components/schemas/OSVersion' + screenLockType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/ScreenLockType' + DeviceAssuranceMacOSPlatform: + allOf: + - 
$ref: '#/components/schemas/DeviceAssurance' + - type: object + properties: + diskEncryptionType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/DiskEncryptionTypeDesktop' + osVersion: + $ref: '#/components/schemas/OSVersion' + screenLockType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/ScreenLockType' + secureHardwarePresent: + type: boolean + thirdPartySignalProviders: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: Settings for third-party signal providers (based on the `MACOS` platform) + properties: + dtc: + $ref: '#/components/schemas/DTCMacOS' + DeviceAssuranceWindowsPlatform: + allOf: + - $ref: '#/components/schemas/DeviceAssurance' + - type: object properties: - include: + diskEncryptionType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/DiskEncryptionTypeDesktop' + osVersion: + $ref: '#/components/schemas/OSVersionFourComponents' + osVersionConstraints: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] type: array + description: | +
Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition. + + There are two types of OS requirements: + * **Static**: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with `majorVersionConstraint` and `minimum`. + * **Dynamic**: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with `majorVersionConstraint` and `dynamicVersionRequirement`. + + > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. The `osVersionConstraints` property is only supported for the Windows platform. You can't specify both `osVersion.minimum` and `osVersionConstraints` properties at the same time. 
items: - $ref: '#/components/schemas/ScreenLockType' - secureHardwarePresent: - type: boolean - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true + $ref: '#/components/schemas/OSVersionConstraint' + minItems: 1 + maxItems: 2 + screenLockType: + type: object + properties: + include: + type: array + items: + $ref: '#/components/schemas/ScreenLockType' + secureHardwarePresent: + type: boolean + thirdPartySignalProviders: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + description: Settings for third-party signal providers (based on the `WINDOWS` platform) + properties: + dtc: + $ref: '#/components/schemas/DTCWindows' DeviceDisplayName: + description: Display name of the device type: object properties: sensitive: type: boolean value: type: string + DeviceList: + allOf: + - $ref: '#/components/schemas/Device' + - properties: + _embedded: + type: object + description: List of associated users for the device if the `expand=user` query parameter is specified in the request. Use `expand=userSummary` to get only a summary of each associated user for the device. + properties: + users: + description: Users for the device + type: array + items: + $ref: '#/components/schemas/DeviceUser' + readOnly: true DevicePlatform: description: OS platform of the device type: string @@ -20615,6 +30273,13 @@ components: type: boolean trustLevel: $ref: '#/components/schemas/DevicePolicyTrustLevel' + DevicePolicyRuleConditionAssurance: + type: object + properties: + include: + type: array + items: + type: string DevicePolicyRuleConditionPlatform: type: object properties: @@ -20634,6 +30299,8 @@ components: DeviceProfile: type: object properties: + diskEncryptionType: + $ref: '#/components/schemas/DiskEncryptionTypeDef' displayName: type: string description: Display name of the device 
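Review bot: The `osVersionConstraints` description in `DeviceAssuranceWindowsPlatform` states two rules that the schema does not express: `osVersion.minimum` and `osVersionConstraints` can't be set together, and a major version with no requirement satisfies the condition. The second is a fail-open default, so a policy that lists only one major version accepts any build of the other. That is easy to miss when a policy is assembled from the generated types, which get no validation for either rule. I would repeat the exclusivity on the sibling property, e.g. `description: Minimum Windows version; can't be combined with osVersionConstraints` on `osVersion`, and keep the fail-open sentence near the top of the `osVersionConstraints` text. The hunk begins inside the base `DeviceAssurance` schema, whose header is above it.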
@@ -20641,9 +30308,12 @@ components: maxLength: 255 imei: type: string - description: International Mobile Equipment Identity of the device + description: International Mobile Equipment Identity (IMEI) of the device minLength: 14 maxLength: 17 + integrityJailbreak: + type: boolean + description: Indicates if the device is jailbroken or rooted. Only applicable to `IOS` and `ANDROID` platforms manufacturer: type: string description: Name of the manufacturer of the device @@ -20667,7 +30337,7 @@ components: description: Indicates if the device is registered at Okta secureHardwarePresent: type: boolean - description: Indicates if the device constains a secure hardware functionality + description: Indicates if the device contains a secure hardware functionality serialNumber: type: string description: Serial number of the device @@ -20678,7 +30348,7 @@ components: maxLength: 256 tpmPublicKeyHash: type: string - description: Windows Trsted Platform Module hash value + description: Windows Trusted Platform Module hash value udid: type: string description: macOS Unique Device identifier of the device 
@@ -20688,89 +30358,170 @@ components: - platform - registered DeviceStatus: + description: The state object of the device type: string + x-enumDescriptions: + ACTIVE: Use activated devices to create and delete Device user links + DEACTIVATED: Deactivation causes a Device to lose all device user links. Set the Device status to DEACTIVATED before deleting it. + SUSPENDED: Use suspended devices to create and delete device user links. You can only unsuspend or deactivate suspended devices. + UNSUSPENDED: Returns a suspended Device to ACTIVE. x-okta-known-values: - ACTIVE - - CREATED - DEACTIVATED - SUSPENDED - DiskEncryptionType: - type: string - x-okta-known-values: - - ALL_INTERNAL_VOLUMES - - FULL - - USER - Domain: + - UNSUSPENDED + DeviceUser: type: object properties: - brandId: + created: type: string - certificateSourceType: - $ref: '#/components/schemas/DomainCertificateSourceType' - dnsRecords: - type: array - items: - $ref: '#/components/schemas/DNSRecord' - domain: + description: Timestamp when device was created + managementStatus: type: string - id: + description: The management status of the device + enum: + - MANAGED + - NOT_MANAGED + x-enumDescriptions: + MANAGED: The device has management software installed + NOT_MANAGED: The device doesn't have management software installed + screenLockType: type: string - publicCertificate: - $ref: '#/components/schemas/DomainCertificateMetadata' - validationStatus: - $ref: '#/components/schemas/DomainValidationStatus' + description: Screen lock type of the device + enum: + - NONE + - PASSCODE + - BIOMETRIC + user: + $ref: '#/components/schemas/User' + DigestAlgorithm: + description: Algorithm used to generate the key. Only required for the PBKDF2 algorithm. 
+ type: string + x-okta-known-values: + - SHA256_HMAC + - SHA512_HMAC + DiskEncryptionTypeAndroid: + type: string + x-okta-known-values: + - FULL + - USER + DiskEncryptionTypeDef: + description: |- + Type of encryption used on the device + > **Note:** The following values map to Disk Encryption ON: `FULL`, `USER`, `ALL_INTERNAL_VOLUMES`. All other values map to Disk Encryption OFF. + type: string + x-enumDescriptions: + NONE: No encryption has been set. + FULL: Disk is fully encrypted. Only applicable to `IOS` and `ANDROID` platforms. + USER: Encryption key is tied to the user or profile. Only applicable to `ANDROID` platform. + ALL_INTERNAL_VOLUMES: All internal disks are encrypted. Only applicable to `WINDOWS` and `MACOS` platforms. + SYSTEM_VOLUME: Only the system volume is encrypted. Only applicable to `WINDOWS` and `MACOS` platforms. + x-okta-known-values: + - ALL_INTERNAL_VOLUMES + - FULL + - NONE + - SYSTEM_VOLUME + - USER + DiskEncryptionTypeDesktop: + type: string + x-okta-known-values: + - ALL_INTERNAL_VOLUMES DomainCertificate: + description: Defines the properties of the certificate type: object properties: certificate: + description: Certificate content type: string + example: '"-----BEGIN 
CERTIFICATE-----\nMIIFNzCCBB+gAwIBAgHTAAXomJWRama3ypu8TIxdA9wzMA0GCSqGSIb3DQEBCwUA\nMDIzCzAJCgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTAyMTAwNTEzMDVaFw0yMTA1MTEwNTEzMDVaMCQxIjAgBgNVBAMT\nGWFuaXRhdGVzdC5zaWdtYW5ldGNvcnAudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQC5cyk6x63iBJSWvtgsOBqIxfO8euPHcRnyWsL9dsvnbNyOnyvc\nqFWxdiW3sh2cItzYtoN1Zfgj5lWGOVXbHxP0VaNG9fHVX3+NHP6LFHQz92BzAYQm\npqi9zaP/aKJklk6LdPFbVLGhuZfm34+ijW9YsgLTKR2WTaZJK5QtamVVmP+VsSCl\na2ifFzjz2FCkMMEc/Y0zUyP+en/mbL71K+VnpZdlEC1s38EvjRTFKFZTKVw5wpWg\nCZQq/AZYj9RxR23IIuRcUJ8TQ2pyoc3kIXPWjiIarSgBlA8G9kCsxgzXP2RyLwKr\nIBIo+qyHweifpPYW28ipdSbPjiypAMdpbGLDAgMBAAGjggJTMIICTzAOBgNVHQ8B\nAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB\n/wQCMAAwHQYDVR0OBBYEFPVZKiovtIK4Av/IBUQeLUs29pT6MB8GA1UdIwQYMBaA\nFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcw\nAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMu\naS5sZW5jci5vcmcvMCQGA1UdEQQdMBuCGWFuaXRhdGVzdC5zaWdtYW5ldGNvcnAu\ndXMwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF\nBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQC\nBIH0BIHxAO8AdgBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXeK\nkmOsAAAEAwBHMEUCIQDSudPEWXk969BT8yz3ag6BJWCMRU5tefEw9nXEQMsh5gIg\nUmfGIuUlcNNI5PydVIHj+zns+SR8P7zfd3FIxW4gK0QAdQD2XJQv0XcwIhRUGAgw\nlFaO400TGTO/3wwvIAvMTvFk4wAAAXeKkmOlAAAEAwBGMEQCIHQkr2qOGuInvonv\nW4vvdI61nraax5V6SC3E0D2JSO91AiBVhpX4BBafRAh36r7l8LrxAfxBM3CjBmAC\nq8fUrWfIWDANBgkqhkiG9w0BAQsFAAOCAQEAgGDMKXofKpDdv5kkID3s5GrKdzaj\njFmb/6kyqd1E6eGXZAewCP1EF5BVvR6lBP2aRXiZ6sJVZktoIfztZnbxBGgbPHfv\nR3iXIG6fxkklzR9Y8puPMBFadANE/QV78tIRAlyaqeSNsoxHi7ssQjHTP111B2lf\n3KmuTpsruut1UesEJcPReLk/1xTkRx262wAncach5Wp+6GWWduTZYJbsNFyrK1RP\nYQ0qYpP9wt2qR+DGaRUBG8i1XLnZS8pkyxtKhVw/a5Fowt+NqCpEBjjJiWJRSGnG\nNSgRtSXq11j8O4JONi8EXe7cEtvzUiLR5PL3itsK2svtrZ9jIwQ95wOPaA==\n-----END CERTIFICATE-----",' certificateChain: + description: Certificate chain type: string + example: '"-----BEGIN 
CERTIFICATE-----\nMIIFPjCCBCbjAwIBAgISA7RikMltj36DkLk1DUzjwfYBMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTEwMTExOTQ3MjRaFw0yMjAxMDkxOTQ3MjNaMCgxJjAkBgNVBAMT\nHWFuaXRhdGVzdHJhaW4uc2lnbWFuZXRjb3JwLnVzMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEA40EsG7YrFlsH3XdZKirdKKOC7/cca5g9L4rwyA/PlfeU\nB7mJhbQI/a3yZbtY+GjHmedBx15aPtyq+NFZLOkiRCXx0k2zNIJB4yC6Jr/Yp8C2\nrXO6mrCcuqpX7SuDPBtrfdYcIg8G6m0wjj1V1p2/XR8G//CBe8I2XTaTpHsx/VC8\nMNOAA27aSbeX4Nz6TQ69rFuxRG+neUbcz2hQKwroCsCHi6iBmqRkg19Uh8315Cx2\nBUqY0JecpP42KMiktzIoSlqS9yZSuNQh1kP1tPwkEzbs/t3FrfCnnRx5RDr2pJpV\nnonL3sB3TVotS3nFgPNHCfp65O0Bg/3ZpU9IvUpcdQIDAQABo4ICVjCCAlIwDgYD\nVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV\nHRMBAf8EAjAAMB0GA1UdDgQWBBSzWt3Dvp71cKA2Z54ESjjyM4dp+jAfBgNVHSME\nGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB\nBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov\nL3IzLmkubGVuY3Iub3JnLzAoBgNVHREEITAfgh1hbml0YXRlc3RyYWluLnNpZ21h\nbmV0Y29ycC51czBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAo\nMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQIGCisG\nAQQB1nkCBAIEgfMEgfAA7gB1AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgia\nN9kTAAABfHEcLqAAAAQDAEYwRAIgMlyQ61FjuIKDfATjz0wfkskChD0csVe0TStq\nmC7NbLACICp3CYMvvDiWt1pr5pzCwTQO8F6v0/qNjmH4mjCutAgyAHUARqVV63X6\nkSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF8cRwvRAAABAMARjBEAiAZd6Vn\n7MLXT7JeIxZrfbNARrf5oCM4UAVjjJeaUhB1MwIgSLW5cVAZvkiwbQW+vIutFjBz\na8cNb/i+nM7RxFW+JPgwDQYJKoZIhvcNAQELBQADggEBAIlHZiHIuOvYFteqpwvR\n0ElqinIpkYsfI+0O5FwHBXz7vMCPGtfdlcX5M10eW3aEBo9lR59mjDMsMufbTb60\nJuSnguelkUoq4WzqjZI+2uy/FTztI5GPpXmXW3IyzbqmCWQt7u8N607g1TYLBaLL\nrbFIhl+LbTJAa//mxI6bb4l/86j/kSjht6U0OIde7ylscb+3MHobbpIWJYp8Jr1D\nubm/0glL46ExnuLbIKojLhDBnG/wHVunB0rJxGh1vPvwD75O1nSIdxuNlVcGwws+\n7wsOyPA1s0VWzrMN1olLMyIPFCwPvfCm1E8Dje1AXMpmyDlqjEoQsoMUH//GKF0S\nTgM=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\nov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\nwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\nLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\nbHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\nsR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\nXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\nFQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\nSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\nPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\nTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\nSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\nc3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\nATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\nb3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\nU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\nMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\nWCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\nhe8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\nDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n-----END CERTIFICATE-----"' privateKey: + description: Certificate private key 
type: string + example: '"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0AAQEFAASCBKgwghSkAgEAAoIBAQC5cyk6y63iBJSW\nstgsOBqIxfO8euPHcRnyWsL9dsvnbNyOnyvcqFWxdiW3sh2cItzYtoN1Zfgj5lWG\nOVXbHxP0VaNG9fHVX3+NHP6LFHQz92BzAYQmpqi9zaP/aKJklk6LdPFbVLGhuZfm\n34+ijW9YsgLTKR2WTaZJK5QtamVVmP+VsSCla2ifFzjz2FCkMMEc/Y0zUyP+en/m\nbL71K+VnpZdlEC1s38EvjRTFKFZTKVw5wpWgCZQq/AZYj9RxR23IIuRcUJ8TQ2py\noc3kIXPWjiIarSgBlA8G9kCsxgzXP2RyLwKrIBIo+qyHweifpPYW28ipdSbPjiyp\nAMdpbGLDAgMBAAECggEAUXVfT91z6IqghhKwO8QtC5T/+fN06B8rCYSKj/FFoZL0\n0oTiLFuYwImoCadoUDQUE/Efj0rKE2LSgFHg/44IItQXE01m+5WmHmL1ADxsyoLH\nz9yDosKj7jNM7RyV8F8Bg0pL1hU+rU4rhhL/MaS0mx4eFYjC4UmcWBmXTdelSVJa\nkvXvQLT5y86bqh7tqMjM/kALTWRz5CgNJFk/ONA1yo5RTX9S7SIXimBgAvuGqP8i\nMPEhJou7U3DfzXVfvP8byqNdsZs6ZNhG3wXspl61mRyrY+51SOaNLA7Bkji7x4bH\nNw6mJI0IJTAP9oc1Z8fYeMuxT1bfuD7VOupSP0mAMQKBgQDk+KuyQkmPymeP/Wwu\nII4DUpleVzxTK9obMQQoCEEElbQ6+jTb+8ixP0bWLvBXg/rX734j7OWfn/bljWLH\nXLrSoqQZF1+XMVeY4g4wx9UuTK/D2n791zdOgQivxbIPdWL3a4ap86ar8uyMgJu8\nBLXfFBAOc+9myqUkbeO7wt0e6QKBgQDPV04jPtIJoMrggpQDNreGrANKOmsXWxj4\nOHW13QNdJ2KGQpoTdoqQ8ZmlxuA8Bf2RjHsnB2kgGVTVQR74zRib4MByhvsdhvVm\nF2LNsJoIDfqtv3c+oj13VonRUGuzUeJpwT/snyaL+jQ/ZZcYz0jDgDhIODTcFYj8\nDMSD5SHgywKBgHH6MwWuJ44TNBAiF2qyu959jGjAxf+k0ZI9iRMgYLUWjDvbdtqW\ncCWDGRDfFraJtSEuTz003GzkJPPJuIUC7OCTI1p2HxhU8ITi6itwHfdJJyk4J4TW\nT+qdIqTUpTk6tsPw23zYE3x+lS+viVZDhgEArKl1HpOthh0nMnixnH6ZAoGBAKGn\nV+xy1h9bldFk/TFkP8Jn6ki9MzGKfPVKT7vzDORcCJzU4Hu8OFy5gSmW3Mzvfrsz\n4/CR/oxgM5vwoc0pWr5thJ3GT5K93iYypX3o6q7M91zvonDa3UFl3x2qrc2pUfVS\nDhzWGJ+Z+5JSCnP1aK3EEh18dPoCcELTUYPj6X3xAoGBALAllTb3RCIaqIqk+s3Y\n6KDzikgwGM6j9lmOI2MH4XmCVym4Z40YGK5nxulDh2Ihn/n9zm13Z7ul2DJwgQSO\n0zBc7/CMOsMEBaNXuKL8Qj4enJXMtub4waQ/ywqHIdc50YaPI5Ax8dD/10h9M6Qc\nnUFLNE8pXSnsqb0eOL74f3uQ\n-----END PRIVATE KEY-----"' type: $ref: '#/components/schemas/DomainCertificateType' + required: + - certificate + - certificateChain + - privateKey + - type DomainCertificateMetadata: + description: Certificate metadata for the domain type: object properties: 
expiration: + description: Certificate expiration type: string + example: '2021-05-11T05:13:05.000Z' fingerprint: + description: Certificate fingerprint type: string + example: 73:68:82:7B:83:2E:48:29:A5:5E:E8:40:41:80:B3:AA:03:C4:42:43:05:73:45:BC:AA:47:00:23:A3:70:E5:C4 subject: + description: Certificate subject type: string + example: CN=login.example.com DomainCertificateSourceType: + description: Certificate source type that indicates whether the certificate is provided by the user or Okta. type: string x-okta-known-values: - MANUAL - OKTA_MANAGED DomainCertificateType: + description: Certificate type type: string x-okta-known-values: - PEM DomainLinks: - type: object - properties: - brand: - $ref: '#/components/schemas/HrefObject' - certificate: - $ref: '#/components/schemas/HrefObject' - self: - $ref: '#/components/schemas/HrefObject' - verify: - $ref: '#/components/schemas/HrefObject' + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + brand: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated brand + certificate: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The certificate link references the domain certificate + verify: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The verify link verifies the domain and transitions the domain status to `VERIFIED` DomainListResponse: + description: Defines a list of domains with a subset of the properties for each domain. type: object properties: domains: + description: Each element of the array defines an individual domain. 
type: array items: $ref: '#/components/schemas/DomainResponse' + DomainRequest: + type: object + properties: + certificateSourceType: + $ref: '#/components/schemas/DomainCertificateSourceType' + domain: + description: Custom domain name + type: string + example: login.example.com + required: + - certificateSourceType + - domain DomainResponse: + description: The properties that define an individual domain. type: object properties: brandId: + description: The ID number of the brand type: string + example: bndul904tTZ6kWVhP0g3 certificateSourceType: $ref: '#/components/schemas/DomainCertificateSourceType' dnsRecords: @@ -20778,9 +30529,13 @@ components: items: $ref: '#/components/schemas/DNSRecord' domain: + description: Custom domain name type: string + example: login.example.com id: + description: Unique ID of the domain type: string + example: OcDz6iRyjkaCTXkdo0g3 publicCertificate: $ref: '#/components/schemas/DomainCertificateMetadata' validationStatus: @@ -20788,6 +30543,8 @@ components: _links: $ref: '#/components/schemas/DomainLinks' DomainValidationStatus: + description: Status of the domain + example: VERIFIED type: string x-okta-known-values: - COMPLETED 
@@ -20801,15 +30558,65 @@ components: type: integer unit: type: string + ECKeyJWK: + description: Elliptic Curve Key in JWK format, currently used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS objects in fulfillment responses. The currently agreed protocol uses P-384. + type: object + properties: + crv: + type: string + enum: + - P-384 + kid: + type: string + description: The unique identifier of the key + kty: + type: string + enum: + - EC + description: The type of public key + use: + type: string + description: The intended use for the key. The ECKeyJWK is always `enc` because Okta uses it to encrypt requests to Yubico. + enum: + - enc + x: + type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + required: + - x + - 'y' + - kty + - crv + - use + - kid EmailContent: type: object properties: body: type: string - description: The email's HTML body. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + description: | + The HTML body of the email. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + Not required if Custom languages for Okta Email Templates is enabled. A `null` body is replaced with a default value from one of the following in priority order: + + 1. An existing default email customization, if one exists + 2. Okta-provided translated content for the specified language, if one exists + 3. Okta-provided translated content for the brand locale, if it's set + 4. Okta-provided content in English subject: type: string - description: The email's subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + description: | + The email subject. 
May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + Not required if Custom languages for Okta Email Templates is enabled. A `null` subject is replaced with a default value from one of the following in priority order: + + 1. An existing default email customization, if one exists + 2. Okta-provided translated content for the specified language, if one exists + 3. Okta-provided translated content for the brand locale, if it's set + 4. Okta-provided content in English required: - subject - body @@ -20826,7 +30633,7 @@ components: id: type: string readOnly: true - description: A unique identifier for this email customization. + description: A unique identifier for this email customization isDefault: type: boolean description: Whether this is the default customization for the email template. Each customized email template must have exactly one default customization. Defaults to `true` for the first customization and `false` thereafter. @@ -20838,18 +30645,17 @@ components: readOnly: true description: The UTC time at which this email customization was last updated. _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - template: - $ref: '#/components/schemas/HrefObject' - preview: - $ref: '#/components/schemas/HrefObject' - test: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this email customization. + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + self: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' required: - language EmailDefaultContent: 
@@ -20859,33 +30665,45 @@ components: properties: _links: type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - template: - $ref: '#/components/schemas/HrefObject' - preview: - $ref: '#/components/schemas/HrefObject' - test: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this email template's default content. + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + template: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' EmailDomain: allOf: - $ref: '#/components/schemas/BaseEmailDomain' type: object properties: + brandId: + type: string domain: type: string + validationSubdomain: + type: string + description: Subdomain for the email sender's custom mail domain. Specify your subdomain when you configure a custom mail domain. + default: mail required: - domain - EmailDomainListResponse: + - brandId + EmailDomainDNSRecord: type: object properties: - email-domains: - type: array - items: - $ref: '#/components/schemas/EmailDomainResponse' + fqdn: + type: string + recordType: + $ref: '#/components/schemas/EmailDomainDNSRecordType' + verificationValue: + type: string + EmailDomainDNSRecordType: + type: string + x-okta-known-values: + - CNAME + - TXT EmailDomainResponse: allOf: - $ref: '#/components/schemas/BaseEmailDomain' 
@@ -20894,13 +30712,42 @@ components: dnsValidationRecords: type: array items: - $ref: '#/components/schemas/DNSRecord' + $ref: '#/components/schemas/EmailDomainDNSRecord' + domain: + type: string + id: + type: string + validationStatus: + $ref: '#/components/schemas/EmailDomainStatus' + validationSubdomain: + type: string + description: The subdomain for the email sender's custom mail domain + default: mail + EmailDomainResponseWithEmbedded: + type: object + properties: + displayName: + type: string + userName: + type: string + dnsValidationRecords: + type: array + items: + $ref: '#/components/schemas/EmailDomainDNSRecord' domain: type: string id: type: string validationStatus: $ref: '#/components/schemas/EmailDomainStatus' + _embedded: + type: object + properties: + brands: + type: array + items: + $ref: '#/components/schemas/Brand' + readOnly: true EmailDomainStatus: type: string x-okta-known-values: 
@@ -20915,26 +30762,53 @@ components: body: type: string readOnly: true - description: The email's HTML body. + description: The email's HTML body subject: type: string readOnly: true - description: The email's subject. + description: The email's subject _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - contentSource: - $ref: '#/components/schemas/HrefObject' - template: - $ref: '#/components/schemas/HrefObject' - test: - $ref: '#/components/schemas/HrefObject' - defaultContent: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this email preview. + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + contentSource: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + defaultContent: + $ref: '#/components/schemas/HrefObject' + EmailServerListResponse: + type: object + properties: + email-servers: + type: array + items: + $ref: '#/components/schemas/EmailServerResponse' + EmailServerPost: + allOf: + - $ref: '#/components/schemas/EmailServerRequest' + - required: + - host + - port + - username + - password + - alias + EmailServerRequest: + allOf: + - $ref: '#/components/schemas/BaseEmailServer' + - properties: + password: + type: string + description: Password used to access your SMTP server + EmailServerResponse: + allOf: + - $ref: '#/components/schemas/BaseEmailServer' + - properties: + id: + type: string + description: ID of your SMTP server EmailSettings: type: object properties: @@ -20952,7 +30826,7 @@ components: name: type: string readOnly: true - description: The name of this email template. + description: The name of this email template _embedded: type: object properties: 
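Review bot: The `password` property added under `EmailServerRequest` is a bare `type: string` with no `writeOnly: true` or `format: password`, although elsewhere in this patch the event-hook `authScheme.value` secret is marked `writeOnly: true`. Adding `writeOnly: true` and `format: password` under `type: string` would document that the SMTP credential is accepted but not returned, and lets tooling that honours those keywords mask it. `EmailServerResponse` as shown here adds only `id`, but `BaseEmailServer` is defined outside this hunk, so whether a response can still carry the password cannot be confirmed from here.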
@@ -20962,38 +30836,38 @@ components: type: integer readOnly: true _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - settings: - $ref: '#/components/schemas/HrefObject' - defaultContent: - $ref: '#/components/schemas/HrefObject' - customizations: - $ref: '#/components/schemas/HrefObject' - test: - $ref: '#/components/schemas/HrefObject' - readOnly: true - description: Links to resources related to this email template. + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + settings: + $ref: '#/components/schemas/HrefObject' + defaultContent: + $ref: '#/components/schemas/HrefObject' + customizations: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' EmailTemplateTouchPointVariant: type: string x-okta-known-values: - FULL_THEME - OKTA_DEFAULT - EmailUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/EmailUserFactorProfile' - EmailUserFactorProfile: + EmailTestAddresses: type: object properties: - email: + from: + type: string + description: Email address that sends test emails + example: sender@host.com + to: type: string + description: Email address that receives test emails + example: receiver@host.com + required: + - from + - to EnabledStatus: + description: Setting status type: string x-okta-known-values: - DISABLED 
@@ -21005,6 +30879,93 @@ components: - LOGO_ON_FULL_WHITE_BACKGROUND - OKTA_DEFAULT - WHITE_LOGO_BACKGROUND + EnrollmentActivationRequest: + description: Enrollment Initialization Request + type: object + properties: + credResponses: + description: List of credential responses from the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredResponse' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + pinResponseJwe: + description: Encrypted JWE of PIN response from the fulfillment provider + type: string + serial: + description: Serial number of the YubiKey + type: string + userId: + description: ID of an existing Okta user + type: string + version: + description: Firmware version of the YubiKey + type: string + yubicoSigningJwks: + description: List of usable signing keys from Yubico (in JWKS format) used to verify the JWS inside the JWE + type: array + items: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentActivationResponse: + description: Enrollment Initialization Response + type: object + properties: + authenticatorEnrollmentIds: + description: List of IDs for preregistered WebAuthn Factors in Okta + type: array + items: + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + EnrollmentInitializationRequest: + description: Enrollment Initialization Request + type: object + properties: + enrollmentRpIds: + description: List of Relying Party hostnames to register on the YubiKey. 
+ type: array + items: + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + yubicoTransportKeyJWK: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentInitializationResponse: + description: Yubico Transport Key in the form of a JWK, used to encrypt our fulfillment request to Yubico. The currently agreed protocol uses P-384. + type: object + properties: + credRequests: + description: List of credential requests for the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredRequest' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + pinRequestJwe: + description: Encrypted JWE of PIN request for the fulfillment provider + type: string + userId: + description: ID of an existing Okta user + type: string Error: title: Error type: object @@ -21028,6 +30989,13 @@ components: errorSummary: type: string description: A short description of what caused this error. Sometimes this contains dynamically-generated information about your specific error. + ErrorPage: + allOf: + - $ref: '#/components/schemas/CustomizablePage' + - type: object + properties: + contentSecurityPolicySetting: + $ref: '#/components/schemas/ContentSecurityPolicySetting' ErrorPageTouchPointVariant: type: string x-okta-known-values: 
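Review bot: The descriptions on the new WebAuthn preregistration schemas do not match the schemas they are attached to. `EnrollmentActivationRequest` and `EnrollmentActivationResponse` are described as "Enrollment Initialization Request" and "Enrollment Initialization Response", and `EnrollmentInitializationResponse` carries the sentence about the Yubico transport key, which reads as if it belongs on the `yubicoTransportKeyJWK` property of `EnrollmentInitializationRequest`. I would change them to `description: Enrollment Activation Request`, `description: Enrollment Activation Response` and `description: Enrollment Initialization Response`, and move the transport-key sentence onto the property. These strings presumably become the comments on the generated types, so a reader of the SDK would otherwise be pointed at the wrong step of the enrollment flow.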
@@ -21040,32 +31008,53 @@ components: channel: $ref: '#/components/schemas/EventHookChannel' created: + description: Timestamp of the event hook creation type: string format: date-time readOnly: true createdBy: + description: The ID of the user who created the event hook + type: string + readOnly: true + description: + description: Description of the event hook type: string + nullable: true events: $ref: '#/components/schemas/EventSubscriptions' id: type: string + description: Unique key for the event hook readOnly: true lastUpdated: + description: Date of the last event hook update type: string format: date-time readOnly: true name: + description: Display name for the event hook type: string status: - $ref: '#/components/schemas/LifecycleStatus' + description: Status of the event hook + type: string + enum: + - ACTIVE + - INACTIVE + readOnly: true verificationStatus: $ref: '#/components/schemas/EventHookVerificationStatus' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + deactivate: + $ref: '#/components/schemas/HrefObject' + verify: + $ref: '#/components/schemas/HrefObject' + required: + - name + - events + - channel EventHookChannel: type: object properties: 
@@ -21074,63 +31063,152 @@ components: type: $ref: '#/components/schemas/EventHookChannelType' version: + description: Version of the channel. Currently the only supported version is `1.0.0``. type: string + required: + - type + - config + - version EventHookChannelConfig: type: object properties: authScheme: $ref: '#/components/schemas/EventHookChannelConfigAuthScheme' headers: + description: |- + Optional list of key/value pairs for headers that can be sent with the request to the external service. For example, + `X-Other-Header` is an example of an optional header, with a value of `my-header-value`, that you want Okta to pass to your + external service. type: array items: $ref: '#/components/schemas/EventHookChannelConfigHeader' + method: + description: The method of the Okta event hook request + type: string + readOnly: true uri: + description: The external service endpoint called to execute the event hook handler type: string + required: + - uri EventHookChannelConfigAuthScheme: + description: |- + The authentication scheme used for this request. + + To use Basic Auth for authentication, set `type` to `HEADER`, + `key` to `Authorization`, and `value` to the Base64-encoded string of "username:password". Ensure that you include + the scheme (including space) as part of the `value` parameter. For example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`. See + [HTTP Basic Authentication](/books/api-security/authn/api-authentication-options/#http-basic-authentication). type: object properties: key: + description: The name for the authorization header type: string type: $ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType' value: + description: |- + The header value. This secret key is passed to your external service endpoint for security verification. + This property is not returned in the response. type: string + writeOnly: true EventHookChannelConfigAuthSchemeType: + description: The authentication scheme type. Currently only supports `HEADER`. 
type: string x-okta-known-values: - HEADER EventHookChannelConfigHeader: + nullable: true type: object properties: key: + description: The optional field or header name type: string value: + description: The value for the key type: string EventHookChannelType: + description: The channel type. Currently supports `HTTP`. type: string x-okta-known-values: - HTTP + EventHookFilterMap: + description: The object that maps the filter to the event type + items: + $ref: '#/components/schemas/EventHookFilterMapObject' + type: array + EventHookFilterMapObject: + type: object + properties: + condition: + $ref: '#/components/schemas/EventHookFilterMapObjectCondition' + event: + type: string + description: The filtered event type + EventHookFilterMapObjectCondition: + type: object + properties: + expression: + type: string + description: The Okta Expression language statement that filters the event type + version: + type: string + nullable: true + description: Internal field + readOnly: true + EventHookFilters: + nullable: true + description: |- + The optional filter defined on a specific event type + + > **Note:** Event hook filters is a [self-service Early Access (EA)](/docs/concepts/feature-lifecycle-management/#self-service-features) feature. See [Manage Early Access and Beta features](https://help.okta.com/okta_help.htm?id=ext_secur_manage_ea_bata) to enable. + If you want to disable this feature, it's recommended to first remove all event filters. + type: object + properties: + eventFilterMap: + $ref: '#/components/schemas/EventHookFilterMap' + type: + type: string + description: The type of filter. Currently only supports `EXPRESSION_LANGUAGE` + readOnly: true + EventHookSubscribedEventTypes: + description: |- + The subscribed event types that trigger the event hook. When you register an event hook + you need to specify which events you want to subscribe to. 
To see the list of event types + currently eligible for use in event hooks, use the [Event Types catalog](/docs/reference/api/event-types/#catalog) + and search with the parameter `event-hook-eligible`. + items: + type: string + type: array EventHookVerificationStatus: + description: Verification status of the event hook. `UNVERIFIED` event hooks won't receive any events. type: string + readOnly: true x-okta-known-values: - UNVERIFIED - VERIFIED EventSubscriptionType: + description: The events object type. Currently supports `EVENT_TYPE`. type: string x-okta-known-values: - EVENT_TYPE - - FLOW_EVENT EventSubscriptions: type: object properties: + filter: + $ref: '#/components/schemas/EventHookFilters' items: - type: array - items: - type: string + $ref: '#/components/schemas/EventHookSubscribedEventTypes' type: $ref: '#/components/schemas/EventSubscriptionType' - discriminator: - propertyName: type + required: + - type + - items + Expression: + type: object + properties: + value: + type: string FCMConfiguration: properties: fileName: 
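Review bot: `uri` in `EventHookChannelConfig` is now listed under `required` but remains an unconstrained `type: string`, while `authScheme.value` in the same hunk is described as a secret key that is passed to that endpoint. If the service only accepts HTTPS endpoints, which I would expect for a hook that carries a shared secret, the schema should say so, for example `format: uri` and a description ending in `Must be an HTTPS URL.`; if it does not, that is worth stating just as explicitly. Separately, the `version` description under `EventHookChannel` ends with a doubled closing backtick after `1.0.0`, which breaks the inline-code markup.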
@@ -21151,66 +31229,20 @@ components: properties: configuration: $ref: '#/components/schemas/FCMConfiguration' - FactorProvider: - type: string - x-okta-known-values: - - CUSTOM - - DUO - - FIDO - - GOOGLE - - OKTA - - RSA - - SYMANTEC - - YUBICO - FactorResultType: - type: string - x-okta-known-values: - - CANCELLED - - CHALLENGE - - ERROR - - FAILED - - PASSCODE_REPLAYED - - REJECTED - - SUCCESS - - TIMEOUT - - TIME_WINDOW_EXCEEDED - - WAITING - FactorStatus: - type: string - x-okta-known-values: - - ACTIVE - - DISABLED - - ENROLLED - - EXPIRED - - INACTIVE - - NOT_SETUP - - PENDING_ACTIVATION - FactorType: - type: string - x-okta-known-values: - - call - - email - - hotp - - push - - question - - sms - - token - - token:hardware - - token:hotp - - token:software:totp - - u2f - - web - - webauthn Feature: + description: Specifies feature release cycle information type: object properties: description: type: string + description: Brief description of the feature and what it provides id: type: string + description: Unique identifier for this feature readOnly: true name: type: string + description: Name of the feature stage: $ref: '#/components/schemas/FeatureStage' status: 
@@ -21218,12 +31250,40 @@ components: type: $ref: '#/components/schemas/FeatureType' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + dependents: + description: Link to feature dependents + type: object + readOnly: true + properties: + href: + description: Link URI + type: string + readOnly: true + dependencies: + description: Link to feature dependencies + type: object + readOnly: true + properties: + href: + description: Link URI + type: string + readOnly: true + FeatureLifecycle: + example: ENABLE + type: string + x-okta-known-values: + - DISABLE + - ENABLE FeatureStage: + description: |- + Current release cycle stage of a feature + + If a feature's stage value is `EA`, the state is `null` and not returned. If the value is `BETA`, the state is `OPEN` or `CLOSED` depending on whether the `BETA` feature is manageable. + + > **Note:** If a feature's stage is `OPEN BETA`, you can update it only in Preview cells. If a feature's stage is `CLOSED BETA`, you can disable it only in Preview cells. type: object properties: state: @@ -21231,16 +31291,19 @@ components: value: $ref: '#/components/schemas/FeatureStageValue' FeatureStageState: + description: Indicates the release state of the feature type: string x-okta-known-values: - CLOSED - OPEN FeatureStageValue: + description: Current release stage of the feature type: string x-okta-known-values: - BETA - EA FeatureType: + description: Type of feature type: string x-okta-known-values: - self-service 
@@ -21255,16 +31318,69 @@ components: resetPasswordUrl: type: string readOnly: true + FulfillmentData: + description: Fulfillment provider details + type: object + properties: + customizationId: + description: ID for the set of custom configurations of the requested Factor + type: string + inventoryProductId: + description: ID for the specific inventory bucket of the requested Factor + type: string + productId: + description: ID for the make and model of the requested Factor + type: string + FulfillmentRequest: + description: Fulfillment Request + type: object + properties: + fulfillmentData: + $ref: '#/components/schemas/FulfillmentData' + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + GoogleApplicationSettings: + allOf: + - $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/GoogleApplicationSettingsApplication' + GoogleApplicationSettingsApplication: + description: Google app instance properties + type: object + properties: + domain: + type: string + description: Your Google Apps company domain + rpId: + type: string + description: RPID + required: + - domain GrantOrTokenStatus: + description: Status + example: ACTIVE type: string + readOnly: true x-okta-known-values: - ACTIVE - REVOKED GrantTypePolicyRuleCondition: + description: Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens. type: object properties: include: type: array + description: Array of grant types thagt this condition includes. items: type: string Group: 
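Review bot: The `include` description added under `GrantTypePolicyRuleCondition` contains a typo, "thagt"; it should read `description: Array of grant types that this condition includes.` The schema-level description directly above already says the same thing and adds the purpose, so the property text could also be shortened rather than repeated.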
@@ -21301,76 +31417,86 @@ components: properties: {} readOnly: true _links: - type: object - properties: - apps: - $ref: '#/components/schemas/HrefObject' - logo: - type: array - items: - $ref: '#/components/schemas/HrefObject' - self: - $ref: '#/components/schemas/HrefObject' - source: - $ref: '#/components/schemas/HrefObject' - users: - $ref: '#/components/schemas/HrefObject' - readOnly: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + apps: + $ref: '#/components/schemas/HrefObject' + logo: + type: array + items: + $ref: '#/components/schemas/HrefObject' + source: + $ref: '#/components/schemas/HrefObject' + users: + $ref: '#/components/schemas/HrefObject' GroupCondition: + description: Specifies a set of Groups whose Users are to be included or excluded type: object properties: exclude: type: array + description: Groups to be excluded items: type: string include: type: array + description: Groups to be included items: type: string GroupOwner: type: object properties: displayName: + description: The display name of the group owner type: string readOnly: true id: + description: The `id` of the group owner type: string - readOnly: true lastUpdated: + description: Timestamp when the group owner was last updated type: string format: date-time readOnly: true originId: + description: The ID of the app instance if the `originType` is `APPLICATION`. This value is `NULL` if `originType` is `OKTA_DIRECTORY`. type: string originType: $ref: '#/components/schemas/GroupOwnerOriginType' resolved: + description: If `originType`is APPLICATION, this parameter is set to `FALSE` until the owner’s `originId` is reconciled with an associated Okta ID. 
type: boolean type: $ref: '#/components/schemas/GroupOwnerType' GroupOwnerOriginType: + description: The source where group ownership is managed type: string x-okta-known-values: - APPLICATION - OKTA_DIRECTORY GroupOwnerType: + description: The entity type of the owner type: string x-okta-known-values: - GROUP - - UNKNOWN - USER GroupPolicyRuleCondition: + description: Specifies a set of Groups whose Users are to be included or excluded type: object properties: exclude: type: array + description: Groups to be excluded items: type: string include: type: array + description: Groups to be included items: type: string GroupProfile: + additionalProperties: true type: object properties: description: @@ -21493,10 +31619,7 @@ components: readOnly: true type: string _links: - additionalProperties: - type: object - readOnly: true - type: object + $ref: '#/components/schemas/LinksSelf' x-okta-allow-null-property-value-for-updates: true GroupSchemaAttribute: type: object @@ -21591,40 +31714,34 @@ components: - APP_GROUP - BUILT_IN - OKTA_GROUP - HardwareUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/HardwareUserFactorProfile' - HardwareUserFactorProfile: - type: object - properties: - credentialId: - type: string HookKey: type: object properties: created: type: string format: date-time + description: Timestamp when the key was created. readOnly: true id: type: string + description: The unique identifier for the key. readOnly: true isUsed: type: string format: boolean + description: Whether this key is currently in use by other hooks. keyId: type: string + description: The alias of the public key. readOnly: true lastUpdated: type: string format: date-time + description: Timestamp when the key was updated. readOnly: true name: type: string + description: Display name of the key. readOnly: false _embedded: $ref: '#/components/schemas/JsonWebKey' 
@@ -21644,11 +31761,11 @@ components: - OKTA_DEFAULT HrefObject: title: Link Object - description: Singular link objected returned in HAL `_links` object. type: object properties: hints: type: object + description: Describes allowed HTTP verbs for the `href` properties: allow: type: array @@ -21656,13 +31773,56 @@ components: $ref: '#/components/schemas/HttpMethod' href: type: string + description: Link URI name: type: string + description: Link name type: type: string description: The media type of the link. If omitted, it is implicitly `application/json`. required: - href + readOnly: true + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectAppLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app resource + HrefObjectClientLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the client resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + HrefObjectDeleteLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to delete the resource + HrefObjectLogoLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the logo resource + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObjectSuspendLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to suspend the resource + HrefObjectUnsuspendLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to unsuspend the resource + HrefObjectUserLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the user resource HttpMethod: type: string x-okta-known-values: 
@@ -21693,23 +31853,15 @@ components: format: date-time description: Timestamp when the role was last updated readOnly: true - permissions: - type: array - description: Array of permissions that the role will grant. See [Permission Types](https://developer.okta.com/docs/concepts/role-assignment/#permission-types). - items: - $ref: '#/components/schemas/RolePermissionType' - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - permissions: - $ref: '#/components/schemas/HrefObject' - readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + permissions: + $ref: '#/components/schemas/HrefObject' required: - label - description - - permissions IamRoles: type: object properties: @@ -21718,11 +31870,7 @@ components: items: $ref: '#/components/schemas/IamRole' _links: - type: object - properties: - next: - $ref: '#/components/schemas/HrefObject' - readOnly: true + $ref: '#/components/schemas/LinksNext' IdentityProvider: type: object properties: @@ -21744,6 +31892,8 @@ components: type: string policy: $ref: '#/components/schemas/IdentityProviderPolicy' + properties: + $ref: '#/components/schemas/IdentityProviderProperties' protocol: $ref: '#/components/schemas/Protocol' status: @@ -21751,11 +31901,7 @@ components: type: $ref: '#/components/schemas/IdentityProviderType' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' IdentityProviderApplicationUser: type: object properties: @@ -21780,11 +31926,7 @@ components: properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' IdentityProviderCredentials: type: object properties: 
@@ -21801,6 +31943,9 @@ components: type: string client_secret: type: string + pkce_required: + type: boolean + description: Require Proof Key for Code Exchange (PKCE) for additional verification IdentityProviderCredentialsSigning: type: object properties: @@ -21827,13 +31972,19 @@ components: - OCSP IdentityProviderPolicy: allOf: - - $ref: '#/components/schemas/Policy' - type: object properties: accountLink: $ref: '#/components/schemas/PolicyAccountLink' - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' + mapAMRClaims: + type: boolean + description:
Enable mapping AMR from IdP to Okta to downstream apps + default: false + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine maxClockSkew: type: integer provisioning: @@ -21855,6 +32006,15 @@ components: type: string provider: $ref: '#/components/schemas/IdentityProviderPolicyProvider' + IdentityProviderProperties: + nullable: true + type: object + properties: + additionalAmr: + type: array + nullable: true + items: + type: string IdentityProviderType: type: string x-okta-known-values: @@ -21871,6 +32031,10 @@ components: IdentitySourceSession: type: object properties: + created: + type: string + format: date-time + readOnly: true id: type: string readOnly: true @@ -21880,6 +32044,10 @@ components: importType: type: string readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true status: $ref: '#/components/schemas/IdentitySourceSessionStatus' IdentitySourceSessionStatus: @@ -21890,6 +32058,7 @@ components: - CREATED - ERROR - EXPIRED + - IN_PROGRESS - TRIGGERED IdentitySourceUserProfileForDelete: type: object @@ -21898,7 +32067,7 @@ components: type: string maxLength: 512 IdentitySourceUserProfileForUpsert: - additionalProperties: true + additionalProperties: {} type: object properties: email: 
@@ -21932,21 +32101,75 @@ components: userName: type: string maxLength: 100 + IdpDiscoveryPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + IdpDiscoveryPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/IdpPolicyRuleAction' + conditions: + $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition' + IdpDiscoveryPolicyRuleCondition: + allOf: + - type: object + properties: + app: + $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' + network: + $ref: '#/components/schemas/PolicyNetworkCondition' + userIdentifier: + $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' + platform: + $ref: '#/components/schemas/PlatformPolicyRuleCondition' IdpPolicyRuleAction: type: object properties: - providers: - items: - $ref: '#/components/schemas/IdpPolicyRuleActionProvider' - type: array + idp: + type: object + properties: + providers: + items: + $ref: '#/components/schemas/IdpPolicyRuleActionProvider' + type: array + description: List of configured Identity Providers that a given Rule can route to. Ability to define multiple providers is a part of the Okta Identity Engine. This allows users to choose a Provider when they sign in. Contact support for information on the Identity Engine. + idpSelectionType: + description: Determines whether the rule should use expression language or a specific IdP + $ref: '#/components/schemas/IdpSelectionType' + matchCriteria: + items: + $ref: '#/components/schemas/IdpPolicyRuleActionMatchCriteria' + type: array + description: Required if `idpSelectionType` is set to `DYNAMIC` + IdpPolicyRuleActionMatchCriteria: + type: object + properties: + propertyName: + type: string + description: The IdP property that the evaluated string should match to + providerExpression: + type: string + description: | + You can provide an Okta Expression Language expression with the Login Context that's evaluated with the IdP. 
For example, the value `login.identifier` refers to the user's username. If the user is signing in with the username `john.doe@mycompany.com`, the expression `login.identifier.substringAfter(@))` is evaluated to the domain name of the user, for example: `mycompany.com`. IdpPolicyRuleActionProvider: type: object properties: id: - readOnly: true type: string - type: + description: IdP types of `OKTA`, `AgentlessDSSO`, and `IWA` don't require an ID. + name: type: string + description: Provider `name` in Okta. Optional. Supported in `IDENTITY ENGINE`. + type: + $ref: '#/components/schemas/IdentityProviderType' + IdpSelectionType: + type: string + x-okta-known-values: + - DYNAMIC + - SPECIFIC IframeEmbedScopeAllowedApps: type: string x-okta-known-values: 
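Review bot: The example in the new `providerExpression` description under `IdpPolicyRuleActionMatchCriteria` is malformed: `login.identifier.substringAfter(@))` has an unbalanced parenthesis and an unquoted `@`, so it will not parse if copied into a routing rule. I would write it as `login.identifier.substringAfter('@')`. In the same hunk, `idpSelectionType` places a `description` beside a `$ref`; tooling that follows OpenAPI 3.0 ignores siblings of `$ref`, so that text may be dropped from generated docs. Wrapping it in `allOf`, as `ImportScheduleObject.fullImport` does elsewhere in this patch, keeps the description attached.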
@@ -21957,6 +32180,51 @@ components: url: readOnly: true type: string + ImportScheduleObject: + description: Import schedule configuration + type: object + properties: + fullImport: + allOf: + - $ref: '#/components/schemas/ImportScheduleSettings' + - description: Determines the full import schedule + incrementalImport: + allOf: + - $ref: '#/components/schemas/ImportScheduleSettings' + - description: Determines the incremental import schedule + status: + $ref: '#/components/schemas/EnabledStatus' + ImportScheduleSettings: + type: object + properties: + expression: + type: string + description: The import schedule in UNIX cron format + example: 00 21 * * Mon,Thu,Fri,Sat + timezone: + type: string + description: The import schedule time zone in Internet Assigned Numbers Authority (IANA) time zone name format + minLength: 1 + maxLength: 64 + example: America/Los_Angeles + required: + - expression + ImportUsernameObject: + description: Determines the Okta username for the imported user + type: object + properties: + userNameExpression: + type: string + description: For `usernameFormat=CUSTOM`, specifies the Okta Expression Language statement for a username format that imported users use to sign in to Okta + usernameFormat: + type: string + description: Determines the username format when users sign in to Okta + default: EMAIL + enum: + - EMAIL + - CUSTOM + required: + - usernameFormat InactivityPolicyRuleCondition: type: object properties: @@ -21964,6 +32232,11 @@ components: type: integer unit: type: string + InboundProvisioningApplicationFeature: + allOf: + - $ref: '#/components/schemas/ApplicationFeature' + - type: object + - {} InlineHook: type: object properties: @@ -21989,11 +32262,7 @@ components: version: type: string _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' InlineHookChannel: type: object properties: 
@@ -22142,48 +32411,69 @@ components: type: object properties: alg: + description: 'The algorithm used with the Key. Valid value: `RS256`' type: string created: - type: string - format: date-time + $ref: '#/components/schemas/createdProperty' e: + description: RSA key value (public exponent) for Key binding type: string + readOnly: true expiresAt: + description: Timestamp when the certificate expires type: string format: date-time + readOnly: true key_ops: + description: Identifies the operation(s) for which the key is intended to be used type: array items: type: string kid: + description: Unique identifier for the certificate type: string + readOnly: true kty: + description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`' type: string + readOnly: true lastUpdated: type: string format: date-time + $ref: '#/components/schemas/lastUpdatedProperty' 'n': + description: RSA modulus value that is used by both the public and private keys and provides a link between them type: string status: + description: |- + An `ACTIVE` Key is used to sign tokens issued by the authorization server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`
+ A `NEXT` Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The `NEXT` Key might not be listed if it hasn't been generated yet. + An `EXPIRED` Key is the previous Key that the authorization server used to sign tokens. The `EXPIRED` Key might not be listed if no Key has expired or the expired Key was deleted. type: string use: + description: 'Acceptable use of the certificate. Valid value: `sig`' type: string + readOnly: true x5c: + description: X.509 certificate chain that contains a chain of one or more certificates type: array items: type: string + readOnly: true x5t: + description: X.509 certificate SHA-1 thumbprint, which is the base64url-encoded SHA-1 thumbprint (digest) of the DER encoding of an X.509 certificate type: string + readOnly: true x5t#S256: + description: X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate type: string + readOnly: true x5u: + description: A URI that refers to a resource for the X.509 public key certificate or certificate chain corresponding to the key used to digitally sign the JWS (JSON Web Signature) type: string - _links: - type: object - additionalProperties: - type: object - properties: {} readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' JwkUse: type: object properties: 
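Review bot: In `JsonWebKey`, `lastUpdated` keeps `type: string` and `format: date-time` and gains a sibling `$ref: '#/components/schemas/lastUpdatedProperty'`, whereas `created` just above it was reduced to the `$ref` alone. Under OpenAPI 3.0 the siblings of a `$ref` are ignored, so the two leftover lines are dead and can make generators disagree; I would remove them so the property is only `$ref: '#/components/schemas/lastUpdatedProperty'`. Separately, `e` is now `readOnly: true` while `n` is not, even though they are the two halves of the same RSA public key. They should probably agree, and it is worth stating in the descriptions which key members a caller may actually supply.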
@@ -22198,22 +32488,48 @@ components: properties: name: type: string + KeyTrustLevelBrowserKey: + description: Represents the attestation strength used by the Chrome Verified Access API + example: CHROME_BROWSER_HW_KEY + type: string + x-enumDescriptions: + CHROME_BROWSER_HW_KEY: Identity of the device was attested using a key pair that is OS encapsulated by a hardware layer + CHROME_BROWSER_OS_KEY: Identity of the device was attested using a key pair that is simply stored on the device but not in any specific hardware layer + x-okta-known-values: + - CHROME_BROWSER_HW_KEY + - CHROME_BROWSER_OS_KEY + KeyTrustLevelOSMode: + description: Represents the attestation strength used by the Chrome Verified Access API + example: CHROME_OS_VERIFIED_MODE + type: string + x-enumDescriptions: + CHROME_OS_VERIFIED_MODE: Identity of the device was attested using an enterprise-emitted certificate, and the device is in Verified mode + CHROME_OS_DEVELOPER_MODE: Identity of the device was attested using an enterprise-emitted certificate, and the device is in Developer mode + x-okta-known-values: + - CHROME_OS_DEVELOPER_MODE + - CHROME_OS_VERIFIED_MODE KnowledgeConstraint: allOf: - $ref: '#/components/schemas/AccessPolicyConstraint' Language: - description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646). 
+ description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646) type: string LifecycleCreateSettingObject: + description: Determines whether to update a user in the application when a user in Okta is updated type: object properties: status: - $ref: '#/components/schemas/EnabledStatus' + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED LifecycleDeactivateSettingObject: + description: Determines whether deprovisioning occurs when the app is unassigned type: object properties: status: - $ref: '#/components/schemas/EnabledStatus' + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED LifecycleExpirationPolicyRuleCondition: type: object properties: @@ -22236,11 +32552,7 @@ components: primary: $ref: '#/components/schemas/LinkedObjectDetails' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' LinkedObjectDetails: type: object properties: 
@@ -22256,6 +32568,79 @@ components: type: string x-okta-known-values: - USER + LinksAppAndUser: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the App User. + type: object + properties: + app: + $ref: '#/components/schemas/HrefObjectAppLink' + user: + $ref: '#/components/schemas/HrefObjectUserLink' + readOnly: true + LinksNext: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. Use the `LinksNext` object for dynamic discovery of related resources and lifecycle operations. + type: object + properties: + next: + $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksSelf: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + LinksSelfAndFullUsersLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + suspend: + $ref: '#/components/schemas/HrefObjectSuspendLink' + unsuspend: + $ref: '#/components/schemas/HrefObjectUnsuspendLink' + users: + description: Link to Device users + allOf: + - $ref: '#/components/schemas/HrefObject' + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + LinksSelfAndRoles: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + roles: + $ref: '#/components/schemas/HrefObject' + LinksSelfLifecycleAndAuthorize: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + ListProfileMappings: + description: |- + A collection of the profile mappings that include a subset of the profile mapping object's properties. The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). + + > **Note:** Same type source/target mappings aren't supported by this API. Profile mappings must either be Okta->App or App->Okta. + type: object + properties: + id: + type: string + description: Unique identifier for profile mapping + readOnly: true + source: + $ref: '#/components/schemas/ProfileMappingSource' + target: + $ref: '#/components/schemas/ProfileMappingTarget' + _links: + $ref: '#/components/schemas/LinksSelf' LoadingPageTouchPointVariant: type: string x-okta-known-values: @@ -22274,7 +32659,7 @@ components: alternateId: type: string readOnly: true - detail: + detailEntry: type: object additionalProperties: type: object 
@@ -22511,35 +32896,46 @@ components: created: type: string format: date-time - description: Timestamp when the Log Stream was created + description: Timestamp when the Log Stream object was created readOnly: true + example: '2022-10-21T16:59:59.000Z' id: type: string - description: Unique key for the Log Stream + description: Unique identifier for the Log Stream readOnly: true + example: 0oa1orzg0CHSgPcjZ0g4 lastUpdated: type: string format: date-time - description: Timestamp when the Log Stream was last updated + description: Timestamp when the Log Stream object was last updated readOnly: true + example: '2022-10-21T17:15:10.000Z' name: - type: string - description: Unique name for the Log Stream + $ref: '#/components/schemas/LogStreamName' status: - $ref: '#/components/schemas/LifecycleStatus' + type: string + description: Lifecycle status of the Log Stream object + enum: + - ACTIVE + - INACTIVE + readOnly: true type: $ref: '#/components/schemas/LogStreamType' _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - activate: - $ref: '#/components/schemas/HrefObject' - deactivate: - $ref: '#/components/schemas/HrefObject' - readOnly: true - discriminator: *ref_5 + $ref: '#/components/schemas/LogStreamLinksSelfAndLifecycle' + required: + - created + - id + - lastUpdated + - name + - status + - type + - _links + discriminator: *ref_11 + LogStreamActivateLink: + allOf: + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to activate the resource LogStreamAws: allOf: - $ref: '#/components/schemas/LogStream' 
@@ -22547,6 +32943,65 @@ components: properties: settings: $ref: '#/components/schemas/LogStreamSettingsAws' + required: + - settings + LogStreamAwsPutSchema: + allOf: + - $ref: '#/components/schemas/LogStreamPutSchema' + - type: object + properties: + settings: + $ref: '#/components/schemas/LogStreamSettingsAws' + required: + - settings + LogStreamDeactivateLink: + allOf: + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to deactivate the resource + LogStreamLinkObject: + title: Log Stream Link object + type: object + properties: + href: + type: string + description: The URI of the resource + method: + type: string + description: HTTP method allowed for the resource + enum: + - GET + - POST + required: + - href + readOnly: true + LogStreamLinksSelfAndLifecycle: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + type: object + properties: + activate: + $ref: '#/components/schemas/LogStreamActivateLink' + deactivate: + $ref: '#/components/schemas/LogStreamDeactivateLink' + self: + $ref: '#/components/schemas/LogStreamSelfLink' + required: + - self + readOnly: true + LogStreamName: + description: Unique name for the Log Stream object + example: My AWS EventBridge log stream + type: string + LogStreamPutSchema: + type: object + properties: + name: + $ref: '#/components/schemas/LogStreamName' + type: + $ref: '#/components/schemas/LogStreamType' + required: + - name + - type + discriminator: *ref_20 LogStreamSchema: type: object properties: 
@@ -22579,47 +33034,50 @@ components: type: string readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - LogStreamSettings: - type: object - LogStreamSettingsAws: + $ref: '#/components/schemas/LinksSelf' + LogStreamSelfLink: allOf: - - $ref: '#/components/schemas/LogStreamSettings' - - description: The AWS EventBridge Settings object specifies the configuration for the `aws_eventbridge` Log Stream type. This can't be modified after creation. - type: object - properties: - accountId: - type: string - description: Your AWS account ID - minLength: 12 - maxLength: 12 - eventSourceName: - type: string - description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge - pattern: ^[a-zA-Z0-9.\-_]$ - minLength: 1 - maxLength: 75 - region: - $ref: '#/components/schemas/AwsRegion' + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to the resource (self) + LogStreamSettingsAws: + description: Specifies the configuration for the `aws_eventbridge` Log Stream type. This configuration can't be modified after creation. + type: object + properties: + accountId: + $ref: '#/components/schemas/AwsAccountId' + eventSourceName: + $ref: '#/components/schemas/AwsEventSourceName' + region: + $ref: '#/components/schemas/AwsRegion' + required: + - accountId + - eventSourceName + - region LogStreamSettingsSplunk: - allOf: - - $ref: '#/components/schemas/LogStreamSettings' - - description: The Splunk Cloud Settings object specifies the configuration for the `splunk_cloud_logstreaming` Log Stream type. - type: object - properties: - host: - type: string - description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. 
For example: `acme.splunkcloud.com`' - minLength: 17 - maxLength: 116 - token: - type: string - description: The HEC token for your Splunk Cloud HTTP Event Collector - pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ + description: Specifies the configuration for the `splunk_cloud_logstreaming` Log Stream type. + type: object + properties: + edition: + $ref: '#/components/schemas/SplunkEdition' + host: + $ref: '#/components/schemas/SplunkHost' + token: + $ref: '#/components/schemas/SplunkToken' + required: + - edition + - host + - token + LogStreamSettingsSplunkPut: + description: Specifies the configuration for the `splunk_cloud_logstreaming` Log Stream type. + type: object + properties: + edition: + $ref: '#/components/schemas/SplunkEdition' + host: + $ref: '#/components/schemas/SplunkHost' + required: + - edition + - host LogStreamSplunk: allOf: - $ref: '#/components/schemas/LogStream' @@ -22627,8 +33085,26 @@ components: properties: settings: $ref: '#/components/schemas/LogStreamSettingsSplunk' + required: + - settings + LogStreamSplunkPutSchema: + allOf: + - $ref: '#/components/schemas/LogStreamPutSchema' + - type: object + properties: + settings: + $ref: '#/components/schemas/LogStreamSettingsSplunkPut' + required: + - settings LogStreamType: - description: The Log Stream type specifies the streaming provider used. Okta supports [AWS EventBridge](https://aws.amazon.com/eventbridge/) and [Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html). + description: |- + Specifies the streaming provider used + + Supported providers: + * `aws_eventbridge` ([AWS EventBridge](https://aws.amazon.com/eventbridge)) + * `splunk_cloud_logstreaming` ([Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html)) + + Select the provider type to see provider-specific configurations in the `settings` property: type: string x-okta-known-values: - aws_eventbridge 
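Review bot: `token` is now listed under `required` in `LogStreamSettingsSplunk`, which is the schema the `LogStreamSplunk` read model references; only the new `LogStreamSettingsSplunkPut` leaves the token out. The HEC token is a credential, so the spec should say explicitly that it is accepted on create and not returned. `SplunkToken` is defined outside this hunk, and if it is not marked `writeOnly: true` the generated v4 model will treat the secret as an ordinary required response field. I would confirm that definition and add a sentence to the `LogStreamSettingsSplunk` description stating that the token is write-only, so SDK users know not to expect or log it.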
@@ -22705,6 +33181,20 @@ components: MultifactorEnrollmentPolicyAuthenticatorSettings: type: object properties: + constraints: + nullable: true + minimum: 0 + type: object + properties: + aaguidGroups: + type: array + items: + type: string + uniqueItems: true + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] enroll: type: object properties: 
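Review bot: The new `constraints` property in `MultifactorEnrollmentPolicyAuthenticatorSettings` declares `minimum: 0` on a schema of `type: object`; `minimum` applies only to numeric types, so it constrains nothing and looks like a leftover. The attached `x-okta-lifecycle` block also pairs `lifecycle: GA` with `isGenerallyAvailable: false`, which contradict each other. I would delete the `minimum: 0` line and settle the lifecycle flags one way. `aaguidGroups` also has no `description`; it appears to limit which authenticators can be enrolled, so the expected values should be documented.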
@@ -22756,80 +33246,88 @@ components: type: array items: type: string - description: 'Format of each array value: a string representation of an ASN numeric value' + description: 'Dynamic network zone property: An array of strings that represent an ASN numeric value' maximum: 75 - example: - - 23457 created: type: string format: date-time + description: Timestamp when the network zone was created readOnly: true gateways: type: array items: $ref: '#/components/schemas/NetworkZoneAddress' description: |- - IP addresses (range or CIDR form) of this Zone. + IP network zone property: the IP addresses (range or CIDR form) of this zone. The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone. id: type: string + description: Unique identifier for the network zone readOnly: true lastUpdated: type: string format: date-time + description: Timestamp when the network zone was last modified readOnly: true locations: type: array items: $ref: '#/components/schemas/NetworkZoneLocation' - description: The geolocations of this Zone + description: 'Dynamic network zone property: an array of geolocations of this network zone' maximum: 75 name: type: string - description: Unique name for this Zone. Maximum of 128 characters. - example: newNetworkZone + description: Unique name for this network zone. Maximum of 128 characters. proxies: type: array items: $ref: '#/components/schemas/NetworkZoneAddress' + nullable: true description: |- - IP address (range or CIDR form) that are allowed to forward a request from gateway addresses. + IP network zone property: the IP addresses (range or CIDR form) that are allowed to forward a request from gateway addresses These proxies are automatically trusted by Threat Insights, and used to identify the client IP of a request. The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone. 
proxyType: type: string - description: 'One of: `""` or `null` (when not specified), `Any` (meaning any proxy), `Tor`, or `NotTorAnonymizer`' - example: ANY + description: 'Dynamic network zone property: the proxy type used' + enum: + - 'null' + - Any + - Tor + - NotTorAnonymizer + x-enumDescriptions: + 'null': (Or `""`) No proxy used + Any: Use any proxy type for the dynamic zone. + Tor: Use TorAnonymizer as the proxy type for the dynamic zone. + NotTorAnonymizer: Use NotTorAnonymizer as the proxy type for the dynamic zone. status: $ref: '#/components/schemas/NetworkZoneStatus' system: type: boolean description: |- - Indicates if this is a system Network Zone. For admin-created zones, this is always `false`. + Indicates if this is a system network zone. For admin-created zones, this is always `false`. The system IP Policy Network Zone (`LegacyIpZone`) is included by default in your Okta org. Notice that `system=true` for the `LegacyIpZone` object. Admin users can modify the name of this default system Zone and can add up to 5000 gateway or proxy IP entries. type: $ref: '#/components/schemas/NetworkZoneType' - description: 'Type of Zone: `IP` or `DYNAMIC`' usage: $ref: '#/components/schemas/NetworkZoneUsage' - description: 'Usage of Zone: `POLICY` or `BLOCKLIST`' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + deactivate: + $ref: '#/components/schemas/HrefObject' NetworkZoneAddress: description: Specifies the value of an IP address expressed using either `range` or `CIDR` form. - example: 1.2.3.4/24 type: object properties: type: $ref: '#/components/schemas/NetworkZoneAddressType' value: type: string + description: Value in CIDR/range form depending on the type specified NetworkZoneAddressType: - example: CIDR + description: Format of the value type: string x-okta-known-values: - CIDR 
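Review bot: The `proxyType` enum added to `NetworkZone` lists `'null'` in quotes, which is the four-character string rather than a JSON null, and the property is not marked `nullable`. The matching `x-enumDescriptions` entry says the value may also be `""`, which the enum does not contain. A client that validates against this schema would reject the unset cases the description promises. Either add `nullable: true` (as this hunk already does for `proxies`) and drop the `'null'` member, or state that the literal string is what the API expects. Network zones feed `POLICY` and `BLOCKLIST` decisions, so the accepted values should be unambiguous.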
@@ -22850,27 +33348,44 @@ components: Do not use continent codes as they are treated as generic codes for undesignated regions. example: US-CA NetworkZoneStatus: - example: ACTIVE + description: Network zone status type: string x-okta-known-values: - ACTIVE - INACTIVE NetworkZoneType: - example: IP + description: The type of network zone type: string x-okta-known-values: - DYNAMIC - IP NetworkZoneUsage: - example: BLOCKLIST + description: The usage of the network zone type: string x-okta-known-values: - BLOCKLIST - POLICY NotificationType: + description: The type of notification type: string + x-enumDescriptions: + AD_AGENT: System notification sent when an AD agent disconnects or reconnects + AGENT_AUTO_UPDATE_NOTIFICATION: System notification sent when an agent automatically updates + APP_IMPORT: System notification sent with the status of an app user import + CONNECTOR_AGENT: System notification sent when an on-premises provisioning or Okta on-prem MFA agent disconnects or reconnects + IWA_AGENT: System notification sent when an IGA agent disconnects or reconnects + LDAP_AGENT: System notification sent when an LDAP agent disconnects or reconnects + OKTA_ANNOUNCEMENT: Okta communication sent for announcements and release notes + OKTA_ISSUE: Okta communication sent for trust incident alerts and updates + OKTA_UPDATE: Okta communication sent for scheduled system updates + RATELIMIT_NOTIFICATION: System notification sent when an org reaches rate limit warning or violation thresholds + REPORT_SUSPICIOUS_ACTIVITY: System notification sent when a user reports suspicious activity + USER_DEPROVISION: System notification sent when a user is deprovisioned from apps + USER_LOCKED_OUT: System notification sent when a user is locked out from logging in to Okta x-okta-known-values: - AD_AGENT + - AGENT_AUTO_UPDATE_NOTIFICATION + - AGENT_AUTO_UPDATE_NOTIFICATION_LDAP - APP_IMPORT - CONNECTOR_AGENT - IWA_AGENT 
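Review bot: There are two documentation slips in the new `x-enumDescriptions` for `NotificationType`. The `IWA_AGENT` entry reads "sent when an IGA agent disconnects or reconnects", which looks like a typo for IWA. The newly added known value `AGENT_AUTO_UPDATE_NOTIFICATION_LDAP` has no description entry at all. I would change the first to `IWA_AGENT: System notification sent when an IWA agent disconnects or reconnects` and add a matching line for the LDAP auto-update value.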
@@ -22883,18 +33398,24 @@ components: - USER_DEPROVISION - USER_LOCKED_OUT OAuth2Actor: + description: User that created the object type: object properties: id: type: string + description: User ID readOnly: true type: type: string + description: Type of user + example: User + readOnly: true OAuth2Claim: type: object properties: alwaysIncludeInToken: type: boolean + description: Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint. claimType: $ref: '#/components/schemas/OAuth2ClaimType' conditions: @@ -22903,24 +33424,25 @@ components: $ref: '#/components/schemas/OAuth2ClaimGroupFilterType' id: type: string + description: ID of the Claim readOnly: true name: type: string + description: Name of the Claim status: $ref: '#/components/schemas/LifecycleStatus' system: + description: When `true`, indicates that Okta created the Claim type: boolean value: + description: Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`. type: string valueType: $ref: '#/components/schemas/OAuth2ClaimValueType' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' OAuth2ClaimConditions: + description: Specifies the scopes for the Claim type: object properties: scopes: 
@@ -22928,18 +33450,31 @@ components: items: type: string OAuth2ClaimGroupFilterType: + description: |- + Specifies the type of group filter if `valueType` is `GROUPS` + + If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`. + + If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim. type: string + x-enumDescriptions: + STARTS_WITH: Group names start with `value` (not case-sensitive). For example, if `value` is `group1`, then `group123` and `Group123` are included. + EQUALS: Group name is the same as `value` (not case-sensitive). For example, if `value` is `group1`, then `group1` and `Group1` are included, but `group123` isn't. + CONTAINS: Group names contain `value` (not case-sensitive). For example, if `value` is `group1`, then `MyGroup123` and `group1` are included. + REGEX: Group names match the regular expression in `value` (case-sensitive). For example if `value` is `/^[a-z0-9_-]{3,16}$/`, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match. x-okta-known-values: - CONTAINS - EQUALS - REGEX - STARTS_WITH OAuth2ClaimType: + description: Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`) type: string x-okta-known-values: - IDENTITY - RESOURCE OAuth2ClaimValueType: + description: Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`) type: string x-okta-known-values: - EXPRESSION 
@@ -22949,67 +33484,121 @@ components: type: object properties: client_id: + description: Unique key for the client application. The `client_id` is immutable type: string readOnly: true client_name: + description: Human-readable string name of the client application type: string readOnly: true client_uri: type: string readOnly: true logo_uri: + description: URL string that references a logo for the client consent dialog (not the sign-in dialog) type: string readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' OAuth2RefreshToken: type: object properties: clientId: type: string + description: Client ID created: - type: string - format: date-time - readOnly: true - createdBy: - $ref: '#/components/schemas/OAuth2Actor' + $ref: '#/components/schemas/createdProperty' expiresAt: type: string + description: Expiration time of the OAuth 2.0 Token format: date-time readOnly: true id: type: string + description: ID of the Token object readOnly: true issuer: type: string + description: The complete URL of the authorization server that issued the Token lastUpdated: - type: string - format: date-time - readOnly: true + $ref: '#/components/schemas/lastUpdatedProperty' scopes: type: array + description: The scope names attached to the Token items: type: string status: $ref: '#/components/schemas/GrantOrTokenStatus' userId: type: string + description: The ID of the user associated with the Token _embedded: type: object - additionalProperties: - type: object - properties: {} + description: The embedded resources related to the object if the `expand` query parameter is specified + properties: + scopes: + type: array + description: The scope objects attached to the Token + items: + $ref: '#/components/schemas/OAuth2RefreshTokenScope' readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: 
object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppCustomHrefObject' + revoke: + description: Link to revoke the refresh Token + allOf: + - $ref: '#/components/schemas/AppCustomHrefObject' + - properties: + hints: + properties: + allow: + items: + enum: + - DELETE + default: DELETE + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppCustomHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/AppCustomHrefObject' + authorizationServer: + description: Link to the Token authorization server resource + allOf: + - $ref: '#/components/schemas/AppCustomHrefObject' + OAuth2RefreshTokenScope: + type: object + properties: + description: + type: string + description: Description of the Scope + displayName: + type: string + description: Name of the end user displayed in a consent dialog + id: + type: string + description: Scope object ID readOnly: true + name: + type: string + description: Scope name + _links: + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + type: object + properties: + scope: + description: Link to Scope resource + allOf: + - $ref: '#/components/schemas/AppCustomHrefObject' OAuth2Scope: type: object properties: 
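Review bot: In the new `OAuth2RefreshTokenScope` schema, the `displayName` description reads `Name of the end user displayed in a consent dialog`, which looks like a copy error because the property belongs to a Scope object. The same sentence is added to `OAuth2Scope.displayName` in the following hunk. If the field is the scope's label shown to the user at consent time, `description: Name of the Scope displayed in a consent dialog` would say so. The consent screen is where a user decides what to grant, so the field that feeds it should be described unambiguously.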
@@ -23017,76 +33606,116 @@ components: $ref: '#/components/schemas/OAuth2ScopeConsentType' default: type: boolean + description: Indicates if this Scope is a default scope description: type: string + description: Description of the Scope displayName: type: string + description: Name of the end user displayed in a consent dialog id: type: string + description: Scope object ID readOnly: true metadataPublish: $ref: '#/components/schemas/OAuth2ScopeMetadataPublish' name: type: string + description: Scope name + optional: + type: boolean system: type: boolean + description: Indicates if Okta created the Scope OAuth2ScopeConsentGrant: + description: Grant object that represents an app consent scope grant type: object properties: clientId: type: string - created: - type: string - format: date-time + description: Client ID of the app integration readOnly: true + created: + $ref: '#/components/schemas/createdProperty' createdBy: $ref: '#/components/schemas/OAuth2Actor' id: type: string + description: ID of the Grant object readOnly: true issuer: type: string + description: The issuer of your org authorization server. This is typically your Okta domain. 
+ example: https://my_test_okta_org.oktapreview.com lastUpdated: - type: string - format: date-time - readOnly: true + $ref: '#/components/schemas/lastUpdatedProperty' scopeId: type: string + description: The name of the [Okta scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) for which consent is granted + example: okta.users.read source: $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource' status: $ref: '#/components/schemas/GrantOrTokenStatus' userId: type: string + description: User ID that granted consent (if `source` is `END_USER`) + readOnly: true _embedded: type: object - additionalProperties: - type: object - properties: {} + description: Embedded resources related to the Grant + properties: + scope: + type: object + properties: + id: + type: string + description: The name of the Okta scope for which consent is granted + example: okta.users.read readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppCustomHrefObject' + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppCustomHrefObject' + - readOnly: true + required: + - issuer + - scopeId OAuth2ScopeConsentGrantSource: + description: User type source that granted consent + example: ADMIN type: string + readOnly: true x-okta-known-values: - ADMIN - END_USER OAuth2ScopeConsentType: + description: Indicates whether a consent dialog is needed for the Scope + default: IMPLICIT type: string x-okta-known-values: - ADMIN + - FLEXIBLE - IMPLICIT - REQUIRED OAuth2ScopeMetadataPublish: + description: Indicates whether the Scope is included in the metadata + default: NO_CLIENTS type: string x-okta-known-values: - ALL_CLIENTS - NO_CLIENTS OAuth2ScopesMediationPolicyRuleCondition: + description: Array of scopes that the 
condition includes type: object properties: include: @@ -23098,25 +33727,28 @@ components: properties: clientId: type: string - created: - type: string - format: date-time + description: Client ID + example: 0oabskvc6442nkvQO0h7 readOnly: true + created: + $ref: '#/components/schemas/createdProperty' expiresAt: type: string + description: Expiration time of the OAuth 2.0 Token format: date-time readOnly: true id: type: string + description: ID of the Token object readOnly: true issuer: type: string + description: The complete URL of the authorization server that issued the Token lastUpdated: - type: string - format: date-time - readOnly: true + $ref: '#/components/schemas/lastUpdatedProperty' scopes: type: array + description: Name of scopes attached to the Token items: type: string status: @@ -23125,16 +33757,13 @@ components: type: string _embedded: type: object + description: Embedded resources related to the object if the `expand` query parameter is specified additionalProperties: type: object properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' OAuthApplicationCredentials: allOf: - $ref: '#/components/schemas/ApplicationCredentials' @@ -23157,10 +33786,10 @@ components: - client_credentials - implicit - interaction_code - - interaction_code - password - refresh_token - urn:ietf:params:oauth:grant-type:device_code + - urn:ietf:params:oauth:grant-type:jwt-bearer - urn:ietf:params:oauth:grant-type:saml2-bearer - urn:ietf:params:oauth:grant-type:token-exchange OAuthResponseType: 
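Review bot: `OAuth2Scope.optional` is added with `type: boolean` and no description, although every neighbouring property in this hunk gained one. In the same hunk `OAuth2ScopeConsentType` gains `FLEXIBLE` and `default: IMPLICIT` without an `x-enumDescriptions` block, unlike `OAuth2ClaimGroupFilterType` earlier in this commit. These values control whether a user is asked for consent, so I would add an `x-enumDescriptions` map covering `ADMIN`, `FLEXIBLE`, `IMPLICIT` and `REQUIRED`. A one-line description on `optional` should state how it interacts with `consent`. Without these, a reader cannot tell from the spec what the default does.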
@@ -23169,6 +33798,324 @@ components: - code - id_token - token + OINApplication: + type: object + properties: + accessibility: + $ref: '#/components/schemas/ApplicationAccessibility' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the Application object was created + credentials: + $ref: '#/components/schemas/SchemeApplicationCredentials' + features: + type: array + description: Enabled app features + items: + type: string + id: + type: string + readOnly: true + description: Unique ID for the app instance + label: + $ref: '#/components/schemas/ApplicationLabel' + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the Application object was last updated + licensing: + $ref: '#/components/schemas/ApplicationLicensing' + name: + type: string + description: Unique key for the app definition + profile: + type: object + description: Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps) + additionalProperties: + type: object + properties: {} + settings: + $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' + signOnMode: + $ref: '#/components/schemas/ApplicationSignOnMode' + status: + $ref: '#/components/schemas/ApplicationLifecycleStatus' + visibility: + $ref: '#/components/schemas/ApplicationVisibility' + _embedded: + type: object + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/ApplicationLinks' + OINApplicationSettingsSignOn: + description: Base sign-in setting schema for an OIN app + type: object + properties: + signOnMode: + $ref: '#/components/schemas/ApplicationSignOnMode' + discriminator: + propertyName: signOnMode + mapping: + AUTO_LOGIN: '#/components/schemas/OINAutoLoginApplicationSettingsSignOn' + SAML_1_1: '#/components/schemas/OINSaml11ApplicationSettingsSignOn' + SAML_2_0: 
'#/components/schemas/OINSaml20ApplicationSettingsSignOn' + OINAutoLoginApplicationSettingsSignOn: + allOf: + - $ref: '#/components/schemas/OINApplicationSettingsSignOn' + - type: object + - description: Contains the sign-in attributes available when configuring an app with `AUTO_LOGIN` as the `signOnMode` + - required: + - loginUrl + properties: + signOnMode: + default: AUTO_LOGIN + loginUrl: + type: string + description: Primary URL of the sign-in page for this app + redirectUrl: + type: string + description: Secondary URL of the sign-in page for this app + OINBaseSignOnModeApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + app: + type: object + nullable: true + additionalProperties: + type: string + properties: {} + signOn: + $ref: '#/components/schemas/OINApplicationSettingsSignOn' + OINSaml11ApplicationSettingsSignOn: + allOf: + - $ref: '#/components/schemas/OINApplicationSettingsSignOn' + - type: object + - description: Contains the sign-in attributes available when configuring an app with `SAML_1_1` as the `signOnMode` + properties: + signOnMode: + default: SAML_1_1 + defaultRelayState: + type: string + description: Identifies a specific application resource in an IDP-initiated SSO scenario + ssoAcsUrlOverride: + type: string + description: Assertion Consumer Service URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm) + audienceOverride: + type: string + description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm) + recipientOverride: + type: string + description: Recipient override for CASB configuration. 
See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm) + OINSaml20ApplicationSettingsSignOn: + description: Contains the sign-in attributes available when configuring an app with `SAML_2_0` as the `signOnMode` + allOf: + - $ref: '#/components/schemas/OINSaml11ApplicationSettingsSignOn' + - type: object + - required: + - destinationOverride + properties: + signOnMode: + default: SAML_2_0 + destinationOverride: + type: string + description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm) + honorForceAuthn: + type: boolean + description: Set to `true` to prompt users for their credentials when a SAML request has the `ForceAuthn` attribute set to `true` + configuredAttributeStatements: + type: array + items: + $ref: '#/components/schemas/SamlAttributeStatement' + OSVersion: + description: | + Specifies the OS requirement for the policy. + + There are two types of OS requirements: + + * **Static**: A specific OS version requirement that doesn't change until you update the policy. A static OS requirement is specified with the `osVersion.minimum` property. + * **Dynamic**: An OS version requirement that is relative to the latest major OS release and security patch. A dynamic OS requirement is specified with the `osVersion.dynamicVersionRequirement` property. + > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. You can't specify both `osVersion.minimum` and `osVersion.dynamicVersionRequirement` properties at the same time. + type: object + properties: + dynamicVersionRequirement: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + description:
Contains the necessary properties for a dynamic version requirement + type: object + properties: + type: + type: string + description: Indicates the type of the dynamic OS version requirement + enum: + - MINIMUM + - EXACT + - EXACT_ANY_SUPPORTED + x-enumDescriptions: + MINIMUM: The device version must be equal to or newer than the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. + EXACT: The device version must be on the same major version as the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. + EXACT_ANY_SUPPORTED: The device version must be on a major version which is supported. You can't specify `distanceFromLatestMajor` for this type. + distanceFromLatestMajor: + description: Indicates the distance from the latest major version + type: integer + minimum: 0 + maximum: 1 + latestSecurityPatch: + description: Indicates whether the device needs to be on the latest security patch + type: boolean + minimum: + description: The device version must be equal to or newer than the specified version string (maximum of three components for iOS and macOS, and maximum of four components for Android) + type: string + example: 12.4.5 + OSVersionConstraint: + type: object + properties: + dynamicVersionRequirement: + type: object + description: Contains the necessary properties for a dynamic Windows version requirement + properties: + type: + type: string + description: Indicates the type of the dynamic Windows version requirement + enum: + - MINIMUM + - EXACT + - EXACT_ANY_SUPPORTED + - NOT_ALLOWED + x-enumDescriptions: + MINIMUM: The device version must be equal to or newer than the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. + EXACT: The device version must be on the same major version as the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. 
+ EXACT_ANY_SUPPORTED: The device version must be on a Windows major version which is supported. You can't specify `distanceFromLatestMajor` for this type. + NOT_ALLOWED: The device version isn't allowed. You can't specify `distanceFromLatestMajor` or `latestSecurityPatch` for this type. + distanceFromLatestMajor: + description: Indicates the distance from the latest Windows major version + type: integer + minimum: 0 + maximum: 1 + latestSecurityPatch: + description: Indicates whether the policy requires Windows devices to be on the latest security patch + type: boolean + majorVersionConstraint: + type: string + description: Indicates the Windows major version + enum: + - WINDOWS_11 + - WINDOWS_10 + x-enumDescriptions: + WINDOWS_11: The device is on Windows 11 + WINDOWS_10: The device is on Windows 10 or an older Windows version + minimum: + description: The Windows device version must be equal to or newer than the specified version + type: string + example: 12.4.5.9 + required: + - majorVersionConstraint + OSVersionFourComponents: + description: Current version of the operating system (maximum of four components in the versioning scheme) + type: object + properties: + minimum: + type: string + example: 12.4.5.9 + OSVersionThreeComponents: + description: Current version of the operating system (maximum of three components in the versioning scheme) + type: object + properties: + minimum: + type: string + example: 12.4.5 + Office365ApplicationSettings: + allOf: + - $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/Office365ApplicationSettingsApplication' + Office365ApplicationSettingsApplication: + description: Office365 app instance properties + type: object + properties: + domain: + type: string + description: The domain for your Office 365 account + domains: + description: List of Office 365 domains + type: array + items: + $ref: 
'#/components/schemas/Office365Domain' + msftTenant: + type: string + description: Microsoft tenant name + required: + - msftTenant + - domain + Office365Domain: + type: object + properties: + index: + type: integer + name: + type: string + description: The domain for your Office 365 account + Office365ProvisioningSettings: + title: office365 + description: Settings required for the Office 365 provisioning connection + type: object + properties: + adminPassword: + type: string + description: Office 365 global administrator password + adminUsername: + type: string + description: Office 365 global administrator user name + required: + - adminUsername + - adminPassword + Oidc: + description: OIDC configuration details + type: object + properties: + doc: + type: string + format: uri + description: The URL to your customer-facing instructions for configuring your OIDC integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). + example: https://example.com/strawberry/help/oidcSetup + initiateLoginUri: + type: string + format: uri + description: The URL to redirect users when they click on your app from their Okta End-User Dashboard + example: https://${org.subdomain}.example.com/strawberry/oidc/sp-init + postLogoutUris: + type: array + description: The sign-out redirect URIs for your app. You can send a request to `/v1/logout` to sign the user out and redirect them to one of these URIs. + items: + type: string + format: uri + description: 'A sign-out redirect URI. You can use the org properties you defined in the `config` array as variables in your URI. 
For example: `https://${org.subdomain}.example.com/strawberry/oidc/logged-out`' + example: https://${org.subdomain}.example.com/strawberry/oidc/logged-out + redirectUris: + type: array + minItems: 1 + description: List of sign-in redirect URIs + items: + type: string + format: uri + description: Sign-in redirect URI + example: https://${org.subdomain}.example.com/strawberry/oidc/login + required: + - redirectUris + - doc OktaSignOnPolicy: allOf: - $ref: '#/components/schemas/Policy' @@ -23254,6 +34201,7 @@ components: $ref: '#/components/schemas/OAuthApplicationCredentials' name: type: string + description: Unique key for the app definition default: oidc_client settings: $ref: '#/components/schemas/OpenIdConnectApplicationSettings' @@ -23293,6 +34241,19 @@ components: type: string consent_method: $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod' + dpop_bound_access_tokens: + type: boolean + description: Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. + default: false + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + frontchannel_logout_session_required: + description: Include user session details. + type: boolean + frontchannel_logout_uri: + description: URL where Okta sends the logout request. + type: string grant_types: type: array items: @@ -23305,8 +34266,14 @@ components: $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode' jwks: $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys' + jwks_uri: + description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta. + type: string logo_uri: type: string + participate_slo: + description: Allows the app to participate in front-channel single logout. + type: boolean policy_uri: type: string post_logout_redirect_uris: 
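Review bot: `Office365ProvisioningSettings.adminPassword` is declared with `type: string` only, although it is described as the Office 365 global administrator password. `PasswordCredential.value` in this same file carries `format: password` and, as of this commit, `writeOnly: true`. Adding `format: password` and `writeOnly: true` under `adminPassword` would make the two secret-bearing fields consistent. Documentation renderers and generators that honour those keywords would then treat the value as a write-only secret instead of an ordinary string.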
@@ -23335,12 +34302,28 @@ components: items: $ref: '#/components/schemas/JsonWebKey' OpenIdConnectApplicationSettingsRefreshToken: + description: | + Refresh token configuration for an OAuth 2.0 client + + When you create or update an OAuth 2.0 client, you can configure refresh token rotation by setting the `rotation_type` and `leeway` properties. If you don't set these properties when you create an app integration, the default values are used. + When you update an app integration, your previously configured values are used. type: object properties: leeway: type: integer + minimum: 0 + maximum: 60 + description: | + The leeway, in seconds, allowed for the OAuth 2.0 client. + After the refresh token is rotated, the previous token remains valid for the specified period of time so clients can get the new token. + + > **Note:** A leeway of 0 doesn't necessarily mean that the previous token is immediately invalidated. The previous token is invalidated after the new token is generated and returned in the response. + default: 30 + example: 20 rotation_type: $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType' + required: + - rotation_type OpenIdConnectApplicationType: type: string x-okta-known-values: 
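Review bot: The new `required: - rotation_type` on `OpenIdConnectApplicationSettingsRefreshToken` contradicts the description added a few lines above it. That description says `If you don't set these properties when you create an app integration, the default values are used`. A client generated from this schema may refuse a payload that omits `rotation_type`, even though the text says the server accepts it. Either drop the `required` entry or reword the description so that only `leeway` is described as optional. It would also help to state in the `leeway` description that the previous refresh token stays usable for up to that many seconds after rotation, since that window is the security trade-off being configured.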
@@ -23349,10 +34332,79 @@ components: - service - web OpenIdConnectRefreshTokenRotationType: + description: The refresh token rotation mode for the OAuth 2.0 client + example: STATIC type: string + x-enumDescriptions: + ROTATE: The default rotation type for single-page apps (SPAs) + STATIC: The default rotation type for all clients, except SPAs x-okta-known-values: - ROTATE - STATIC + OperationRequest: + type: object + properties: + ruleId: + type: string + OperationResponse: + type: object + properties: + completed: + type: string + format: date-time + readOnly: true + created: + type: string + format: date-time + readOnly: true + id: + type: string + readOnly: true + numUserMoved: + type: number + readOnly: true + realmId: + type: string + readOnly: true + realmName: + type: string + readOnly: true + ruleOperation: + type: object + properties: + configuration: + type: object + properties: + actions: + type: object + properties: + assignUserToRealm: + type: object + properties: + realmId: + type: string + realmName: + type: string + conditions: + $ref: '#/components/schemas/Conditions' + id: + type: string + name: + type: string + started: + type: string + format: date-time + readOnly: true + status: + type: string + readOnly: true + enum: + - COMPLETED + - SCHEDULED + - IN_PROGRESS + - FAILED + _links: + $ref: '#/components/schemas/LinksSelf' OperationalStatus: description: Operational status of a given agent type: string 
@@ -23361,6 +34413,26 @@ components: - DISRUPTED - INACTIVE - OPERATIONAL + OrgCAPTCHASettings: + title: OrgCAPTCHASettings + description: '' + type: object + properties: + captchaId: + description: The unique key of the associated CAPTCHA instance + type: string + enabledPages: + description: An array of pages that have CAPTCHA enabled + type: array + items: + $ref: '#/components/schemas/enabledPagesType' + _links: + type: object + description: Link relations for the CAPTCHA settings object + properties: + self: + $ref: '#/components/schemas/HrefObject' + readOnly: true OrgContactType: type: string x-okta-known-values: @@ -23372,18 +34444,14 @@ components: contactType: $ref: '#/components/schemas/OrgContactType' _links: - additionalProperties: - type: object + $ref: '#/components/schemas/LinksSelf' OrgContactUser: type: object properties: userId: type: string _links: - additionalProperties: - type: object - readOnly: true - type: object + $ref: '#/components/schemas/LinksSelf' OrgOktaCommunicationSetting: type: object properties: @@ -23391,8 +34459,7 @@ components: type: boolean readOnly: true _links: - additionalProperties: - type: object + $ref: '#/components/schemas/LinksSelf' OrgOktaSupportSetting: type: string x-okta-known-values: @@ -23408,8 +34475,7 @@ components: support: $ref: '#/components/schemas/OrgOktaSupportSetting' _links: - additionalProperties: - type: object + $ref: '#/components/schemas/LinksSelf' OrgPreferences: type: object properties: @@ -23417,8 +34483,7 @@ components: type: boolean readOnly: true _links: - additionalProperties: - type: object + $ref: '#/components/schemas/LinksSelf' OrgSetting: type: object properties: 
@@ -23466,8 +34531,26 @@ components: website: type: string _links: - additionalProperties: - type: object + $ref: '#/components/schemas/LinksSelf' + OtpProtocol: + type: string + x-okta-known-values: + - SYMANTEC + - TOTP + - YUBICO + OtpTotpAlgorithm: + description: HMAC algorithm + type: string + x-okta-known-values: + - HMacSHA1 + - HMacSHA256 + - HMacSHA512 + OtpTotpEncoding: + type: string + x-okta-known-values: + - base32 + - base64 + - hexadecimal PageRoot: type: object properties: @@ -23488,18 +34571,21 @@ components: format: uri readOnly: true _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - default: - $ref: '#/components/schemas/HrefObject' - customized: - $ref: '#/components/schemas/HrefObject' - preview: - $ref: '#/components/schemas/HrefObject' - readOnly: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + default: + $ref: '#/components/schemas/HrefObject' + customized: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' PasswordCredential: + description: |- + When a user has a valid password, imported hashed password, or password hook, and a response object contains + a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This + indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password + authenticator: **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**). type: object properties: hash: 
@@ -23508,33 +34594,69 @@ components: $ref: '#/components/schemas/PasswordCredentialHook' value: type: string + writeOnly: true + description: Specifies the password for a user. The Password Policy validates this password. format: password PasswordCredentialHash: + description: |- + Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly + from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. + A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. + See [Create User with Imported Hashed Password](https://developer.okta.com/docs/reference/api/users/#create-user-with-imported-hashed-password) + for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the `STAGED` status. type: object properties: algorithm: $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' + digestAlgorithm: + $ref: '#/components/schemas/DigestAlgorithm' + iterationCount: + type: integer + description: The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for PBKDF2 algorithm. + keySize: + type: integer + description: Size of the derived key in bytes. Only required for PBKDF2 algorithm. salt: + description: |- + Only required for salted hashes. For BCRYPT, this specifies Radix-64 as the encoded salt used to generate the hash, + which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to + generate the hash. type: string saltOrder: type: string + description: Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms. value: + description: |- + For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual base64-encoded hash of the password (and salt, if used). 
+ This is the Base64-encoded `value` of the SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either pre-fixing or post-fixing + the `salt` to the `password`, depending on the `saltOrder`. If a `salt` was not used in the `source` system, then this should just be + the Base64-encoded `value` of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the actual Radix-64 encoded hashed password. type: string workFactor: type: integer + description: Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm. + minimum: 1 + maximum: 20 PasswordCredentialHashAlgorithm: + description: The algorithm used to generate the hash using the password (and salt, when applicable). type: string x-okta-known-values: - BCRYPT - MD5 + - PBKDF2 - SHA-1 - SHA-256 - SHA-512 PasswordCredentialHook: + description: |- + Specify a [password import inline hook](https://developer.okta.com/docs/reference/password-hook/) to trigger verification of the user's password + the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. + See [Create User with Password Hook](https://developer.okta.com/docs/reference/api/users/#create-user-with-password-import-inline-hook) for information on using this object when creating a user. type: object properties: type: type: string + description: The type of password inline hook. Currently, must be set to default. PasswordDictionary: type: object properties: @@ -23730,7 +34852,7 @@ components: passwordChange: $ref: '#/components/schemas/PasswordPolicyRuleAction' selfServicePasswordReset: - $ref: '#/components/schemas/PasswordPolicyRuleAction' + $ref: '#/components/schemas/SelfServicePasswordResetAction' selfServiceUnlock: $ref: '#/components/schemas/PasswordPolicyRuleAction' PasswordPolicyRuleConditions: 
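Review bot: In `PasswordCredentialHash`, the `iterationCount` description states `Must be >= 4096`, but the schema does not encode that bound. `workFactor` in the same hunk does get `minimum: 1` and `maximum: 20`. Adding `minimum: 4096` under `iterationCount` would let schema validators and generated clients reject weak PBKDF2 parameters before the request is sent. `keySize` likewise has no bounds; if the service enforces a range, it should appear here as well.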
@@ -23751,7 +34873,20 @@ components: $ref: '#/components/schemas/PasswordPolicyPasswordSettings' recovery: $ref: '#/components/schemas/PasswordPolicyRecoverySettings' + PasswordProtectionWarningTrigger: + description: Indicates whether the Password Protection Warning feature is enabled + example: PHISHING_REUSE + type: string + x-enumDescriptions: + PASSWORD_PROTECTION_OFF: Password protection warning is off + PASSWORD_REUSE: Password protection warning is triggered by password reuse + PHISHING_REUSE: Password protection warning is triggered by password reuse on a phishing page + x-okta-known-values: + - PASSWORD_PROTECTION_OFF + - PASSWORD_REUSE + - PHISHING_REUSE PasswordSettingObject: + description: Determines whether Okta creates and pushes a password in the application for each assigned user type: object properties: change: @@ -23759,7 +34894,10 @@ components: seed: $ref: '#/components/schemas/SeedEnum' status: - $ref: '#/components/schemas/EnabledStatus' + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + - example: ENABLED PerClientRateLimitMode: type: string x-okta-known-values: @@ -23789,6 +34927,8 @@ components: Permission: type: object properties: + conditions: + $ref: '#/components/schemas/PermissionConditions' created: type: string format: date-time @@ -23804,13 +34944,18 @@ components: description: Timestamp when the role was last updated readOnly: true _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - role: - $ref: '#/components/schemas/HrefObject' - readOnly: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + role: + $ref: '#/components/schemas/HrefObject' + PermissionConditions: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + description: Conditions for further restricting a permission + nullable: true + type: object Permissions: type: object properties: 
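Review bot: `PermissionConditions` is introduced as `type: object` with `nullable: true` and no `properties`, so the spec documents neither the shape of a condition nor what a `null` value means. The field narrows what a permission grants, so the description should state explicitly whether `null` or an omitted `conditions` leaves the permission unrestricted. That appears to be the case, but the hunk does not say so. A short example of a valid conditions object, or a pointer to where the format is defined, would let reviewers of custom roles see whether a permission is actually scoped.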
@@ -23818,6 +34963,21 @@ components: type: array items: $ref: '#/components/schemas/Permission' + PinRequest: + description: Pin Request + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta + type: string + fulfillmentProvider: + description: Name of the fulfillment provider for the WebAuthn Preregistration Factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string PipelineType: description: The authentication pipeline of the org. `idx` means the org is using the Identity Engine, while `v1` means the org is using the Classic authentication pipeline. type: string @@ -23828,6 +34988,7 @@ components: type: string x-okta-known-values: - ANDROID + - CHROMEOS - IOS - MACOS - WINDOWS @@ -23874,27 +35035,36 @@ components: type: object properties: created: + description: Timestamp when the Policy was created type: string format: date-time readOnly: true description: + description: Policy description type: string id: + description: Policy ID type: string readOnly: true lastUpdated: + description: Timestamp when the Policy was last updated type: string format: date-time readOnly: true name: + description: Policy name type: string priority: + description: Specifies the order in which this Policy is evaluated in relation to the other policies in a custom authorization server. type: integer status: + description: Specifies whether requests have access to this Policy $ref: '#/components/schemas/LifecycleStatus' system: + description: Specifies whether Okta created the Policy type: boolean type: + description: Indicates that the Policy is an authorization server policy (`OAUTH_AUTHORIZATION_POLICY`) $ref: '#/components/schemas/PolicyType' _embedded: type: object 
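Review bot: In the hunk at -23874, the added `description` lines on `status` and `type` sit directly beside a `$ref`, and under OpenAPI 3.0 keywords next to a `$ref` are ignored, so this text will probably not reach generated models or docs (assuming the spec is 3.0 rather than 3.1). The `type` text also describes every policy as an authorization server policy (`OAUTH_AUTHORIZATION_POLICY`), a value this same patch drops from the `PolicyType` known values in the -24120 hunk. Wrapping the reference as the patch already does for `PasswordSettingObject.status` (`allOf:` with `- $ref: '#/components/schemas/PolicyType'` and `- description: Policy type`) would carry the text and keep it type-neutral. The schema's name and opening lines are outside this hunk.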
@@ -23903,12 +35073,8 @@ components: properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - discriminator: *ref_7 + $ref: '#/components/schemas/LinksSelf' + discriminator: *ref_13 PolicyAccess: type: string x-okta-known-values: 
@@ -23938,6 +35104,96 @@ components: type: array items: type: string + PolicyContext: + type: object + properties: + device: + type: object + properties: + platform: + type: string + description: The platform of the device, for example, IOS. + registered: + type: boolean + description: If the device is registered + managed: + type: boolean + description: If the device is managed + groups: + type: object + description: An array of Group IDs for the simulate operation. Only user IDs or Group IDs are allowed, not both. + properties: + ids: + type: array + items: + type: string + uniqueItems: true + required: + - ids + ip: + type: string + description: The network rule condition, zone, or IP address + risk: + type: object + description: The risk rule condition level + properties: + level: + type: string + enum: + - LOW + - MEDIUM + - HIGH + user: + type: object + description: The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both. + properties: + id: + type: string + description: The unique ID number for the user. + required: + - id + zones: + type: object + properties: + ids: + type: array + items: + type: string + required: + - user + - groups + PolicyMapping: + type: object + properties: + id: + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + application: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mapped application + authenticator: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mapped authenticator + policy: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mapped policy + PolicyMappingRequest: + type: object + properties: + resourceId: + type: string + resourceType: + $ref: '#/components/schemas/PolicyMappingResourceType' + PolicyMappingResourceType: + type: string + x-okta-known-values: + - APP PolicyNetworkCondition: type: object properties: 
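Review bot: The new `PolicyContext` schema ends with `required: - user - groups`, while the descriptions of both `user` and `groups` say "Only user IDs or Group IDs are allowed, not both". Indentation is lost on this page, but the list can only belong to `PolicyContext` itself, so a request that follows the prose fails strict schema validation and the generated model marks both fields as mandatory. If the either/or wording is the real contract, express it as `oneOf: [{required: [user]}, {required: [groups]}]` or drop the `required` list. Otherwise correct the two descriptions so that callers do not guess which rule applies to a policy simulation.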
@@ -23952,11 +35208,13 @@ components: items: type: string PolicyNetworkConnection: + description: Network selection mode type: string x-okta-known-values: - ANYWHERE - ZONE PolicyPeopleCondition: + description: Identifies Users and Groups that are used together type: object properties: groups: @@ -23984,43 +35242,36 @@ components: properties: created: type: string + description: Timestamp when the rule was created format: date-time readOnly: true nullable: true id: type: string + description: Identifier for the rule lastUpdated: type: string + description: Timestamp when the rule was last modified format: date-time readOnly: true nullable: true name: type: string + description: Name of the rule priority: type: integer + description: Priority of the rule status: $ref: '#/components/schemas/LifecycleStatus' system: type: boolean + description: Specifies whether Okta created the Policy Rule (`system=true`). You can't delete Policy Rules that have `system` set to `true`. default: false type: $ref: '#/components/schemas/PolicyRuleType' - discriminator: *ref_9 + discriminator: *ref_15 PolicyRuleActions: type: object - properties: - enroll: - $ref: '#/components/schemas/PolicyRuleActionsEnroll' - idp: - $ref: '#/components/schemas/IdpPolicyRuleAction' - passwordChange: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServicePasswordReset: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServiceUnlock: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - signon: - $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' PolicyRuleActionsEnroll: type: object properties: @@ -24088,6 +35339,7 @@ components: userStatus: $ref: '#/components/schemas/UserStatusPolicyRuleCondition' PolicyRuleType: + description: Rule type type: string x-okta-known-values: - ACCESS_POLICY 
@@ -24120,12 +35372,12 @@ components: - USERNAME - USERNAME_OR_EMAIL PolicyType: + description: All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page. Creating or replacing a policy with `IDP_DISCOVERY` type isn't supported. type: string x-okta-known-values: - ACCESS_POLICY - IDP_DISCOVERY - MFA_ENROLL - - OAUTH_AUTHORIZATION_POLICY - OKTA_SIGN_ON - PASSWORD - PROFILE_ENROLLMENT @@ -24152,12 +35404,39 @@ components: properties: deviceBound: type: string + description: Indicates if device-bound Factors are required. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL hardwareProtection: type: string + description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL phishingResistant: type: string + description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL userPresence: type: string + description: Indicates if the user needs to approve an Okta Verify prompt or provide biometrics (meets NIST AAL2 requirements). This property is only set for `POSSESSION` constraints. + enum: + - OPTIONAL + - REQUIRED + default: REQUIRED + userVerification: + type: string + description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor + enum: + - OPTIONAL + - REQUIRED + default: OPTIONAL PreRegistrationInlineHook: type: object properties: 
@@ -24236,12 +35515,20 @@ components: items: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute' type: array + progressiveProfilingAction: + type: string + enum: + - ENABLED + - DISABLED targetGroupIds: items: type: string type: array unknownUserAction: type: string + enum: + - DENY + - REGISTER ProfileEnrollmentPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' 
@@ -24264,61 +35551,113 @@ components: required: type: boolean ProfileMapping: + description: |- + The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). + + > **Note:** Same type source/target mappings aren't supported by this API. Profile mappings must either be Okta->App or App->Okta. type: object properties: id: type: string + description: Unique identifier for a profile mapping readOnly: true properties: type: object additionalProperties: $ref: '#/components/schemas/ProfileMappingProperty' - readOnly: true + readOnly: false source: $ref: '#/components/schemas/ProfileMappingSource' target: - $ref: '#/components/schemas/ProfileMappingSource' + $ref: '#/components/schemas/ProfileMappingTarget' _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' ProfileMappingProperty: + description: A target property, in string form, that maps to a valid [JSON Schema Draft](https://tools.ietf.org/html/draft-zyp-json-schema-04) document. type: object properties: expression: + description: Combination or single source properties that are mapped to the target property type: string pushStatus: $ref: '#/components/schemas/ProfileMappingPropertyPushStatus' ProfileMappingPropertyPushStatus: + description: |- + Indicates whether to update target properties for user create and update or just for user create. + + Having a pushStatus of `PUSH` causes properties in the target to be updated on create and update. Having a pushStatus of `DONT_PUSH` causes properties in the target to be updated only on create. 
type: string x-okta-known-values: - DONT_PUSH - PUSH + ProfileMappingRequest: + description: The updated request body properties + type: object + properties: + properties: + type: object + additionalProperties: + $ref: '#/components/schemas/ProfileMappingProperty' + required: + - properties + - additionalProperties + - expression + - pushStatus ProfileMappingSource: + description: |- + The parameter is the source of a profile mapping and is a valid [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) document with the following properties. The data type can be an app instance or an Okta object. + + > **Note:** If the source is Okta and the UserTypes feature isn't enabled, then the source `_links` only has a link to the schema. type: object properties: id: type: string + description: Unique identifier for the application instance or userType readOnly: true name: type: string + description: Variable name of the application instance or name of the referenced UserType readOnly: true type: type: string + description: Type of user referenced in the mapping readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} + $ref: '#/components/schemas/SourceLinks' + ProfileMappingTarget: + description: |- + The parameter is the target of a profile mapping and is a valid [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) document with the following properties. The data type can be an app instance or an Okta object. + + > **Note:** If the target is Okta and the UserTypes feature isn't enabled, then the target `_links` only has a link to the schema. 
+ type: object + properties: + id: + type: string + description: Unique identifier for the application instance or UserType + readOnly: true + name: + type: string + description: Variable name of the application instance or name of the referenced userType + readOnly: true + type: + type: string + description: Type of user referenced in the mapping readOnly: true + _links: + $ref: '#/components/schemas/SourceLinks' ProfileSettingObject: + description: | + This setting determines whether a user in the application gets updated when they're updated in Okta. + + If enabled, Okta updates a user's attributes in the application when the application is assigned. + Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the application. type: object properties: status: - $ref: '#/components/schemas/EnabledStatus' + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - example: DISABLED + - default: DISABLED Protocol: type: object properties: 
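Review bot: `ProfileMappingRequest` lists `properties`, `additionalProperties`, `expression` and `pushStatus` under `required`, but the object declares only the `properties` field. `additionalProperties` is a schema keyword, and `expression` and `pushStatus` are fields of `ProfileMappingProperty`, one level down. A strict validator would therefore reject a correct update body for lacking top-level keys of those names. The list should be `required: - properties` alone, with any per-mapping requirement stated on `ProfileMappingProperty`.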
@@ -24466,33 +35805,117 @@ components: status: $ref: '#/components/schemas/ProvisioningConnectionStatus' _links: - additionalProperties: - type: object - readOnly: true - type: object + $ref: '#/components/schemas/LinksSelfLifecycleAndAuthorize' + required: + - authScheme + - status + discriminator: *ref_21 ProvisioningConnectionAuthScheme: + description: Defines the method of authentication type: string + x-enumDescriptions: + TOKEN: A token is used to authenticate with the app. + OAUTH2: OAuth 2.0 is used to authenticate with the app. + UNKNOWN: The authentication scheme used by the app isn't supported, or the app doesn't support provisioning. x-okta-known-values: + - OAUTH2 - TOKEN - UNKNOWN + ProvisioningConnectionOauth: + allOf: + - $ref: '#/components/schemas/ProvisioningConnection' + - type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileOauth' + ProvisioningConnectionOauthRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileOauth' + required: + - profile ProvisioningConnectionProfile: + description: | + The profile used to configure the connection method of authentication and the credentials. + Currently, token-based and OAuth 2.0-based authentication are supported. type: object properties: authScheme: $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' - token: - type: string - ProvisioningConnectionRequest: - type: object - properties: - profile: - $ref: '#/components/schemas/ProvisioningConnectionProfile' + required: + - authScheme + ProvisioningConnectionProfileOauth: + description: | + The app provisioning connection profile used to configure the method of authentication and the credentials. + Currently, token-based and OAuth 2.0-based authentication are supported. 
+ allOf: + - $ref: '#/components/schemas/ProvisioningConnectionProfile' + - type: object + properties: + clientId: + type: string + description: Unique client identifier for the OAuth 2.0 service app from the target org + required: + - authScheme + ProvisioningConnectionProfileOauthSettings: + title: Generic + description: Specific settings aren't defined for generic OAuth 2.0 provisioning connections + additionalProperties: + type: string + type: object + ProvisioningConnectionProfileToken: + description: | + The app provisioning connection profile used to configure the method of authentication and the credentials. + Currently, token-based and OAuth 2.0-based authentication are supported. + allOf: + - $ref: '#/components/schemas/ProvisioningConnectionProfile' + - type: object + properties: + token: + type: string + description: Token used to authenticate with the app + required: + - authScheme + - token + ProvisioningConnectionProfileUnknown: + description: Unknown provisioning connection + allOf: + - $ref: '#/components/schemas/ProvisioningConnectionProfile' + - type: object ProvisioningConnectionStatus: + description: Provisioning connection status + default: DISABLED type: string + x-enumDescriptions: + DISABLED: The provisioning connection is disabled. + ENABLED: The provisioning connection is enabled. + UNKNOWN: Provisioning isn't supported by the app, or the authentication method is unknown. 
x-okta-known-values: - DISABLED - ENABLED - UNKNOWN + ProvisioningConnectionToken: + allOf: + - $ref: '#/components/schemas/ProvisioningConnection' + - type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileToken' + ProvisioningConnectionTokenRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileToken' + required: + - profile + ProvisioningConnectionUnknown: + allOf: + - $ref: '#/components/schemas/ProvisioningConnection' + - type: object + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionProfileUnknown' ProvisioningDeprovisionedAction: type: string x-okta-known-values: @@ -24535,6 +35958,11 @@ components: properties: action: $ref: '#/components/schemas/ProvisioningSuspendedAction' + PushMethodKeyProtection: + type: string + x-okta-known-values: + - ANY + - HARDWARE PushProvider: title: PushProvider type: object 
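Review bot: In the -24466 hunk, `ProvisioningConnectionProfileToken.token` ("Token used to authenticate with the app") is a credential but is not marked `writeOnly: true`. The same schema backs both `ProvisioningConnectionTokenRequest` and the `ProvisioningConnectionToken` response shape, so generated response models and docs present the secret as a field that comes back. Elsewhere in this patch `RecoveryQuestionCredential.answer` does get `writeOnly: true`. Whether the service ever echoes the token cannot be told from the spec, so confirm that. If it does not, add `writeOnly: true` under `token` so SDK users do not log or persist a response field expecting it to hold the secret.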
@@ -24551,76 +35979,345 @@ components: providerType: $ref: '#/components/schemas/ProviderType' _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true - discriminator: *ref_11 - PushUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - expiresAt: - type: string - format: date-time - factorResult: - $ref: '#/components/schemas/FactorResultType' - profile: - $ref: '#/components/schemas/PushUserFactorProfile' - PushUserFactorProfile: + $ref: '#/components/schemas/LinksSelf' + discriminator: *ref_17 + RateLimitAdminNotifications: + title: RateLimitAdminNotifications + description: '' type: object properties: - credentialId: + notificationsEnabled: + type: boolean + required: + - notificationsEnabled + RateLimitWarningThresholdRequest: + title: RateLimitWarningThreshold + description: '' + type: object + properties: + warningThreshold: + description: The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs. + type: integer + minimum: 30 + maximum: 90 + required: + - warningThreshold + RateLimitWarningThresholdResponse: + title: RateLimitWarningThreshold + description: '' + type: object + properties: + warningThreshold: + description: The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs. 
+ type: integer + minimum: 30 + maximum: 90 + Realm: + type: object + properties: + created: type: string - deviceToken: + format: date-time + description: Timestamp when the Realm was created + readOnly: true + id: type: string - deviceType: + description: Unique key for the Realm + readOnly: true + isDefault: + type: boolean + description: Conveys whether the Realm is the default + readOnly: true + lastUpdated: type: string - name: + format: date-time + description: Timestamp when the Realm was last updated + readOnly: true + profile: + $ref: '#/components/schemas/RealmProfile' + _links: + $ref: '#/components/schemas/LinksSelf' + RealmAssignmentRule: + type: object + properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + created: type: string - platform: + format: date-time + readOnly: true + id: type: string - version: + readOnly: true + isDefault: + type: boolean + readOnly: true + lastUpdated: type: string - RateLimitAdminNotifications: - title: RateLimitAdminNotifications - description: '' + format: date-time + readOnly: true + name: + type: string + priority: + type: integer + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/LinksSelf' + RealmProfile: type: object properties: - notificationsEnabled: - type: boolean + name: + type: string + description: Name of a Realm + realmType: + type: string + description: An optional parameter to specify type of a Realm (Only applicable for Partner use-case) + enum: + - PARTNER + - OTHER + x-enumDescriptions: + PARTNER: Realm with external partner portal + OTHER: Other required: - - notificationsEnabled + - name RecoveryQuestionCredential: + description: |- + Specifies a secret question and answer that's validated (case insensitive) when a user forgets their + password or unlocks their account. The answer property is write-only. 
+ type: object + properties: + answer: + type: string + description: The recovery question answer + minimum: 1 + maximum: 100 + writeOnly: true + question: + type: string + description: The recovery question + minimum: 1 + maximum: 100 + ReleaseChannel: + description: Release channel for auto-update + type: string + x-okta-known-values: + - BETA + - EA + - GA + - TEST + RequiredEnum: + type: string + x-okta-known-values: + - ALWAYS + - HIGH_RISK_ONLY + - NEVER + ResetPasswordToken: + type: object + properties: + resetPasswordUrl: + type: string + readOnly: true + ResourceSelectorCreateRequestSchema: + type: object + properties: + description: + type: string + description: Description of the Resource Selector + filter: + type: string + description: SCIM filter of the Resource Selector + name: + type: string + description: Name of the Resource Selector + schema: + type: string + description: Schema of the Resource Selector + ResourceSelectorPatchRequestSchema: + type: object + properties: + description: + type: string + description: Description of the Resource Selector + filter: + type: string + description: SCIM filter of the Resource Selector + name: + type: string + description: Name of the Resource Selector + ResourceSelectorResponseSchema: + type: object + properties: + description: + type: string + description: Description of the Resource Selector + id: + type: string + description: Unique key for the Resource Selector + name: + type: string + description: Name of the Resource Selector + orn: + type: string + description: An Okta resource name + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + resources: + $ref: '#/components/schemas/HrefObject' + ResourceSelectorResponseWithoutSelfLinkSchema: + type: object + properties: + description: + type: string + description: Description of the Resource Selector + id: + type: string + description: Unique key for the Resource Selector + name: + type: string + description: Name of the Resource 
Selector + orn: + type: string + description: An Okta resource name + _links: + allOf: + - properties: + resources: + $ref: '#/components/schemas/HrefObject' + ResourceSelectorsSchema: + type: object + properties: + resourceSelectors: + type: array + items: + $ref: '#/components/schemas/ResourceSelectorResponseWithoutSelfLinkSchema' + _links: + $ref: '#/components/schemas/LinksNext' + ResourceSet: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the role was created + readOnly: true + description: + type: string + description: Description of the Resource Set + id: + type: string + description: Unique key for the role + readOnly: true + label: + type: string + description: Unique label for the Resource Set + lastUpdated: + type: string + format: date-time + description: Timestamp when the role was last updated + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + resources: + $ref: '#/components/schemas/HrefObject' + bindings: + $ref: '#/components/schemas/HrefObject' + ResourceSetBindingAddMembersRequest: + type: object + properties: + additions: + type: array + items: + type: string + ResourceSetBindingCreateRequest: + type: object + properties: + members: + type: array + items: + type: string + role: + type: string + description: Unique key for the role + ResourceSetBindingMember: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the role was created + readOnly: true + id: + type: string + description: Unique key for the role + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the role was last updated + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' + ResourceSetBindingMembers: + type: object + properties: + members: + type: array + items: + $ref: '#/components/schemas/ResourceSetBindingMember' + _links: + allOf: + - $ref: 
'#/components/schemas/LinksNext' + - properties: + binding: + $ref: '#/components/schemas/HrefObject' + ResourceSetBindingResponse: + type: object + properties: + id: + type: string + description: '`id` of the role' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + bindings: + $ref: '#/components/schemas/HrefObject' + resource-set: + $ref: '#/components/schemas/HrefObject' + ResourceSetBindingRole: type: object properties: - answer: - type: string - question: + id: type: string - ReleaseChannel: - description: Release channel for auto-update - type: string - x-okta-known-values: - - BETA - - EA - - GA - - TEST - RequiredEnum: - type: string - x-okta-known-values: - - ALWAYS - - HIGH_RISK_ONLY - - NEVER - ResetPasswordToken: + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + members: + $ref: '#/components/schemas/HrefObject' + ResourceSetBindings: type: object properties: - resetPasswordUrl: - type: string - readOnly: true - ResourceSet: + roles: + type: array + items: + $ref: '#/components/schemas/ResourceSetBindingRole' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + bindings: + $ref: '#/components/schemas/HrefObject' + resource-set: + $ref: '#/components/schemas/HrefObject' + ResourceSetResource: type: object properties: created: 
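Review bot: In `RecoveryQuestionCredential`, both `answer` and `question` are `type: string` yet are bounded with `minimum: 1` and `maximum: 100`. Those keywords constrain numeric values only, so validators and the generator ignore them and the intended 1–100 character limit on the recovery question and answer is not expressed. Use `minLength: 1` and `maxLength: 100` on both properties, matching the `maxLength: 512` used for `RiskEventSubject.message` later in this patch.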
@@ -24630,1117 +36327,2182 @@ components: readOnly: true description: type: string - description: Description of the resource set + description: Description of the Resource Set id: type: string description: Unique key for the role readOnly: true - label: - type: string - description: Unique label for the resource set lastUpdated: type: string format: date-time description: Timestamp when the role was last updated readOnly: true _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - resources: - $ref: '#/components/schemas/HrefObject' - bindings: - $ref: '#/components/schemas/HrefObject' - readOnly: true - ResourceSetBindingAddMembersRequest: + $ref: '#/components/schemas/LinksSelf' + ResourceSetResourcePatchRequest: type: object properties: additions: type: array items: type: string - ResourceSetBindingCreateRequest: + ResourceSetResources: type: object properties: - members: + resources: type: array items: - type: string - role: + $ref: '#/components/schemas/ResourceSetResource' + _links: + allOf: + - $ref: '#/components/schemas/LinksNext' + - properties: + resource-set: + $ref: '#/components/schemas/HrefObject' + ResourceSets: + type: object + properties: + resource-sets: + type: array + items: + $ref: '#/components/schemas/ResourceSet' + _links: + $ref: '#/components/schemas/LinksNext' + ResponseLinks: + type: object + RiskEvent: + type: object + properties: + expiresAt: type: string - description: Unique key for the role - ResourceSetBindingMember: + format: date-time + description: 'Timestamp at which the event expires (expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`). If this optional field is not included, Okta automatically expires the event 24 hours after the event is consumed.' 
+ subjects: + type: array + description: List of Risk Event Subjects + items: + $ref: '#/components/schemas/RiskEventSubject' + timestamp: + type: string + format: date-time + description: 'Timestamp of when the event is produced (expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`)' + required: + - subjects + RiskEventSubject: + type: object + properties: + ip: + type: string + description: The risk event subject IP address (either an IPv4 or IPv6 address) + message: + type: string + description: Additional reasons for the risk level of the IP + maxLength: 512 + pattern: ^[a-zA-Z0-9 .\-_]*$ + riskLevel: + $ref: '#/components/schemas/RiskEventSubjectRiskLevel' + required: + - ip + - riskLevel + RiskEventSubjectRiskLevel: + description: The risk level associated with the IP + type: string + x-okta-known-values: + - HIGH + - LOW + - MEDIUM + RiskPolicyRuleCondition: + type: object + properties: + behaviors: + uniqueItems: true + type: array + items: + type: string + RiskProvider: type: object properties: + action: + $ref: '#/components/schemas/RiskProviderAction' + clientId: + type: string + description: The ID of the [OAuth service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-and-grant-scopes) that is used to send risk events to Okta + example: 00cjkjjkkgjkdkjdkkljjsd created: type: string format: date-time - description: Timestamp when the role was created + description: Timestamp when the Risk Provider object was created readOnly: true + example: '2021-01-05 22:18:30' id: type: string - description: Unique key for the role + description: The ID of the Risk Provider object readOnly: true + example: 00rp12r4skkjkjgsn lastUpdated: type: string format: date-time - description: Timestamp when the role was last updated + description: Timestamp when the Risk Provider object was last updated readOnly: true + example: '2021-01-05 22:18:30' + name: + type: string + description: Name 
of the risk provider + maxLength: 50 + example: Risk-Partner-X _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true - ResourceSetBindingMembers: + $ref: '#/components/schemas/LinksSelf' + required: + - name + - clientId + - action + - id + - _links + RiskProviderAction: + description: Action taken by Okta during authentication attempts based on the risk events sent by this provider + default: log_only + type: string + x-enumDescriptions: + log_only: Include risk event information in the System Log + none: No action + enforce_and_log: Use risk event information to evaluate risks during authentication attempts and include risk event information in the System Log + x-okta-known-values: + - enforce_and_log + - log_only + - none + RiskScorePolicyRuleCondition: type: object properties: - members: - type: array - items: - $ref: '#/components/schemas/ResourceSetBindingMember' - _links: + level: + type: string + Role: + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + format: date-time + readOnly: true + description: + type: string + id: + type: string + readOnly: true + label: + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + status: + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/RoleType' + _embedded: type: object - properties: - binding: - $ref: '#/components/schemas/HrefObject' - next: - $ref: '#/components/schemas/HrefObject' + additionalProperties: + type: object + properties: {} readOnly: true - ResourceSetBindingResponse: + _links: + $ref: '#/components/schemas/LinksSelf' + RoleAssignedUser: type: object properties: id: type: string - description: '`id` of the role' - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - bindings: - $ref: '#/components/schemas/HrefObject' - resource-set: - $ref: 
'#/components/schemas/HrefObject' readOnly: true - ResourceSetBindingRole: + orn: + type: string + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelfAndRoles' + RoleAssignedUsers: + type: object + properties: + value: + type: array + items: + $ref: '#/components/schemas/RoleAssignedUser' + _links: + $ref: '#/components/schemas/LinksNext' + RoleAssignmentType: + type: string + x-okta-known-values: + - GROUP + - USER + RolePermissionType: + type: string + x-okta-known-values: + - okta.apps.assignment.manage + - okta.apps.manage + - okta.apps.manageFirstPartyApps + - okta.apps.read + - okta.authzServers.manage + - okta.authzServers.read + - okta.customizations.manage + - okta.customizations.read + - okta.devices.lifecycle.activate + - okta.devices.lifecycle.deactivate + - okta.devices.lifecycle.delete + - okta.devices.lifecycle.manage + - okta.devices.lifecycle.suspend + - okta.devices.lifecycle.unsuspend + - okta.devices.manage + - okta.devices.read + - okta.governance.accessCertifications.manage + - okta.governance.accessRequests.manage + - okta.groups.appAssignment.manage + - okta.groups.create + - okta.groups.manage + - okta.groups.members.manage + - okta.groups.read + - okta.identityProviders.manage + - okta.identityProviders.read + - okta.profilesources.import.run + - okta.users.appAssignment.manage + - okta.users.create + - okta.users.credentials.expirePassword + - okta.users.credentials.manage + - okta.users.credentials.resetFactors + - okta.users.credentials.resetPassword + - okta.users.groupMembership.manage + - okta.users.lifecycle.activate + - okta.users.lifecycle.clearSessions + - okta.users.lifecycle.deactivate + - okta.users.lifecycle.delete + - okta.users.lifecycle.manage + - okta.users.lifecycle.suspend + - okta.users.lifecycle.unlock + - okta.users.lifecycle.unsuspend + - okta.users.manage + - okta.users.read + - okta.users.userprofile.manage + RoleType: + type: string + x-enumDescriptions: + - API_ACCESS_MANAGEMENT_ADMIN: Access 
Management Administrator + - API_ADMIN: Access Management Administrator + - APP_ADMIN: Application Administrator + - CUSTOM: Custom Label specified by the client + - GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator + - HELP_DESK_ADMIN: Help Desk Administrator + - MOBILE_ADMIN: Mobile Administrator + - ORG_ADMIN: Organizational Administrator + - READ_ONLY_ADMIN: Read-Only Administrator + - REPORT_ADMIN: Report Administrator + - SUPER_ADMIN: Super Administrator + - USER_ADMIN: Group Administrator + x-okta-known-values: + - API_ACCESS_MANAGEMENT_ADMIN + - API_ADMIN + - APP_ADMIN + - CUSTOM + - GROUP_MEMBERSHIP_ADMIN + - HELP_DESK_ADMIN + - MOBILE_ADMIN + - ORG_ADMIN + - READ_ONLY_ADMIN + - REPORT_ADMIN + - SUPER_ADMIN + - USER_ADMIN + SafeBrowsingProtectionLevel: + description: Represents the current value of the Safe Browsing protection level + example: ENHANCED_PROTECTION + type: string + x-enumDescriptions: + NO_SAFE_BROWSING: Safe Browsing is never active + STANDARD_PROTECTION: Safe Browsing is active in the standard mode + ENHANCED_PROTECTION: Safe Browsing is active in the enhanced mode + x-okta-known-values: + - ENHANCED_PROTECTION + - NO_SAFE_BROWSING + - STANDARD_PROTECTION + SalesforceApplicationSettings: + allOf: + - $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/SalesforceApplicationSettingsApplication' + SalesforceApplicationSettingsApplication: + description: Salesforce app instance properties type: object properties: - id: + instanceType: type: string - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - members: - $ref: '#/components/schemas/HrefObject' - ResourceSetBindings: + description: Salesforce instance that you want to connect to + enum: + - SANDBOX + - PRODUCTION + - GOVERNMENT + integrationType: + type: string + description: Salesforce integration type + enum: + - STANDARD + - PORTAL + - 
COMMUNITY + loginUrl: + type: string + description: The Login URL specified in your Salesforce Single Sign-On settings + logoutUrl: + type: string + description: Salesforce Logout URL + required: + - integrationType + - instanceType + Saml: + description: SAML configuration details type: object properties: - roles: + acs: type: array + minItems: 1 + description: 'List of Assertion Consumer Service (ACS) URLs. The default ACS URL is required and is indicated by a null `index` value. You can use the org-level variables you defined in the `config` array in the URL. For example: `https://${org.subdomain}.example.com/saml/login`' items: - $ref: '#/components/schemas/ResourceSetBindingRole' - _links: - type: object + type: object + properties: + index: + type: number + minimum: 0 + maximum: 65535 + description: Index of ACS URL. You can't reuse the same index in the ACS URL array. + example: 0 + url: + type: string + format: uri + maxLength: 1024 + description: Assertion Consumer Service (ACS) URL + example: https://${org.subdomain}.example.com/saml/login + doc: + type: string + format: uri + description: The URL to your customer-facing instructions for configuring your SAML integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). + example: https://example.com/strawberry/help/samlSetup + entityId: + type: string + description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP) URL. 
+ example: https://${org.subdomain}.example.com + required: + - acs + - entityId + - doc + SamlApplication: + allOf: + - $ref: '#/components/schemas/Application' + - type: object properties: - self: - $ref: '#/components/schemas/HrefObject' - bindings: - $ref: '#/components/schemas/HrefObject' - resource-set: - $ref: '#/components/schemas/HrefObject' - readOnly: true - ResourceSetResource: + credentials: + $ref: '#/components/schemas/ApplicationCredentials' + name: + type: string + description: Unique key for the app definition + settings: + $ref: '#/components/schemas/SamlApplicationSettings' + SamlApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + app: + $ref: '#/components/schemas/SamlApplicationSettingsApplication' + signOn: + $ref: '#/components/schemas/SamlApplicationSettingsSignOn' + SamlApplicationSettingsApplication: type: object properties: - created: - type: string - format: date-time - description: Timestamp when the role was created - readOnly: true - description: + acsUrl: type: string - description: Description of the resource set - id: + audRestriction: type: string - description: Unique key for the role - readOnly: true - lastUpdated: + baseUrl: type: string - format: date-time - description: Timestamp when the role was last updated - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - ResourceSetResourcePatchRequest: + SamlApplicationSettingsSignOn: type: object properties: - additions: + acsEndpoints: type: array items: - type: string - ResourceSetResources: - type: object - properties: - resources: + $ref: '#/components/schemas/AcsEndpoint' + allowMultipleAcsEndpoints: + type: boolean + assertionSigned: + type: boolean + attributeStatements: type: array items: - $ref: '#/components/schemas/ResourceSetResource' - _links: - type: object - properties: - next: - $ref: '#/components/schemas/HrefObject' - resource-set: - 
$ref: '#/components/schemas/HrefObject' - ResourceSets: - type: object - properties: - resource-sets: + $ref: '#/components/schemas/SamlAttributeStatement' + audience: + type: string + audienceOverride: + type: string + description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm) + authnContextClassRef: + type: string + configuredAttributeStatements: type: array items: - $ref: '#/components/schemas/ResourceSet' - _links: - type: object - properties: - next: - $ref: '#/components/schemas/HrefObject' - readOnly: true - ResponseLinks: - type: object - RiskEvent: - type: object - properties: - expiresAt: + $ref: '#/components/schemas/SamlAttributeStatement' + defaultRelayState: type: string - format: date-time - description: 'Time stamp at which the event expires (Expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd''T''HH:mm:ss.SSS''Z''). If this optional field is not included, Okta automatically expires the event 24 hours after the event is consumed.' - subjects: - type: array + description: Identifies a specific application resource in an IDP-initiated SSO scenario + destination: + type: string + destinationOverride: + type: string + description: Destination override for CASB configuration. 
See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm) + digestAlgorithm: + type: string + honorForceAuthn: + type: boolean + description: Set to `true` to prompt users for their credentials when a SAML request has the `ForceAuthn` attribute set to `true` + idpIssuer: + type: string + inlineHooks: items: - $ref: '#/components/schemas/RiskEventSubject' - timestamp: + $ref: '#/components/schemas/SignOnInlineHook' + type: array + participateSlo: + $ref: '#/components/schemas/SloParticipate' + recipient: type: string - format: date-time - description: 'Time stamp at which the event is produced (Expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd''T''HH:mm:ss.SSS''Z'').' - required: - - subjects - RiskEventSubject: - type: object - properties: - ip: + recipientOverride: type: string - description: Either an IpV4 or IpV6 address. - message: + description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm) + requestCompressed: + type: boolean + responseSigned: + type: boolean + signatureAlgorithm: type: string - description: Any additional message that the provider can send specifying the reason for the risk level of the IP. - maxLength: 512 - pattern: ^[a-zA-Z0-9.\-_]$ - riskLevel: - $ref: '#/components/schemas/RiskEventSubjectRiskLevel' - required: - - ip - RiskEventSubjectRiskLevel: - type: string - x-okta-known-values: - - HIGH - - LOW - - MEDIUM - RiskPolicyRuleCondition: + slo: + $ref: '#/components/schemas/SingleLogout' + spCertificate: + $ref: '#/components/schemas/SpCertificate' + spIssuer: + type: string + ssoAcsUrl: + type: string + ssoAcsUrlOverride: + type: string + description: Assertion Consumer Service URL override for CASB configuration. 
See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm) + subjectNameIdFormat: + type: string + subjectNameIdTemplate: + type: string + SamlAttributeStatement: + description: Define custom attribute statements for the integration. These statements are inserted into the SAML assertions shared with your app type: object properties: - behaviors: - uniqueItems: true + filterType: + type: string + filterValue: + type: string + name: + type: string + namespace: + type: string + type: + type: string + values: type: array items: type: string - RiskProvider: + ScheduledUserLifecycleAction: type: object properties: - action: - $ref: '#/components/schemas/RiskProviderAction' - clientId: + status: + $ref: '#/components/schemas/PolicyUserStatus' + SchemeApplicationCredentials: + allOf: + - $ref: '#/components/schemas/ApplicationCredentials' + - type: object + properties: + password: + $ref: '#/components/schemas/PasswordCredential' + revealPassword: + type: boolean + description: Allow users to securely see their password + scheme: + $ref: '#/components/schemas/ApplicationCredentialsScheme' + signing: + $ref: '#/components/schemas/ApplicationCredentialsSigning' + userName: + type: string + ScreenLockType: + type: string + x-okta-known-values: + - BIOMETRIC + - PASSCODE + SecurePasswordStoreApplication: + x-okta-defined-as: + name: template_sps + allOf: + - $ref: '#/components/schemas/Application' + - type: object + properties: + credentials: + $ref: '#/components/schemas/SchemeApplicationCredentials' + name: + type: string + description: Unique key for the app definition + default: template_sps + settings: + $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings' + SecurePasswordStoreApplicationSettings: + allOf: + - $ref: '#/components/schemas/ApplicationSettings' + - type: object + properties: + app: + $ref: '#/components/schemas/SecurePasswordStoreApplicationSettingsApplication' + 
SecurePasswordStoreApplicationSettingsApplication: + type: object + properties: + optionalField1: + type: string + optionalField1Value: + type: string + optionalField2: + type: string + optionalField2Value: type: string - description: The ID of the [OAuth service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-and-grant-scopes) that is used to send risk events to Okta - created: + optionalField3: type: string - format: date-time - description: Timestamp when the risk provider was created - readOnly: true - id: + optionalField3Value: type: string - description: The ID of the risk provider - readOnly: true - lastUpdated: + passwordField: type: string - format: date-time - description: Timestamp when the risk provider was last updated - readOnly: true - name: + url: type: string - description: Name of the risk provider - maxLength: 50 - _links: - type: object - properties: - self: - $ref: '#/components/schemas/HrefObject' - readOnly: true - required: - - name - - clientId - RiskProviderAction: - description: The action taken by Okta during authentication attempts based on the risk events sent by this provider. Logging can be found in the SystemLogs. 
- default: log_only + usernameField: + type: string + SeedEnum: + description: Determines whether the generated password is the user's Okta password or a randomly generated password + default: RANDOM + example: OKTA type: string x-okta-known-values: - - enforce_and_log - - log_only - - none - RiskScorePolicyRuleCondition: - type: object - properties: - level: - type: string - Role: + - OKTA + - RANDOM + SelfServicePasswordResetAction: + allOf: + - $ref: '#/components/schemas/PasswordPolicyRuleAction' + - type: object + - description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset + properties: + type: + type: string + readOnly: true + description: The type of rule action + enum: + - selfServicePasswordReset + requirement: + $ref: '#/components/schemas/SsprRequirement' + Session: type: object properties: - assignmentType: - $ref: '#/components/schemas/RoleAssignmentType' - created: + amr: + type: array + readOnly: true + description: Authentication method reference + items: + $ref: '#/components/schemas/SessionAuthenticationMethod' + createdAt: type: string format: date-time readOnly: true - description: + expiresAt: type: string + format: date-time + readOnly: true + description: A timestamp when the Session expires id: type: string readOnly: true - label: + description: A unique key for the Session + idp: + $ref: '#/components/schemas/SessionIdentityProvider' + lastFactorVerification: type: string + format: date-time readOnly: true - lastUpdated: + description: A timestamp when the user last performed multifactor authentication + lastPasswordVerification: type: string format: date-time readOnly: true + description: A timestamp when the user last performed the primary or step-up authentication with a password + login: + type: string + readOnly: true + description: A unique identifier for the user (username) status: - $ref: '#/components/schemas/LifecycleStatus' - type: - $ref: 
'#/components/schemas/RoleType' - _embedded: - type: object - additionalProperties: - type: object - properties: {} + $ref: '#/components/schemas/SessionStatus' + description: Current Session status + userId: + type: string readOnly: true + description: A unique key for the user _links: - type: object - additionalProperties: - type: object - properties: {} + $ref: '#/components/schemas/LinksSelf' + SessionAuthenticationMethod: + type: string + x-enumDescriptions: + pwd: Password authentication. **Inline hook value:** `PASSWORD` **Example:** Standard password-based sign-in + swk: Proof-of-possession (PoP) of a software key. **Inline hook value:** `POP_SOFTWARE_KEY` **Example:** Okta Verify with Push + hwk: Proof-of-possession (PoP) of a hardware key. **Inline hook value:** `POP_HARDWARE_KEY` **Example:** Yubikey factor + opt: One-time password. **Inline hook value:** `ONE_TIME_PASSWORD`. **Example:** Okta Verify, Google Authenticator + sms: SMS text message to the user at a registered number. **Inline hook value:** `SMS_MESSAGE`. **Example:** SMS factor + tel: Telephone call to the user at a registered number. **Inline hook value:** `TELEPHONE_CALL`. **Example:** Phone call factor + geo: Use of geo-location information. **Inline hook value:** `GEOLOCATION`. **Example:** IP Trust and Network Zone policy conditions + fpt: Fingerprint biometric authentication. **Inline hook value:** `BIO_FINGERPRINT`. **Example:** Okta Verify with Touch ID + kba: Knowledge-based authentication. **Inline hook value:** `KNOWLEDGE_BASED_AUTHENTICATION`. **Example:** Security Question factor + mfa: Multifactor authentication. **Inline hook value:** `MULTIFACTOR_AUTHENTICATION`. **Example:** This value is present whenever any MFA factor verification is performed. + mca: Multiple-channel authentication. **Inline hook value:** `MULTIPLE_CHANNEL_AUTHENTICATION`. 
**Example:** Authentication requires communication over more than one channel, such as Internet and mobile network + sc: Smart card authentication. **Inline hook value:** `SMART_CARD. **Example:** User authenticated using a smart card, such as a Personal Identity Verification (PIV) card or Common Access Card (CAC) + x-okta-known-values: + - fpt + - geo + - hwk + - kba + - mca + - mfa + - otp + - pwd + - sc + - sms + - swk + - tel + SessionIdentityProvider: + type: object + properties: + id: + type: string readOnly: true - RoleAssignmentType: + description: Identity Provider ID. If the `type` is `OKTA`, then the `id` is the org ID. + type: + $ref: '#/components/schemas/SessionIdentityProviderType' + SessionIdentityProviderType: type: string x-okta-known-values: - - GROUP - - USER - RolePermissionType: + - ACTIVE_DIRECTORY + - FEDERATION + - LDAP + - OKTA + - SOCIAL + SessionStatus: type: string + x-enumDescriptions: + ACTIVE: The Session is established and fully validated. + MFA_REQUIRED: The Session is established, but requires second factor verification. + MFA_ENROLL: The Session is established, but the user needs to enroll a second factor. 
x-okta-known-values: - - okta.apps.assignment.manage - - okta.apps.manage - - okta.apps.manageFirstPartyApps - - okta.apps.read - - okta.authzServers.manage - - okta.authzServers.read - - okta.customizations.manage - - okta.customizations.read - - okta.governance.accessCertifications.manage - - okta.governance.accessRequests.manage - - okta.groups.appAssignment.manage - - okta.groups.create - - okta.groups.manage - - okta.groups.members.manage - - okta.groups.read - - okta.profilesources.import.run - - okta.users.appAssignment.manage - - okta.users.create - - okta.users.credentials.expirePassword - - okta.users.credentials.manage - - okta.users.credentials.resetFactors - - okta.users.credentials.resetPassword - - okta.users.groupMembership.manage - - okta.users.lifecycle.activate - - okta.users.lifecycle.clearSessions - - okta.users.lifecycle.deactivate - - okta.users.lifecycle.delete - - okta.users.lifecycle.manage - - okta.users.lifecycle.suspend - - okta.users.lifecycle.unlock - - okta.users.lifecycle.unsuspend - - okta.users.manage - - okta.users.read - - okta.users.userprofile.manage - RoleType: + - ACTIVE + - MFA_ENROLL + - MFA_REQUIRED + ShowSignInWithOV: type: string x-okta-known-values: - - API_ACCESS_MANAGEMENT_ADMIN - - APP_ADMIN - - GROUP_MEMBERSHIP_ADMIN - - HELP_DESK_ADMIN - - MOBILE_ADMIN - - ORG_ADMIN - - READ_ONLY_ADMIN - - REPORT_ADMIN - - SUPER_ADMIN - - USER_ADMIN - SamlApplication: + - ALWAYS + - NEVER + SignInPage: allOf: - - $ref: '#/components/schemas/Application' + - $ref: '#/components/schemas/CustomizablePage' - type: object properties: - credentials: - $ref: '#/components/schemas/ApplicationCredentials' - name: - type: string - settings: - $ref: '#/components/schemas/SamlApplicationSettings' - SamlApplicationSettings: - allOf: - - $ref: '#/components/schemas/ApplicationSettings' - - type: object + contentSecurityPolicySetting: + $ref: '#/components/schemas/ContentSecurityPolicySetting' + widgetCustomizations: + type: object + properties: 
+ signInLabel: + type: string + usernameLabel: + type: string + usernameInfoTip: + type: string + passwordLabel: + type: string + passwordInfoTip: + type: string + showPasswordVisibilityToggle: + type: boolean + showUserIdentifier: + type: boolean + forgotPasswordLabel: + type: string + forgotPasswordUrl: + type: string + unlockAccountLabel: + type: string + unlockAccountUrl: + type: string + helpLabel: + type: string + helpUrl: + type: string + customLink1Label: + type: string + customLink1Url: + type: string + customLink2Label: + type: string + customLink2Url: + type: string + authenticatorPageCustomLinkLabel: + type: string + authenticatorPageCustomLinkUrl: + type: string + classicRecoveryFlowEmailOrUsernameLabel: + type: string + widgetGeneration: + $ref: '#/components/schemas/WidgetGeneration' + widgetVersion: + $ref: '#/components/schemas/Version' + SignInPageTouchPointVariant: + type: string + x-okta-known-values: + - BACKGROUND_IMAGE + - BACKGROUND_SECONDARY_COLOR + - OKTA_DEFAULT + SignOnInlineHook: + properties: + id: + type: string + readOnly: false + SimulatePolicyBody: + description: The request body required for a simulate policy operation. + type: object + properties: + appInstance: + type: string + description: The application instance ID for a simulate operation + policyContext: + $ref: '#/components/schemas/PolicyContext' + policyTypes: + type: array + description: Supported policy types for a simulate operation. The default value, `null`, returns all types. 
+ items: + $ref: '#/components/schemas/PolicyType' + required: + - appInstance + SimulatePolicyEvaluations: + type: object + properties: + evaluated: + type: object + description: A list of evaluated but not matched policies and rules + properties: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + policyType: + type: array + description: The policy type of the simulate operation + items: + $ref: '#/components/schemas/PolicyType' + result: + $ref: '#/components/schemas/SimulatePolicyResult' + status: + type: string + description: The result of this entity evaluation + enum: + - MATCH + - NOT_MATCH + - UNDEFINED + undefined: + type: object + description: A list of undefined but not matched policies and rules properties: - app: - $ref: '#/components/schemas/SamlApplicationSettingsApplication' - signOn: - $ref: '#/components/schemas/SamlApplicationSettingsSignOn' - SamlApplicationSettingsApplication: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + SimulatePolicyResponse: + description: The response body returned for a simulate policy operation. An array of `evaluations`. 
+ items: + $ref: '#/components/schemas/SimulatePolicyEvaluations' + type: array + SimulatePolicyResult: + description: The result of the policy evaluation type: object properties: - acsUrl: - type: string - audRestriction: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + SimulateResultConditions: + type: object + properties: + status: type: string - baseUrl: + description: The result of the entity evaluation + enum: + - MATCH + - UNMATCHED + - UNDEFINED + type: type: string - SamlApplicationSettingsSignOn: + description: The type of condition + SimulateResultPolicies: + items: + $ref: '#/components/schemas/SimulateResultPoliciesItems' + type: array + SimulateResultPoliciesItems: type: object properties: - acsEndpoints: - type: array - items: - $ref: '#/components/schemas/AcsEndpoint' - allowMultipleAcsEndpoints: - type: boolean - assertionSigned: - type: boolean - attributeStatements: + conditions: type: array - items: - $ref: '#/components/schemas/SamlAttributeStatement' - audience: - type: string - audienceOverride: + $ref: '#/components/schemas/SimulateResultConditions' + id: type: string - authnContextClassRef: + name: type: string - defaultRelayState: + rules: + type: array + $ref: '#/components/schemas/SimulateResultRules' + status: type: string - destination: + SimulateResultRules: + type: object + properties: + conditions: + type: array + $ref: '#/components/schemas/SimulateResultConditions' + id: type: string - destinationOverride: + description: The unique ID number of the policy rule + name: type: string - digestAlgorithm: + description: The name of the policy rule + status: type: string - honorForceAuthn: + description: The result of the entity evaluation + enum: + - MATCH + - UNMATCHED + - UNDEFINED + SingleLogout: + type: object + properties: + enabled: type: boolean - idpIssuer: + issuer: type: string - inlineHooks: - items: - $ref: '#/components/schemas/SignOnInlineHook' - type: array - recipient: + logoutUrl: type: string - 
recipientOverride: + SlackApplicationSettings: + allOf: + - $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/SlackApplicationSettingsApplication' + SlackApplicationSettingsApplication: + description: Slack app instance properties + type: object + properties: + domain: type: string - requestCompressed: - type: boolean - responseSigned: + description: The Slack app domain name + userEmailValue: + type: string + description: The `User.Email` attribute value + required: + - domain + SloParticipate: + type: object + properties: + bindingType: + type: string + description: Request binding type + enum: + - POST + - REDIRECT + enabled: type: boolean - signatureAlgorithm: + description: Allows the app to participate in front-channel single logout. + logoutRequestUrl: type: string - slo: - $ref: '#/components/schemas/SingleLogout' - spCertificate: - $ref: '#/components/schemas/SpCertificate' - spIssuer: + description: URL where Okta sends the logout request. + sessionIndexRequired: + type: boolean + description: Include user session details. 
+ SmsTemplate: + type: object + properties: + created: type: string - ssoAcsUrl: + format: date-time + readOnly: true + id: type: string - ssoAcsUrlOverride: + readOnly: true + lastUpdated: type: string - subjectNameIdFormat: + format: date-time + readOnly: true + name: type: string - subjectNameIdTemplate: + template: type: string - SamlAttributeStatement: + translations: + $ref: '#/components/schemas/SmsTemplateTranslations' + type: + $ref: '#/components/schemas/SmsTemplateType' + SmsTemplateTranslations: + type: object + x-okta-extensible: true + SmsTemplateType: + type: string + x-okta-known-values: + - SMS_VERIFY_CODE + SocialAuthToken: type: object properties: - filterType: + expiresAt: type: string - filterValue: + format: date-time + readOnly: true + id: type: string - name: + readOnly: true + scopes: + type: array + items: + type: string + token: type: string - namespace: + tokenAuthScheme: type: string - type: + tokenType: type: string - values: + SourceLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + schema: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated schema + SpCertificate: + type: object + properties: + x5c: type: array items: type: string - ScheduledUserLifecycleAction: + SplunkEdition: + description: Edition of the Splunk Cloud instance + example: aws + type: string + x-okta-known-values: + - aws + - aws_govcloud + - gcp + SplunkHost: + description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. For example: `acme.splunkcloud.com`' + minLength: 17 + maxLength: 116 + example: acme.splunkcloud.com + type: string + SplunkToken: + description: The HEC token for your Splunk Cloud HTTP Event Collector. The token value is set at object creation, but isn't returned. 
+ example: 11111111-1111-2222-2222-222222222222 + writeOnly: true + type: string + pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ + Sso: + description: 'Supported SSO protocol configurations. You must configure at least one protocol: `oidc` or `saml`' type: object properties: - status: - $ref: '#/components/schemas/PolicyUserStatus' - SchemeApplicationCredentials: + oidc: + $ref: '#/components/schemas/Oidc' + saml: + $ref: '#/components/schemas/Saml' + SsprPrimaryRequirement: + description: Defines the authenticators permitted for the initial authentication step of password recovery + type: object + properties: + methodConstraints: + description: Constraints on the values specified in the `methods` array. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodConstraint' + methods: + type: array + description: Authenticator methods allowed for the initial authentication step of password recovery. Method `otp` requires a constraint limiting it to a Google authenticator. + items: + type: string + enum: + - push + - sms + - voice + - email + - otp + SsprRequirement: + description: Describes the initial and secondary authenticator requirements a user needs to reset their password + type: object + properties: + primary: + $ref: '#/components/schemas/SsprPrimaryRequirement' + stepUp: + $ref: '#/components/schemas/SsprStepUpRequirement' + SsprStepUpRequirement: + description: |- + Defines the secondary authenticators needed for password reset if `required` is true. 
The following are three valid configurations: + * `required`=false + * `required`=true with no methods to use any SSO authenticator + * `required`=true with `security_question` as the method + type: object + properties: + methods: + description: Authenticator methods required for secondary authentication step of password recovery. Specify this value only when `required` is true and `security_question` is permitted for the secondary authentication. + type: array + items: + type: string + enum: + - security_question + required: + type: boolean + SubmissionRequest: allOf: - - $ref: '#/components/schemas/ApplicationCredentials' - - type: object + - $ref: '#/components/schemas/SubmissionResponse' + required: + - name + - description + - logo + SubmissionResponse: + type: object + properties: + config: + type: array + description: 'List of org-level variables for the customer per-tenant configuration. For example, a `subdomain` variable can be used in the ACS URL: `https://${org.subdomain}.example.com/saml/login`' + items: + type: object + properties: + label: + type: string + description: Display name of the variable in the Admin Console + example: Subdomain + name: + type: string + maxLength: 1024 + minLength: 1 + description: Name of the variable + example: subdomain + description: + type: string + maxLength: 1024 + minLength: 1 + description: A general description of your application and the benefits provided to your customers + example: Your one source for in-season strawberry deals. Okta's Strawberry Central integration allow users to securely access those sweet deals. 
+ id: + type: string + description: OIN Integration ID + readOnly: true + example: acme_submissionapp_1 + lastPublished: + type: string + description: Timestamp when the OIN Integration was last published + readOnly: true + example: '2023-08-24T14:15:22.000Z' + lastUpdated: + type: string + description: Timestamp when the OIN Integration instance was last updated + readOnly: true + example: '2023-08-24T14:15:22.000Z' + lastUpdatedBy: + type: string + description: ID of the user who made the last update + readOnly: true + example: 00ub0oNGTSWTBKOLGLNR + logo: + type: string + format: uri + description: URL to an uploaded application logo. This logo appears next to your app integration name in the OIN catalog. You must first [Upload an OIN Integration logo](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/uploadSubmissionLogo) to obtain the logo URL before you can specify this value. + example: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 + name: + type: string + maxLength: 64 + minLength: 1 + description: The app integration name. This is the main title used for your integration in the OIN catalog. + example: Strawberry Central + sso: + $ref: '#/components/schemas/Sso' + status: + type: string + description: Status of the OIN Integration submission + readOnly: true + example: New + Subscription: + type: object + properties: + channels: + description: |- + An array of sources send notifications to users. + > **Note**: Currently, Okta only allows `email` channels. 
+ items: + type: string + type: array + notificationType: + $ref: '#/components/schemas/NotificationType' + status: + $ref: '#/components/schemas/SubscriptionStatus' + _links: + type: object + description: Discoverable resources related to the subscription properties: - password: - $ref: '#/components/schemas/PasswordCredential' - revealPassword: - type: boolean - scheme: - $ref: '#/components/schemas/ApplicationCredentialsScheme' - signing: - $ref: '#/components/schemas/ApplicationCredentialsSigning' - userName: - type: string - ScreenLockType: + self: + $ref: '#/components/schemas/HrefObject' + readOnly: true + SubscriptionStatus: + description: The status of the subscription type: string x-okta-known-values: - - BIOMETRIC - - PASSCODE - SecurePasswordStoreApplication: - x-okta-defined-as: - name: template_sps - allOf: - - $ref: '#/components/schemas/Application' - - type: object + - subscribed + - unsubscribed + SupportedMethods: + type: object + properties: + settings: + type: object properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - name: + keyProtection: type: string - default: template_sps - settings: - $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings' - SecurePasswordStoreApplicationSettings: + algorithms: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' + transactionTypes: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodTransactionType' + status: + type: string + type: + type: string + enum: + - push + SwaApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: app: - $ref: '#/components/schemas/SecurePasswordStoreApplicationSettingsApplication' - SecurePasswordStoreApplicationSettingsApplication: + $ref: '#/components/schemas/SwaApplicationSettingsApplication' + SwaApplicationSettingsApplication: type: object properties: - optionalField1: + buttonField: type: string - optionalField1Value: + 
buttonSelector: type: string - optionalField2: + checkbox: type: string - optionalField2Value: + extraFieldSelector: type: string - optionalField3: + extraFieldValue: type: string - optionalField3Value: + loginUrlRegex: type: string passwordField: type: string + passwordSelector: + type: string + redirectUrl: + type: string + targetURL: + type: string url: type: string usernameField: type: string - SecurityQuestion: + userNameSelector: + type: string + TempPassword: type: object properties: - answer: - type: string - question: + tempPassword: type: string - questionText: + readOnly: true + TestInfo: + description: Integration Testing Information + type: object + properties: + escalationSupportContact: type: string - SecurityQuestionUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object + maxLength: 255 + description: An email for Okta to contact your company about your integration. This email isn't shared with customers. + example: strawberry.support@example.com + oidcTestConfiguration: + type: object + description: OIDC test details properties: - profile: - $ref: '#/components/schemas/SecurityQuestionUserFactorProfile' - SecurityQuestionUserFactorProfile: + idp: + type: boolean + description: Read only.
Indicates if your integration supports IdP-initiated sign-in flows. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) is specified, this property is set to `true`. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) isn't set for the integration submission, this property is set to `false` + readOnly: true + sp: + type: boolean + description: Read only.
Indicates if your integration supports SP-initiated sign-in flows and is always set to `true` for OIDC SSO + readOnly: true + jit: + type: boolean + description: Indicates if your integration supports Just-In-Time (JIT) provisioning + spInitiateUrl: + type: string + format: uri + maxLength: 512 + description: URL for SP-initiated sign-in flows (required if `sp = true`) + example: https://test.example.com/strawberry/oidc/sp-init + required: + - spInitiateUrl + samlTestConfiguration: + type: object + description: SAML test details + properties: + idp: + type: boolean + description: Indicates if your integration supports IdP-initiated sign-in + sp: + type: boolean + description: Indicates if your integration supports SP-initiated sign-in + jit: + type: boolean + description: Indicates if your integration supports Just-In-Time (JIT) provisioning + spInitiateUrl: + type: string + format: uri + maxLength: 512 + description: URL for SP-initiated sign-in flows (required if `sp = true`) + example: https://test.example.com/strawberry/saml/sp-init + spInitiateDescription: + type: string + maxLength: 2048 + description: Instructions on how to sign in to your app using the SP-initiated flow (required if `sp = true`) + example: Go to your app URL from a browser and enter your username + required: + - spInitiateUrl + testAccount: + type: object + description: An account on a test instance of your app with admin privileges. A test admin account is required by Okta for integration testing. During OIN QA testing, an Okta analyst uses this admin account to configure your app for the various test case flows. 
+ properties: + url: + type: string + format: uri + maxLength: 512 + description: The sign-in URL to a test instance of your app + example: https://example.com/strawberry/login + username: + type: string + maxLength: 255 + description: The username for your app admin account + example: test@example.com + password: + type: string + maxLength: 255 + description: The password for your app admin account + example: sUperP@ssw0rd + instructions: + type: string + maxLength: 2048 + description: Additional instructions to test the app integration, including instructions for obtaining test accounts + example: Go to your app URL from a browser and enter your credentials + required: + - url + - username + - password + required: + - escalationSupportContact + Theme: type: object properties: - answer: + backgroundImage: + readOnly: true type: string - question: + emailTemplateTouchPointVariant: + $ref: '#/components/schemas/EmailTemplateTouchPointVariant' + endUserDashboardTouchPointVariant: + $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' + errorPageTouchPointVariant: + $ref: '#/components/schemas/ErrorPageTouchPointVariant' + loadingPageTouchPointVariant: + $ref: '#/components/schemas/LoadingPageTouchPointVariant' + primaryColorContrastHex: type: string - questionText: + primaryColorHex: type: string - SeedEnum: - type: string - x-okta-known-values: - - OKTA - - RANDOM - Session: + secondaryColorContrastHex: + type: string + secondaryColorHex: + type: string + signInPageTouchPointVariant: + $ref: '#/components/schemas/SignInPageTouchPointVariant' + _links: + $ref: '#/components/schemas/LinksSelf' + ThemeResponse: type: object properties: - amr: - type: array + backgroundImage: readOnly: true - items: - $ref: '#/components/schemas/SessionAuthenticationMethod' - createdAt: type: string - format: date-time + emailTemplateTouchPointVariant: + $ref: '#/components/schemas/EmailTemplateTouchPointVariant' + endUserDashboardTouchPointVariant: + $ref: 
'#/components/schemas/EndUserDashboardTouchPointVariant' + errorPageTouchPointVariant: + $ref: '#/components/schemas/ErrorPageTouchPointVariant' + favicon: readOnly: true - expiresAt: type: string - format: date-time - readOnly: true id: - type: string readOnly: true - idp: - $ref: '#/components/schemas/SessionIdentityProvider' - lastFactorVerification: type: string - format: date-time + loadingPageTouchPointVariant: + $ref: '#/components/schemas/LoadingPageTouchPointVariant' + logo: readOnly: true - lastPasswordVerification: type: string - format: date-time - readOnly: true - login: + primaryColorContrastHex: type: string - readOnly: true - status: - $ref: '#/components/schemas/SessionStatus' - userId: + primaryColorHex: type: string - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - SessionAuthenticationMethod: - type: string - x-okta-known-values: - - fpt - - geo - - hwk - - kba - - mca - - mfa - - otp - - pwd - - sc - - sms - - swk - - tel - SessionIdentityProvider: - type: object - properties: - id: + secondaryColorContrastHex: type: string - readOnly: true - type: - $ref: '#/components/schemas/SessionIdentityProviderType' - SessionIdentityProviderType: - type: string - x-okta-known-values: - - ACTIVE_DIRECTORY - - FEDERATION - - LDAP - - OKTA - - SOCIAL - SessionStatus: - type: string - x-okta-known-values: - - ACTIVE - - MFA_ENROLL - - MFA_REQUIRED - SignInPage: - allOf: - - $ref: '#/components/schemas/CustomizablePage' - - type: object - properties: - widgetCustomizations: - type: object - properties: - signInLabel: - type: string - usernameLabel: - type: string - usernameInfoTip: - type: string - passwordLabel: - type: string - passwordInfoTip: - type: string - showPasswordVisibilityToggle: - type: boolean - showUserIdentifier: - type: boolean - forgotPasswordLabel: - type: string - forgotPasswordUrl: - type: string - unlockAccountLabel: - type: string - unlockAccountUrl: - type: string - 
helpLabel: - type: string - helpUrl: - type: string - customLink1Label: - type: string - customLink1Url: - type: string - customLink2Label: - type: string - customLink2Url: - type: string - authenticatorPageCustomLinkLabel: - type: string - authenticatorPageCustomLinkUrl: - type: string - classicRecoveryFlowEmailOrUsernameLabel: - type: string - widgetVersion: - $ref: '#/components/schemas/Version' - SignInPageTouchPointVariant: - type: string - x-okta-known-values: - - BACKGROUND_IMAGE - - BACKGROUND_SECONDARY_COLOR - - OKTA_DEFAULT - SignOnInlineHook: - properties: - id: + secondaryColorHex: type: string - readOnly: false - SingleLogout: + signInPageTouchPointVariant: + $ref: '#/components/schemas/SignInPageTouchPointVariant' + _links: + $ref: '#/components/schemas/LinksSelf' + ThirdPartyAdminSetting: + description: The third-party admin setting type: object properties: - enabled: + thirdPartyAdmin: type: boolean - issuer: - type: string - logoutUrl: - type: string - SmsTemplate: + ThreatInsightConfiguration: type: object properties: + action: + type: string + description: Specifies how Okta responds to authentication requests from suspicious IP addresses + enum: + - none + - audit + - block + x-enumDescriptions: + none: Indicates that ThreatInsight is disabled + audit: Indicates that Okta logs suspicious requests to the System Log + block: Indicates that Okta logs suspicious requests to the System Log and blocks the requests + example: none created: type: string format: date-time + description: Timestamp when the ThreatInsight Configuration object was created + example: '2020-08-05T22:18:30.629Z' readOnly: true - id: - type: string - readOnly: true + excludeZones: + type: array + description: |- + Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs. + IPs in the excluded network zones aren't logged or blocked. + This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked. 
+ items: + type: string + example: [] lastUpdated: type: string format: date-time + description: Timestamp when the ThreatInsight Configuration object was last updated readOnly: true - name: - type: string - template: - type: string - translations: - $ref: '#/components/schemas/SmsTemplateTranslations' - type: - $ref: '#/components/schemas/SmsTemplateType' - SmsTemplateTranslations: - type: object - x-okta-extensible: true - SmsTemplateType: + example: '2020-09-08T20:53:20.882Z' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - action + TimeDuration: + description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). type: string - x-okta-known-values: - - SMS_VERIFY_CODE - SmsUserFactor: + pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$ + TokenAuthorizationServerPolicyRuleAction: + type: object + properties: + accessTokenLifetimeMinutes: + type: integer + description: Lifetime of the access token in minutes. The minimum is five minutes. The maximum is one day. + inlineHook: + $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' + refreshTokenLifetimeMinutes: + type: integer + description: Lifetime of the refresh token is the minimum access token lifetime. + refreshTokenWindowMinutes: + type: integer + description: Timeframe when the refresh token is valid. The minimum is 10 minutes. The maximum is five years (2,628,000 minutes). 
+ TokenAuthorizationServerPolicyRuleActionInlineHook: + type: object + properties: + id: + type: string + readOnly: false + TrendMicroApexOneServiceApplicationSettings: allOf: - - $ref: '#/components/schemas/UserFactor' + - $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' - type: object + - required: + - app properties: - profile: - $ref: '#/components/schemas/SmsUserFactorProfile' - SmsUserFactorProfile: + app: + $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettingsApplication' + TrendMicroApexOneServiceApplicationSettingsApplication: + description: Trend Micro Apex One as a Service app instance properties type: object properties: - phoneNumber: + baseURL: type: string - SocialAuthToken: + description: Base URL + required: + - baseURL + TrustedOrigin: type: object properties: - expiresAt: + created: type: string format: date-time readOnly: true + createdBy: + type: string id: type: string readOnly: true - scopes: - type: array - items: - type: string - token: + lastUpdated: type: string - tokenAuthScheme: + format: date-time + readOnly: true + lastUpdatedBy: type: string - tokenType: + name: type: string - SpCertificate: - type: object - properties: - x5c: + origin: + type: string + scopes: type: array items: - type: string - Subscription: + $ref: '#/components/schemas/TrustedOriginScope' + status: + type: string + _links: + $ref: '#/components/schemas/LinksSelf' + TrustedOriginScope: type: object properties: - channels: - items: - type: string + allowedOktaApps: type: array - notificationType: - $ref: '#/components/schemas/NotificationType' - status: - $ref: '#/components/schemas/SubscriptionStatus' - _links: - additionalProperties: - type: object - readOnly: true - type: object - SubscriptionStatus: + items: + $ref: '#/components/schemas/IframeEmbedScopeAllowedApps' + type: + $ref: '#/components/schemas/TrustedOriginScopeType' + TrustedOriginScopeType: type: string x-okta-known-values: - - subscribed - - unsubscribed - 
SwaApplicationSettings: - allOf: - - $ref: '#/components/schemas/ApplicationSettings' - - type: object - properties: - app: - $ref: '#/components/schemas/SwaApplicationSettingsApplication' - SwaApplicationSettingsApplication: + - CORS + - IFRAME_EMBED + - REDIRECT + UIElement: + description: Specifies the configuration of an input field on an enrollment form type: object properties: - buttonField: - type: string - buttonSelector: + label: type: string - checkbox: + description: Label name for the UI element + options: + type: object + description: UI Schema element options object + properties: + format: + type: string + description: Specifies how the input appears + enum: + - text + - radio + - select + - checkbox + - radio_yes_no + - radio_true_false + x-enumDescriptions: + text: The default format for the majority of property types. + radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint. + select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint. + checkbox: Displays input as a checkbox. This option is only available for Boolean data types. + radio_yes_no: Displays input as two radio buttons, one with the option `yes` and the other `no`. This option is only available for Boolean data types. + radio_true_false: Displays input as two radio buttons, one with the option `true` and the other `false`. This option is only available for Boolean data types. + scope: type: string - extraFieldSelector: + description: Specifies the property bound to the input field. It must follow the format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a variable name for an attribute in `profile editor`. + type: type: string - extraFieldValue: + description: Specifies the relationship between this input element and `scope`. The `Control` value specifies that this input controls the value represented by `scope`. 
+ UISchemaObject: + description: Properties of the UI schema + type: object + properties: + buttonLabel: type: string - loginUrlRegex: + description: Specifies the button label for the `Submit` button at the bottom of the enrollment form. + default: Submit + elements: + $ref: '#/components/schemas/UIElement' + label: type: string - passwordField: + description: Specifies the label at the top of the enrollment form under the logo. + default: Sign in + type: type: string - passwordSelector: + description: Specifies the type of layout + UISchemasResponseObject: + type: object + properties: + created: type: string - redirectUrl: + format: date-time + description: Timestamp when the UI Schema was created (ISO-86001) + readOnly: true + id: type: string - targetURL: + description: Unique identifier for the UI Schema + readOnly: true + lastUpdated: type: string - url: + format: date-time + description: Timestamp when the UI Schema was last modified (ISO-86001) + readOnly: true + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - id + - uiSchema + - created + - lastUpdated + - _links + UpdateDomain: + type: object + properties: + brandId: + description: The `id` of the brand used to replace the existing brand. 
type: string - usernameField: + example: bndul904tTZ6kWVhP0g3 + required: + - brandId + UpdateEmailDomain: + allOf: + - $ref: '#/components/schemas/BaseEmailDomain' + UpdateIamRoleRequest: + type: object + properties: + description: type: string - userNameSelector: + description: Description of the role + label: type: string - TempPassword: + description: Unique label for the role + required: + - label + - description + UpdateRealmAssignmentRuleRequest: type: object properties: - tempPassword: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + name: type: string - readOnly: true - Theme: + priority: + type: integer + UpdateRealmRequest: type: object properties: - backgroundImage: + profile: + $ref: '#/components/schemas/RealmProfile' + UpdateUISchema: + description: The updated request body properties + type: object + properties: + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + UpdateUserRequest: + type: object + properties: + credentials: + $ref: '#/components/schemas/UserCredentials' + profile: + $ref: '#/components/schemas/UserProfile' + User: + type: object + properties: + activated: + type: string + description: The timestamp when the user status transitioned to `ACTIVE` + format: date-time readOnly: true + nullable: true + created: type: string - emailTemplateTouchPointVariant: - $ref: '#/components/schemas/EmailTemplateTouchPointVariant' - endUserDashboardTouchPointVariant: - $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' - errorPageTouchPointVariant: - $ref: '#/components/schemas/ErrorPageTouchPointVariant' - loadingPageTouchPointVariant: - $ref: '#/components/schemas/LoadingPageTouchPointVariant' - primaryColorContrastHex: + description: The timestamp when the user was created + format: date-time + readOnly: true + credentials: + $ref: '#/components/schemas/UserCredentials' + id: type: string - primaryColorHex: + description: The unique key for the user + readOnly: true + 
lastLogin: type: string - secondaryColorContrastHex: + description: The timestamp of the last login + format: date-time + readOnly: true + nullable: true + lastUpdated: type: string - secondaryColorHex: + description: The timestamp when the user was last updated + format: date-time + readOnly: true + passwordChanged: type: string - signInPageTouchPointVariant: - $ref: '#/components/schemas/SignInPageTouchPointVariant' - _links: + description: The timestamp when the user's password was last updated + format: date-time + readOnly: true + nullable: true + profile: + $ref: '#/components/schemas/UserProfile' + status: + $ref: '#/components/schemas/UserStatus' + statusChanged: + type: string + description: The timestamp when the status of the user last changed + format: date-time + readOnly: true + nullable: true + transitioningToStatus: + type: string + description: The target status of an in-progress asynchronous status transition. This property is only returned if the user's state is transitioning. + readOnly: true + nullable: true + enum: + - ACTIVE + - DEPROVISIONED + - PROVISIONED + type: + type: object + description: |- + The user type that determines the schema for the user's profile. The `type` property is a map that identifies + the User Type (see [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType)). + Currently it contains a single element, `id`. It can be specified when creating a new user, and may be updated by an administrator on a full replace of an existing user (but not a partial update). 
+ properties: + id: + type: string + description: The ID of the user type + _embedded: + type: object + description: If specified, includes embedded resources related to the user additionalProperties: type: object + properties: {} readOnly: true - type: object - ThemeResponse: + _links: + description: |- + Specifies link relations (see [Web Linking](https://datatracker.ietf.org/doc/html/rfc8288) available for the current status of a user. + The Links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The Links object is read-only. + + For an individual user result, the Links object contains a full set of link relations available for that user as determined by your policies. + For a collection of users, the Links object contains only the self link. Operations that return a collection of Users include List Users and List Group Members. + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + self: + description: Link to the individual user + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: Link to activate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + resetPassword: + description: Link to reset the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + resetFactors: + description: Link to reset the user's factors + allOf: + - $ref: '#/components/schemas/HrefObject' + expirePassword: + description: Link to expire the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + forgotPassword: + description: Link to initiate a forgot password operation + allOf: + - $ref: '#/components/schemas/HrefObject' + changeRecoveryQuestion: + description: Link to change the user's recovery question + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: Link to deactivate a user + allOf: + - $ref: '#/components/schemas/HrefObject' + reactivate: + description: Link to reactivate the user + allOf: + - 
$ref: '#/components/schemas/HrefObject' + changePassword: + description: Link to change the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + schema: + description: Link to the user's profile schema + allOf: + - $ref: '#/components/schemas/HrefObject' + suspend: + description: Link to suspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unsuspend: + description: Link to unsuspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unlock: + description: Link to unlock the locked-out user + allOf: + - $ref: '#/components/schemas/HrefObject' + type: + description: Link to the user type + allOf: + - $ref: '#/components/schemas/HrefObject' + - readOnly: true + UserActivationToken: type: object properties: - backgroundImage: - readOnly: true + activationToken: type: string - emailTemplateTouchPointVariant: - $ref: '#/components/schemas/EmailTemplateTouchPointVariant' - endUserDashboardTouchPointVariant: - $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' - errorPageTouchPointVariant: - $ref: '#/components/schemas/ErrorPageTouchPointVariant' - favicon: readOnly: true + activationUrl: type: string - id: readOnly: true + UserBlock: + description: The description of the access block + type: object + properties: + appliesTo: type: string - loadingPageTouchPointVariant: - $ref: '#/components/schemas/LoadingPageTouchPointVariant' - logo: readOnly: true + description: The devices that the block applies to + enum: + - ANY_DEVICES + - UNKNOWN_DEVICES + x-enumDescriptions: + ANY_DEVICES: The account is blocked for all devices + UNKNOWN_DEVICES: The account is only blocked for unknown devices + type: type: string - primaryColorContrastHex: - type: string - primaryColorHex: - type: string - secondaryColorContrastHex: - type: string - secondaryColorHex: - type: string - signInPageTouchPointVariant: - $ref: '#/components/schemas/SignInPageTouchPointVariant' - _links: - additionalProperties: - type: object readOnly: true 
- type: object - ThreatInsightConfiguration: + description: Type of access block + enum: + - DEVICE_BASED + UserCondition: + description: Specifies a set of Users to be included or excluded + type: object + properties: + exclude: + description: Users to be excluded + type: array + items: + type: string + include: + description: Users to be included + type: array + items: + type: string + UserCredentials: + type: object + properties: + password: + $ref: '#/components/schemas/PasswordCredential' + provider: + $ref: '#/components/schemas/AuthenticationProvider' + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + UserFactor: type: object properties: - action: - type: string created: + description: Timestamp indicating when the Factor was enrolled type: string format: date-time readOnly: true - excludeZones: - type: array - items: - type: string + factorType: + $ref: '#/components/schemas/UserFactorType' + id: + description: ID of the Factor + type: string + readOnly: true lastUpdated: + description: Timestamp indicating when the Factor was last updated type: string format: date-time readOnly: true - _links: + profile: + type: object + description: Specific attributes related to the Factor + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings. + type: string + example: OKTA + readOnly: true + _embedded: type: object additionalProperties: type: object properties: {} readOnly: true - TimeDuration: - description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). 
- type: string - pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$ - TokenAuthorizationServerPolicyRuleAction: + _links: + $ref: '#/components/schemas/LinksSelf' + discriminator: *ref_19 + UserFactorActivateRequest: type: object properties: - accessTokenLifetimeMinutes: - type: integer - inlineHook: - $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' - refreshTokenLifetimeMinutes: - type: integer - refreshTokenWindowMinutes: - type: integer - TokenAuthorizationServerPolicyRuleActionInlineHook: + attestation: + type: string + clientData: + type: string + passCode: + type: string + registrationData: + type: string + stateToken: + type: string + UserFactorCall: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + profile: + $ref: '#/components/schemas/UserFactorCallProfile' + UserFactorCallProfile: type: object properties: - id: + phoneExtension: + description: Extension of the associated `phoneNumber` type: string - readOnly: false - TokenUserFactor: + nullable: true + maxLength: 15 + phoneNumber: + description: Phone number of the Factor. You should format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). + example: '+15554151337' + type: string + pattern: ^\+[1-9]\d{1,14}$ + maxLength: 15 + UserFactorCustomHOTP: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + factorProfileId: + description: ID of an existing Custom TOTP Factor profile. To create this, see [Custom TOTP Factor](https://help.okta.com/okta_help.htm?id=ext-mfa-totp). 
+ type: string + profile: + $ref: '#/components/schemas/UserFactorCustomHOTPProfile' + UserFactorCustomHOTPProfile: + type: object + properties: + sharedSecret: + description: Unique secret key used to generate the OTP + type: string + example: 484f97be3213b117e3a20438e291540a + UserFactorEmail: allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: - $ref: '#/components/schemas/TokenUserFactorProfile' - TokenUserFactorProfile: + $ref: '#/components/schemas/UserFactorEmailProfile' + UserFactorEmailProfile: type: object properties: - credentialId: + email: + description: Email address of the user + maxLength: 100 + example: z.cool@example.com type: string - TotpUserFactor: + UserFactorHardware: allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: - $ref: '#/components/schemas/TotpUserFactorProfile' - TotpUserFactorProfile: + $ref: '#/components/schemas/UserFactorHardwareProfile' + UserFactorHardwareProfile: type: object properties: credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - TrustedOrigin: + UserFactorProvider: + description: Provider for the Factor + type: string + x-okta-known-values: + - CUSTOM + - DUO + - FIDO + - GOOGLE + - OKTA + - RSA + - SYMANTEC + - YUBICO + UserFactorPush: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + expiresAt: + description: Timestamp indicating when the Factor verification attempt expires + type: string + format: date-time + readOnly: true + factorResult: + $ref: '#/components/schemas/UserFactorResultType' + profile: + $ref: '#/components/schemas/UserFactorPushProfile' + UserFactorPushProfile: type: object properties: - created: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - format: date-time - readOnly: true - createdBy: + deviceToken: + description: Token used to identify the device type: string - id: + 
deviceType: + description: Type of device + example: SmartPhone_IPhone type: string - readOnly: true - lastUpdated: + name: + description: Name of the device + example: My Phone type: string - format: date-time - readOnly: true - lastUpdatedBy: + platform: + description: OS version of the associated device + example: IOS type: string - name: + version: + description: Installed version of Okta Verify + example: '9.0' type: string - origin: + UserFactorResultType: + description: Result of a Factor verification attempt + type: string + x-okta-known-values: + - CANCELLED + - CHALLENGE + - ERROR + - FAILED + - PASSCODE_REPLAYED + - REJECTED + - SUCCESS + - TIMEOUT + - TIME_WINDOW_EXCEEDED + - WAITING + UserFactorSMS: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + profile: + $ref: '#/components/schemas/UserFactorSMSProfile' + UserFactorSMSProfile: + type: object + properties: + phoneNumber: + description: Phone number of the Factor. You should format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). 
+ example: '+15554151337' type: string - scopes: - type: array - items: - $ref: '#/components/schemas/TrustedOriginScope' - status: + pattern: ^\+[1-9]\d{1,14}$ + maxLength: 15 + UserFactorSecurityQuestion: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + profile: + $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' + UserFactorSecurityQuestionProfile: + type: object + properties: + answer: + description: Answer to the question + minLength: 4 + type: string + writeOnly: true + question: + description: Unique key for the question + example: disliked_food + enum: + - disliked_food + - name_of_first_plush_toy + - first_award + - favorite_security_question + - favorite_toy + - first_computer_game + - favorite_movie_quote + - first_sports_team_mascot + - first_music_purchase + - favorite_art_piece + - grandmother_favorite_desert + - first_thing_cooked + - childhood_dream_job + - first_kiss_location + - place_where_significant_other_was_met + - favorite_vacation_location + - new_years_two_thousand + - favorite_speaker_actor + - favorite_book_movie_character + - favorite_sports_player + type: string + questionText: + description: Human-readable text displayed to the user + example: What is the food you least liked as a child? 
type: string - _links: - type: object - additionalProperties: - type: object - properties: {} readOnly: true - TrustedOriginScope: + UserFactorStatus: + description: Status of the Factor + type: string + x-okta-known-values: + - ACTIVE + - DISABLED + - ENROLLED + - EXPIRED + - INACTIVE + - NOT_SETUP + - PENDING_ACTIVATION + UserFactorTOTP: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + profile: + $ref: '#/components/schemas/UserFactorTOTPProfile' + UserFactorTOTPProfile: type: object properties: - allowedOktaApps: - type: array - items: - $ref: '#/components/schemas/IframeEmbedScopeAllowedApps' - type: - $ref: '#/components/schemas/TrustedOriginScopeType' - TrustedOriginScopeType: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + UserFactorToken: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + profile: + $ref: '#/components/schemas/UserFactorTokenProfile' + UserFactorTokenProfile: + type: object + properties: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com + type: string + UserFactorType: + description: Type of Factor type: string x-okta-known-values: - - CORS - - IFRAME_EMBED - - REDIRECT - U2fUserFactor: + - call + - email + - push + - question + - signed_nonce + - sms + - token + - token:hardware + - token:hotp + - token:software:totp + - u2f + - web + - webauthn + UserFactorU2F: allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: - $ref: '#/components/schemas/U2fUserFactorProfile' - U2fUserFactorProfile: + $ref: '#/components/schemas/UserFactorU2FProfile' + UserFactorU2FProfile: type: object properties: credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - UpdateDomain: + UserFactorVerifyRequest: type: object properties: - brandId: + activationToken: type: string - UpdateEmailDomain: - allOf: 
- - $ref: '#/components/schemas/BaseEmailDomain' - UpdateUserRequest: - type: object - properties: - credentials: - $ref: '#/components/schemas/UserCredentials' - profile: - $ref: '#/components/schemas/UserProfile' - User: - type: object - properties: - activated: + answer: + description: Answer to the question + minLength: 4 type: string - format: date-time - readOnly: true - nullable: true - created: + writeOnly: true + attestation: + description: Base64-encoded attestation from the WebAuthn JavaScript call type: string - format: date-time - readOnly: true - credentials: - $ref: '#/components/schemas/UserCredentials' - id: + clientData: + description: Base64-encoded client data from the WebAuthn authenticator type: string - readOnly: true - lastLogin: + nextPassCode: + description: OTP for the next time window + type: integer + example: 3956685498 + passCode: + description: OTP for the current time window type: string - format: date-time - readOnly: true - nullable: true - lastUpdated: + registrationData: + description: Base64-encoded registration data from the U2F JavaScript call type: string - format: date-time - readOnly: true - passwordChanged: + stateToken: + type: string + UserFactorVerifyResponse: + type: object + properties: + expiresAt: + description: Timestamp indicating when the verification expires type: string format: date-time readOnly: true - nullable: true - profile: - $ref: '#/components/schemas/UserProfile' - status: - $ref: '#/components/schemas/UserStatus' - statusChanged: + factorResult: + $ref: '#/components/schemas/UserFactorVerifyResult' + factorResultMessage: + description: A message for Factor verification type: string - format: date-time readOnly: true - nullable: true - transitioningToStatus: - $ref: '#/components/schemas/UserStatus' - type: - $ref: '#/components/schemas/UserType' _embedded: type: object additionalProperties: 
@@ -25748,92 +38510,90 @@ components: properties: {} readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - UserActivationToken: - type: object - properties: - activationToken: - type: string - readOnly: true - activationUrl: - type: string - readOnly: true - UserBlock: + $ref: '#/components/schemas/LinksSelf' + UserFactorVerifyResult: + description: Result of a Factor verification + type: string + x-enumDescriptions: + CANCELED: User canceled the verification + CHALLENGE: Okta issued a verification challenge + ERROR: Verification encountered an unexpected server error + EXPIRED: User didn't complete the verification within the allowed time window + FAILED: Verification failed + PASSCODE_REPLAYED: User previously verified the Factor within the same time window. Another verification is required during another time window. + REJECTED: User rejected the verification + SUCCESS: User completed the verification + TIMEOUT: Okta didn't complete the verification within the allowed time window + TIME_WINDOW_EXCEEDED: User completed the verification outside of the allowed time window. Another verification is required. 
+ WAITING: Verification is in progress + x-okta-known-values: + - CHALLENGE + - ERROR + - EXPIRED + - FAILED + - PASSCODE_REPLAYED + - REJECTED + - SUCCESS + - TIMEOUT + - TIME_WINDOW_EXCEEDED + - WAITING + UserFactorWeb: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + profile: + $ref: '#/components/schemas/UserFactorWebProfile' + UserFactorWebAuthn: + allOf: + - $ref: '#/components/schemas/UserFactor' + - type: object + properties: + profile: + $ref: '#/components/schemas/UserFactorWebAuthnProfile' + UserFactorWebAuthnProfile: type: object properties: - appliesTo: + authenticatorName: + description: Human-readable name of the authenticator + example: MacBook Touch ID type: string - readOnly: true - type: + credentialId: + description: ID for the Factor credential + example: AHoOEhwvYiMv6SSwLp7KYRNttXtg_kYgQoQiEIWPFH_T3Ztp5Vj3bQ5H0LypIFR8ka8kfiCJ3I5qVpxrsd6JTMWKcE3xNh_U2QVF0Kwlan8Fiw type: string - readOnly: true - UserCondition: - type: object - properties: - exclude: - type: array - items: - type: string - include: - type: array - items: - type: string - UserCredentials: - type: object - properties: - password: - $ref: '#/components/schemas/PasswordCredential' - provider: - $ref: '#/components/schemas/AuthenticationProvider' - recovery_question: - $ref: '#/components/schemas/RecoveryQuestionCredential' - UserFactor: + UserFactorWebProfile: type: object properties: - created: - type: string - format: date-time - readOnly: true - factorType: - $ref: '#/components/schemas/FactorType' - id: - type: string - readOnly: true - lastUpdated: + credentialId: + description: ID for the Factor credential + example: dade.murphy@example.com type: string - format: date-time - readOnly: true - provider: - $ref: '#/components/schemas/FactorProvider' - status: - $ref: '#/components/schemas/FactorStatus' - verify: - $ref: '#/components/schemas/VerifyFactorRequest' - _embedded: - type: object - additionalProperties: - type: object - properties: 
{} - readOnly: true - _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true - discriminator: *ref_13 + UserGetSingleton: + allOf: + - $ref: '#/components/schemas/User' + - type: object + properties: + _embedded: + type: object + description: The embedded resources related to the object if the `expand` query parameter is specified + properties: + blocks: + type: array + description: A list of access block details for the user account + items: + $ref: '#/components/schemas/UserBlock' UserIdentifierConditionEvaluatorPattern: + description: Used in the User Identifier Condition object. Specifies the details of the patterns to match against. type: object properties: matchType: $ref: '#/components/schemas/UserIdentifierMatchType' value: type: string + description: The regex expression of a simple match string UserIdentifierMatchType: + description: The type of pattern. For regex, use `EXPRESSION`. type: string x-okta-known-values: - CONTAINS @@ -25875,21 +38635,25 @@ components: preventBruteForceLockoutFromUnknownDevices: type: boolean description: Prevents brute-force lockout from unknown devices for the password authenticator. + default: false UserNextLogin: type: string x-okta-known-values: - changePassword UserPolicyRuleCondition: + description: Specifies a set of Users to be included or excluded type: object properties: exclude: type: array + description: Users to be excluded items: type: string inactivity: $ref: '#/components/schemas/InactivityPolicyRuleCondition' include: type: array + description: Users to be included items: type: string lifecycleExpiration: 
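Review bot: In `UserFactorVerifyResult`, `x-enumDescriptions` documents a `CANCELED` value but the `x-okta-known-values` list below it has no such entry, so the generated enum will most likely lack a constant for it. `UserFactorResultType`, added earlier in this file, spells its entry `CANCELLED`, which adds to the ambiguity. Either add `- CANCELED` to the known-values list or drop the description key, whichever matches what the API actually returns. Until that is settled, callers that branch on a verification result should treat any value other than `SUCCESS` as not verified rather than enumerating the failure cases. If this file is synced from the upstream Okta spec, the correction belongs upstream.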
@@ -25900,100 +38664,170 @@ components: $ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition' UserProfile: additionalProperties: true + description: |- + Specifies the default and custom profile properties for a user. + + The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). + The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and + specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the administrator UI + or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. + + You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. + You can use the Profile Editor in the Admin console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. + + Custom attributes may contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. 
type: object properties: city: type: string + description: The city or locality of the user's address (`locality`) maxLength: 128 nullable: true costCenter: type: string + description: Name of the cost center assigned to a user + nullable: true countryCode: + description: The country name component of the user's address (`country`) type: string maxLength: 2 nullable: true department: type: string + description: Name of the user's department displayName: type: string + description: Name of the user suitable for display to end users + nullable: true division: type: string + description: Name of the user's division + nullable: true email: type: string + description: The primary email address of the user. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). format: email minLength: 5 maxLength: 100 employeeNumber: + description: The organization or company assigned unique identifier for the user type: string firstName: type: string + description: Given name of the user (`givenName`) minLength: 1 maxLength: 50 nullable: true honorificPrefix: type: string + description: Honorific prefix(es) of the user, or title in most Western languages + nullable: true honorificSuffix: type: string + description: Honorific suffix(es) of the user + nullable: true lastName: type: string + description: The family name of the user (`familyName`) minLength: 1 maxLength: 50 nullable: true locale: - $ref: '#/components/schemas/Language' + type: string + description: |- + The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. + A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example, en_US specifies the language English and country US. This value is `en_US` by default. login: type: string + description: The unique identifier for the user (`username`). 
For validation, see [Login pattern validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). See also [Okta login](https://developer.okta.com/docs/reference/api/users/#okta-login). maxLength: 100 + minLength: 5 manager: type: string + description: The `displayName` of the user's manager + nullable: true managerId: type: string + description: The `id` of the user's manager + nullable: true middleName: type: string + description: The middle name of the user + nullable: true mobilePhone: type: string + description: The mobile phone number of the user maxLength: 100 + minLength: 0 nullable: true nickName: type: string + description: The casual way to address the user in real life + nullable: true organization: type: string + description: Name of the the user's organization + nullable: true postalAddress: type: string + description: Mailing address component of the user's address maxLength: 4096 nullable: true preferredLanguage: type: string + description: The user's preferred written or spoken language + nullable: true primaryPhone: type: string + description: The primary phone number of the user such as a home number maxLength: 100 + minLength: 0 nullable: true profileUrl: type: string + description: The URL of the user's online profile. For example, a web page. See [URL](https://datatracker.ietf.org/doc/html/rfc1808). 
+ nullable: true secondEmail: type: string format: email + description: The secondary email address of the user typically used for account recovery minLength: 5 maxLength: 100 nullable: true state: type: string + description: The state or region component of the user's address (`region`) maxLength: 128 nullable: true streetAddress: type: string + description: The full street address component of the user's address maxLength: 1024 nullable: true timezone: type: string + description: The user's time zone + nullable: true title: type: string + description: The user's title, such as Vice President + nullable: true userType: type: string + description: The property used to describe the organization-to-user relationship, such as employee or contractor + nullable: true zipCode: type: string + description: The ZIP code or postal code component of the user's address (`postalCode`) maxLength: 50 nullable: true + UserProvisioningApplicationFeature: + allOf: + - $ref: '#/components/schemas/ApplicationFeature' + - type: object + - properties: + capabilities: + $ref: '#/components/schemas/CapabilitiesObject' UserSchema: type: object properties: @@ -26022,11 +38856,7 @@ components: type: string readOnly: true _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/LinksSelf' UserSchemaAttribute: type: object properties: @@ -26258,7 +39088,9 @@ components: type: type: string UserStatus: + description: The current status of the user type: string + readOnly: true x-okta-known-values: - ACTIVE - DEPROVISIONED 
@@ -26279,34 +39111,45 @@ components: created: type: string format: date-time + description: A timestamp from when the User Type was created readOnly: true createdBy: type: string + description: The user ID of the account that created the User Type readOnly: true default: type: boolean + description: A boolean value to indicate if this is the default User Type readOnly: true description: type: string + description: The human-readable description of the User Type displayName: type: string + description: The human-readable name of the User Type id: type: string + description: The unique key for the User Type + readOnly: true lastUpdated: type: string format: date-time + description: A timestamp from when the User Type was most recently updated readOnly: true lastUpdatedBy: type: string + description: The user ID of the most recent account to edit the User Type readOnly: true name: type: string + description: |- + The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. + This value becomes read-only after creation and can't be updated. _links: - type: object - additionalProperties: - type: object - properties: {} - readOnly: true + $ref: '#/components/schemas/UserTypeLinks' + required: + - name + - displayName UserTypeCondition: properties: exclude: 
@@ -26317,9 +39160,45 @@ components: items: type: string type: array + UserTypeLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + schema: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated schema + UserTypePostRequest: + type: object + properties: + description: + type: string + description: The updated human-readable description of the User Type + displayName: + type: string + description: The updated human-readable display name for the User Type + UserTypePutRequest: + type: object + properties: + description: + type: string + description: The human-readable description of the User Type + displayName: + type: string + description: The human-readable name of the User Type + name: + type: string + description: The name of the existing type + required: + - name + - displayName + - description UserVerificationEnum: + description: User verification setting type: string x-okta-known-values: + - DISCOURAGED - PREFERRED - REQUIRED VerificationMethod: 
@@ -26335,96 +39214,108 @@ components: type: string type: type: string - VerifyFactorRequest: + Version: + description: The version specified as a [Semantic Version](https://semver.org/). + type: string + pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ + WebAuthnAttachment: + type: string + x-okta-known-values: + - ANY + - BUILT_IN + - ROAMING + WebAuthnCredRequest: + description: Credential request object for the initialized credential, along with the enrollment and key identifiers to associate with the credential type: object properties: - activationToken: - type: string - answer: - type: string - attestation: - type: string - clientData: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta type: string - nextPassCode: + credRequestJwe: + description: Encrypted JWE of credential request for the fulfillment provider type: string - passCode: + keyId: + description: ID for the Okta response key-pair used to encrypt and decrypt credential requests and responses type: string - registrationData: + WebAuthnCredResponse: + description: Credential response object for enrolled credential details, along with enrollment and key identifiers to associate the credential + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn Preregistration Factor in Okta type: string - stateToken: + credResponseJWE: + description: Encrypted JWE of credential response from the fulfillment provider type: string - VerifyUserFactorResponse: + WebAuthnPreregistrationFactor: + description: User Factor variant used for WebAuthn Preregistration Factors type: object properties: - expiresAt: + created: + description: Timestamp indicating when the Factor was enrolled type: string format: date-time readOnly: true - factorResult: - $ref: '#/components/schemas/VerifyUserFactorResult' - 
factorResultMessage: + factorType: + $ref: '#/components/schemas/UserFactorType' + id: + description: ID of the Factor type: string - _embedded: - type: object - additionalProperties: - type: object - properties: {} readOnly: true - _links: + lastUpdated: + description: Timestamp indicating when the Factor was last updated + type: string + format: date-time + readOnly: true + profile: type: object - additionalProperties: - type: object - properties: {} + description: Specific attributes related to the Factor + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the Factor vendor. This is usually the same as the provider. + type: string + example: OKTA readOnly: true - VerifyUserFactorResult: - type: string - x-okta-known-values: - - CHALLENGE - - ERROR - - EXPIRED - - FAILED - - PASSCODE_REPLAYED - - REJECTED - - SUCCESS - - TIMEOUT - - TIME_WINDOW_EXCEEDED - - WAITING - Version: - description: The version specified as a [Semantic Version](https://semver.org/). 
- type: string - pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ - VersionObject: + _links: + $ref: '#/components/schemas/LinksSelf' + WellKnownAppAuthenticatorConfiguration: type: object properties: - minimum: + appAuthenticatorEnrollEndpoint: type: string - WebAuthnUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object - properties: - profile: - $ref: '#/components/schemas/WebAuthnUserFactorProfile' - WebAuthnUserFactorProfile: - type: object - properties: - authenticatorName: + authenticatorId: type: string - credentialId: + description: The unique identifier of the app authenticator + createdDate: type: string - WebUserFactor: - allOf: - - $ref: '#/components/schemas/UserFactor' - - type: object + format: date-time + key: + type: string + lastUpdated: + type: string + format: date-time + name: + type: string + description: The authenticator display name + orgId: + type: string + settings: + type: object properties: - profile: - $ref: '#/components/schemas/WebUserFactorProfile' - WebUserFactorProfile: - type: object - properties: - credentialId: + userVerification: + type: string + $ref: '#/components/schemas/UserVerificationEnum' + supportedMethods: + type: array + items: + $ref: '#/components/schemas/SupportedMethods' + type: type: string + enum: + - app WellKnownOrgMetadata: type: object properties: @@ -26452,6 +39343,11 @@ components: omEnabled: type: boolean description: Whether the legacy Okta Mobile application is enabled for the org + WidgetGeneration: + type: string + x-okta-known-values: + - G2 + - G3 WsFederationApplication: x-okta-defined-as: name: template_wsfed 
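Review bot: In `WellKnownAppAuthenticatorConfiguration.settings`, the new `userVerification` property carries both `type: string` and `$ref: '#/components/schemas/UserVerificationEnum'`. Under OpenAPI 3.0 the siblings of a `$ref` are ignored, and generators do not all resolve the conflict the same way, so the property may be emitted as a plain string rather than the enum type. Keep only `$ref: '#/components/schemas/UserVerificationEnum'` on that property so the user-verification setting stays tied to the enum's known values.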
@@ -26463,6 +39359,7 @@ components: $ref: '#/components/schemas/ApplicationCredentials' name: type: string + description: Unique key for the app definition default: template_wsfed settings: $ref: '#/components/schemas/WsFederationApplicationSettings' 
@@ -26500,69 +39397,186 @@ components: type: boolean wReplyURL: type: string - responses: - ErrorApiValidationFailed400: - description: Bad Request - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - API Validation Failed: - $ref: '#/components/examples/ErrorApiValidationFailed' - ErrorAccessDenied403: - description: Forbidden - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Access Denied: - $ref: '#/components/examples/ErrorAccessDenied' - ErrorResourceNotFound404: - description: Not Found - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Resource Not Found: - $ref: '#/components/examples/ErrorResourceNotFound' - ErrorTooManyRequests429: - description: Too Many Requests - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - examples: - Resource Not Found: - $ref: '#/components/examples/ErrorTooManyRequests' - AuthenticatorResponse: - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/Authenticator' - examples: - Duo: - $ref: '#/components/examples/AuthenticatorResponseDuo' - Email: - $ref: '#/components/examples/AuthenticatorResponseEmail' - Password: - $ref: '#/components/examples/AuthenticatorResponsePassword' - Phone: - $ref: '#/components/examples/AuthenticatorResponsePhone' - WebAuthn: - $ref: '#/components/examples/AuthenticatorResponseWebAuthn' - Security Question: - $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion' - requestBodies: - AuthenticatorRequestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Authenticator' - examples: - Duo: - $ref: '#/components/examples/AuthenticatorRequestDuo' - required: true + ZoomUsApplicationSettings: + allOf: + - $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: 
'#/components/schemas/ZoomUsApplicationSettingsApplication' + ZoomUsApplicationSettingsApplication: + description: Zoom app instance properties + type: object + properties: + subDomain: + type: string + description: Your Zoom subdomain + required: + - subDomain + ZscalerbyzApplicationSettings: + allOf: + - $ref: '#/components/schemas/OINBaseSignOnModeApplicationSettings' + - type: object + - required: + - app + properties: + app: + $ref: '#/components/schemas/ZscalerbyzApplicationSettingsApplication' + ZscalerbyzApplicationSettingsApplication: + description: Zscaler app instance properties + type: object + properties: + siteDomain: + type: string + description: Your Zscaler domain + createdProperty: + description: Timestamp when the object was created + format: date-time + type: string + readOnly: true + enabledPagesType: + title: enabledPages + type: string + x-enumDescriptions: + SIGN_IN: User sign-in page + SSPR: Self-service Password Recovery page + SSR: Self-service Registration page + x-okta-known-values: + - SIGN_IN + - SSPR + - SSR + lastUpdatedProperty: + format: date-time + description: Timestamp when the object was last updated + type: string + readOnly: true + postAPIServiceIntegrationInstance: + allOf: + - $ref: '#/components/schemas/APIServiceIntegrationInstance' + - type: object + properties: + clientSecret: + type: string + description: The client secret for the API Service Integration instance. This property is only returned in a POST response. + readOnly: true + postAPIServiceIntegrationInstanceRequest: + type: object + properties: + grantedScopes: + type: array + description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). + items: + type: string + example: + - okta.logs.read + type: + type: string + description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. 
For example, `my_api_log_integration`. + example: my_app_cie + required: + - type + - grantedScopes + securitySchemes: + apiToken: + description: 'Pass the API token as the Authorization header value prefixed with SSWS: `Authorization: SSWS {API Token}`' + name: Authorization + type: apiKey + in: header + oauth2: + type: oauth2 + description: 'Pass the access_token as the value of the Authorization header: `Authorization: Bearer {access_token}`' + flows: + authorizationCode: + authorizationUrl: /oauth2/v1/authorize + tokenUrl: /oauth2/v1/token + scopes: + okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization. + okta.agentPools.read: Allows the app to read agent pools in your Okta organization. + okta.apiTokens.manage: Allows the app to manage API Tokens in your Okta organization. + okta.apiTokens.read: Allows the app to read API Tokens in your Okta organization. + okta.appGrants.manage: Allows the app to create and manage grants in your Okta organization. + okta.appGrants.read: Allows the app to read grants in your Okta organization. + okta.apps.manage: Allows the app to create and manage Apps in your Okta organization. + okta.apps.read: Allows the app to read information about Apps in your Okta organization. + okta.authenticators.manage: Allows the app to manage all authenticators (e.g. enrollments, reset). + okta.authenticators.read: Allows the app to read org authenticators information. + okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization. + okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization. + okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization. + okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization. 
+ okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization. + okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization. + okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization. + okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization. + okta.deviceAssurance.manage: Allows the app to manage device assurances. + okta.deviceAssurance.read: Allows the app to read device assurances. + okta.devices.manage: Allows the app to manage device status transitions and delete a device. + okta.devices.read: Allows the app to read the existing device's profile and search devices. + okta.domains.manage: Allows the app to manage custom Domains for your Okta organization. + okta.domains.read: Allows the app to read information about custom Domains for your Okta organization. + okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization. + okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization. + okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization. + okta.emailServers.read: Allows the app to read information about Email Servers for your Okta organization. + okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization. + okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization. + okta.features.manage: Allows the app to create and manage Features in your Okta organization. + okta.features.read: Allows the app to read information about Features in your Okta organization. + okta.groups.manage: Allows the app to manage existing groups in your Okta organization. + okta.groups.read: Allows the app to read information about groups and their members in your Okta organization. 
+ okta.identitySources.manage: Allows the custom identity sources to manage user entities in your Okta organization + okta.identitySources.read: Allows to read session information for custom identity sources in your Okta organization + okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization. + okta.idps.read: Allows the app to read information about Identity Providers in your Okta organization. + okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization. + okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization. + okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization. + okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization. + okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization. + okta.logStreams.read: Allows the app to read information about log streams in your Okta organization. + okta.logs.read: Allows the app to read information about System Log entries in your Okta organization. + okta.manifests.manage: Allows the app to manage OIN submissions in your Okta organization. + okta.manifests.read: Allows the app to read OIN submissions in your Okta organization. + okta.networkZones.manage: Allows the app to create and manage Network Zones in your Okta organization. + okta.networkZones.read: Allows the app to read Network Zones in your Okta organization. + okta.oauthIntegrations.manage: Allows the app to create and manage API service Integration instances in your Okta organization. + okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization. + okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization. + okta.orgs.read: Allows the app to read organization-specific details about your Okta organization. 
+ okta.policies.manage: Allows the app to manage policies in your Okta organization. + okta.policies.read: Allows the app to read information about policies in your Okta organization. + okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization. + okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization. + okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization. + okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization. + okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM. + okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM. + okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization. + okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization. + okta.realms.manage: Allows the app to create new realms and to manage their details. + okta.realms.read: Allows the app to read the existing realms and their details. + okta.resourceSelectors.manage: Allows the app to manage resource selectors in your Okta org. + okta.resourceSelectors.read: Allows the app to read resource selectors in your Okta org. + okta.riskEvents.manage: Allows the app to publish risk events to your Okta organization. + okta.riskProviders.manage: Allows the app to create and manage risk provider integrations in your Okta organization. + okta.riskProviders.read: Allows the app to read all risk provider integrations in your Okta organization. + okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization. + okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization. 
+ okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization. + okta.schemas.read: Allows the app to read information about Schemas in your Okta organization. + okta.sessions.manage: Allows the app to manage all sessions in your Okta organization. + okta.sessions.read: Allows the app to read all sessions in your Okta organization. + okta.templates.manage: Allows the app to manage all custom templates in your Okta organization. + okta.templates.read: Allows the app to read all custom templates in your Okta organization. + okta.threatInsights.manage: Allows the app to manage all ThreatInsight configurations in your Okta organization. + okta.threatInsights.read: Allows the app to read all ThreatInsight configurations in your Okta organization. + okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization. + okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization. + okta.uischemas.manage: Allows the app to manage all the UI Schemas in your Okta organization. + okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization. + okta.userTypes.manage: Allows the app to manage user types in your Okta organization. + okta.userTypes.read: Allows the app to read user types in your Okta organization. + okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information. + okta.users.read: Allows the app to read the existing users' profiles and credentials. \ No newline at end of file diff --git a/.generator/templates/api_application_test.go b/.generator/templates/api_application_test.go index 605d8ea3b..f83e2456a 100644 --- a/.generator/templates/api_application_test.go +++ b/.generator/templates/api_application_test.go 
@@ -106,7 +106,7 @@ func Test_Activate_Application(t *testing.T) { app, _, err := apiClient.ApplicationAPI.GetApplication(apiClient.cfg.Context, createdApp.BasicAuthApplication.GetId()).Execute() require.NoError(t, err, "Could not get app by ID") assert.Equal(t, createdApp.BasicAuthApplication.GetId(), app.BasicAuthApplication.GetId()) - assert.Equal(t, APPLICATIONLIFECYCLESTATUS_INACTIVE, app.BasicAuthApplication.GetStatus()) + assert.Equal(t, "INACTIVE", app.BasicAuthApplication.GetStatus()) }) t.Run("activate applications", func(t *testing.T) { _, err = apiClient.ApplicationAPI.ActivateApplication(apiClient.cfg.Context, createdApp.BasicAuthApplication.GetId()).Execute() @@ -114,7 +114,7 @@ func Test_Activate_Application(t *testing.T) { newapp, _, err := apiClient.ApplicationAPI.GetApplication(apiClient.cfg.Context, createdApp.BasicAuthApplication.GetId()).Execute() require.NoError(t, err, "Could not get app by ID") assert.Equal(t, createdApp.BasicAuthApplication.GetId(), newapp.BasicAuthApplication.GetId()) - assert.Equal(t, APPLICATIONLIFECYCLESTATUS_ACTIVE, newapp.BasicAuthApplication.GetStatus()) + assert.Equal(t, "ACTIVE", newapp.BasicAuthApplication.GetStatus()) }) err = cleanUpApplication(createdApp.BasicAuthApplication.GetId()) require.NoError(t, err, "Clean up app should not error") 
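Review bot: The status assertions in both hunks of `Test_Activate_Application` now compare against bare `"INACTIVE"` / `"ACTIVE"` literals, so a misspelled value is no longer caught by the compiler and only surfaces as a failing call against the live org. The same literals recur in api_idp_test.go, api_policy_test.go and the setters in test_helpers.go. The generated package presumably no longer exports the enum constants, so a small set of test-only constants would keep one spelling, e.g. `const statusActive, statusInactive = "ACTIVE", "INACTIVE"` in test_helpers.go. The function body extends beyond both hunks.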
@@ -279,17 +279,18 @@ func TestGetDefaultProvisioningConnectionForApplication(t *testing.T) { t.Run("get provisioning", func(t *testing.T) { conn, _, err := apiClient.ApplicationConnectionsAPI.GetDefaultProvisioningConnectionForApplication(apiClient.cfg.Context, createdApp.SamlApplication.GetId()).Execute() require.NoError(t, err, "getting default provisioning connection for application should not error.") - assert.NotEmpty(t, conn.GetAuthScheme()) - assert.NotEmpty(t, conn.GetStatus()) + assert.NotEmpty(t, conn.ProvisioningConnectionToken.GetAuthScheme()) + assert.NotEmpty(t, conn.ProvisioningConnectionToken.GetStatus()) }) t.Run("set provisioning", func(t *testing.T) { - profile := ProvisioningConnectionProfile{} + profile := ProvisioningConnectionProfileToken{} profile.SetAuthScheme("TOKEN") profile.SetToken("TEST") - payload := ProvisioningConnectionRequest{Profile: profile} - conn, _, err := apiClient.ApplicationConnectionsAPI.UpdateDefaultProvisioningConnectionForApplication(apiClient.cfg.Context, createdApp.SamlApplication.GetId()).ProvisioningConnectionRequest(payload).Activate(false).Execute() + request := NewProvisioningConnectionTokenRequest(profile) + payload := UpdateDefaultProvisioningConnectionForApplicationRequest{ProvisioningConnectionTokenRequest: request} + conn, _, err := apiClient.ApplicationConnectionsAPI.UpdateDefaultProvisioningConnectionForApplication(apiClient.cfg.Context, createdApp.SamlApplication.GetId()).UpdateDefaultProvisioningConnectionForApplicationRequest(payload).Activate(false).Execute() require.NoError(t, err, "setting default provisioning connection for application should not error.") - assert.Equal(t, PROVISIONINGCONNECTIONAUTHSCHEME_TOKEN, conn.GetAuthScheme()) + assert.Equal(t, "TOKEN", conn.GetAuthScheme()) }) err = cleanUpApplication(createdApp.SamlApplication.GetId()) require.NoError(t, err, "Clean up app should not error") 
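Review bot: The `get provisioning` subtest reads `conn.ProvisioningConnectionToken` without first checking that this variant of the response is populated. If the org returns a different connection type, the two `assert.NotEmpty` calls report an empty auth scheme rather than the real cause, or panic if the getters are not nil-safe. Add `require.NotNil(t, conn.ProvisioningConnectionToken, "expected a token-type provisioning connection")` before them. The `set provisioning` subtest calls `conn.GetAuthScheme()` on the response directly, so the two subtests appear to assume different response shapes; the return types are not visible in this hunk, so confirm that is intended.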
diff --git a/.generator/templates/api_idp_test.go b/.generator/templates/api_idp_test.go index 66d890b3f..4e255cf07 100644 --- a/.generator/templates/api_idp_test.go +++ b/.generator/templates/api_idp_test.go @@ -50,16 +50,16 @@ func Test_Get_Identity_Provider(t *testing.T) { func Test_Activate_Identity_Provider(t *testing.T) { createdIdp, _, err := setupIdp(randomTestString()) require.NoError(t, err, "Creating a new idp should not error") - assert.Equal(t, LIFECYCLESTATUS_ACTIVE, createdIdp.GetStatus()) + assert.Equal(t, "ACTIVE", createdIdp.GetStatus()) t.Run("deactivate idp", func(t *testing.T) { didp, _, err := apiClient.IdentityProviderAPI.DeactivateIdentityProvider(apiClient.cfg.Context, createdIdp.GetId()).Execute() require.NoError(t, err, "Could not deactivate idp") - assert.Equal(t, LIFECYCLESTATUS_INACTIVE, didp.GetStatus()) + assert.Equal(t, "INACTIVE", didp.GetStatus()) }) t.Run("activate idp", func(t *testing.T) { aidp, _, err := apiClient.IdentityProviderAPI.ActivateIdentityProvider(apiClient.cfg.Context, createdIdp.GetId()).Execute() require.NoError(t, err, "Could not activate idp") - assert.Equal(t, LIFECYCLESTATUS_ACTIVE, aidp.GetStatus()) + assert.Equal(t, "ACTIVE", aidp.GetStatus()) }) err = cleanUpIdp(createdIdp.GetId()) require.NoError(t, err, "Clean up idp should not error") diff --git a/.generator/templates/api_policy_test.go b/.generator/templates/api_policy_test.go index de872b728..09188a280 100644 --- a/.generator/templates/api_policy_test.go +++ b/.generator/templates/api_policy_test.go 
@@ -98,7 +98,7 @@ func Test_Activate_Policy(t *testing.T) { policy, _, err := apiClient.PolicyAPI.GetPolicy(apiClient.cfg.Context, createdPolicy.AccessPolicy.GetId()).Execute() require.NoError(t, err, "Could not get policy by ID") assert.Equal(t, createdPolicy.AccessPolicy.GetId(), policy.AccessPolicy.GetId()) - assert.Equal(t, LIFECYCLESTATUS_INACTIVE, policy.AccessPolicy.GetStatus()) + assert.Equal(t, "INACTIVE", policy.AccessPolicy.GetStatus()) }) t.Run("activate policy", func(t *testing.T) { _, err = apiClient.PolicyAPI.ActivatePolicy(apiClient.cfg.Context, createdPolicy.AccessPolicy.GetId()).Execute() @@ -106,7 +106,7 @@ func Test_Activate_Policy(t *testing.T) { policy, _, err := apiClient.PolicyAPI.GetPolicy(apiClient.cfg.Context, createdPolicy.AccessPolicy.GetId()).Execute() require.NoError(t, err, "Could not get policy by ID") assert.Equal(t, createdPolicy.AccessPolicy.GetId(), policy.AccessPolicy.GetId()) - assert.Equal(t, LIFECYCLESTATUS_ACTIVE, policy.AccessPolicy.GetStatus()) + assert.Equal(t, "ACTIVE", policy.AccessPolicy.GetStatus()) }) err = cleanUpPolicy(createdPolicy.AccessPolicy.GetId()) require.NoError(t, err, "Clean up policy should not error") @@ -115,6 +115,7 @@ func Test_Activate_Policy(t *testing.T) { // ACCESS/AUTHENTICATION POLICY ONLY // TODO Used to work, now fail with 401 func Test_Clone_Policy(t *testing.T) { + t.Skip("Will failed due to change in API authz") createdPolicy, _, err := setupAccessPolicy(randomTestString()) require.NoError(t, err, "Creating a new policy should not error") var policyID string @@ -141,7 +142,7 @@ func Test_Policy_Rules_Operation(t *testing.T) { configuration.Debug = true proxyClient := NewAPIClient(configuration) accessPolicyRule := &AccessPolicyRule{} - accessPolicyRule.SetType(POLICYRULETYPE_ACCESS_POLICY) + accessPolicyRule.SetType("ACCESS_POLICY") name := randomTestString() accessPolicyRule.SetName(name) payload := ListPolicyRules200ResponseInner{AccessPolicyRule: accessPolicyRule} 
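Review bot: `t.Skip("Will failed due to change in API authz")` in `Test_Clone_Policy` disables the only clone-policy coverage with a message that does not say what changed or when the test can come back. The comment above only records that the call now returns 401. A 401 after an authorization change may mean the test credential lacks a scope or admin role, which is worth recording so the skip does not become permanent. Suggest `t.Skip("clone policy returns 401 after API authz change; re-enable once the required permission is known (tracking: <ISSUE-ID>)")`, with a real issue reference in place of the placeholder.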
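Review bot: In the `Test_Policy_Rules_Operation` hunk, `configuration.Debug = true` is left on for the client built by `NewAPIClient(configuration)`. If the generated client's debug mode dumps whole requests and responses, as the stock openapi-generator Go client does (confirm for this template), the `Authorization` header with the SSWS or bearer token ends up in CI output. Unless the dump is needed, drop the line or scrub the header before logging. The function continues outside the hunk, so whether the flag is reset later is not visible.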
@@ -176,7 +177,7 @@ func Test_Policy_Rules_Operation(t *testing.T) { require.NoError(t, err, "Could not deactivate policy rule") rpolicyRule, _, err := apiClient.PolicyAPI.GetPolicyRule(apiClient.cfg.Context, createdPolicy.AccessPolicy.GetId(), createdPolicyRule.AccessPolicyRule.GetId()).Execute() require.NoError(t, err, "Could not get policy rule by ID") - assert.Equal(t, LIFECYCLESTATUS_INACTIVE, rpolicyRule.AccessPolicyRule.GetStatus()) + assert.Equal(t, "INACTIVE", rpolicyRule.AccessPolicyRule.GetStatus()) }) t.Run("activate policy rule", func(t *testing.T) { @@ -184,7 +185,7 @@ func Test_Policy_Rules_Operation(t *testing.T) { require.NoError(t, err, "Could not activate policy rule") rpolicyRule, _, err := apiClient.PolicyAPI.GetPolicyRule(apiClient.cfg.Context, createdPolicy.AccessPolicy.GetId(), createdPolicyRule.AccessPolicyRule.GetId()).Execute() require.NoError(t, err, "Could not get policy rule by ID") - assert.Equal(t, LIFECYCLESTATUS_ACTIVE, rpolicyRule.AccessPolicyRule.GetStatus()) + assert.Equal(t, "ACTIVE", rpolicyRule.AccessPolicyRule.GetStatus()) }) err = cleanUpPolicyRule(createdPolicy.AccessPolicy.GetId(), createdPolicyRule.AccessPolicyRule.GetId()) require.NoError(t, err, "Clean up policy rule should not error") diff --git a/.generator/templates/api_user_schema_test.go b/.generator/templates/api_user_schema_test.go index ef76bc382..48903cfbe 100644 --- a/.generator/templates/api_user_schema_test.go +++ b/.generator/templates/api_user_schema_test.go 
@@ -14,7 +14,7 @@ func Test_Get_User_Schema(t *testing.T) { assert.NotEmpty(t, schema, "User schema is empty") assert.Equal(t, "Username", schema.Definitions.Base.Properties.Login.GetTitle()) assert.Equal(t, "READ_WRITE", schema.Definitions.Base.Properties.Login.GetMutability()) - assert.Equal(t, USERSCHEMAATTRIBUTESCOPE_NONE, schema.Definitions.Base.Properties.Login.GetScope()) + assert.Equal(t, "NONE", schema.Definitions.Base.Properties.Login.GetScope()) assert.Equal(t, int32(5), schema.Definitions.Base.Properties.Login.GetMinLength()) assert.Equal(t, int32(100), schema.Definitions.Base.Properties.Login.GetMaxLength()) assert.NotEmpty(t, schema.Definitions.Base.Properties.Login.GetPermissions()) @@ -31,7 +31,7 @@ func Test_Update_Property_To_User_Schema(t *testing.T) { customAttributeName := testPrefix + randomTestString() customAttributeDetail := UserSchemaAttribute{} customAttributeDetail.SetTitle(customAttributeName) - customAttributeDetail.SetType(USERSCHEMAATTRIBUTETYPE_STRING) + customAttributeDetail.SetType("string") customAttributeDetail.SetMinLength(1) customAttributeDetail.SetMaxLength(20) customAttribute := make(map[string]UserSchemaAttribute) diff --git a/.generator/templates/api_user_test.go b/.generator/templates/api_user_test.go index 24f4851c0..406f80bd4 100644 --- a/.generator/templates/api_user_test.go +++ b/.generator/templates/api_user_test.go @@ -80,7 +80,7 @@ func Test_Update_User_Profile(t *testing.T) { nickName := "Batman" t.Run("update user", func(t *testing.T) { newProfile := user.Profile - newProfile.NickName = &nickName + newProfile.NickName = NullableString{value: &nickName, isSet: true} req := apiClient.UserAPI.UpdateUser(apiClient.cfg.Context, user.GetId()) body := UpdateUserRequest{Profile: newProfile} req = req.User(body) 
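Review bot: In the `Test_Update_User_Profile` hunk, `NullableString{value: &nickName, isSet: true}` builds the wrapper through its unexported fields, which compiles only because the test lives in the SDK package and ties the test to the generated struct layout. SDK users cannot write this, so the test does not exercise the public path. Prefer the generated API, e.g. `newProfile.SetNickName(nickName)` or `newProfile.NickName = *NewNullableString(&nickName)`, assuming the generator emits those helpers for this model as it normally does. Also, `newProfile := user.Profile` may alias the original profile if the field is a pointer; its type is not visible here.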
@@ -90,7 +90,7 @@ func Test_Update_User_Profile(t *testing.T) { t.Run("get user", func(t *testing.T) { updatedUser, _, err := apiClient.UserAPI.GetUser(apiClient.cfg.Context, user.GetId()).Execute() require.NoError(t, err, "Could not get user by ID") - assert.Equal(t, nickName, *updatedUser.Profile.NickName) + assert.Equal(t, nickName, updatedUser.Profile.GetNickName()) }) err = cleanUpUser(user.GetId()) require.NoError(t, err, "Clean up user should not error") @@ -224,7 +224,7 @@ func Test_Assign_User_To_A_Role(t *testing.T) { user, _, _, err := setupUser(true) require.NoError(t, err, "Creating a new user should not error") var roleId string - role := ROLETYPE_USER_ADMIN + role := "USER_ADMIN" t.Run("add role to user", func(t *testing.T) { req := apiClient.RoleAssignmentAPI.AssignRoleToUser(apiClient.cfg.Context, user.GetId()) payload := AssignRoleRequest{ @@ -348,9 +348,9 @@ func Test_List_User_Subscriptions(t *testing.T) { assert.True(t, len(subscriptions) > 0, "User should have subscriptions") }) t.Run("get user subscription by notification type", func(t *testing.T) { - subscription, _, err := apiClient.SubscriptionAPI.GetSubscriptionsNotificationTypeUser(apiClient.cfg.Context, NOTIFICATIONTYPE_OKTA_ANNOUNCEMENT, user.GetId()).Execute() + subscription, _, err := apiClient.SubscriptionAPI.GetSubscriptionsNotificationTypeUser(apiClient.cfg.Context, "OKTA_ANNOUNCEMENT", user.GetId()).Execute() require.NoError(t, err, "Should not error getting user subscription by notification types") - assert.Equal(t, subscription.GetNotificationType(), NOTIFICATIONTYPE_OKTA_ANNOUNCEMENT, "User should have subscription notification type %q, got %q", NOTIFICATIONTYPE_OKTA_ANNOUNCEMENT, subscription.NotificationType) + assert.Equal(t, subscription.GetNotificationType(), "OKTA_ANNOUNCEMENT", "User should have subscription notification type %q, got %q", "OKTA_ANNOUNCEMENT", subscription.NotificationType) }) } 
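Review bot: In the last hunk (`Test_List_User_Subscriptions`), `assert.Equal` receives the actual value first and the expected literal second, so a failure prints them under the wrong labels. The message also formats `subscription.NotificationType` with `%q`; if that field is a pointer, as optional fields in generated models usually are, it prints an address instead of the value. Suggest `assert.Equal(t, "OKTA_ANNOUNCEMENT", subscription.GetNotificationType(), "unexpected subscription notification type")`.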
diff --git a/.generator/templates/test_helpers.go b/.generator/templates/test_helpers.go index e8f94db49..98008957f 100644 --- a/.generator/templates/test_helpers.go +++ b/.generator/templates/test_helpers.go @@ -96,7 +96,7 @@ func (t *TestFactory) NewValidTestRecoveryQuestionCredential() *RecoveryQuestion func (t *TestFactory) NewValidTestIdentityProvider() *IdentityProvider { res := IdentityProvider{} - res.SetType(IDENTITYPROVIDERTYPE_OIDC) + res.SetType("OIDC") res.SetName(randomTestString()) res.SetProtocol(*t.NewValidTestProtocol()) res.SetPolicy(*t.NewValidTestIdentityProviderPolicy()) @@ -245,7 +245,7 @@ func (t *TestFactory) NewValidTestCSRMetadata() *CsrMetadata { func (t *TestFactory) NewValidAccessPolicy(name string) *AccessPolicy { policyRule := NewPolicyRuleConditions() res := AccessPolicy{} - res.SetType(POLICYTYPE_ACCESS_POLICY) + res.SetType("ACCESS_POLICY") res.SetDescription(randomTestString()) res.SetPriority(int32(1)) res.SetConditions(*policyRule) @@ -262,7 +262,7 @@ func (t *TestFactory) NewValidBasicAuthApplication(label string) *BasicAuthAppli res := BasicAuthApplication{} res.SetSettings(*setting) res.SetName("template_basic_auth") - res.SetSignOnMode(APPLICATIONSIGNONMODE_BASIC_AUTH) + res.SetSignOnMode("BASIC_AUTH") res.SetLabel(label) return &res } @@ -276,7 +276,7 @@ func (t *TestFactory) NewValidBookmarkApplication(label string) *BookmarkApplica res := BookmarkApplication{} res.SetSettings(*setting) res.SetName("bookmark") - res.SetSignOnMode(APPLICATIONSIGNONMODE_BOOKMARK) + res.SetSignOnMode("BOOKMARK") res.SetLabel(label) return &res } @@ -291,7 +291,7 @@ func (t *TestFactory) NewValidOrg2OrgApplication(label string) *SamlApplication res := SamlApplication{} res.SetSettings(*setting) res.SetName("okta_org2org") - res.SetSignOnMode(APPLICATIONSIGNONMODE_SAML_2_0) + res.SetSignOnMode("SAML_2_0") res.SetLabel(label) return &res } 
@@ -300,17 +300,17 @@ func (t *TestFactory) NewValidOIDCApplication(label string) *OpenIdConnectApplic settingClient := NewOpenIdConnectApplicationSettingsClient() settingClient.SetClientUri("https://example.com/client") settingClient.SetLogoUri("https://example.com/assets/images/logo-new.png") - settingClient.SetResponseTypes([]OAuthResponseType{OAUTHRESPONSETYPE_TOKEN, OAUTHRESPONSETYPE_ID_TOKEN, OAUTHRESPONSETYPE_CODE}) + settingClient.SetResponseTypes([]string{"token", "id_token", "code"}) settingClient.SetRedirectUris([]string{"https://example.com/oauth2/callback", "myapp://callback"}) settingClient.SetPostLogoutRedirectUris([]string{"https://example.com/postlogout", "myapp://postlogoutcallback"}) - settingClient.SetGrantTypes([]OAuthGrantType{OAUTHGRANTTYPE_IMPLICIT, OAUTHGRANTTYPE_AUTHORIZATION_CODE}) - settingClient.SetApplicationType(OPENIDCONNECTAPPLICATIONTYPE_NATIVE) + settingClient.SetGrantTypes([]string{"implicit", "authorization_code"}) + settingClient.SetApplicationType("native") settingClient.SetTosUri("https://example.com/client/tos") settingClient.SetPolicyUri("https://example.com/client/policy") setting := NewOpenIdConnectApplicationSettings() setting.SetOauthClient(*settingClient) credClient := NewApplicationCredentialsOAuthClient() - credClient.SetTokenEndpointAuthMethod(OAUTHENDPOINTAUTHENTICATIONMETHOD_CLIENT_SECRET_POST) + credClient.SetTokenEndpointAuthMethod("client_secret_post") credClient.SetClientId(randomTestString()) credClient.SetAutoKeyRotation(true) credentials := NewOAuthApplicationCredentials() @@ -319,7 +319,7 @@ func (t *TestFactory) NewValidOIDCApplication(label string) *OpenIdConnectApplic res.SetSettings(*setting) res.SetCredentials(*credentials) res.SetName("oidc_client") - res.SetSignOnMode(APPLICATIONSIGNONMODE_OPENID_CONNECT) + res.SetSignOnMode("OPENID_CONNECT") res.SetLabel(label) return &res } 
diff --git a/.github/workflows/prepareReleaseBranch.yml b/.github/workflows/prepareReleaseBranch.yml index 32e0a77d8..85bcfa6f7 100644 --- a/.github/workflows/prepareReleaseBranch.yml +++ b/.github/workflows/prepareReleaseBranch.yml @@ -39,11 +39,11 @@ jobs: - name: Set openapi generator version run: openapi-generator-cli version-manager set 7.0.1 - name: Generate go client - run: make v3-generate + run: make v4-generate - run: make fmt - run: make import - - run: cd okta/v3 && mv go.mod go.sum ../../ - - run: cd okta && mv v3/* ./ && rm -rf v3 + - run: cd okta/v4 && mv go.mod go.sum ../../ + - run: cd okta && mv v4/* ./ && rm -rf v4 - name: Commit generated code uses: EndBug/add-and-commit@v9 with: diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 85df32d05..000000000 --- a/.travis.yml +++ /dev/null @@ -1,32 +0,0 @@ -language: go - -before_install: - - nvm install 16.16.0 - - nvm use 16.16.0 - - npm install @openapitools/openapi-generator-cli -g - - openapi-generator-cli version-manager set 6.0.1 - - npx @openapitools/openapi-generator-cli generate -c ./.generator/config.yaml -i ./.generator/okta-management-APIs-oasv3-enum-inheritance.yaml - - make fmt - - make import - -jobs: - include: - - stage: test_go_1.19_v2 - go: 1.19.x - script: - - go mod download - - make test - - - stage: test_go_1.19_v3 - go: 1.19.x - script: - - cd okta/v3 - - go mod download - - go test -failfast -race ./ -test.v - - # go tip build is broken upstream on Travis - # - stage: test_go_tip - # go: tip - # script: - # - go mod download - # - make test diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c8ef04f7..1d09ac547 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ # Changelog Running changelog of releases since `2.0.0-rc.4` +## v4.0.0 + - Release v4 version of the sdk base on openapi spec v3 (#427) Thanks [@duytiennguyen-okta] + ## v2.19.0 - Upgrade dependency (#378) Thanks [@duytiennguyen-okta] 
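Review bot: The release workflow that this hunk retargets to v4 commits generated code through `EndBug/add-and-commit@v9`, a third-party action referenced by a movable tag. Because that step writes to the repository, pinning it to a full commit SHA (`uses: EndBug/add-and-commit@<COMMIT-SHA> # v9`) removes the risk of the tag being repointed. The `with:` block continues outside the hunk, so the inputs and permissions given to the step are not visible here.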
diff --git a/MIGRATING.md b/MIGRATING.md index 620b3e50a..98093251a 100644 --- a/MIGRATING.md +++ b/MIGRATING.md @@ -1,10 +1,10 @@ # Okta Golang management SDK migration guide -## Migrating from 2.x to 3.x +## Migrating from 2.x to 4.x In releases prior to version 3 we use an Open API v2 specification, and an Okta custom client generator to partially generate our SDK. A new version of the Open API specification (V3) has been released, and new well-known generators are now available and well received by the community. Planning the future of this SDK, we consider this a good opportunity to modernize by aligning with established standards for API client generation. -We acknowledge that migrating from v2 to v3 will require considerable effort, but we expect this change to benefit our customers in the long term. +We acknowledge that migrating from v2 to v4 will require considerable effort, but we expect this change to benefit our customers in the long term. With OpenAPI v3, we saw an opportunity for improvement in several areas: @@ -119,4 +119,4 @@ The following features have been ported to 6.x: * Manual pagination for collections * Default retry strategy for 429 HTTP responses and ability to provide your own strategy * Web proxy -* OAuth for Okta +* OAuth for Okta \ No newline at end of file diff --git a/Makefile b/Makefile index 8d16c5778..eaf3a5b89 100644 --- a/Makefile +++ b/Makefile 
@@ -90,8 +90,8 @@ import: check-goimports check-goimports: @which $(GOIMPORTS) > /dev/null || GO111MODULE=on go install golang.org/x/tools/cmd/goimports@latest -v3-test: - go test -failfast -race ./okta/v3 -test.v +v4-test: + go test -failfast -race ./okta -test.v -v3-generate: - npx @openapitools/openapi-generator-cli generate -c ./.generator/config.yaml -i .generator/okta-management-APIs-oasv3-enum-inheritance.yaml +v4-generate: + npx @openapitools/openapi-generator-cli generate -c ./.generator/config.yaml -i .generator/okta-management-APIs-oasv3-noEnums-inheritance.yaml \ No newline at end of file
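Review bot: `v4-generate` runs `npx @openapitools/openapi-generator-cli generate` without fixing the generator version, while the release workflow in this patch first sets 7.0.1 through `version-manager set`. A local `make v4-generate` can therefore produce different code from CI, and an unpinned `npx` fetch pulls whatever wrapper version is current. Suggest a comment above the target such as `# requires openapi-generator 7.0.1 (openapi-generator-cli version-manager set 7.0.1)`, or committing the wrapper's `openapitools.json` so the version travels with the repo.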